diff --git a/lib/srv/discovery/discovery.go b/lib/srv/discovery/discovery.go
index b7eee12478aca..e8113c8caeee2 100644
--- a/lib/srv/discovery/discovery.go
+++ b/lib/srv/discovery/discovery.go
@@ -230,7 +230,7 @@ kubernetes matchers are present.`)
 c.LegacyLogger = logrus.New()
 }
 if c.protocolChecker == nil {
- c.protocolChecker = fetchers.NewProtoChecker(false)
+ c.protocolChecker = fetchers.NewProtoChecker()
 }
 if c.PollInterval == 0 {
diff --git a/lib/srv/discovery/fetchers/kube_services.go b/lib/srv/discovery/fetchers/kube_services.go
index f6afe625d8c00..ea86a86076bff 100644
--- a/lib/srv/discovery/fetchers/kube_services.go
+++ b/lib/srv/discovery/fetchers/kube_services.go
@@ -20,7 +20,6 @@ package fetchers
 import (
 "context"
- "crypto/tls"
 "errors"
 "fmt"
 "net/http"
@@ -72,7 +71,7 @@ func (k *KubeAppsFetcherConfig) CheckAndSetDefaults() error {
 return trace.BadParameter("missing parameter ClusterName")
 }
 if k.ProtocolChecker == nil {
- k.ProtocolChecker = NewProtoChecker(false)
+ k.ProtocolChecker = NewProtoChecker()
 }
 return nil
@@ -313,8 +312,7 @@ func getServicePorts(s v1.Service) ([]v1.ServicePort, error) {
 }
 type ProtoChecker struct {
- InsecureSkipVerify bool
- client *http.Client
+ client *http.Client
 // cacheKubernetesServiceProtocol maps a Kubernetes Service Namespace/Name to a tuple containing the Service's ResourceVersion and the Protocol.
 // When the Kubernetes Service ResourceVersion changes, then we assume the protocol might've changed as well, so the cache is invalidated.
@@ -333,18 +331,12 @@ type kubernetesNameNamespace struct {
 name string
 }
-func NewProtoChecker(insecureSkipVerify bool) *ProtoChecker {
+func NewProtoChecker() *ProtoChecker {
 p := &ProtoChecker{
- InsecureSkipVerify: insecureSkipVerify,
 client: &http.Client{
 // This is a best-effort scenario, where teleport tries to guess which protocol is being used.
 // Ideally it should either be inferred by the Service's ports or explicitly configured by using annotations on the service.
 Timeout: 500 * time.Millisecond,
- Transport: &http.Transport{
- TLSClientConfig: &tls.Config{
- InsecureSkipVerify: insecureSkipVerify,
- },
- },
 },
 cacheKubernetesServiceProtocol: make(map[kubernetesNameNamespace]appResourceVersionProtocol),
 }
diff --git a/lib/srv/discovery/fetchers/kube_services_test.go b/lib/srv/discovery/fetchers/kube_services_test.go
index ea32105c86334..4502c0ab0b6ff 100644
--- a/lib/srv/discovery/fetchers/kube_services_test.go
+++ b/lib/srv/discovery/fetchers/kube_services_test.go
@@ -20,6 +20,7 @@ package fetchers
 import (
 "context"
+ "crypto/tls"
 "fmt"
 "net"
 "net/http"
@@ -30,6 +31,7 @@ import (
 "strings"
 "sync/atomic"
 "testing"
+ "time"
 "github.com/google/go-cmp/cmp"
 "github.com/stretchr/testify/require"
@@ -458,7 +460,14 @@ func TestGetServicePorts(t *testing.T) {
 func TestProtoChecker_CheckProtocol(t *testing.T) {
 t.Parallel()
- checker := NewProtoChecker(true)
+ checker := NewProtoChecker()
+ // Increasing client Timeout because CI/CD fails with a lower value.
+ checker.client.Timeout = 5 * time.Second
+
+ // Allow connections to HTTPS server created below.
+ checker.client.Transport = &http.Transport{TLSClientConfig: &tls.Config{
+ InsecureSkipVerify: true,
+ }}
 totalNetworkHits := &atomic.Int32{}
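Review bot: NewProtoChecker is exported but still carries no doc comment, and the behaviour this hunk settles on — no custom Transport, so the client falls back to http.DefaultTransport and server certificates are verified — is stated nowhere in the code. Suggest `// NewProtoChecker returns a ProtoChecker whose http.Client uses the default transport (certificate verification enabled) and a 500ms request timeout; protocol detection is best-effort.` above the signature. Since the InsecureSkipVerify path is gone, a Service that presents a self-signed certificate now fails verification inside the probe, so the error branch of CheckProtocol (not in this hunk) decides what gets cached for it; worth confirming that classification is the intended one. NewProtoChecker continues past the closing brace of the struct literal, outside the hunk.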
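Review bot: The test now disables verification through an explicit Transport on `checker.client`, so nothing exercises the default this commit introduces — a checker straight from NewProtoChecker() talking to the test's TLS server. A second case that leaves the transport untouched and asserts what CheckProtocol returns for a Service whose certificate cannot be verified would pin that behaviour and catch a change that quietly reintroduces InsecureSkipVerify in the constructor. The Timeout override comment could also name the default it replaces, e.g. `// Raise the constructor's 500ms Timeout; CI/CD fails with the lower value.`. TestProtoChecker_CheckProtocol continues outside the hunk.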