fix: remove windows cert pool support

internal/http/http.go

@@ -10,6 +10,7 @@ import (
 	"io"
 	h "net/http"
 	"os"
+	"runtime"
 	"strings"
 
 	"github.com/apex/log"
@@ -243,9 +244,14 @@ func getHTTPClient(put *config.Put) (*h.Client, error) {
 	if put.TrustedCerts == "" {
 		return h.DefaultClient, nil
 	}
-	pool, err := loadSystemRoots()
+	pool, err := x509.SystemCertPool()
 	if err != nil {
-		return nil, err
+		if runtime.GOOS == "windows" {
+			// on windows ignore errors until golang issues #16736 & #18609 get fixed
+			pool = x509.NewCertPool()
+		} else {
+			return nil, err
+		}
 	}
 	pool.AppendCertsFromPEM([]byte(put.TrustedCerts)) // already validated certs checked by CheckConfig
 	return &h.Client{

internal/http/system.go

@@ -1,11 +0,0 @@
-// +build !windows
-
-package http
-
-import (
-	"crypto/x509"
-)
-
-func loadSystemRoots() (*x509.CertPool, error) {
-	return x509.SystemCertPool()
-}

internal/http/system_win.go

@@ -1,42 +0,0 @@
-// +build windows
-
-package http
-
-import (
-	"crypto/x509"
-	"syscall"
-	"unsafe"
-)
-
-func loadSystemRoots() (*x509.CertPool, error) {
-	const CRYPT_E_NOT_FOUND = 0x80092004
-	store, err := syscall.CertOpenSystemStore(0, syscall.StringToUTF16Ptr("ROOT"))
-	if err != nil {
-		return nil, err
-	}
-	defer syscall.CertCloseStore(store, 0)
-	roots := x509.NewCertPool()
-	var cert *syscall.CertContext
-	for {
-		cert, err = syscall.CertEnumCertificatesInStore(store, cert)
-		if err != nil {
-			if errno, ok := err.(syscall.Errno); ok {
-				if errno == CRYPT_E_NOT_FOUND {
-					break
-				}
-			}
-			return nil, err
-		}
-		if cert == nil {
-			break
-		}
-		// Copy the buf, since ParseCertificate does not create its own copy.
-		buf := (*[1 << 20]byte)(unsafe.Pointer(cert.EncodedCert))[:]
-		buf2 := make([]byte, cert.Length)
-		copy(buf2, buf)
-		if c, err := x509.ParseCertificate(buf2); err == nil {
-			roots.AddCert(c)
-		}
-	}
-	return roots, nil
-}