diff --git a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
index 5d24fc3..717a0ba 100644
--- a/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
+++ b/ansible/roles/firstboot/files/ansible_payload/roles/metacluster/tasks/main.yml
@@ -159,6 +159,7 @@
         --fingerprint={{ stepca_configmap.resources[0].data['defaults.json'] | from_json | json_query('fingerprint') }} \
         --install \
         --force
+      update-ca-certificates
 
 - name: Install harbor chart
   kubernetes.core.helm:
diff --git a/ansible/vars/metacluster.yml b/ansible/vars/metacluster.yml
index 00d43e1..aa5f00d 100644
--- a/ansible/vars/metacluster.yml
+++ b/ansible/vars/metacluster.yml
@@ -69,6 +69,14 @@ components:
       parse_logic: helm template . | yq --no-doc eval '.. | .image? | select(.)' | sed '/:/!s/$/:latest/' | sort -u
       chart_values: !unsafe |
         ca:
+        bootstrap:
+          postInitHook: |
+            echo '{{ vapp["guestinfo.rootpw"] }}' > ~/pwfile
+            step ca provisioner add acme \
+              --type ACME \
+              --password-file=~/pwfile \
+              --force-cn
+            rm ~/pwfile
           dns: ca.{{ vapp['metacluster.fqdn'] }},step-certificates.step-ca.svc.cluster.local,127.0.0.1
           password: "{{ vapp['guestinfo.rootpw'] }}"
           provisioner: