diff --git a/internal/controller/provider_controller.go b/internal/controller/provider_controller.go
index 4bf964420..d1b753b44 100644
--- a/internal/controller/provider_controller.go
+++ b/internal/controller/provider_controller.go
@@ -247,6 +247,12 @@ func (r *ProviderReconciler) validateCredentials(ctx context.Context, provider *
 return fmt.Errorf("failed to read secret, error: %w", err)
 }
 
+ switch secret.Type {
+ case corev1.SecretTypeOpaque, corev1.SecretTypeTLS, "":
+ default:
+ return fmt.Errorf("cannot use secret '%s' to get TLS certificate: invalid secret type: '%s'", secret.Name, secret.Type)
+ }
+
 caFile, ok := secret.Data["ca.crt"]
 if !ok {
 caFile, ok = secret.Data["caFile"]
diff --git a/internal/controller/provider_controller_test.go b/internal/controller/provider_controller_test.go
index 6195469ba..652156acb 100644
--- a/internal/controller/provider_controller_test.go
+++ b/internal/controller/provider_controller_test.go
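Review bot: The allowed-type set `Opaque, TLS, ""` introduced in validateCredentials is repeated verbatim in handleEvent (the event_handlers.go hunk), so the admission-time validation and the runtime check can drift apart the next time a type is added or removed; a single shared predicate such as `func isSupportedCertSecretType(t corev1.SecretType) bool { return t == corev1.SecretTypeOpaque || t == corev1.SecretTypeTLS || t == "" }` called from both places would keep them in agreement. The new error quotes with `'%s'`; `%q` is the Go idiom and also escapes a secret name that itself contains quotes, `return fmt.Errorf("cannot use secret %q to get TLS certificate: invalid secret type %q", secret.Name, secret.Type)`. The empty-string case is presumably for secrets created without an explicit Type (which the API server defaults to Opaque); a one-line comment on that case, `// "" covers objects whose Type was never set`, would save the next reader the question. validateCredentials starts and ends outside the hunk.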
@@ -306,4 +306,31 @@ func TestProviderReconciler_Reconcile_cacert(t *testing.T) {
 _, err = r.Reconcile(ctx, ctrl.Request{NamespacedName: client.ObjectKeyFromObject(provider)})
 g.Expect(err).NotTo(HaveOccurred())
 })
+
+ t.Run("returns error with certSecretRef of the wrong type", func(t *testing.T) {
+ g := NewWithT(t)
+
+ dockerSecret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "docker-secret",
+ Namespace: providerKey.Namespace,
+ },
+ Type: corev1.DockerConfigJsonKey,
+ }
+ g.Expect(k8sClient.Create(context.Background(), dockerSecret)).To(Succeed())
+
+ clusterProvider := &apiv1beta2.Provider{}
+ g.Expect(k8sClient.Get(context.Background(), client.ObjectKeyFromObject(provider), clusterProvider)).To(Succeed())
+
+ patchHelper, err := patch.NewHelper(clusterProvider, k8sClient)
+ g.Expect(err).ToNot(HaveOccurred())
+ clusterProvider.Spec.CertSecretRef = &meta.LocalObjectReference{
+ Name: dockerSecret.Name,
+ }
+ g.Expect(patchHelper.Patch(context.Background(), clusterProvider)).ToNot(HaveOccurred())
+
+ _, err = r.Reconcile(ctx, ctrl.Request{NamespacedName: client.ObjectKeyFromObject(provider)})
+ g.Expect(err).To(HaveOccurred())
+ g.Expect(err.Error()).To(ContainSubstring("invalid secret type"))
+ })
 }
diff --git a/internal/server/event_handlers.go b/internal/server/event_handlers.go
index efb48692e..b0a57227f 100644
--- a/internal/server/event_handlers.go
+++ b/internal/server/event_handlers.go
@@ -205,6 +205,14 @@ func (s *EventServer) handleEvent() func(w http.ResponseWriter, r *http.Request)
 continue
 }
 
+ switch secret.Type {
+ case corev1.SecretTypeOpaque, corev1.SecretTypeTLS, "":
+ default:
+ alertLogger.Error(nil, "cannot use secret '%s' to get TLS certificate: invalid secret type: '%s'",
+ secret.Name, secret.Type)
+ continue
+ }
+
 caFile, ok := secret.Data["ca.crt"]
 if !ok {
 caFile, ok = secret.Data["caFile"]
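Review bot: The new subtest sets `Type: corev1.DockerConfigJsonKey`, which is the data-key constant `.dockerconfigjson` rather than a Secret type, so the secret it creates has a Type no real cluster produces; the assertion still passes because anything outside Opaque/TLS/empty is rejected, but the fixture reads as a typo and does not cover the realistic case. The type constant is `Type: corev1.SecretTypeDockerConfigJson,`; if the test apiserver applies Secret validation, that type also needs its key present, e.g. `Data: map[string][]byte{corev1.DockerConfigJsonKey: []byte("{}")},`. The created secret and the patched CertSecretRef are not reverted when the subtest ends, which may influence later subtests in this function — hedged, since the earlier subtests are outside the hunk and may follow the same pattern. TestProviderReconciler_Reconcile_cacert's body starts outside the hunk.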
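Review bot: In handleEvent the new `alertLogger.Error(nil, "cannot use secret '%s' to get TLS certificate: invalid secret type: '%s'", secret.Name, secret.Type)` hands printf verbs to a logger whose `(err, msg, keysAndValues...)` shape suggests logr, which does not format: the message is emitted with the literal `%s` placeholders and the two trailing arguments are interpreted as an odd-length key/value list, so the secret name and type end up missing or under a placeholder key. Pass them as structured fields instead, `alertLogger.Error(nil, "cannot use secret to get TLS certificate: invalid secret type", "secret", secret.Name, "type", secret.Type)`, which also keeps the log line aligned with the controller-side error in provider_controller.go while following the logger's contract. handleEvent's body starts and ends outside the hunk.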