diff --git a/.gitea/workflows/vault.yaml b/.gitea/workflows/vault.yaml
index c6030c9..c3b9629 100644
--- a/.gitea/workflows/vault.yaml
+++ b/.gitea/workflows/vault.yaml
@@ -20,6 +20,7 @@ concurrency:
 id: vault-secrets
 with:
 url: https://vault.arcodange.lab
+ caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
 jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
 role: gitea_cicd_webapp
 method: jwt
@@ -30,7 +31,7 @@ concurrency:
 jobs:
 gitea_vault_auth:
 name: Auth with gitea for vault
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-ca
 outputs:
 gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
 steps:
@@ -38,17 +39,22 @@ jobs:
 - name: Auth with gitea for vault
 id: gitea_vault_jwt
 run: |
+ git clone 'https://gitea.arcodange.lab/arcodange-org/vault-action.git' || echo 'oups'
 echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
+ git clone 'https://gitea.arcodange.lab/arcodange-org/vault-action.git'
 tofu:
 name: Tofu - Vault
 needs:
 - gitea_vault_auth
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-ca
 env:
 OPENTOFU_VERSION: 1.8.2
 TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
 steps:
+ - run: |
+ curl https://ssl-ca.arcodange.lab:8443/roots.pem -ks > /usr/local/share/ca-certificates/arcodange-root.crt && update-ca-certificates 2>/dev/null >/dev/null
+ export VAULT_CACERT=/usr/local/share/ca-certificates/arcodange-root.crt
 - *vault_step
 - uses: actions/checkout@v4
 - name: terraform apply
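Review bot: The new `caCertificate` input in the vault step needs its encoding confirmed: in upstream hashicorp/vault-action that input takes the base64-encoded PEM, not the raw PEM, so if this fork keeps upstream's contract `HOMELAB_CA_CERT` must be stored base64-encoded or the TLS handshake to `https://vault.arcodange.lab` fails with an opaque trust error. A CA certificate is public trust material rather than a secret; keeping it under `secrets` works but masks it in logs, which makes such trust failures harder to diagnose, so a repository variable is the better home where the Gitea version provides one. The step definition this `with:` block belongs to starts outside the hunk.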
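Review bot: The `export VAULT_CACERT=...` line in the new first step of the tofu job never reaches the `*vault_step` and terraform steps that follow, because each `run:` step is its own shell; it has to go through the environment file instead, `echo "VAULT_CACERT=/usr/local/share/ca-certificates/arcodange-root.crt" >> "$GITHUB_ENV"`. The root CA on the line above is fetched with `curl -ks`, i.e. with TLS verification disabled and without `--fail`, so whatever the network returns — an interposed certificate or an HTTP error body — is written into the system trust store and inherited by every later step; the same CA is already available as `secrets.HOMELAB_CA_CERT` in the first hunk, so writing that secret (decoded if it is stored base64) to the `.crt` path and running `update-ca-certificates` without `2>/dev/null` would remove the unverified fetch, or at minimum add `--fail` so an error page cannot become a trusted root. In the gitea_vault_auth job the two `git clone` lines of the same repository read like leftover connectivity probes: whenever the first succeeds the second fails on the existing destination path, which aborts the step under act's default `bash -e`, so they should be removed or collapsed into one explicit check whose clone directory is discarded. The tofu job's step list continues past the hunk.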