Add webpki roots for reqwest clients. (fixes #296)

src/main/Cargo.toml

@@ -233,6 +233,7 @@ tracing-opentelemetry.optional = true
 tracing-opentelemetry.workspace = true
 tracing-subscriber.workspace = true
 tracing.workspace = true
+webpki-root-certs.workspace = true
 
 [dev-dependencies]
 criterion.workspace = true

src/service/Cargo.toml

@@ -120,6 +120,7 @@ tracing.workspace = true
 url.workspace = true
 webpage.workspace = true
 webpage.optional = true
+webpki-root-certs.workspace = true
 blurhash.workspace = true
 blurhash.optional = true
 tuwunel-core.workspace = true

src/service/client/mod.rs

@@ -4,7 +4,7 @@ use std::{
 };
 
 use ipaddress::IPAddress;
-use reqwest::{dns::Resolve, redirect};
+use reqwest::{Certificate, dns::Resolve, redirect};
 use tuwunel_core::{Config, Result, either::Either, err, implement, trace};
 
 use crate::{service, services::OnceServices};
@@ -141,6 +141,13 @@ fn base(config: &Config) -> Result<reqwest::ClientBuilder> {
 		.user_agent(tuwunel_core::version::user_agent())
 		.redirect(redirect::Policy::limited(6))
 		.danger_accept_invalid_certs(config.allow_invalid_tls_certificates)
+		.tls_certs_merge(
+			webpki_root_certs::TLS_SERVER_ROOT_CERTS
+				.iter()
+				.map(|der| {
+					Certificate::from_der(der).expect("certificate must be valid der encoding")
+				}),
+		)
 		.connection_verbose(cfg!(debug_assertions));
 
 	#[cfg(feature = "gzip_compression")]