fix certificate check in the example client

example/client/main.go

@@ -3,6 +3,7 @@ package main
 import (
 	"bytes"
 	"crypto/tls"
+	"crypto/x509"
 	"flag"
 	"io"
 	"net/http"
@@ -29,9 +30,14 @@ func main() {
 	}
 	logger.SetLogTimeFormat("")
 
+	pool, err := x509.SystemCertPool()
+	if err != nil {
+		panic(err)
+	}
+	testdata.AddRootCA(pool)
 	roundTripper := &http3.RoundTripper{
 		TLSClientConfig: &tls.Config{
-			RootCAs:            testdata.GetRootCA(),
+			RootCAs:            pool,
 			InsecureSkipVerify: *insecure,
 		},
 	}

internal/testdata/cert.go

@@ -3,7 +3,6 @@ package testdata
 import (
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/pem"
 	"io/ioutil"
 	"path"
 	"runtime"
@@ -36,22 +35,21 @@ func GetTLSConfig() *tls.Config {
 	}
 }
 
-// GetRootCA returns an x509.CertPool containing the CA certificate
+// AddRootCA adds the root CA certificate to a cert pool
-func GetRootCA() *x509.CertPool {
+func AddRootCA(certPool *x509.CertPool) {
 	caCertPath := path.Join(certPath, "ca.pem")
 	caCertRaw, err := ioutil.ReadFile(caCertPath)
 	if err != nil {
 		panic(err)
 	}
-	p, _ := pem.Decode(caCertRaw)
+	if ok := certPool.AppendCertsFromPEM(caCertRaw); !ok {
-	if p.Type != "CERTIFICATE" {
+		panic("Could not add root ceritificate to pool.")
-		panic("expected a certificate")
 	}
-	caCert, err := x509.ParseCertificate(p.Bytes)
-	if err != nil {
-		panic(err)
 }
-	certPool := x509.NewCertPool()
+
-	certPool.AddCert(caCert)
+// GetRootCA returns an x509.CertPool containing (only) the CA certificate
-	return certPool
+func GetRootCA() *x509.CertPool {
+	pool := x509.NewCertPool()
+	AddRootCA(pool)
+	return pool
 }