diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index 220c00b..5298be1 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -80,29 +80,44 @@ jobs:
 EOF
- - name: Trust Nexus mirror CA
- # The mirror's cert chains to ISRG Root YR (new LE ECDSA root, 2025).
- # This root is NOT in the .NET SDK image's trust store, causing PartialChain.
- # Fix: fetch ISRG Root YR via its HTTP AIA URL (plain HTTP, no TLS) then
- # add both the root AND the YR2 intermediate so the full chain validates.
- # Belt-and-suspenders: also append directly to the OpenSSL cert bundle so the
- # fix works regardless of whether update-ca-certificates is wired correctly.
+ - name: Trust Nexus mirror CA (diagnostic)
+ # Verbose / fail-fast version to expose exactly where the chain trust breaks.
+ # Step exits non-zero on any unexpected failure so the CI log shows the cause.
 run: |
- # 1. Fetch ISRG Root YR root cert from Let's Encrypt AIA (HTTP — no TLS risk)
- curl -sf --max-time 15 http://yr.i.lencr.org/ -o /tmp/isrg-root-yr.der \
- && openssl x509 -inform DER -in /tmp/isrg-root-yr.der \
- -out /usr/local/share/ca-certificates/isrg-root-yr.crt \
- && echo "Fetched ISRG Root YR: $(openssl x509 -noout -subject -in /usr/local/share/ca-certificates/isrg-root-yr.crt)" \
- || echo "Warning: could not fetch ISRG Root YR — falling back to intermediate only"
- # 2. Add YR2 intermediate (already in repo, CA:TRUE)
+ set -euo pipefail
+ echo "=== OS / OpenSSL info ==="
+ cat /etc/os-release | head -4 || true
+ openssl version || true
+
+ echo "=== Fetch ISRG Root YR from AIA (HTTP) ==="
+ curl -v --max-time 15 http://yr.i.lencr.org/ -o /tmp/isrg-root-yr.der 2>&1
+ echo "File size: $(wc -c < /tmp/isrg-root-yr.der) bytes"
+ openssl x509 -inform DER -in /tmp/isrg-root-yr.der \
+ -out /usr/local/share/ca-certificates/isrg-root-yr.crt
+ openssl x509 -noout -subject -issuer \
+ -in /usr/local/share/ca-certificates/isrg-root-yr.crt
+
+ echo "=== Add YR2 intermediate ==="
 cp docker/nexus-mirror-ca.crt /usr/local/share/ca-certificates/nexus-mirror-ca.crt
- # 3. Update OS trust store
+ openssl x509 -noout -subject -issuer -in docker/nexus-mirror-ca.crt
+
+ echo "=== Update OS trust store ==="
 update-ca-certificates
- # 4. Append directly to the OpenSSL active bundle (dotnet reads this on Linux)
+
+ echo "=== Append to OpenSSL bundle ==="
 cat docker/nexus-mirror-ca.crt >> /etc/ssl/certs/ca-certificates.crt
- [ -f /usr/local/share/ca-certificates/isrg-root-yr.crt ] \
- && cat /usr/local/share/ca-certificates/isrg-root-yr.crt >> /etc/ssl/certs/ca-certificates.crt \
- || true
+ cat /usr/local/share/ca-certificates/isrg-root-yr.crt >> /etc/ssl/certs/ca-certificates.crt
+ echo "Bundle size: $(wc -l < /etc/ssl/certs/ca-certificates.crt) lines"
+
+ echo "=== Verify YR2 against bundle ==="
+ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
+ /usr/local/share/ca-certificates/nexus-mirror-ca.crt
+
+ echo "=== Full chain verify against mirror ==="
+ echo | openssl s_client -connect mirror.soroushasadi.com:443 \
+ -CAfile /etc/ssl/certs/ca-certificates.crt 2>&1 | tail -5
+
+ echo "=== Done ==="
 - name: Restore
 run: dotnet restore src/Meezi.API/Meezi.API.csproj --configfile /tmp/nuget.ci.config
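Review bot: The ISRG Root YR certificate fetched over plain HTTP from `http://yr.i.lencr.org/` is converted and installed into the system trust store, then appended to `/etc/ssl/certs/ca-certificates.crt`, with no integrity check at all, so anything able to answer that HTTP request on the runner's network path becomes a trust anchor for every TLS connection the build makes afterwards; the admin job's `Trust Nexus mirror CA (diagnostic)` step in the second hunk repeats the same unverified fetch. Pin the expected SHA-256 fingerprint before the DER is converted, or better, check the root into the repo next to `docker/nexus-mirror-ca.crt` so no network fetch is needed. Separately, the `Full chain verify against mirror` block cannot fail the step as the header comment promises, because `openssl s_client` exits 0 on a verification failure unless `-verify_return_error` is given, and `tail -5` may not even include the `Verify return code` line on every OpenSSL version. The rewritten lines below fit the existing layout; the fingerprint value is a placeholder to be replaced with the published one.
```yaml
      run: |
        set -euo pipefail
        # … unchanged: OS/OpenSSL info, curl fetch, file-size echo …
        # Placeholder: replace with the published SHA-256 fingerprint of ISRG Root YR.
        expected_fp="<ISRG_ROOT_YR_SHA256_FINGERPRINT>"
        actual_fp=$(openssl x509 -inform DER -in /tmp/isrg-root-yr.der -noout -fingerprint -sha256 | cut -d= -f2)
        [ "$actual_fp" = "$expected_fp" ] || { echo "ISRG Root YR fingerprint mismatch: $actual_fp" >&2; exit 1; }
        # … unchanged: PEM conversion, YR2 intermediate, update-ca-certificates, bundle append, openssl verify …
        echo "=== Full chain verify against mirror ==="
        echo | openssl s_client -connect mirror.soroushasadi.com:443 -verify_return_error \
          -CAfile /etc/ssl/certs/ca-certificates.crt 2>&1 | tail -5
```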
@@ -153,21 +168,23 @@ jobs:
 EOF
- - name: Trust Nexus mirror CA
- # See api-build for full explanation. Same fix: fetch ISRG Root YR root +
- # add YR2 intermediate + belt-and-suspenders append to ca-certificates.crt.
+ - name: Trust Nexus mirror CA (diagnostic)
+ # Same verbose/fail-fast step as api-build — see that job for full comments.
 run: |
- curl -sf --max-time 15 http://yr.i.lencr.org/ -o /tmp/isrg-root-yr.der \
- && openssl x509 -inform DER -in /tmp/isrg-root-yr.der \
- -out /usr/local/share/ca-certificates/isrg-root-yr.crt \
- && echo "Fetched ISRG Root YR: $(openssl x509 -noout -subject -in /usr/local/share/ca-certificates/isrg-root-yr.crt)" \
- || echo "Warning: could not fetch ISRG Root YR — falling back to intermediate only"
+ set -euo pipefail
+ curl -v --max-time 15 http://yr.i.lencr.org/ -o /tmp/isrg-root-yr.der 2>&1
+ echo "File size: $(wc -c < /tmp/isrg-root-yr.der) bytes"
+ openssl x509 -inform DER -in /tmp/isrg-root-yr.der \
+ -out /usr/local/share/ca-certificates/isrg-root-yr.crt
+ openssl x509 -noout -subject -issuer \
+ -in /usr/local/share/ca-certificates/isrg-root-yr.crt
 cp docker/nexus-mirror-ca.crt /usr/local/share/ca-certificates/nexus-mirror-ca.crt
 update-ca-certificates
 cat docker/nexus-mirror-ca.crt >> /etc/ssl/certs/ca-certificates.crt
- [ -f /usr/local/share/ca-certificates/isrg-root-yr.crt ] \
- && cat /usr/local/share/ca-certificates/isrg-root-yr.crt >> /etc/ssl/certs/ca-certificates.crt \
- || true
+ cat /usr/local/share/ca-certificates/isrg-root-yr.crt >> /etc/ssl/certs/ca-certificates.crt
+ openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
+ /usr/local/share/ca-certificates/nexus-mirror-ca.crt
+ echo "=== Done ==="
 - name: Restore
 run: dotnet restore src/Meezi.Admin.API/Meezi.Admin.API.csproj --configfile /tmp/nuget.ci.config
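Review bot: The comment `# Same verbose/fail-fast step as api-build — see that job for full comments.` does not describe the step under it: this copy omits the OS/OpenSSL info, the YR2 subject/issuer dump, the bundle-size echo and the `openssl s_client` handshake against the mirror, so a reader sent to api-build will expect output this job never prints. Either state the reduction honestly, e.g. `# Reduced variant of the api-build diagnostic: fetch, install and openssl verify only; no mirror handshake.`, or move the shared shell into a single script in the repo (constructed name: `scripts/trust-nexus-mirror-ca.sh`) that both jobs call, so the two trust-store procedures cannot drift apart the way they already have here. If the reduced variant is kept, it should at least run the same mirror handshake check as api-build, since that is the only line in either step that exercises the chain the `dotnet restore` that follows actually depends on.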