diff --git a/.gitea/workflows/vault.yaml b/.gitea/workflows/vault.yaml
index c6030c9..927ba92 100644
--- a/.gitea/workflows/vault.yaml
+++ b/.gitea/workflows/vault.yaml
@@ -20,6 +20,7 @@ concurrency:
   id: vault-secrets
   with:
     url: https://vault.arcodange.lab
+    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
     jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
     role: gitea_cicd_webapp
     method: jwt
@@ -30,25 +31,42 @@ concurrency:
 jobs:
   gitea_vault_auth:
     name: Auth with gitea for vault
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-ca
     outputs:
       gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
     steps:
 
       - name: Auth with gitea for vault
         id: gitea_vault_jwt
+        env:
+          HOMELAB_CA_CERT: ${{ secrets.HOMELAB_CA_CERT }}
         run: |
+          set -x
+
+          echo <<EOT
+          $HOMELAB_CA_CERT
+          EOT
+
           echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
 
   tofu:
     name: Tofu - Vault
     needs:
       - gitea_vault_auth
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-ca
     env:
       OPENTOFU_VERSION: 1.8.2
       TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
     steps:
+      - name: commands
+        run: |
+          set -x
+
+          echo <<EOT
+          ${{ secrets.HOMELAB_CA_CERT }}
+          EOT
+
+          cat /usr/local/share/ca-certificates/root_ca.crt
       - *vault_step
       - uses: actions/checkout@v4
       - name: terraform apply