diff --git a/tlsconfig/certpool_go17.go b/tlsconfig/certpool_go17.go
index c086a2d6b..1d5fa4c76 100644
--- a/tlsconfig/certpool_go17.go
+++ b/tlsconfig/certpool_go17.go
@@ -1,4 +1,4 @@
-// +build go1.7,!go1.8
+// +build go1.7
 package tlsconfig
diff --git a/tlsconfig/certpool_go18.go b/tlsconfig/certpool_go18.go
deleted file mode 100644
index 6a52f1c7c..000000000
--- a/tlsconfig/certpool_go18.go
+++ /dev/null
@@ -1,10 +0,0 @@
-// +build go1.8
-
-package tlsconfig
-
-import "crypto/x509"
-
-// SystemCertPool returns the system cert pool
-func SystemCertPool() (*x509.CertPool, error) {
- return x509.SystemCertPool()
-}
diff --git a/tlsconfig/config.go b/tlsconfig/config.go
index 8bbffcfd3..44733ff50 100644
--- a/tlsconfig/config.go
+++ b/tlsconfig/config.go
@@ -118,7 +118,7 @@ func Server(options Options) (*tls.Config, error) {
 return nil, fmt.Errorf("Error reading X509 key pair (cert: %q, key: %q): %v. Make sure the key is not encrypted.", options.CertFile, options.KeyFile, err)
 }
 tlsConfig.Certificates = []tls.Certificate{tlsCert}
- if options.ClientAuth >= tls.VerifyClientCertIfGiven {
+ if options.ClientAuth >= tls.VerifyClientCertIfGiven && options.CAFile != "" {
 CAs, err := certPool(options.CAFile)
 if err != nil {
 return nil, err
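Review bot: In the config.go hunk, the added `options.CAFile != ""` condition lets a server with `ClientAuth >= tls.VerifyClientCertIfGiven` and no CA file start without error. The branch body runs past the hunk, but if it is where `tlsConfig.ClientCAs` gets set, that field now stays nil and crypto/tls verifies client certificates against the host's system roots. For mutual TLS that widens the trust anchor from one private CA to every CA the host trusts, and an omitted CAFile no longer surfaces as a configuration error. I would either keep failing closed when verification is requested without a CA file, or make the fallback explicit with a comment such as `// No CAFile: ClientCAs stays nil, so client certs are verified against the system root pool.` plus a test for the empty-CAFile case. Server's body starts and ends outside the hunk.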