CA root certificate required even if not used

[crystalin]

When starting the offchain workers, the SharedClient will instantiate an https client.(https://github.com/paritytech/substrate/blob/master/client/offchain/src/api/http.rs#L54)
This client will panic if the platform doesn't have any CA root certificate.
I believe that those certificates are not strictly necessary for the node to work correctly.

Version: 0.9.11-a8ab8002f-x86_64-linux-gnu

   0: sp_panic_handler::set::{{closure}}
   1: std::panicking::rust_panic_with_hook
             at rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:626:17
   2: std::panicking::begin_panic::{{closure}}
   3: std::sys_common::backtrace::__rust_end_short_backtrace
   4: std::panicking::begin_panic
   5: hyper_rustls::connector::HttpsConnector<hyper::client::connect::http::HttpConnector>::with_native_roots
   6: sc_offchain::api::http::SharedClient::new
   7: sc_offchain::OffchainWorkers<Client,Block>::new
   8: sc_service::builder::build_offchain_workers
   9: polkadot_service::new_full
  10: polkadot_service::build_full
  11: <core::future::from_generator::GenFuture<T> as core::future::future::Future>::poll
  12: tokio::park::thread::CachedParkThread::block_on
  13: tokio::runtime::thread_pool::ThreadPool::block_on
  14: tokio::runtime::Runtime::block_on
  15: sc_cli::runner::Runner<C>::run_node_until_exit
  16: polkadot_cli::command::run
  17: polkadot::main
  18: std::sys_common::backtrace::__rust_begin_short_backtrace
  19: std::rt::lang_start::{{closure}}
  20: core::ops::function::impls::<impl core::ops::function::FnOnce<A> for &F>::call_once
             at rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/core/src/ops/function.rs:259:13
      std::panicking::try::do_call
             at rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:401:40
      std::panicking::try
             at rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:365:19
      std::panic::catch_unwind
             at rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panic.rs:434:14
      std::rt::lang_start_internal::{{closure}}
             at rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/rt.rs:45:48
      std::panicking::try::do_call
             at rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:401:40
      std::panicking::try
             at rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panicking.rs:365:19
      std::panic::catch_unwind
             at rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/panic.rs:434:14
      std::rt::lang_start_internal
             at rustc/c8dfcfe046a7680554bf4eb612bad840e7631c4b/library/std/src/rt.rs:45:20
  21: main
  22: __libc_start_main
  23: _start


Thread 'main' panicked at 'no CA certificates found', /usr/local/cargo/registry/src/github.com-1ecc6299db9ec823/hyper-rustls-0.22.1/src/connector.rs:45

This is a bug. Please report it at:

        https://github.com/paritytech/polkadot/issues/new

This is easily triggered by running polkadot inside a docker image FROM debian:buster-slim using --validator

[ggwpez]

I have the same problem with Docker in my CI.
A workaround is to install and run update-ca-certificates (for Debian based images).
@crystalin