diff --git a/.gitea/workflows/ci-cd.yml b/.gitea/workflows/ci-cd.yml
index b66ce29..99d2fd6 100644
--- a/.gitea/workflows/ci-cd.yml
+++ b/.gitea/workflows/ci-cd.yml
@@ -80,45 +80,24 @@ jobs:
 EOF
- - name: Trust Nexus mirror CA (diagnostic)
- # Verbose / fail-fast version to expose exactly where the chain trust breaks.
- # Gitea act runner v0.6.1 ignores shell: overrides and always uses sh.
- # Use set -eu (POSIX) — pipefail is bash-only and crashes sh on line 1.
+ - name: Verify mirror TLS chain
+ # The mirror's fullchain.pem now serves leaf → YR2 → ISRG Root YR
+ # (cross-signed by ISRG Root X1, which IS in every stock trust store),
+ # so no custom CA is needed. This step only sanity-checks the chain and
+ # fails early with a clear message if the server cert regresses again.
+ # POSIX sh only — the Gitea act runner v0.6.1 ignores shell: overrides.
 run: |
 set -eu
- echo "=== OS / OpenSSL info ==="
- cat /etc/os-release | head -4 || true
- openssl version || true
-
- echo "=== Fetch ISRG Root YR from AIA (HTTP) ==="
- curl -v --max-time 15 http://yr.i.lencr.org/ -o /tmp/isrg-root-yr.der 2>&1
- echo "File size: $(wc -c < /tmp/isrg-root-yr.der) bytes"
- openssl x509 -inform DER -in /tmp/isrg-root-yr.der \
- -out /usr/local/share/ca-certificates/isrg-root-yr.crt
- openssl x509 -noout -subject -issuer \
- -in /usr/local/share/ca-certificates/isrg-root-yr.crt
-
- echo "=== Add YR2 intermediate ==="
- cp docker/nexus-mirror-ca.crt /usr/local/share/ca-certificates/nexus-mirror-ca.crt
- openssl x509 -noout -subject -issuer -in docker/nexus-mirror-ca.crt
-
- echo "=== Update OS trust store ==="
- update-ca-certificates
-
- echo "=== Append to OpenSSL bundle ==="
- cat docker/nexus-mirror-ca.crt >> /etc/ssl/certs/ca-certificates.crt
- cat /usr/local/share/ca-certificates/isrg-root-yr.crt >> /etc/ssl/certs/ca-certificates.crt
- echo "Bundle size: $(wc -l < /etc/ssl/certs/ca-certificates.crt) lines"
-
- echo "=== Verify YR2 against bundle ==="
- openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
- /usr/local/share/ca-certificates/nexus-mirror-ca.crt
-
- echo "=== Full chain verify against mirror ==="
 echo | openssl s_client -connect mirror.soroushasadi.com:443 \
- -CAfile /etc/ssl/certs/ca-certificates.crt 2>&1 | tail -5
-
- echo "=== Done ==="
+ -servername mirror.soroushasadi.com 2>/dev/null \
+ | tee /tmp/sclient.txt | grep "Verify return code" || true
+ if ! grep -q "Verify return code: 0 (ok)" /tmp/sclient.txt; then
+ echo "❌ mirror.soroushasadi.com TLS chain is broken again."
+ echo " Fix the cert ON THE SERVER (/etc/ssl/soroushasadi/fullchain.pem"
+ echo " must include the full chain up to a publicly-trusted root),"
+ echo " then: docker exec mirror-nginx nginx -s reload"
+ exit 1
+ fi
 - name: Restore
 run: dotnet restore src/Meezi.API/Meezi.API.csproj --configfile /tmp/nuget.ci.config
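Review bot: The new check confirms chain trust but not hostname — `openssl s_client` does not match the certificate's SAN against the connect name unless `-verify_hostname` is given (`-servername` only sets SNI), so "Verify return code: 0 (ok)" would still be printed for a valid cert issued to a different name, which the following `dotnet restore` would then reject with a far less clear error. With `2>/dev/null`, a connection refused or timeout also leaves `/tmp/sclient.txt` empty and triggers the "TLS chain is broken again" message, conflating reachability with trust. Suggest `-servername mirror.soroushasadi.com -verify_hostname mirror.soroushasadi.com 2>&1 \` so the capture carries the real cause, and a `tail -n 20 /tmp/sclient.txt` before `exit 1` so the run log shows it. The same applies to the admin-api job's copy of this step in the second hunk (`@@ -169,24 +148,17 @@`). The enclosing job definition starts outside the hunk.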
@@ -169,24 +148,17 @@ jobs:
 EOF
- - name: Trust Nexus mirror CA (diagnostic)
- # Same verbose/fail-fast step as api-build — see that job for full comments.
- # Gitea act runner v0.6.1 ignores shell: overrides; use POSIX set -eu.
+ - name: Verify mirror TLS chain
+ # Same sanity check as api-build — see that job for full comments.
 run: |
 set -eu
- curl -v --max-time 15 http://yr.i.lencr.org/ -o /tmp/isrg-root-yr.der 2>&1
- echo "File size: $(wc -c < /tmp/isrg-root-yr.der) bytes"
- openssl x509 -inform DER -in /tmp/isrg-root-yr.der \
- -out /usr/local/share/ca-certificates/isrg-root-yr.crt
- openssl x509 -noout -subject -issuer \
- -in /usr/local/share/ca-certificates/isrg-root-yr.crt
- cp docker/nexus-mirror-ca.crt /usr/local/share/ca-certificates/nexus-mirror-ca.crt
- update-ca-certificates
- cat docker/nexus-mirror-ca.crt >> /etc/ssl/certs/ca-certificates.crt
- cat /usr/local/share/ca-certificates/isrg-root-yr.crt >> /etc/ssl/certs/ca-certificates.crt
- openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt \
- /usr/local/share/ca-certificates/nexus-mirror-ca.crt
- echo "=== Done ==="
+ echo | openssl s_client -connect mirror.soroushasadi.com:443 \
+ -servername mirror.soroushasadi.com 2>/dev/null \
+ | tee /tmp/sclient.txt | grep "Verify return code" || true
+ if ! grep -q "Verify return code: 0 (ok)" /tmp/sclient.txt; then
+ echo "❌ mirror.soroushasadi.com TLS chain is broken again — fix the server cert."
+ exit 1
+ fi
 - name: Restore
 run: dotnet restore src/Meezi.Admin.API/Meezi.Admin.API.csproj --configfile /tmp/nuget.ci.config