diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index a4a555e..31d40e2 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -45,11 +45,28 @@ jobs:
 - name: run integration tests
 run: ./integration_tests.sh --durations=10 --cov=nomad_tools -n 3
+ test_ssl:
+ name: Test ssl
+ runs-on: ubuntu-latest
+ steps:
+ - name: checkout
+ uses: actions/checkout@v4
+ - name: upgrade pip
+ run: pip install --upgrade pip
+ - name: install editable package
+ run: pip install -e .
+ - name: install nomad server
+ run: bash ./tests/provision.sh nomad_install 1.8.0
+ - name: run nomad server tls
+ run: bash ./tests/provision.sh momad_start_tls
+ - name: test tls connection
+ run: ./tests/tls_env.bash testall
 pypi-publish:
 name: Upload release to PyPI
 needs:
 - test
+ - test_ssl
 if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
 #if: github.ref == 'refs/heads/main'
 runs-on: ubuntu-latest
diff --git a/jobs/test-forever.nomad.hcl b/jobs/test-forever.nomad.hcl
new file mode 100644
index 0000000..c057649
--- /dev/null
+++ b/jobs/test-forever.nomad.hcl
@@ -0,0 +1,13 @@
+job "test-forever" {
+ # meta { uuid = uuidv4() }
+ group "test-forever" {
+ task "test-forever" {
+ driver = "docker"
+ config {
+ image = "busybox:stable"
+ command = "sleep"
+ args = ["3600h"]
+ }
+ }
+ }
+}
diff --git a/src/nomad_tools/nomadlib/connection.py b/src/nomad_tools/nomadlib/connection.py
index 7b06fcb..256faa0 100644
--- a/src/nomad_tools/nomadlib/connection.py
+++ b/src/nomad_tools/nomadlib/connection.py
@@ -191,15 +191,6 @@ def request(
 params.setdefault(
 "namespace", self.namespace or os.environ.get(NOMAD_NAMESPACE, "*")
 )
- print(
- False
- if NOMAD_SKIP_VERIFY in os.environ
- else (
- os.environ[NOMAD_CACERT]
- if NOMAD_CACERT in os.environ
- else (os.environ[NOMAD_CAPATH] if NOMAD_CAPATH in os.environ else True)
- )
- )
 req = self.session.request(
 method,
 self.addr() + "/v1/" + url,
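Review bot: The `run nomad server tls` step calls `bash ./tests/provision.sh momad_start_tls`, but the function this commit adds to `tests/provision.sh` and to its dispatch `case` is `nomad_start_tls`, so the step lands in the `*)` arm (its body is outside the diff) instead of starting the TLS agent. Change the line to `run: bash ./tests/provision.sh nomad_start_tls`. Because `pypi-publish` now lists `test_ssl` under `needs`, this job decides whether a release is uploaded, so it is also worth pinning `actions/checkout` to a full commit SHA rather than the mutable `v4` tag and selecting an explicit Python version before the `pip install` steps.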
@@ -309,7 +300,7 @@ def create_websocket_connection(path: str) -> websocket.WebSocket:
 sslopt["check_hostname"] = False
 cacert = os.environ.get(NOMAD_CACERT)
 if cacert:
- sslopt["ca_cert"] = cacert
+ sslopt["ca_certs"] = cacert
 else:
 capath = os.environ.get(NOMAD_CAPATH)
 if capath:
diff --git a/tests/provision.sh b/tests/provision.sh
index 4a9dc77..0fbabf6 100755
--- a/tests/provision.sh
+++ b/tests/provision.sh
@@ -31,15 +31,7 @@ cni_install() {
 sudo rm cni-plugins*.tgz
 }
-nomad_start() {
- local pid now endtime
- if pid=$(pgrep nomad); then
- echo "nomad already running: $(xargs ps aux "$pid")"
- return
- fi
- sudo nomad agent -dev -config ./tests/nomad.hcl &
- NOMADPID=$!
- # Wait for nomad
+nomad_wait() {
 now=$(date +%s)
 endtime=$((now + 30))
 while ! nomad status >/dev/null; do
@@ -55,6 +47,23 @@ nomad_start() {
 nomad status
 }
+# shellcheck disable=2120
+nomad_start() {
+ local pid now endtime
+ if pid=$(pgrep nomad); then
+ echo "nomad already running: $(xargs ps aux "$pid")"
+ return
+ fi
+ sudo nomad agent -dev -config ./tests/nomad.d/nomad.hcl "$@" &
+ declare -g NOMADPID=$!
+ # Wait for nomad
+ nomad_wait
+}
+
+nomad_start_tls() {
+ nomad_start -config ./tests/nomad.d/tls.hcl
+}
+
 nomad_restart() {
 sudo pkill nomad || :
 sudo "$0" nomad_start
@@ -79,7 +88,7 @@ vagrant() {
 }
 case "$1" in
-cni_install | nomad_install | nomad_start | nomad_restart | vagrant)
+cni_install | nomad_install | nomad_start | nomad_start_tls | nomad_restart | vagrant)
 "$@"
 ;;
 *)
diff --git a/tests/tls_env.bash b/tests/tls_env.bash
index 1c90ada..c0ad62f 100755
--- a/tests/tls_env.bash
+++ b/tests/tls_env.bash
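Review bot: The `sslopt` keys are plain strings that websocket-client does not appear to reject when misspelled, which is how the old `ca_cert` went unnoticed; the `capath` branch that opens on the last line of this hunk continues outside the view and should be checked for the same mistake, since the directory key the library reads is `ca_cert_path`. A short comment above the assignment would guard the next edit, e.g. `# sslopt keys are websocket-client names: ca_certs (file), ca_cert_path (directory)`. The condition guarding `sslopt["check_hostname"] = False` on the first context line is also outside the hunk; it is worth confirming that line is reached only when the user explicitly relaxed verification.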
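Review bot: `nomad_wait` assigns `now` and `endtime` without declaring them, because the `local pid now endtime` line stayed with `nomad_start` (second hunk of this file); called on its own the function writes both into the global scope, and inside `nomad_start` it only stays contained through bash's dynamic scoping. Add `local now endtime` as the first line of `nomad_wait` and reduce the declaration in `nomad_start` to `local pid`. The loop body of `nomad_wait` continues outside this hunk.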
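Review bot: `nomad_start_tls` inherits the early `return` in `nomad_start`: when `pgrep nomad` matches anything, including an agent started without `tls.hcl`, the function prints the process and returns 0 without applying the TLS config. On a fresh CI runner that is harmless, but on a developer machine the TLS checks then run against whatever agent happens to be up. Failing that branch when extra arguments were passed, e.g. `(($#)) && return 1` before the bare `return`, would make the mismatch visible. `nomad_restart` in the trailing context likewise always calls plain `nomad_start`, so a restart drops the TLS config.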
@@ -4,47 +4,68 @@ _r() {
 echo "+ $*" >&2
 "$@"
 }
-case "$1" in
-clear)
- _r unset NOMAD_ADDR
- _r unset NOMAD_TLS_SERVER_NAME
- _r unset NOMAD_CACERT
- _r unset NOMAD_CAPATH
- _r unset NOMAD_CLIENT_CERT
- _r unset NOMAD_CLIENT_KEY
- ;;
-tls)
- _r export NOMAD_ADDR=https://localhost:4646
- _r unset NOMAD_TLS_SERVER_NAME
- _r export NOMAD_CACERT=$_DIR/nomad-agent-ca.pem
- _r unset NOMAD_CAPATH
- _r export NOMAD_CLIENT_CERT=$_DIR/global-cli-nomad.pem
- _r export NOMAD_CLIENT_KEY=$_DIR/global-cli-nomad-key.pem
- ;;
-capath)
- _r export NOMAD_ADDR=https://localhost:4646
- _r unset NOMAD_TLS_SERVER_NAME
- _r unset NOMAD_CACERT
- _r export NOMAD_CAPATH=$_DIR/capath
- _r export NOMAD_CLIENT_CERT=$_DIR/global-cli-nomad.pem
- _r export NOMAD_CLIENT_KEY=$_DIR/global-cli-nomad-key.pem
- ;;
-sni)
- _r export NOMAD_ADDR=https://127.0.0.1:4646
- _r export NOMAD_TLS_SERVER_NAME=localhost
- _r export NOMAD_CACERT=$_DIR/nomad-agent-ca.pem
- _r unset NOMAD_CAPATH
- _r export NOMAD_CLIENT_CERT=$_DIR/global-cli-nomad.pem
- _r export NOMAD_CLIENT_KEY=$_DIR/global-cli-nomad-key.pem
- ;;
-test)
- _r nomad status
- _r nomadtools vardir -j nginx@nginx ls
- ;;
-*)
- echo "${BASH_SOURCE[0]}: invalid argument: $1" >&2
- echo "${BASH_SOURCE[0]}: must be: clear tls sni" >&2
- ;;
-esac
-unset -f _r
-unset _DIR
+_clear_envs() {
+ envs=$(compgen -v NOMAD_)
+ if [[ -n "$envs" ]]; then
+ # shellcheck disable=2086
+ _r unset $envs
+ fi
+}
+while (($#)); do
+ case "$1" in
+ clear)
+ _clear_envs
+ ;;
+ tls)
+ _clear_envs
+ _r export NOMAD_ADDR=https://localhost:4646
+ _r unset NOMAD_TLS_SERVER_NAME
+ _r export NOMAD_CACERT="$_DIR"/nomad-agent-ca.pem
+ _r unset NOMAD_CAPATH
+ _r export NOMAD_CLIENT_CERT="$_DIR"/global-cli-nomad.pem
+ _r export NOMAD_CLIENT_KEY="$_DIR"/global-cli-nomad-key.pem
+ ;;
+ capath)
+ _clear_envs
+ _r export NOMAD_ADDR=https://localhost:4646
+ _r unset NOMAD_TLS_SERVER_NAME
+ _r unset NOMAD_CACERT
+ _r export NOMAD_CAPATH="$_DIR"/capath
+ _r export NOMAD_CLIENT_CERT="$_DIR"/global-cli-nomad.pem
+ _r export NOMAD_CLIENT_KEY="$_DIR"/global-cli-nomad-key.pem
+ ;;
+ sni)
+ _clear_envs
+ _r export NOMAD_ADDR=https://127.0.0.1:4646
+ _r export NOMAD_TLS_SERVER_NAME=localhost
+ _r export NOMAD_CACERT="$_DIR"/nomad-agent-ca.pem
+ _r unset NOMAD_CAPATH
+ _r export NOMAD_CLIENT_CERT="$_DIR"/global-cli-nomad.pem
+ _r export NOMAD_CLIENT_KEY="$_DIR"/global-cli-nomad-key.pem
+ ;;
+ test)
+ _r export NOMAD_NAMESPACE=default
+ _r nomad status
+ _r nomadtools vardir -j nginx@nginx ls
+ _r python -m nomad_tools.taskexec test-forever test-forever echo Hello world
+ ;;
+ testall)
+ _r "$0" tls -- nomadtools watch start "$_DIR"/../../jobs/test-forever.nomad.hcl
+ echo
+ _r "$0" tls test
+ echo
+ _r "$0" capath test
+ echo
+ _r "$0" sni test
+ ;;
+ --)
+ shift
+ _r exec "$@"
+ ;;
+ *)
+ echo "Unknown arguments: $*" >&2
+ exit 123
+ ;;
+ esac
+ shift
+done
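Review bot: Failures in the `test` and `testall` arms do not reach the exit status: every arm falls through to the trailing `shift`, so the script returns 0 even when `_r nomad status` or `_r "$0" sni test` failed, unless errexit is enabled in the three lines above the hunk (not visible). The new `test_ssl` workflow job runs `./tests/tls_env.bash testall` and gates `pypi-publish`, so a broken TLS path would still pass CI. Append `|| exit` to the `_r` calls in those two arms, e.g. `_r "$0" tls test || exit`; a blanket `set -e` would also abort in `_clear_envs` when `compgen -v NOMAD_` matches nothing. The script also changes from sourced to executed (the `unset -f _r` cleanup is gone and `exit 123` was added), so a header comment stating that it must no longer be sourced would help.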