diff --git a/playbooks/roles/haproxy/tasks/main.yaml b/playbooks/roles/haproxy/tasks/main.yaml
index 5cfce31519..654b205d0a 100644
--- a/playbooks/roles/haproxy/tasks/main.yaml
+++ b/playbooks/roles/haproxy/tasks/main.yaml
@@ -27,6 +27,19 @@
 mode: 0644
 notify: Reload haproxy
 
+# Copy in testing CA so the container can see it. When running under
+# Zuul this CA is created by the test framework. We use it to
+# validate the https check path
+- name: Check for OpenDev Infra CA (test only)
+ stat:
+ path: /etc/opendev-ca/ca.crt
+ register: _opendev_ca_crt
+- name: Copy in OpenDev Infra CA (test only)
+ copy:
+ src: /etc/opendev-ca/ca.crt
+ dest: /var/haproxy/etc/
+ when: _opendev_ca_crt.stat.exists
+
 - name: Ensure docker compose configuration directory
 file:
 path: /etc/haproxy-docker
diff --git a/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2 b/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
index ba08fccaae..04bd4b3a76 100644
--- a/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
+++ b/playbooks/zuul/templates/group_vars/gitea-lb.yaml.j2
@@ -12,4 +12,4 @@ gitea_lb_listeners:
 servers:
 - name: "gitea99.opendev.org"
 address: "{{ (hostvars['gitea99.opendev.org'] | default({})).get('nodepool', {}).get('public_ipv4', '') }}:3081"
- check_method: "check check-ssl verify none"
+ check_method: "check check-ssl ca-file /usr/local/etc/haproxy/ca.crt"
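Review bot: The two added tasks may be inspecting different machines: `stat` checks `/etc/opendev-ca/ca.crt` on the managed host, while `copy` without `remote_src` reads `src` from the Ansible controller. If the CA is expected on the haproxy host itself, add `remote_src: true` to the copy task; if it is expected on the controller, the stat should be delegated there so that the `when` guard tests the file that is actually copied. The copy also sets no permissions, so an explicit `mode: '0644'` would keep the CA readable by the container regardless of umask. Because the only guard is file existence, the comment above the tasks could also state that production hosts are not expected to have this path, which makes the "test only" intent checkable.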
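Review bot: The new `check_method` validates the certificate chain against the CA but, as far as this line shows, does not pin the name in the certificate, and it relies on HAProxy's default verify mode for server lines. Writing it as `check check-ssl verify required ca-file /usr/local/etc/haproxy/ca.crt verifyhost gitea99.opendev.org` would keep the health check strict even if `ssl-server-verify none` is ever set globally, and would also match the backend's hostname, provided the test certificate carries that name. The CA path here is the in-container one, whereas the role copies the file to `/var/haproxy/etc/`; presumably that directory is mounted at `/usr/local/etc/haproxy`, which a one-line comment above `check_method` could state.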