load system CAs before trying to load custom CAs (#7133)

This changes causes `getRootCAs` to always load system-wide CAs.
Any additional custom CAs (at `certs/CA/`) are added to the certificate pool
of system CAs.

The previous behavior was incorrect since all no system-wide CAs were
loaded if either there were CAs under `certs/CA` or the `certs/CA`
directory didn't exist at all.

cmd/certs.go

@@ -68,28 +68,6 @@ func parsePublicCertFile(certFile string) (x509Certs []*x509.Certificate, err er
 }
 
 func getRootCAs(certsCAsDir string) (*x509.CertPool, error) {
-	// Get all CA file names.
-	var caFiles []string
-	fis, err := readDir(certsCAsDir)
-	if err != nil && err != errFileNotFound {
-		return nil, err
-	}
-	// Return success if CA's directory is missing.
-	if err == errFileNotFound {
-		return nil, nil
-	}
-	for _, fi := range fis {
-		// Skip all directories.
-		if hasSuffix(fi, slashSeparator) {
-			continue
-		}
-		// We are only interested in regular files here.
-		caFiles = append(caFiles, pathJoin(certsCAsDir, fi))
-	}
-	if len(caFiles) == 0 {
-		return nil, nil
-	}
-
 	rootCAs, _ := x509.SystemCertPool()
 	if rootCAs == nil {
 		// In some systems (like Windows) system cert pool is
@@ -98,16 +76,26 @@ func getRootCAs(certsCAsDir string) (*x509.CertPool, error) {
 		rootCAs = x509.NewCertPool()
 	}
 
-	// Load custom root CAs for client requests
+	fis, err := readDir(certsCAsDir)
-	for _, caFile := range caFiles {
-		caCert, err := ioutil.ReadFile(caFile)
 	if err != nil {
-			return nil, err
+		if err == errFileNotFound {
+			err = nil // Return success if CA's directory is missing.
+		}
+		return rootCAs, err
 	}
 
+	// Load all custom CA files.
+	for _, fi := range fis {
+		// Skip all directories.
+		if hasSuffix(fi, slashSeparator) {
+			continue
+		}
+		caCert, err := ioutil.ReadFile(pathJoin(certsCAsDir, fi))
+		if err != nil {
+			return rootCAs, err
+		}
 		rootCAs.AppendCertsFromPEM(caCert)
 	}
-
 	return rootCAs, nil
 }