diff --git a/utility-services/gitea/server/index.ts b/utility-services/gitea/server/index.ts
index f90228e..25e7c98 100644
--- a/utility-services/gitea/server/index.ts
+++ b/utility-services/gitea/server/index.ts
@@ -7,7 +7,6 @@ import {
 OnePasswordSecret,
 PublicIngressRoute,
 IngressRouteTcp,
- PrivateCertificate,
 } from "../../../utils";
 import type { Providers } from "../../../types";
@@ -53,20 +52,6 @@ export class GiteaServer extends Construct {
 itemPath: "vaults/Lab/items/cloudflare",
 });
- new PrivateCertificate(this, "internal-cert", {
- provider: kubernetes,
- namespace,
- name: "gitea-tls-internal",
- secretName: "gitea-tls-internal",
- dnsNames: [
- "git.dogar.dev",
- "gitea",
- "gitea.homelab.svc",
- "gitea.homelab.svc.cluster.local",
- ],
- usages: ["digital signature", "key encipherment", "server auth"],
- });
-
 new Release(this, id, {
 ...options,
 provider: helm,
diff --git a/utils/traefik/ingress/ingress.ts b/utils/traefik/ingress/ingress.ts
index d7e7712..d8d55fd 100644
--- a/utils/traefik/ingress/ingress.ts
+++ b/utils/traefik/ingress/ingress.ts
@@ -2,7 +2,7 @@ import { Construct } from "constructs";
 import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
 import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
-import { CloudflareCertificate } from "../../cert-manager";
+import { CloudflareCertificate, PrivateCertificate } from "../../cert-manager";
 export type IngressRouteOptions = {
 provider: KubernetesProvider;
@@ -43,6 +43,19 @@ export class IngressRoute extends Construct {
 const { provider, namespace } = opts;
 if (opts.serviceProtocol === "https") {
+ new PrivateCertificate(this, "internal-cert", {
+ provider,
+ namespace,
+ name: `${opts.serviceName}-tls-internal`,
+ secretName: `${opts.serviceName}-tls-internal`,
+ dnsNames: [
+ opts.serviceName,
+ `${opts.serviceName}.${opts.namespace}.svc`,
+ `${opts.serviceName}.${opts.namespace}.svc.cluster.local`,
+ ],
+ usages: ["digital signature", "key encipherment", "server auth"],
+ });
+
 new Manifest(this, `${name}-https-transport`, {
 provider,
 manifest: {
@@ -53,7 +66,7 @@ export class IngressRoute extends Construct {
 namespace,
 },
 spec: {
- serverName: `${opts.name}.${opts.namespace}.svc.cluster.local`,
+ serverName: `${opts.serviceName}.${opts.namespace}.svc.cluster.local`,
 rootCAs: [
 {
 secret: "root-secret",
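Review bot: The `name` and `secretName` of the added `new PrivateCertificate(...)` are derived only from `opts.serviceName`, so two IngressRoute instances in one namespace that front the same HTTPS service would each declare a Certificate called `${opts.serviceName}-tls-internal`; I would expect the second to collide with or overwrite the first at apply time. The backend workload also has to mount exactly that Secret name, and for Gitea it matches the previous `gitea-tls-internal` only if `serviceName` is `gitea`, which this diff does not show. The generic SAN list no longer carries `git.dogar.dev`; that is fine for the transport's `serverName` check, but it should be confirmed for any client that reaches the service by its public name over this certificate. I would add a comment above the call such as `// Issues <serviceName>-tls-internal; the workload must mount this Secret, and only one IngressRoute per service may create it.` The constructor body starts and ends outside the hunk.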
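Review bot: The `serverName` on the changed line and the matching entry in the certificate's `dnsNames` (the `@@ -43` hunk) are written as two separate template strings, so a later edit to one of them would make backend TLS verification fail without any compile-time signal. I would build the host once, ``const internalHost = `${opts.serviceName}.${namespace}.svc.cluster.local`;``, and use `internalHost` in both places. The transport trusts `root-secret` from the route's namespace, so a short comment saying that this Secret must hold the CA that signs the PrivateCertificate would help; the issuer itself is not visible here. The manifest object continues past the end of the hunk.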