From 8d2f63b07e4150a2c5b1890bf9365dd60cb521a4 Mon Sep 17 00:00:00 2001
From: Ryan Fowler
Date: Tue, 7 Apr 2026 16:19:35 -0700
Subject: [PATCH] Include system roots when using --ca-cert

Previously --ca-cert created a fresh cert pool with only the custom CA, discarding system roots. This matches curl's behavior by starting from the system cert pool and appending the custom CAs on top.
---
 internal/client/tls.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/internal/client/tls.go b/internal/client/tls.go
index c7fb090..96384c9 100644
--- a/internal/client/tls.go
+++ b/internal/client/tls.go
@@ -32,7 +32,10 @@ func (c *TLSDialConfig) BuildTLSConfig() *tls.Config {
 tlsConfig.InsecureSkipVerify = true
 }
 if len(c.CACerts) > 0 {
- certPool := x509.NewCertPool()
+ certPool, err := x509.SystemCertPool()
+ if err != nil {
+ certPool = x509.NewCertPool()
+ }
 for _, cert := range c.CACerts {
 certPool.AddCert(cert)
 }
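Review bot: With this change `--ca-cert` no longer restricts trust. Inside `if len(c.CACerts) > 0` the pool now starts from `x509.SystemCertPool()`, so a server certificate chaining to any system root verifies even when the caller supplied a private CA expecting only that CA to be accepted. Anyone who relied on the old custom-CA-only behaviour for isolation (internal PKI, test CAs) gets no signal, so the branch should carry a comment such as `// CACerts are added to the system roots; they do not replace them.` and an explicit opt-out would be worth considering. The `err != nil` fallback also silently reverts to a custom-CA-only pool, so the effective trust set can differ between platforms with nothing logged; a debug log there would make that visible. BuildTLSConfig starts and ends outside the hunk, so how `certPool` is assigned to the returned config is not visible here.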