diff --git a/.gitignore b/.gitignore
index ee874ab..edc9a46 100644
--- a/.gitignore
+++ b/.gitignore
@@ -14,3 +14,4 @@
 # Dependency directories (remove the comment below to include it)
 # vendor/
+.DS_Store
diff --git a/README.md b/README.md
index aadf834..24a309e 100644
--- a/README.md
+++ b/README.md
@@ -130,3 +130,15 @@ Short 'numeric' version (v skipped, useful for docker image tags etc)
 % multicurl version
 1.10.1
 ```
+
+### https/tls in FROM scratch docker images
+
+You should always try to use `FROM scratch` Docker images when possible,
+it's one of the strength of go.
+
+Using this `fortio.org/cli` as a base makes it work for outcalls to internet valid TLS certs (e.g. https).
+It does this by defaulting to the bundle provided by `golang.org/x/crypto/x509roots/fallback` automatically.
+
+See https://github.com/fortio/multicurl for a good example.
+
+If you do not want this behavior, build using `-tag=no_tls_fallback`.
diff --git a/ca_bundle.go b/ca_bundle.go
new file mode 100644
index 0000000..7fa2aee
--- /dev/null
+++ b/ca_bundle.go
@@ -0,0 +1,14 @@
+// Fortio CLI/Main utilities.
+//
+// (c) 2024 Fortio Authors
+// See LICENSE
+
+//go:build !no_tls_fallback
+// +build !no_tls_fallback
+
+package cli // import "fortio.org/cli"
+
+// golang.org/x/crypto/x509roots/fallback blank import below is because this is a base for all our main package,
+// the CA bundle is needed for FROM scratch images to work with outcalls to internet valid TLS certs (https).
+// See https://github.com/fortio/multicurl/pull/146 for instance.
+import _ "golang.org/x/crypto/x509roots/fallback" // This is a base for main, see extended comment above.
diff --git a/go.mod b/go.mod
index ed73191..5505fa6 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.18
 require (
 fortio.org/log v1.12.2
 fortio.org/version v1.0.4
+ golang.org/x/crypto/x509roots/fallback v0.0.0-20240604170348-d4e7c9cb6cb8
 )
 require fortio.org/struct2env v0.4.0 // indirect
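Review bot: The comment above the blank import in ca_bundle.go says why the bundle is wanted but not what it does to trust decisions, which is what every consumer of this base package inherits by default. The imported package registers its embedded roots through x509.SetFallbackRoots, so they apply only when no system pool or platform verifier is available, and they are frozen at the module version pinned in go.mod: a CA distrusted later stays trusted in a FROM scratch binary until the dependency is bumped and the image rebuilt. I would add `// The embedded roots are used only when no system root pool is available and are only as fresh as the pinned module version; bump it and rebuild to pick up CA removals.` Separately, the README opt-out line spells the flag `-tag=no_tls_fallback`, while the go build flag is `-tags`, so it should read `-tags no_tls_fallback`.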
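Review bot: The `go 1.18` directive visible in the go.mod hunk header no longer matches what the default build needs, because x509.SetFallbackRoots, which the new dependency exists to call, was added in Go 1.20. With an older toolchain the blank import in ca_bundle.go will presumably either fail to build or leave the binary without the roots, so either raise the directive to `go 1.20` or tighten the constraint to `//go:build !no_tls_fallback && go1.20`. The pseudo-version `v0.0.0-20240604170348-d4e7c9cb6cb8` is also the snapshot date of the trust store shipped in every downstream binary, so this requirement is worth putting under automated dependency updates rather than bumping by hand.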
diff --git a/go.sum b/go.sum index 36e5cd8..34a05a5 100644 --- a/go.sum +++ b/go.sum @@ -4,3 +4,5 @@ fortio.org/struct2env v0.4.0 h1:k5alSOTf3YHiB3MuacjDHQ3YhVWvNZ95ZP/a6MqvyLo= fortio.org/struct2env v0.4.0/go.mod h1:lENUe70UwA1zDUCX+8AsO663QCFqYaprk5lnPhjD410= fortio.org/version v1.0.4 h1:FWUMpJ+hVTNc4RhvvOJzb0xesrlRmG/a+D6bjbQ4+5U= fortio.org/version v1.0.4/go.mod h1:2JQp9Ax+tm6QKiGuzR5nJY63kFeANcgrZ0osoQFDVm0= +golang.org/x/crypto/x509roots/fallback v0.0.0-20240604170348-d4e7c9cb6cb8 h1:+kWDWI3Eb5cPIOr4cP+R2RLDwK3/dXppL+7XmSOh2LA= +golang.org/x/crypto/x509roots/fallback v0.0.0-20240604170348-d4e7c9cb6cb8/go.mod h1:kNa9WdvYnzFwC79zRpLRMJbdEFlhyM5RPFBBZp/wWH8=