fix: use host's root CA set if ClientTLS ca is not defined

Co-authored-by: Tom Moulard <tom.moulard@traefik.io>

docs/content/middlewares/http/forwardauth.md

@@ -353,7 +353,8 @@ The `tls` option is the TLS configuration from Traefik to the authentication ser
 
 #### `tls.ca`
 
-Certificate Authority used for the secured connection to the authentication server.
+Certificate Authority used for the secured connection to the authentication server,
+defaults to the system bundle.
 
 ```yaml tab="Docker"
 labels:

docs/content/providers/consul-catalog.md

@@ -368,7 +368,8 @@ Defines TLS options for Consul server endpoint.
 
 _Optional_
 
-`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
+Certificate Authority used for the secure connection to Consul,
+defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/consul.md

@@ -106,7 +106,8 @@ _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secure connection to Consul.
+Certificate Authority used for the secure connection to Consul,
+defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/docker.md

@@ -615,7 +615,8 @@ _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secure connection to Docker.
+Certificate Authority used for the secure connection to Docker,
+defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/etcd.md

@@ -106,7 +106,8 @@ _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secure connection to etcd.
+Certificate Authority used for the secure connection to etcd,
+defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/http.md

@@ -78,7 +78,8 @@ _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secure connection to the configured endpoint.
+Certificate Authority used for the secure connection to the configured endpoint,
+defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/kubernetes-crd.md

@@ -62,7 +62,7 @@ Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1
 
 If you need Let's Encrypt with HA in a Kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/), which includes distributed Let's Encrypt as a supported feature.
 
-If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://cert-manager.io/docs/).
 When using Cert-Manager to manage certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs.
 A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.

docs/content/providers/kubernetes-ingress.md

@@ -104,7 +104,7 @@ If you need Let's Encrypt with high availability in a Kubernetes environment,
 we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) which includes distributed Let's Encrypt as a supported feature.
 
 If you want to keep using Traefik Proxy,
-LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
+LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://cert-manager.io/docs/).
 When using Cert-Manager to manage certificates,
 it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
 

docs/content/providers/marathon.md

@@ -406,7 +406,8 @@ _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secure connection to Marathon.
+Certificate Authority used for the secure connection to Marathon,
+defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/redis.md

@@ -106,7 +106,8 @@ _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secure connection to Redis.
+Certificate Authority used for the secure connection to Redis,
+defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:

docs/content/providers/zookeeper.md

@@ -106,7 +106,8 @@ _Optional_
 
 #### `tls.ca`
 
-Certificate Authority used for the secure connection to ZooKeeper.
+Certificate Authority used for the secure connection to ZooKeeper,
+defaults to the system bundle.
 
 ```yaml tab="File (YAML)"
 providers:

pkg/types/tls.go

@@ -30,7 +30,9 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 		return nil, nil
 	}
 
-	caPool := x509.NewCertPool()
+	// Not initialized, to rely on system bundle.
+	var caPool *x509.CertPool
+
 	clientAuth := tls.NoClientCert
 	if clientTLS.CA != "" {
 		var ca []byte
@@ -44,6 +46,7 @@ func (clientTLS *ClientTLS) CreateTLSConfig(ctx context.Context) (*tls.Config, e
 			ca = []byte(clientTLS.CA)
 		}
 
+		caPool = x509.NewCertPool()
 		if !caPool.AppendCertsFromPEM(ca) {
 			return nil, errors.New("failed to parse CA")
 		}

pkg/types/tls_test.go

@@ -115,9 +115,15 @@ func TestClientTLS_CreateTLSConfig(t *testing.T) {
 
 			require.NoError(t, err)
 
-			assert.Len(t, tlsConfig.RootCAs.Subjects(), test.wantCALen)
 			assert.Len(t, tlsConfig.Certificates, test.wantCertLen)
 			assert.Equal(t, test.clientTLS.InsecureSkipVerify, tlsConfig.InsecureSkipVerify)
+
+			if test.wantCALen > 0 {
+				assert.Len(t, tlsConfig.RootCAs.Subjects(), test.wantCALen)
+				return
+			}
+
+			assert.Nil(t, tlsConfig.RootCAs)
 		})
 	}
 }