diff --git a/docker/README.md b/docker/README.md index 7f2aa84..25f5b86 100644 --- a/docker/README.md +++ b/docker/README.md @@ -19,7 +19,7 @@ See [`docker-compose.yml`](./docker-compose.yml) for the detailed configuration. ## Custom CAs for upstream TLS connections -To add a custom certificate, you must use a non-`slim` non-`webpki` image. Then mount `/usr/local/share/ca-certificates` in the container with your desired CAs each in a file like `myca.crt`. The certificates are accepted in PEM format but file extension must be `crt`. +To add a custom certificate, you must use a non-`webpki` image. Then mount `/usr/local/share/ca-certificates` in the container with your desired CAs each in a file like `myca.crt`. The certificates are accepted in PEM format but file extension must be `crt`. e.g. `-v rpxy/ca-certificates:/usr/local/share/ca-certificates` diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 220ff67..d7fee43 100644 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh @@ -62,8 +62,6 @@ EOF ####################################### function setup_ubuntu () { - update-ca-certificates - id ${USER} > /dev/null # Check the existence of the user, if not exist, create it. if [ $? -eq 1 ]; then @@ -131,6 +129,9 @@ else exit 1 fi +# Add user CAs to OS trusted CA store (does not affect webpki) +update-ca-certificates + # Check the given user and its uid:gid if [ $(id -u ${USER}) -ne ${USER_ID} -a $(id -g ${USER}) -ne ${GROUP_ID} ]; then echo "${USER} exists or was previously created. However, its uid and gid are inconsistent. Please recreate your container."
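Review bot: The new top-level `update-ca-certificates` call in `docker/entrypoint.sh` has no status check, so if it fails (unreadable mount, a malformed `.crt`, or the tool missing from an image variant) the container appears to carry on with a trust store that lacks the operator's CAs, and the only symptom is upstream TLS errors later. This line now sets the trusted roots for every non-`webpki` image, so I would fail fast and say why: `update-ca-certificates || { echo "update-ca-certificates failed; custom CAs were not installed" >&2; exit 1; }`. Whether `set -e` is active is not visible in this hunk, so confirm that before relying on it. Every `.crt` in `/usr/local/share/ca-certificates` becomes a trusted root at container start, so the README example could also recommend mounting that directory read-only (`:ro`). The `if`/`else` that ends just above the added lines and the uid/gid check that follows both extend outside the hunk.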