diff --git a/.gitea/workflows/iac.yaml b/.gitea/workflows/iac.yaml
index 427c265..89aa083 100644
--- a/.gitea/workflows/iac.yaml
+++ b/.gitea/workflows/iac.yaml
@@ -23,6 +23,7 @@ concurrency:
 id: vault-secrets
 with:
 url: https://vault.arcodange.lab
+ caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
 jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
 role: gitea_cicd
 method: jwt
@@ -53,6 +54,7 @@ jobs:
 env:
 OPENTOFU_VERSION: 1.8.2
 TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+ VAULT_CACERT: /usr/local/share/ca-certificates/root_ca.crt
 steps:
 - *vault_step
 - uses: actions/checkout@v4
diff --git a/.gitea/workflows/postgres.yaml b/.gitea/workflows/postgres.yaml
index 12ef565..1d6c18f 100644
--- a/.gitea/workflows/postgres.yaml
+++ b/.gitea/workflows/postgres.yaml
@@ -21,6 +21,7 @@ concurrency:
 id: vault-secrets
 with:
 url: https://vault.arcodange.lab
+ caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
 jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
 role: gitea_cicd
 method: jwt
@@ -50,9 +51,15 @@ jobs:
 env:
 OPENTOFU_VERSION: 1.8.2
 TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+ VAULT_CACERT: /workspace/arcodange-org/factory/postgres/iac/homelab.pem
 steps:
 - *vault_step
 - uses: actions/checkout@v4
+ - name: check cert
+ run: |
+ cp /usr/local/share/ca-certificates/root_ca.crt $VAULT_CACERT
+ realpath $VAULT_CACERT
+ chmod 777 $VAULT_CACERT
 - name: terraform apply
 uses: dflook/terraform-apply@v1
 with:
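Review bot: The `caCertificate` input added here and the `VAULT_CACERT` env var added in the second hunk both supply the homelab root CA, but from two unrelated sources — the `HOMELAB_CA_CERT` secret here, a file under `/usr/local/share/ca-certificates` there — and nothing in either workflow ties them together, so the Vault action and the Terraform Vault provider can silently end up trusting different roots. A comment above the new line would make the coupling visible: `# homelab root CA; keep identical to the file exported via VAULT_CACERT below`. The identical hunk in postgres.yaml has the same gap. This `with:` block belongs to the `vault-secrets` step, whose start (and, judging by the later `*vault_step` alias, its anchor) lies outside the hunk.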
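Review bot: `VAULT_CACERT` is set to a path on the runner host (`/usr/local/share/ca-certificates/root_ca.crt`), yet the value is consumed by the Terraform Vault provider inside the `dflook/terraform-apply@v1` step, which runs in its own container; whether that host path is mounted there is not visible in this hunk, and the copy-into-workspace step the same commit adds to postgres.yaml suggests it was not. If so, this job will fail TLS verification against `https://vault.arcodange.lab` while postgres.yaml succeeds. Either reuse the same export step here or record the assumption next to the variable: `# must be readable inside the terraform-apply container (runner mounts /usr/local/share/ca-certificates)`. The `env:` map and the job that owns it begin outside the hunk.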
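Review bot: `chmod 777 $VAULT_CACERT` leaves the CA trust anchor world-writable, so any other process on the runner or any later step can overwrite it and the Vault provider will then accept whatever certificate chains to the substituted root when it talks to `https://vault.arcodange.lab`. The provider only needs read access, so the three `run` lines collapse to `install -m 0644 /usr/local/share/ca-certificates/root_ca.crt "$VAULT_CACERT"` (quoting also guards against whitespace in the path); `realpath` merely echoes the path and can go, and `name: check cert` misdescribes a step that exports rather than checks — `name: export homelab CA for the Vault provider` says what it does. The hard-coded `/workspace/arcodange-org/factory/postgres/iac/homelab.pem` additionally bakes this runner's checkout layout into the workflow; if Gitea Actions exposes the checkout directory through a context such as `github.workspace`, deriving the path from it would survive a runner change. The `steps:` list continues past the end of the hunk.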