获取连接的根CA证书

As the comment in the code says PeerCertificates only includes certificates returned by the server. VerifiedChains should contain the chain up to a trusted certificate in your local certificate store (assuming that verification passed ok).

E.g. here is a simple sample code snippet:

client := &http.Client{}

resp, err := client.Get("https://www.microsoft.com")
if err != nil {
    panic(err)
}

for _, cert := range resp.TLS.PeerCertificates {
    fmt.Printf("Peer certificate \"%v\", ISSUED BY \"%v\"
", cert.Subject.CommonName, cert.Issuer.CommonName)
}
for i, chain := range resp.TLS.VerifiedChains {
    for _, cert := range chain {
        fmt.Printf("Verified Chain %v Certificate \"%v\", ISSUED BY \"%v\"
", i, cert.Subject.CommonName, cert.Issuer.CommonName)
    }
}

And it prints following output:

Peer certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4"
Peer certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
Verified Chain 0 Certificate "www.microsoft.com", ISSUED BY "Symantec Class 3 Secure Server CA - G4"
Verified Chain 0 Certificate "Symantec Class 3 Secure Server CA - G4", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"
Verified Chain 0 Certificate "VeriSign Class 3 Public Primary Certification Authority - G5", ISSUED BY "VeriSign Class 3 Public Primary Certification Authority - G5"

Now, note that microsoft certificate is signed by Symantec and microsoft server returns both certificates - its own and Symantec certificate used to sign it. You can see both certificates listed in both Peer certificates and Verified chain. But Symantec's certificate isn't commonly present in trust store, but it is signed by VeriSign certificate which is a root certificate that was found in my computer's trust store. And Verified Chain includes this trusted certificate.