diff --git a/roles/services/templates/traefik/dynamic/routes.yml.j2 b/roles/services/templates/traefik/dynamic/routes.yml.j2
index 6f49a70..e90a531 100644
--- a/roles/services/templates/traefik/dynamic/routes.yml.j2
+++ b/roles/services/templates/traefik/dynamic/routes.yml.j2
@@ -1,18 +1,8 @@
 # Traefik dynamic routing config — generated by Ansible
 # Do not edit manually; re-run ansible-playbook deploy.yml
 
-# ── Wildcard TLS certificate via Cloudflare DNS-01 ────────────────────────────
-# One cert covers ALL *.csrx.ru subdomains + root csrx.ru.
-# Adding a new service = zero cert wait time, Traefik reuses this cert.
-tls:
-  stores:
-    default:
-      defaultGeneratedCert:
-        resolver: letsencrypt
-        domain:
-          main: "*.{{ domain_base }}"
-          sans:
-            - "{{ domain_base }}"
+# NOTE: wildcard cert (*.csrx.ru) будет включён после переноса NS на Cloudflare.
+# Тогда переключим ACME на dnsChallenge и добавим tls.stores.default.defaultGeneratedCert
 
 http:
   routers:
diff --git a/roles/services/templates/traefik/traefik.yml.j2 b/roles/services/templates/traefik/traefik.yml.j2
index 5a72160..9511cdf 100644
--- a/roles/services/templates/traefik/traefik.yml.j2
+++ b/roles/services/templates/traefik/traefik.yml.j2
@@ -93,12 +93,9 @@ certificatesResolvers:
   acme:
     email: "{{ acme_email }}"
     storage: /acme/acme.json
-    dnsChallenge:
-      provider: cloudflare
-      # Use Cloudflare DNS resolvers to avoid propagation delays
-      resolvers:
-        - "1.1.1.1:53"
-        - "1.0.0.1:53"
+    # TODO: switch to dnsChallenge after Cloudflare NS propagation
+    httpChallenge:
+      entryPoint: web
 
 providers:
   file:
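Review bot: The two comment lines added in routes.yml.j2 are in Russian while every other comment in this template (and the removed block) is in English, so the reason the wildcard certificate was dropped is lost on readers of the rest of the file; suggest an English comment such as `# NOTE: wildcard cert for *.{{ domain_base }} is disabled until NS moves to Cloudflare; then switch ACME to dnsChallenge and restore tls.stores.default.defaultGeneratedCert`. The new comment also hardcodes `*.csrx.ru` where the removed config used `{{ domain_base }}`, so it goes stale if that variable changes. With `tls.stores.default.defaultGeneratedCert` gone, any router that does not set its own `tls.certResolver` will be served with Traefik's built-in self-signed certificate rather than an ACME one; the `http.routers` section where that would be visible begins at the last line of the hunk, so each router there should be checked for `certResolver: letsencrypt`.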
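Review bot: The new `httpChallenge` with `entryPoint: web` in traefik.yml.j2 only works if the `web` entrypoint is reachable on port 80 from the ACME CA for every hostname being issued, and HTTP-01 cannot issue the wildcard the other template's comment refers to, so each new subdomain now waits for its own issuance; nothing in the hunk shows whether `web` is exposed and unfiltered, so the added comment should record the requirement, e.g. `# httpChallenge needs entryPoint web (port 80) reachable from the internet; HTTP-01 cannot issue wildcards`. The TODO carries no tracking reference; naming the issue or ticket that tracks the NS move would keep the switch back to dnsChallenge from being forgotten. The dropped `resolvers` list was only meaningful for dnsChallenge, so nothing else in the hunk needs restoring. The enclosing `certificatesResolvers` mapping starts before this hunk.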