From 5f96fb816c42b85813a7c158c9d072836f91c395 Mon Sep 17 00:00:00 2001
From: Nandor Kracser
Date: Thu, 22 Jun 2017 20:37:26 +0200
Subject: [PATCH] CAFile is now optional, in that case the default RootCAs are used
---
 pkg/getter/httpgetter.go | 2 +-
 pkg/tlsutil/tls.go | 17 ++++++++++-------
 2 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/pkg/getter/httpgetter.go b/pkg/getter/httpgetter.go
index 1dfffb6d4..9afa31f60 100644
--- a/pkg/getter/httpgetter.go
+++ b/pkg/getter/httpgetter.go
@@ -50,7 +50,7 @@ func (g *httpGetter) Get(href string) (*bytes.Buffer, error) {
 // newHTTPGetter constructs a valid http/https client as Getter
 func newHTTPGetter(URL, CertFile, KeyFile, CAFile string) (Getter, error) {
 var client httpGetter
- if CertFile != "" && KeyFile != "" && CAFile != "" {
+ if CertFile != "" && KeyFile != "" {
 tlsConf, err := tlsutil.NewClientTLS(CertFile, KeyFile, CAFile)
 if err != nil {
 return nil, fmt.Errorf("can't create TLS config for client: %s", err.Error())
diff --git a/pkg/tlsutil/tls.go b/pkg/tlsutil/tls.go
index 05a671211..422bddacb 100644
--- a/pkg/tlsutil/tls.go
+++ b/pkg/tlsutil/tls.go
@@ -29,14 +29,17 @@ func NewClientTLS(certFile, keyFile, caFile string) (*tls.Config, error) {
 if err != nil {
 return nil, err
 }
- cp, err := CertPoolFromFile(caFile)
- if err != nil {
- return nil, err
- }
- return &tls.Config{
+ config := tls.Config{
 Certificates: []tls.Certificate{*cert},
- RootCAs: cp,
- }, nil
+ }
+ if caFile != "" {
+ cp, err := CertPoolFromFile(caFile)
+ if err != nil {
+ return nil, err
+ }
+ config.RootCAs = cp
+ }
+ return &config, nil
 }
 // CertPoolFromFile returns an x509.CertPool containing the certificates
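Review bot: With the relaxed condition in newHTTPGetter, a CAFile supplied without both CertFile and KeyFile is still silently ignored and the getter falls through to the default client, so a repo served under a private CA would presumably fail later with a verification error rather than a clear configuration error. Consider rejecting that combination where the condition is evaluated, `if CAFile != "" && (CertFile == "" || KeyFile == "") { return nil, fmt.Errorf("CAFile requires CertFile and KeyFile") }`, or at least extending the comment above the function to say that the CA file is only honoured together with a client certificate pair. The body of newHTTPGetter continues past the end of the hunk.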
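Review bot: The doc comment on NewClientTLS, which sits above this hunk, should state that caFile may now be empty and what that means, because the new fallback is invisible at the call site: `// An empty caFile leaves RootCAs nil, so the host's root CA set is used to verify the server.` Leaving RootCAs nil keeps normal server verification in place (nothing in the hunk sets InsecureSkipVerify), so the fallback itself is sound; what the caller loses is an explicit signal that no custom CA was loaded, which the comment should make clear. The `cp, err :=` inside the new `if caFile != ""` block shadows the outer err; it is harmless here but worth a glance if the function grows. NewClientTLS starts outside the hunk.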