When an update is started using mender -rootfs, only the system certificate storage will be used to verify the server certificate. The file specified for the ServerCertificate-configuration in /etc/mender/mender.conf (usually /etc/mender/server.crt) is never loaded when Mender is run this way.
To me, this was unexpected behaviour, as the documentation says that if you want to use self-signed certificates, you have to put your certificate in server.crt, which is what I did, and I still got an error saying that the certificate was signed by an unknown authority.
When mender is run with -rootfs AND -trusted-certs, the certificates from the file specified in the trusted-certs-argument are loaded, so this serves as a workaround.
I expected mender -rootfs to use the configured ServerCertificate file as the default, and have the -trusted-certs argument work as an override.
I'm not sure if this is the proper fix, but I wonder if what is done on the following lines should be done for the ServerCert-option as well: https://github.com/mendersoftware/mender/blob/1.6.0/main.go#L430-L432
I see Mirza briefly came across this issue in September (https://groups.google.com/a/lists.mender.io/d/msg/mender/qIZFokSnIKc/h46nB3KHAwAJ), but I couldn't find any other traces of this issue, so I created this issue here.