diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 8fc02e9..67ceb3d 100644 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -5,10 +5,7 @@ deploy_dir: /var/www/e-auth auth_domain: auth.e-cosplay.fr keycloak_local_port: 9450 -# Caddy (assumed already installed with the caddy-dns/cloudflare plugin -# and configured to load per-site files from /etc/caddy/sites/*.conf) +# Caddy (assumed already installed and configured to load per-site +# files from /etc/caddy/sites/*.conf). TLS is handled by Caddy's +# default ACME flow (HTTP-01 / TLS-ALPN), no Cloudflare DNS plugin. caddy_site_file: /etc/caddy/sites/e-auth.conf - -# Cloudflare API token consumed by the caddy-dns/cloudflare plugin -# for the ACME DNS-01 challenge. -cloudflare_token: cfat_rIHZqzCm9GKK3xVnQDNGfu6J91TseIDdTKeuWSFUdf6ccd31 diff --git a/ansible/templates/e-auth.conf.j2 b/ansible/templates/e-auth.conf.j2 index 17e3444..ba73312 100644 --- a/ansible/templates/e-auth.conf.j2 +++ b/ansible/templates/e-auth.conf.j2 @@ -2,10 +2,6 @@ # Reverse proxy for {{ auth_domain }} -> local Keycloak container on :{{ keycloak_local_port }} {{ auth_domain }} { - tls { - dns cloudflare {{ cloudflare_token }} - } - encode gzip zstd reverse_proxy 127.0.0.1:{{ keycloak_local_port }}
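Review bot: Deleting the `cloudflare_token` line at the end of the `group_vars/all.yml` hunk only takes the value out of the working tree; it was committed in plaintext, so it stays readable in the repository history and in this diff, and it should be treated as exposed and revoked at Cloudflare rather than merely removed. Nothing in the change records that step, so the commit description or a follow-up should say the token was revoked. To stop the pattern recurring, add a comment beside the remaining variables, for example `# No secrets in this file: keep credentials in Ansible Vault or an external secret store.` The rewritten Caddy comment also implies a deployment requirement worth stating there, presumably that ports 80 and 443 for `auth_domain` are reachable by the ACME CA, since HTTP-01 and TLS-ALPN cannot complete otherwise.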