diff --git a/.github/docker/Dockerfile.ci b/.github/docker/Dockerfile.ci
index 516e4893..43e505e5 100644
--- a/.github/docker/Dockerfile.ci
+++ b/.github/docker/Dockerfile.ci
@@ -4,15 +4,20 @@ FROM ubuntu:24.04
 ENV DEBIAN_FRONTEND=noninteractive
-# Switch apt sources to Hetzner's public mirror over HTTPS.
+# Switch apt sources to Hetzner's public mirror.
 # Ubicloud runners (Hetzner FSN1-DC21) hit reliable connection timeouts to
 # archive.ubuntu.com:80 — observed 90+ second outages on multiple builds.
 # Hetzner's mirror is publicly accessible from any cloud and route-local for
 # Ubicloud, so this fixes both reliability and latency. Ubuntu 24.04 uses
 # the deb822 sources format at /etc/apt/sources.list.d/ubuntu.sources.
+#
+# Using HTTP (not HTTPS) intentionally: the base ubuntu:24.04 image ships
+# without ca-certificates, so HTTPS apt fails with "No system certificates
+# available." Apt's security model verifies via GPG-signed Release files,
+# not TLS, so HTTP here is no weaker than the upstream defaults.
 RUN sed -i \
- -e 's|http://archive.ubuntu.com/ubuntu|https://mirror.hetzner.com/ubuntu/packages|g' \
- -e 's|http://security.ubuntu.com/ubuntu|https://mirror.hetzner.com/ubuntu/packages|g' \
+ -e 's|http://archive.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' \
+ -e 's|http://security.ubuntu.com/ubuntu|http://mirror.hetzner.com/ubuntu/packages|g' \
 /etc/apt/sources.list.d/ubuntu.sources
 # System deps (retry apt-get update — even Hetzner can blip occasionally)
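Review bot: The new comment's claim that HTTP is "no weaker than the upstream defaults" covers integrity only: apt's signature check on the Release files proves packages are authentic, but not that the metadata is current, and the second `-e` expression also sends `security.ubuntu.com` to the mirror over cleartext. An on-path party or a lagging mirror could therefore leave this CI image on older, validly signed package lists, so the comment should say so, e.g. `# Signatures give authenticity, not freshness: security updates arrive only as fast as the mirror syncs.` If TLS is wanted back, one option is to install `ca-certificates` over HTTP first and then rewrite the scheme with `sed -i 's|http://mirror.hetzner.com|https://mirror.hetzner.com|g' /etc/apt/sources.list.d/ubuntu.sources`; the apt-get step that would host this sits below the hunk and is not visible here. The whole argument also depends on signature verification staying on, so it is worth noting next to the `RUN` that `[trusted=yes]` or `--allow-unauthenticated` must not be added later.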