diff --git a/files/snster-kaz/hoster-b/kaz2/kaz.sh b/files/snster-kaz/hoster-b/kaz2/kaz.sh index eea1d65..76cee01 100644 --- a/files/snster-kaz/hoster-b/kaz2/kaz.sh +++ b/files/snster-kaz/hoster-b/kaz2/kaz.sh @@ -33,6 +33,9 @@ export DebugLog="${OUTPUT_DIR}/log/log-kaz-$(date +%y-%m-%d-%T)-" cp "${DIR}/kaz-config/container-${type}.list" /kaz/config/ done + # copie certif de la CA locale pour traefik (nécessaire pour ACME/Smallstep) + cp /usr/local/share/ca-certificates/root_ca.crt /kaz/dockers/traefik/conf/ + echo -e "\n #### secretGen\n" /kaz/bin/secretGen.sh diff --git a/files/snster-kaz/hoster-b/kaz2/provision.sh b/files/snster-kaz/hoster-b/kaz2/provision.sh index 68e6b20..aa3fd86 100644 --- a/files/snster-kaz/hoster-b/kaz2/provision.sh +++ b/files/snster-kaz/hoster-b/kaz2/provision.sh @@ -55,13 +55,12 @@ echo "export SNSTERGUARD='true'" >> /root/.bashrc # On place les certifs -if [ -f tls/root_ca.crt ]; then - cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/ - /usr/sbin/update-ca-certificates --fresh -fi -if [ -d letsencrypt ]; then - cp -ar letsencrypt /etc/ -fi +cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/ +/usr/sbin/update-ca-certificates --fresh + +mkdir -p /etc/letsencrypt/live/kaz.sns +cp tls/wildcard.crt /etc/letsencrypt/live/kaz.sns/fullchain.pem +cp tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem # On sauve le proxy APT proxy=$(/sbin/ip route | awk '/default/ { print $3 }' | head -1) diff --git a/files/snster-kaz/isp-a/home/provision.sh b/files/snster-kaz/isp-a/home/provision.sh index 9db8a76..c02003f 100644 --- a/files/snster-kaz/isp-a/home/provision.sh +++ b/files/snster-kaz/isp-a/home/provision.sh @@ -24,7 +24,7 @@ fi # On place les certifs if [ -f tls/root_ca.crt ]; then - cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/ + cp -ar tls/root_ca.crt /usr/local/share/ca-certificates/root.crt /usr/sbin/update-ca-certificates --fresh fi 
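Review bot: The added `cp /usr/local/share/ca-certificates/root_ca.crt /kaz/dockers/traefik/conf/` assumes the CA was installed under exactly that name and never checks the result; kaz2/provision.sh in this commit does keep `root_ca.crt`, but the isp-a/home hunk switches the same CA to `root.crt`, so the name is now host-specific and easy to break when someone aligns the two later. Whether a failed `cp` stops kaz.sh depends on shell options set outside the hunk, so the failure is worth making explicit: `cp -- /usr/local/share/ca-certificates/root_ca.crt /kaz/dockers/traefik/conf/ || { echo "local CA cert for traefik missing" >&2; exit 1; }` surfaces a missing CA at provisioning time instead of as a trust error during ACME later. The comment above it could also name the coupling, e.g. `# path must match the CA installed by kaz2/provision.sh`.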
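Review bot: `cp tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem` installs a private key that vm-provision.sh writes unencrypted (`--no-password --insecure`) without setting its mode, so the result depends on the mode of the staged `tls/` copy and on the umask; `install -m 0600 tls/wildcard.key /etc/letsencrypt/live/kaz.sns/privkey.pem` pins it. The two certificate copies have the opposite concern: `cp -ar` carries the source's owner and mode into the system trust store and into /etc/letsencrypt, and the `chmod 644 /root/tls/root_ca.crt` added in the vm-provision.sh hunk suggests that mode has already bitten once, so `install -m 0644` for `root_ca.crt` and `fullchain.pem` removes that dependency (the same `cp -ar` pattern is in the isp-a/home/provision.sh hunk). Dropping the `if [ -f tls/root_ca.crt ]` and `if [ -d letsencrypt ]` guards means a missing file now makes `cp` fail, which is the right behaviour for a provisioner, but whether it aborts the script depends on a `set -e` outside the hunk, so `|| exit 1` on these lines would make it deterministic.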
@@ -33,7 +33,7 @@ echo -e '{ "policies": { "Certificates": { "ImportEnterpriseRoots": true, - "Install": ["/etc/ssl/certs/root_ca.pem"] + "Install": ["/etc/ssl/certs/root.pem"] } } }' > /usr/lib/firefox-esr/distribution/policies.json diff --git a/files/snster-kaz/mica/infra/provision.sh b/files/snster-kaz/mica/infra/provision.sh index efd4725..0f7153e 100644 --- a/files/snster-kaz/mica/infra/provision.sh +++ b/files/snster-kaz/mica/infra/provision.sh @@ -28,7 +28,7 @@ wget "https://dl.smallstep.com/gh-release/certificates/gh-release-header/v0.24.2 dpkg -i step-ca_0.24.2_amd64.deb echo "password" > /root/ca-passwordfile -step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca_key" +step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" --root="${DIR}/tls/root_ca.crt" --key "${DIR}/tls/root_ca.key" echo -e '#!/bin/sh\nstep-ca --password-file /root/ca-passwordfile' >> /etc/rc.local chmod +x /etc/rc.local diff --git a/files/vm-provision.sh b/files/vm-provision.sh index ad1e8ed..9ac0e53 100755 --- a/files/vm-provision.sh +++ b/files/vm-provision.sh 
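Review bot: `"Install": ["/etc/ssl/certs/root.pem"]` only resolves because `update-ca-certificates` in the earlier hunk of this file derives the `/etc/ssl/certs/<name>.pem` link from the `root.crt` basename it is given; that coupling between two hunks is invisible in the JSON. A comment on the `cp` line in the earlier hunk, `# name matters: update-ca-certificates exposes this as /etc/ssl/certs/root.pem, which policies.json below references`, would keep the two in step when the file is renamed again (this commit already renamed it once from `root_ca`). Note also that the kaz2 hoster hunk keeps the `root_ca.crt` name, so the two hosts now name the same CA differently.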
@@ -153,11 +153,12 @@ EOF step ca init --deployment-type=standalone --name="Kaz CA" --dns="ca.mica.sns" --acme --address=":443" --provisioner="contact@kaz.sns" --password-file="/root/ca-passwordfile" mkdir -p /root/tls - cp /root/.step/certs/root_ca.crt /root/tls/ - cp /root/.step/secrets/root_ca_key /root/tls/ - step crypto change-pass /root/tls/root_ca_key --no-password --insecure --password-file="/root/ca-passwordfile" --force + cp /root/.step/certs/root_ca.crt /root/tls/root_ca.crt + chmod 644 /root/tls/root_ca.crt + cp /root/.step/secrets/root_ca_key /root/tls/root_ca.key + step crypto change-pass /root/tls/root_ca.key --no-password --insecure --password-file="/root/ca-passwordfile" --force - step certificate create "*.kaz.sns" /root/tls/wildcard.crt /root/tls/wildcard.key --profile leaf --ca /root/.step/certs/intermediate_ca.crt --ca-key /root/.step/secrets/intermediate_ca_key --ca-password-file /root/ca-passwordfile --bundle --force --no-password --insecure + step certificate create "*.kaz.sns" /root/tls/wildcard.crt /root/tls/wildcard.key --profile leaf --ca /root/.step/certs/intermediate_ca.crt --ca-key /root/.step/secrets/intermediate_ca_key --ca-password-file /root/ca-passwordfile --bundle --force --no-password --insecure --not-after 20000h # Cache docker registry echo "proxy:
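Review bot: `cp /root/.step/secrets/root_ca_key /root/tls/root_ca.key` followed by `step crypto change-pass ... --no-password --insecure` leaves the root CA private key unencrypted in /root/tls with only whatever mode `cp` inherited, while the certificate next to it gets an explicit `chmod 644`; add `chmod 600 /root/tls/root_ca.key` and the same for `/root/tls/wildcard.key`, which `step certificate create ... --no-password --insecure` also writes unencrypted, so the key modes do not depend on how step and the umask happened to create them. The `--not-after 20000h` appended to the wildcard leaf gives it roughly 2.3 years of validity; since the kaz2/provision.sh hunk in this commit installs that cert as a static fullchain.pem/privkey.pem under /etc/letsencrypt, a comment such as `# wildcard leaf valid ~2.3 years (20000h); re-provision before it expires` would document an expiry that is otherwise invisible. These lines are indented, so the block they belong to starts before the hunk.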