checkURL needs suitable CA root cert in the right location
The HTTP HEAD request done by checkURL() currently relies on the environment providing a suitable CA root cert for Go. So currently the check fails in the typical setup of the demo, which doesn't provide anything Go can find: https://git.glasklar.is/system-transparency/core/system-transparency/-/blob/main/tasks/demo.yml?ref_type=heads#L84
stboot itself of course deals with this properly, by itself reading isrgrootx1.pem in an expected location (hm, but now I wonder -- sidetracked -- is the use of this precise CA root hardcoded in the spec?), and then providing it to the Go http client. Should stprov do the same, in order for this check to be as real as possible?
Go looks here: https://go.dev/src/crypto/x509/root_linux.go -- so this can be solved by adding something like this when building your stprov.cpio using u-root: -files cache/isrgrootx1.pem:etc/ssl/certs/ca-certificates.crt
Maybe related to: #30 (closed)