Use either the system root pool or an empty cert pool with custom CA roots,

and not a joint system+custom CA roots pool, when connecting from a docker
client to a remote daemon.

Signed-off-by: Ying Li <ying.li@docker.com>

cli/command/cli.go

@@ -243,8 +243,9 @@ func newHTTPClient(host string, tlsOptions *tlsconfig.Options) (*http.Client, er
 		// let the api client configure the default transport.
 		return nil, nil
 	}
-
-	config, err := tlsconfig.Client(*tlsOptions)
+	opts := *tlsOptions
+	opts.ExclusiveRootPools = true
+	config, err := tlsconfig.Client(opts)
 	if err != nil {
 		return nil, err
 	}