diff --git a/client/tls.go b/client/tls.go
index 469c7529..94a005d0 100644
--- a/client/tls.go
+++ b/client/tls.go
@@ -184,9 +184,10 @@ func TLSClient(opts TLSClientOptions) (*http.Client, error) {
 	return &http.Client{Transport: transport}, nil
 }
 
+// basePool returns pool if non-nil; otherwise it returns a new empty cert pool.
 func basePool(pool *x509.CertPool) *x509.CertPool {
 	if pool == nil {
 		return x509.NewCertPool()
 	}
-	return pool
+	return pool.Clone()
 }