diff --git a/web/service/node.go b/web/service/node.go
index 5aa6bffb..ab40f050 100644
--- a/web/service/node.go
+++ b/web/service/node.go
@@ -136,20 +136,10 @@ func (s *NodeService) FetchCertFingerprint(ctx context.Context, n *model.Node) (
 	if err != nil {
 		return "", err
 	}
-	var fingerprint string
 	client := &http.Client{
 		Transport: &http.Transport{
-			DialContext: netsafe.SSRFGuardedDialContext,
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-				VerifyConnection: func(cs tls.ConnectionState) error {
-					if len(cs.PeerCertificates) > 0 {
-						sum := sha256.Sum256(cs.PeerCertificates[0].Raw)
-						fingerprint = base64.StdEncoding.EncodeToString(sum[:])
-					}
-					return nil
-				},
-			},
+			DialContext:     netsafe.SSRFGuardedDialContext,
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // lgtm[go/disabled-certificate-check]
 		},
 	}
 	resp, err := client.Do(req)
@@ -157,10 +147,11 @@ func (s *NodeService) FetchCertFingerprint(ctx context.Context, n *model.Node) (
 		return "", err
 	}
 	defer resp.Body.Close()
-	if fingerprint == "" {
+	if resp.TLS == nil || len(resp.TLS.PeerCertificates) == 0 {
 		return "", common.NewError("node did not present a TLS certificate")
 	}
-	return fingerprint, nil
+	sum := sha256.Sum256(resp.TLS.PeerCertificates[0].Raw)
+	return base64.StdEncoding.EncodeToString(sum[:]), nil
 }
 
 func (s *NodeService) GetAll() ([]*model.Node, error) {