diff --git a/client/main.go b/client/main.go
index 7caaf0238..3adee90b3 100644
--- a/client/main.go
+++ b/client/main.go
@@ -54,7 +54,12 @@ func (o *ConnOptions) SetFlags(flagSet *pflag.FlagSet) {
 	flagSet.BoolVar(&o.Insecure, "insecure", false, "Run in insecure mode (no TLS)")
 }
 
-func fetchCert(url string) (credentials.TransportCredentials, error) {
+// This function is bad and ideally should be removed, but for now it moves all the bad into one place.
+// This is the legacy of packethost/cacher running behind an ingress that couldn't terminate TLS on behalf
+// of GRPC. All of this functionality should be ripped out in favor of either using trusted certificates
+// or moving the establishment of trust in the certificate out to the environment (or running in insecure mode
+// e.g. for development.)
+func grpcCredentialFromCertEndpoint(url string) (credentials.TransportCredentials, error) {
 	resp, err := http.Get(url)
 	if err != nil {
 		return nil, errors.Wrap(err, "fetch cert")
@@ -78,7 +83,7 @@ func fetchCert(url string) (credentials.TransportCredentials, error) {
 func NewClientConn(opt *ConnOptions) (*grpc.ClientConn, error) {
 	method := grpc.WithInsecure()
 	if !opt.Insecure {
-		creds, err := fetchCert(opt.CertURL)
+		creds, err := grpcCredentialFromCertEndpoint(opt.CertURL)
 		if err != nil {
 			return nil, err
 		}
@@ -115,7 +120,7 @@ func GetConnection() (*grpc.ClientConn, error) {
 	if certURL == "" {
 		return nil, errors.New("undefined TINKERBELL_CERT_URL")
 	}
-	creds, err := fetchCert(certURL)
+	creds, err := grpcCredentialFromCertEndpoint(certURL)
 	if err != nil {
 		return nil, err
 	}
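Review bot: The new doc comment on grpcCredentialFromCertEndpoint explains why the function exists but not the trust assumption every caller inherits: the credential that secures all later gRPC connections is whatever the unauthenticated `http.Get(url)` on the first body line returns, so the transport of the cert endpoint itself is the effective root of trust. Suggest starting the comment with the function name per Go convention and stating that explicitly, e.g. `// grpcCredentialFromCertEndpoint fetches the server certificate from url and builds TransportCredentials from it. The fetched certificate is trusted as-is, so url must be served over a channel the caller already trusts (TLS or an isolated network); this is not safe over untrusted plain HTTP.` Separately, `http.Get` uses http.DefaultClient with no timeout, so a stalled endpoint blocks connection setup indefinitely; `(&http.Client{Timeout: 10 * time.Second}).Get(url)` would bound it, though that needs a time import outside this hunk. The function body continues outside the hunk, and the other two hunks are call-site renames that need nothing.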