diff --git a/tests/bats/11_bouncers_tls.bats b/tests/bats/11_bouncers_tls.bats index 0961255d5..119ef10cd 100644 --- a/tests/bats/11_bouncers_tls.bats +++ b/tests/bats/11_bouncers_tls.bats @@ -5,7 +5,6 @@ set -u setup_file() { load "../lib/setup_file.sh" - [[ "${PACKAGE_TESTING}" == "true" ]] && return ./instance-data load tmpdir="${BATS_FILE_TMPDIR}" @@ -33,6 +32,8 @@ setup_file() { echo "ibase=16; ${serial}" | bc >"${tmpdir}/serials.txt" cfssl gencrl "${tmpdir}/serials.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" | base64 -d | openssl crl -inform DER -out "${tmpdir}/crl.pem" + cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem" + config_set ' .api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" | .api.server.tls.key_file=strenv(tmpdir) + "/server-key.pem" | @@ -49,7 +50,6 @@ teardown_file() { } setup() { - [[ "${PACKAGE_TESTING}" == "true" ]] && skip load "../lib/setup.sh" ./instance-crowdsec start } @@ -66,7 +66,7 @@ teardown() { } @test "simulate one bouncer request with a valid cert" { - run -0 curl -s --cert "${tmpdir}/bouncer.pem" --key "${tmpdir}/bouncer-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42 + run -0 curl -s --cert "${tmpdir}/bouncer.pem" --key "${tmpdir}/bouncer-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42 assert_output "null" run -0 cscli bouncers list -o json run -0 jq '. | length' <(output) 
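Review bot: The new `cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem"` line in setup_file (hunk `@@ -33,6 +32,8 @@` of 11_bouncers_tls.bats, and again in `@@ -36,6 +35,8 @@` of 30_machines_tls.bats) has no comment explaining why the clients' trust store changes from the intermediate alone to root plus intermediate. Every `--cacert` and `.ca_cert_path` in these tests now depends on that file, so I would add above it `# client trust bundle: root CA + intermediate, used as --cacert / ca_cert_path in the tests below`. Presumably the switch is needed for chain verification in the package-testing runs that the removed PACKAGE_TESTING guards used to skip, but the diff does not say so; the comment or the commit message should. setup_file continues outside both hunks.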
@@ -84,13 +84,13 @@ teardown() { } @test "simulate one bouncer request with an invalid OU" { - run curl -s --cert "${tmpdir}/bouncer_bad_ou.pem" --key "${tmpdir}/bouncer_bad_ou-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42 + run curl -s --cert "${tmpdir}/bouncer_bad_ou.pem" --key "${tmpdir}/bouncer_bad_ou-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42 run -0 cscli bouncers list -o json assert_output "[]" } @test "simulate one bouncer request with a revoked certificate" { - run -0 curl -i -s --cert "${tmpdir}/bouncer_revoked.pem" --key "${tmpdir}/bouncer_revoked-key.pem" --cacert "${tmpdir}/inter.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42 + run -0 curl -i -s --cert "${tmpdir}/bouncer_revoked.pem" --key "${tmpdir}/bouncer_revoked-key.pem" --cacert "${tmpdir}/bundle.pem" https://localhost:8080/v1/decisions\?ip=42.42.42.42 assert_output --partial "access forbidden" run -0 cscli bouncers list -o json assert_output "[]" diff --git a/tests/bats/30_machines_tls.bats b/tests/bats/30_machines_tls.bats index a125599e6..309290ac9 100644 --- a/tests/bats/30_machines_tls.bats +++ b/tests/bats/30_machines_tls.bats @@ -5,7 +5,6 @@ set -u setup_file() { load "../lib/setup_file.sh" - [[ "${PACKAGE_TESTING}" == "true" ]] && return ./instance-data load CONFIG_DIR=$(dirname "${CONFIG_YAML}") @@ -36,6 +35,8 @@ setup_file() { echo "ibase=16; ${serial}" | bc >"${tmpdir}/serials.txt" cfssl gencrl "${tmpdir}/serials.txt" "${tmpdir}/ca.pem" "${tmpdir}/ca-key.pem" | base64 -d | openssl crl -inform DER -out "${tmpdir}/crl.pem" + cat "${tmpdir}/ca.pem" "${tmpdir}/inter.pem" > "${tmpdir}/bundle.pem" + config_set ' .api.server.tls.cert_file=strenv(tmpdir) + "/server.pem" | .api.server.tls.key_file=strenv(tmpdir) + "/server-key.pem" | @@ -53,7 +54,6 @@ teardown_file() { } setup() { - [[ "${PACKAGE_TESTING}" == "true" ]] && skip load "../lib/setup.sh" } 
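Review bot: The "invalid OU" test in hunk `@@ -84,13 +84,13 @@` still calls `run curl -s …` with no status or output assertion, so it passes whenever no bouncer ends up registered. That includes cases where the request never reaches the OU check, for example a client-side verification failure against the new `bundle.pem`. The revoked-certificate test just below pins the rejection with `run -0 curl -i -s …` and `assert_output --partial "access forbidden"`. The same pair here would show the request was refused by the API rather than lost earlier, assuming the server answers a bad OU the same way, which should be confirmed against a run.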
@@ -65,7 +65,7 @@ teardown() { @test "invalid OU for agent" { config_set "${CONFIG_DIR}/local_api_credentials.yaml" ' - .ca_cert_path=strenv(tmpdir) + "/inter.pem" | + .ca_cert_path=strenv(tmpdir) + "/bundle.pem" | .key_path=strenv(tmpdir) + "/agent_bad_ou-key.pem" | .cert_path=strenv(tmpdir) + "/agent_bad_ou.pem" | .url="https://127.0.0.1:8080" @@ -79,7 +79,7 @@ teardown() { @test "we have exactly one machine registered with TLS" { config_set "${CONFIG_DIR}/local_api_credentials.yaml" ' - .ca_cert_path=strenv(tmpdir) + "/inter.pem" | + .ca_cert_path=strenv(tmpdir) + "/bundle.pem" | .key_path=strenv(tmpdir) + "/agent-key.pem" | .cert_path=strenv(tmpdir) + "/agent.pem" | .url="https://127.0.0.1:8080" @@ -97,7 +97,7 @@ teardown() { @test "invalid cert for agent" { config_set "${CONFIG_DIR}/local_api_credentials.yaml" ' - .ca_cert_path=strenv(tmpdir) + "/inter.pem" | + .ca_cert_path=strenv(tmpdir) + "/bundle.pem" | .key_path=strenv(tmpdir) + "/agent_invalid-key.pem" | .cert_path=strenv(tmpdir) + "/agent_invalid.pem" | .url="https://127.0.0.1:8080" @@ -110,7 +110,7 @@ teardown() { @test "revoked cert for agent" { config_set "${CONFIG_DIR}/local_api_credentials.yaml" ' - .ca_cert_path=strenv(tmpdir) + "/inter.pem" | + .ca_cert_path=strenv(tmpdir) + "/bundle.pem" | .key_path=strenv(tmpdir) + "/agent_revoked-key.pem" | .cert_path=strenv(tmpdir) + "/agent_revoked.pem" | .url="https://127.0.0.1:8080" diff --git a/tests/generate-hub-tests b/tests/generate-hub-tests index 56afa6719..76dd3cd6d 100755 --- a/tests/generate-hub-tests +++ b/tests/generate-hub-tests @@ -1,4 +1,4 @@ -#!/bin/sh +#!/usr/bin/env bash set -eu diff --git a/tests/instance-mock-http b/tests/instance-mock-http index 901ba8c87..c7ae62a68 100755 --- a/tests/instance-mock-http +++ b/tests/instance-mock-http @@ -1,4 +1,4 @@ -#!/bin/sh +#!/usr/bin/env bash set -eu
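Review bot: The same `.ca_cert_path=strenv(tmpdir) + "/bundle.pem" |` line is repeated in four `config_set` calls in 30_machines_tls.bats (hunks `@@ -65,7`, `@@ -79,7`, `@@ -97,7` and `@@ -110,7`), which is why this change had to edit it four times. Setting `ca_cert_path` in one place, for example a small helper that takes the cert/key basename and is called from each test, would keep the trust anchor identical across tests. A negative test could then not drift to a different CA file from the positive one. The test bodies continue outside these hunks, so whether anything else varies between the calls is not visible here.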