diff --git a/group_vars/all.yml b/group_vars/all.yml
index b8e5dbe..494e3a6 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -25,6 +25,7 @@ tls_ciphers_compat: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:EC
 # defaults for tls diretories
 tls_certs: /etc/pki/tls/certs
 tls_private: /etc/pki/tls/private
+tls_bundle: /etc/pki/tls/cert.pem
 # hardcode this for now
 ansible_datacenter: home
diff --git a/group_vars/openbsd.yml b/group_vars/openbsd.yml
index 4062a62..a4aca09 100644
--- a/group_vars/openbsd.yml
+++ b/group_vars/openbsd.yml
@@ -8,6 +8,7 @@ ansible_wheel: wheel
 # fix tls directories
 tls_certs: /etc/ssl
 tls_private: /etc/ssl/private
+tls_bundle: "{{ tls_certs }}/cert.pem"
 # default resources for new vm
 dsk_size: 10
diff --git a/roles/ldap/client/templates/ldap.conf.j2 b/roles/ldap/client/templates/ldap.conf.j2
index 7df7756..a1ef17c 100644
--- a/roles/ldap/client/templates/ldap.conf.j2
+++ b/roles/ldap/client/templates/ldap.conf.j2
@@ -2,5 +2,5 @@ BASE {{ ldap_basedn }}
 URI {% for item in ldap_server %}ldaps://{{ item }} {% endfor %}
-TLS_CACERT {{ tls_certs }}/cert.pem
+TLS_CACERT {{ tls_bundle }}
 TLS_REQCERT demand
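Review bot: The new `tls_bundle` default in group_vars/all.yml sits under the comment `# defaults for tls diretories`, but it is a single file rather than a directory, and it is the trust anchor that the ldap client template now feeds into `TLS_CACERT`. A comment of its own would make that clear, for example `# system CA bundle (one PEM file) used to verify TLS peers`. `/etc/pki/tls/cert.pem` is presumably right for the RHEL-family hosts in this inventory; any other platform group that does not override it, as group_vars/openbsd.yml does, will render a path that may not exist there.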
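Review bot: In group_vars/openbsd.yml `tls_bundle` is derived from `tls_certs`, so any host or play that overrides `tls_certs` (for instance to a service-specific certificate directory) silently moves the CA bundle path with it. all.yml spells the path out in full; doing the same here, `tls_bundle: /etc/ssl/cert.pem`, keeps the trust anchor fixed and the two files consistent. If the coupling is intended, a short comment saying so would help the next reader.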
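Review bot: `TLS_CACERT {{ tls_bundle }}` in ldap.conf.j2 makes the role depend on a variable that this diff defines only in group_vars, and with `TLS_REQCERT demand` on the next line a wrong or missing bundle file means every LDAPS connection is refused. That fails closed, which is the right direction, but on a host that resolves users through LDAP it can also lock out logins. Consider giving the role its own default for `tls_bundle` and adding a `stat` plus `assert` task that confirms the file exists before the template is deployed. The role's task list is not part of this diff, so such a check may already be in place.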