diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
index 377492d..19cc4b9 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf
@@ -19,7 +19,7 @@ variable "admin_email" {
 }
 variable "gitea_app" {
   type = object({
-    url = optional(string, "https://gitea.arcodange.lab/")
+    url = optional(string, "https://gitea.arcodange.lab")
     id = string
     secret = string
     description = optional(string, "Arcodange Gitea Auth")
@@ -66,7 +66,7 @@ resource "vault_jwt_auth_backend" "gitea" {
   oidc_discovery_ca_pem = file(var.ca_pem)
   oidc_client_id = var.gitea_app.id
   oidc_client_secret = var.gitea_app.secret
-  bound_issuer = var.gitea_app.url
+  bound_issuer = trimsuffix(var.gitea_app.url, "/")
   tune {
     allowed_response_headers = []
@@ -103,7 +103,7 @@ resource "vault_jwt_auth_backend" "gitea_jwt" {
   type = "jwt"
   oidc_discovery_url = var.gitea_app.url
   oidc_discovery_ca_pem = file(var.ca_pem)
-  bound_issuer = var.gitea_app.url
+  bound_issuer = trimsuffix(var.gitea_app.url, "/")
   tune {
     allowed_response_headers = []
@@ -167,7 +167,7 @@ resource "vault_kv_secret" "google_credentials" {
   path = "${vault_mount.kvv1.path}/google/credentials"
   data_json = jsonencode(
     {
-      credentials = file("~/.config/gcloud/application_default_credentials.json")
+      credentials = file("/root/.config/gcloud/application_default_credentials.json")
     }
   )
 }
diff --git a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
index 9070124..0622b9c 100644
--- a/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
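Review bot: The `gitea_app.url` default now drops the trailing slash, but nothing constrains the value a caller passes, and the same field is handed unmodified to `oidc_discovery_url` in the `gitea_jwt` backend, so a non-https or otherwise malformed URL reaches the provider unchecked. A `validation` block on the variable, e.g. `condition = can(regex("^https://", var.gitea_app.url))` with a matching `error_message`, would reject that at plan time. The object also carries `secret = string`; if the variable is not already marked `sensitive = true`, it should be, so the client secret is redacted from plan output. The `variable "gitea_app"` block continues past the end of this hunk.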
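Review bot: `trimsuffix(var.gitea_app.url, "/")` is now written twice, here and for the `gitea_jwt` backend in the next hunk, while `oidc_discovery_url` in that hunk still uses the untrimmed value. Hoisting the normalized value into a local, `locals { gitea_issuer = trimsuffix(var.gitea_app.url, "/") }`, and using `local.gitea_issuer` for both `bound_issuer` attributes keeps the two backends from drifting apart. Because `bound_issuer` has to match the token's `iss` claim exactly, a short comment stating that Gitea is expected to emit its issuer without a trailing slash (the assumption the trim encodes) would save the next reader a debugging round. Both `resource` blocks extend beyond their hunks.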
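Review bot: Hardcoding `/root/.config/gcloud/...` ties this resource to tofu running as root; the previous `~/` form failed because `file()` does not expand a tilde, which `pathexpand` does, so `credentials = file(pathexpand("~/.config/gcloud/application_default_credentials.json"))` would work for whichever user runs the apply, or the path could become a variable alongside `ca_pem`. Note also that the ADC file contents, which for user credentials typically include a long-lived refresh token, end up in the tofu state as well as in Vault, so the state backend needs the same protection as the KV mount. The `resource` block ends inside this hunk.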
+++ b/ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml
@@ -24,6 +24,31 @@
     volume_name: tofu-{{ ansible_date_time.iso8601.replace(':','-') }}
+- name: Check SSL certificate for Gitea
+  shell: >-
+    openssl s_client -connect gitea.arcodange.lab:443 -CAfile /etc/ssl/certs/arcodange-root.pem -servername gitea.arcodange.lab < /dev/null 2>&1 | grep -E "Verify return code:|subject=|issuer="
+  register: ssl_check
+  ignore_errors: true
+
+- name: Debug SSL certificate check
+  debug:
+    var: ssl_check.stdout_lines
+
+
+- name: Delete existing Gitea OIDC backends if they exist
+  include_tasks: vault_cmd.yml
+  vars:
+    vault_cmd: vault auth disable {{ backend_name }}
+    vault_cmd_can_fail: true
+    vault_cmd_json_attr: ''
+    vault_cmd_output_var: false
+  loop:
+    - gitea
+    - gitea_jwt
+  loop_control:
+    loop_var: backend_name
+
 - name: use tofu to provision vault
   block:
     - shell: docker volume create {{ volume_name }}
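Review bot: The certificate check never gates anything: `ignore_errors: true` plus a debug-only consumer means a failed chain verification is printed and the play still proceeds to disable and recreate the auth backends. If the check is meant as a precondition, drop `ignore_errors` and add `failed_when: "'Verify return code: 0 (ok)' not in ssl_check.stdout"`; if it is purely diagnostic, a `# diagnostic only, does not gate provisioning` comment on the task would make that explicit. The host is also hardcoded as `gitea.arcodange.lab` while the tf side derives it from `var.gitea_app.url`, so the two can silently diverge. Separately, `vault auth disable` revokes every token issued through those mounts, which is worth stating in the task name or a comment since it runs on every play. The `use tofu to provision vault` block continues past the end of the hunk.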