From d88c7ebde3d9682570cb9d50016c078d8f084b50 Mon Sep 17 00:00:00 2001
From: Chris Kim
Date: Fri, 19 Jul 2024 21:34:21 +0000
Subject: [PATCH] set transport to nil if there was an error connecting to the server with the file-based root ca
Signed-off-by: Chris Kim
---
 cmd/agent/main.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/cmd/agent/main.go b/cmd/agent/main.go
index eab18d87047..2a5606bcc3f 100644
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@@ -221,9 +221,13 @@ func run(ctx context.Context) error {
 Timeout: time.Second * 5,
 Transport: transport,
 }
- if _, err = httpClient.Get(server); err != nil && cluster.CAStrictVerify() {
- logrus.Errorf("Could not securely connect to %s: %v", server, err)
- os.Exit(1)
+ if _, err = httpClient.Get(server); err != nil {
+ if cluster.CAStrictVerify() {
+ logrus.Errorf("Could not securely connect to %s: %v", server, err)
+ os.Exit(1)
+ }
+ // onConnect will use the transport later on, so discard it as it doesn't work and fallback to the system store.
+ transport = nil
 } else {
 topContext = context.WithValue(topContext, cavalidator.CacertsValid, true)
 systemStoreConnectionCheckRequired = false
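Review bot: The non-strict path added here drops the file-based CA transport on any error from `httpClient.Get(server)`, not only on a certificate verification failure, and does so without logging. A timeout inside the 5-second client limit or a DNS failure would therefore silently move the connections that onConnect makes later from the configured root CA to the system store, which is a wider trust anchor and hard to notice afterwards. I would add `logrus.Warnf("Could not connect to %s using the configured CA, falling back to the system store: %v", server, err)` just before `transport = nil`, and consider falling back only when the error is an x509 verification error. The response from `Get` is still discarded with `_`, so on success its body is never closed. `run` continues outside the hunk, so whether a later system-store check covers this path cannot be confirmed from here.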