diff --git a/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml b/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml
index fd22692..7acb80a 100644
--- a/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml
+++ b/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml
@@ -11,7 +11,8 @@ spec:
 privateKeySecretRef:
 name: letsencrypt-prod-account-key
 solvers:
- # DNS-01 — Cloudflare token covers pcenicni.dev only. Requires Secret cloudflare-dns-api-token in cert-manager.
+ # DNS-01 — Cloudflare token must have Zone.Read + DNS.Edit for BOTH pcenicni.dev AND nikflix.ca.
+ # Edit the token in Cloudflare → My Profile → API Tokens to add nikflix.ca zone permissions.
 - dns01:
 cloudflare:
 apiTokenSecretRef:
@@ -20,8 +21,4 @@ spec:
 selector:
 dnsZones:
 - pcenicni.dev
- # HTTP-01 fallback — used for all other zones (e.g. nikflix.ca via Pangolin → Newt → Traefik).
- # Requires a Pangolin HTTP resource + target for each hostname before LE can reach /.well-known/acme-challenge/.
- - http01:
- ingress:
- ingressClassName: traefik
+ - nikflix.ca
diff --git a/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml b/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml
index 317b4a7..b85c2a8 100644
--- a/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml
+++ b/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml
@@ -19,6 +19,4 @@ spec:
 selector:
 dnsZones:
 - pcenicni.dev
- - http01:
- ingress:
- ingressClassName: traefik
+ - nikflix.ca
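Review bot: The new DNS-01 comment in the prod issuer asks for Zone.Read + DNS.Edit on both zones but does not say how narrowly the token should be scoped, so a token re-issued with DNS.Edit on all zones would satisfy the comment while over-privileging whatever the `cloudflare-dns-api-token` Secret holds, and nothing in the hunk mentions updating that Secret once the token is edited. The removed comment says the current token covers pcenicni.dev only, so until the Secret is refreshed DNS-01 for nikflix.ca will presumably fail at the challenge step rather than at apply time. I would extend the comment with `# Restrict the token's Zone Resources to exactly these two zones, not "All zones".` and `# After editing the token, update Secret cloudflare-dns-api-token in cert-manager; the existing token cannot edit nikflix.ca records.` The apiTokenSecretRef mapping continues below the hunk.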
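Review bot: Removing the http01 solver leaves the prod ClusterIssuer with a single DNS-01 solver whose selector covers only pcenicni.dev and nikflix.ca, so any Certificate or ingress-shim annotation that references this issuer for a hostname outside those two zones will no longer have a matching solver and will stay unissued; the staging hunk makes the same change. The removed comment says HTTP-01 was the path for Pangolin-fronted hostnames, so any such resources still in the cluster would need migrating before this merges, and existing certificates issued that way will fail at renewal rather than immediately. If the narrowing is intended, a comment on the dnsZones list such as `# Only these zones can be issued; a hostname in any other zone needs its own solver entry` would make the constraint explicit to the next person adding a Certificate. The solvers list begins above both hunks.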