
Add option to have LEGO_CA_CERTIFICATES add to the local cert pool instead of replacing it #1490

Closed
1 task done
dfyx opened this issue Sep 14, 2021 · 1 comment · Fixed by #1565

Comments

@dfyx
dfyx commented Sep 14, 2021

Welcome

  • Yes, I've searched similar issues on GitHub and didn't find any.

How do you use lego?

Through Traefik

Detailed Description

As described in https://community.traefik.io/t/lets-encrypt-x509-certificate-signed-by-unknown-authority/11112 I had been wondering for two months why Traefik refused to talk to the default Let's Encrypt servers while curl and even a custom go test program had no problems. Eventually I noticed that I had set LEGO_CA_CERTIFICATES to my local CA's root cert, assuming this would allow the cert in addition to the default certs. In reality, this fully replaces the default cert pool.

I could imagine the following solutions:

  • Have LEGO_CA_CERTIFICATES add to the default pool by default
  • Add a new environment variable LEGO_ADDITIONAL_CA_CERTIFICATES that adds to the default pool
  • Allow multiple file names like LEGO_CA_CERTIFICATES=/etc/traefik/acme.crt,/etc/ssl/certs/ca-certificates.crt
@schieberegister
It'd be super awesome to have this feature. For now I always have to rebuild Traefik because we use Let's Encrypt and our own CA.
