diff --git a/apps/monitor/src/runner.rs b/apps/monitor/src/runner.rs
index 7bb96fe..e5edcd7 100644
--- a/apps/monitor/src/runner.rs
+++ b/apps/monitor/src/runner.rs
@@ -200,11 +200,25 @@ fn run_check_blocking(
 body: Option<&str>,
 timeout: std::time::Duration,
 ) -> Result<(u16, HashMap, String), String> {
+ // Load system CA certs so we can verify chains from Cloudflare and other
+ // CAs not included in the bundled webpki-roots.
+ let root_certs: Vec> =
+ rustls_native_certs::load_native_certs()
+ .certs
+ .into_iter()
+ .map(|c| ureq::tls::Certificate::from_der(c.as_ref()).to_owned())
+ .collect();
+
+ let tls = ureq::tls::TlsConfig::builder()
+ .root_certs(ureq::tls::RootCerts::Specific(Arc::new(root_certs)))
+ .build();
+
 let agent = ureq::Agent::config_builder()
 .timeout_global(Some(timeout))
 .timeout_connect(Some(timeout))
- .http_status_as_error(false) // handle 4xx/5xx as Ok so we can evaluate queries
+ .http_status_as_error(false)
 .user_agent("PingQL-Monitor/0.1")
+ .tls_config(tls)
 .build()
 .new_agent();
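Review bot: The new root-store setup reads only `.certs` from `rustls_native_certs::load_native_certs()` and discards the accompanying `.errors`, so a host with a missing or unreadable CA bundle (a minimal container image, for example) produces an empty `RootCerts::Specific` list and every HTTPS check then fails certificate verification, which the monitor would presumably report as the target being down. As far as I can tell `Specific` replaces the bundled webpki-roots rather than adding to them, so there is no fallback; I would keep the result in a local and fail early, e.g. `let loaded = rustls_native_certs::load_native_certs();` followed by `if loaded.certs.is_empty() { return Err(format!("no system root certificates loaded: {:?}", loaded.errors)); }`, and log a non-empty `loaded.errors` otherwise. The store is also re-read and the agent rebuilt on every call to `run_check_blocking`; loading the certificates once (a `std::sync::OnceLock` would do) avoids the per-check disk access and keeps the trust set stable for the life of the process. The hunk additionally drops the `// handle 4xx/5xx as Ok so we can evaluate queries` comment on `.http_status_as_error(false)`, which explained a non-obvious choice and is worth keeping. The function body continues outside the hunk.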