diff --git a/internal/controller/apisixtls_controller.go b/internal/controller/apisixtls_controller.go
index d854fdde..eeda370d 100644
--- a/internal/controller/apisixtls_controller.go
+++ b/internal/controller/apisixtls_controller.go
@@ -248,7 +248,7 @@ func (r *ApisixTlsReconciler) listApisixTlsForSecret(ctx context.Context, obj cl
 		ctx,
 		r.Client,
 		r.Log,
-		&apiv2.ApisixConsumerList{},
+		&apiv2.ApisixTlsList{},
 		client.MatchingFields{
 			indexer.SecretIndexRef: indexer.GenIndexKey(secret.GetNamespace(), secret.GetName()),
 		},
diff --git a/test/e2e/crds/v2/tls.go b/test/e2e/crds/v2/tls.go
index ef4acba0..8599cca3 100644
--- a/test/e2e/crds/v2/tls.go
+++ b/test/e2e/crds/v2/tls.go
@@ -146,6 +146,27 @@ spec:
 				WithHost("api6.com").
 				Expect().
 				Status(200)
+
+			err = s.NewKubeTlsSecret("test-tls-secret", framework.TestCert, framework.TestKey)
+			Expect(err).NotTo(HaveOccurred(), "updating TLS secret")
+
+			Eventually(func() error {
+				tlss, err := s.DefaultDataplaneResource().SSL().List(context.Background())
+				if err != nil {
+					return err
+				}
+				if len(tlss) != 1 {
+					return fmt.Errorf("expected 1 tls, got %d", len(tls))
+				}
+				certs := tlss[0].Certificates
+				if len(certs) != 1 {
+					return fmt.Errorf("expected 1 certificate, got %d", len(certs))
+				}
+				if !strings.Contains(certs[0].Certificate, framework.TestCert) {
+					return fmt.Errorf("certificate not updated yet")
+				}
+				return nil
+			}).WithTimeout(30*time.Second).ProbeEvery(1*time.Second).ShouldNot(HaveOccurred(), "tls secret updated in dataplane")
 		})
 
 		It("ApisixTls with mTLS test", func() {