fix: also add ca to RootCAs (#2516)

Signed-off-by: MisakaCloud <xjdzch@126.com>

client/daemon/daemon.go

@@ -504,6 +504,7 @@ func (*clientDaemon) prepareTCPListener(opt config.ListenOption, withTLS bool) (
 		caCertPool := x509.NewCertPool()
 		caCertPool.AppendCertsFromPEM([]byte(opt.Security.CACert))
 		tlsConfig.ClientCAs = caCertPool
+		tlsConfig.RootCAs = caCertPool
 		if opt.Security.TLSVerify {
 			tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
 		}

client/daemon/peer/piece_downloader.go

@@ -153,7 +153,10 @@ func NewPieceDownloader(timeout time.Duration, caCertPool *x509.CertPool) PieceD
 
 	if caCertPool != nil {
 		pd.scheme = "https"
-		defaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{ClientCAs: caCertPool}
+		defaultTransport.(*http.Transport).TLSClientConfig = &tls.Config{
+			ClientCAs: caCertPool,
+			RootCAs:   caCertPool,
+		}
 	}
 
 	return pd

pkg/rpc/credential.go

@@ -64,6 +64,7 @@ func NewServerCredentialsByCertify(tlsPolicy string, tlsVerify bool, pemClientCA
 			return certifyClient.GetCertificate(hello)
 		},
 		ClientCAs: certPool,
+		RootCAs:   certPool,
 	}
 
 	if tlsVerify {