diff --git a/go.mod b/go.mod
index aae1ec6..bdd0b5c 100644
--- a/go.mod
+++ b/go.mod
@@ -50,7 +50,7 @@ require (
 	github.com/ziutek/mymysql v1.5.4 // indirect
 	gitlab.com/yawning/obfs4.git v0.0.0-20220102012252-cbf3f3cfa09c
 	gitlab.com/yawning/utls.git v0.0.12-1
-	golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce // indirect
+	golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce
 	golang.org/x/net v0.0.0-20220114011407-0dd24b26b47d
 	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9
 	golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 // indirect
diff --git a/internal/engine/experiment/ndt7/dial.go b/internal/engine/experiment/ndt7/dial.go
index 520c2a8..5c2a7c7 100644
--- a/internal/engine/experiment/ndt7/dial.go
+++ b/internal/engine/experiment/ndt7/dial.go
@@ -17,7 +17,6 @@ type dialManager struct {
 	logger model.Logger
 	proxyURL *url.URL
 	readBufferSize int
-	tlsConfig *tls.Config
 	userAgent string
 	writeBufferSize int
 }
@@ -43,10 +42,15 @@ func (mgr dialManager) dialWithTestName(ctx context.Context, testName string) (*
 		Logger: mgr.logger,
 		ProxyURL: mgr.proxyURL,
 	}, reso)
+	// We force using our bundled CA pool, which should fix
+	// https://github.com/ooni/probe/issues/2031
+	tlsConfig := &tls.Config{
+		RootCAs: netxlite.NewDefaultCertPool(),
+	}
 	dialer := websocket.Dialer{
 		NetDialContext: dlr.DialContext,
 		ReadBufferSize: mgr.readBufferSize,
-		TLSClientConfig: mgr.tlsConfig,
+		TLSClientConfig: tlsConfig,
 		WriteBufferSize: mgr.writeBufferSize,
 	}
 	headers := http.Header{}
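Review bot: The new `tlsConfig` literal in dialWithTestName pins the trust anchors to the bundled pool but leaves `MinVersion` unset, so the floor falls back to whatever the building toolchain defaults to (TLS 1.0 for clients on toolchains older than Go 1.18); adding `MinVersion: tls.VersionTLS12,` beside `RootCAs` makes the dialer's protocol floor independent of the toolchain. Since the removed `tlsConfig` field was the only seam through which a caller could supply a different root pool, the comment above the literal should also state the consequence, e.g. `// Note: the bundled pool is now the sole trust anchor here; system roots and caller-supplied roots are no longer consulted.` The pool is rebuilt on every dial by `netxlite.NewDefaultCertPool()`; if that helper does not cache internally, a package-level `var` would avoid reparsing the bundle per connection. dialWithTestName's body continues past the end of the hunk.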