Fallback to system CAs

No automated test for this case because it's complicated to get a
properly signed certificate in tests:

- the domain we use is sslip.io (not sure if letsencrypt would sign it)
- we need to use the letsencrypt production and that has quotas not
  suitable for CI

Signed-off-by: Dimitris Karakasilis <dimitris@karakasilis.me>

cmd/discovery/client/client.go

@@ -70,6 +70,7 @@ func (c *Client) generatePass(postEndpoint string, p *block.Partition) error {
 
 	opts := []tpm.Option{
 		tpm.WithCAs([]byte(c.Config.Kcrypt.Challenger.Certificate)),
+		tpm.AppendCustomCAToSystemCA,
 		tpm.WithAdditionalHeader("label", p.Label),
 		tpm.WithAdditionalHeader("name", p.Name),
 		tpm.WithAdditionalHeader("uuid", p.UUID),

cmd/discovery/client/enc.go

@@ -19,6 +19,7 @@ const DefaultNVIndex = "0x1500000"
 func getPass(server, certificate string, partition *block.Partition) (string, bool, error) {
 	msg, err := tpm.Get(server,
 		tpm.WithCAs([]byte(certificate)),
+		tpm.AppendCustomCAToSystemCA,
 		tpm.WithAdditionalHeader("label", partition.Label),
 		tpm.WithAdditionalHeader("name", partition.Name),
 		tpm.WithAdditionalHeader("uuid", partition.UUID))

tests/encryption_test.go

@@ -327,17 +327,6 @@ kcrypt:
 				Expect(out).To(MatchRegexp("could not encrypt partition.*x509: certificate signed by unknown authority"))
 			})
 		})
-
-		When("the certificate signed by a well known CA (system certs)", func() {
-			BeforeEach(func() {
-				Skip("No way to implement")
-			})
-			It("successfully talks to the server", func() {
-				// TODO: How do we get a properly signed cert? Maybe do that once,
-				// and put the cert is the assets directory?
-				// Is it possible to have a signed cert without a proper domain?
-			})
-		})
 	})
 })