diff --git a/.woodpecker.yml b/.woodpecker.yml
index 8c70d47..534aaef 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -51,15 +51,14 @@ steps:
       - cd /opt/dtrack && docker compose config
       - echo "=== pull ==="
       - cd /opt/dtrack && docker compose pull --no-parallel
-      - echo "=== up ==="
-      - cd /opt/dtrack && docker compose up -d --remove-orphans
-      - cd /opt/dtrack && docker compose ps
       - |
-        PROJECT=$(grep '^COMPOSE_PROJECT_NAME=' /opt/dtrack/.env | cut -d= -f2)
         DOMAIN=$(grep '^DTRACK_DOMAIN=' /opt/dtrack/.env | cut -d= -f2)
 
-        # --- Certificat TLS (acme.sh via sonic-acme-1) ---
-        # Exit 0 = emis/renouvele, exit 2 = skip (domaine inchange), autres = erreur
+        # --- Certificat TLS AVANT docker compose up ---
+        # Doit tourner avant que Registrator enregistre les conteneurs dans Fabio :
+        # la route Registrator dtrack.syoul.fr/* prendrait sinon le dessus sur la route
+        # globale */.well-known/acme-challenge/* utilisee par acme.sh
+        # Exit 0 = emis/renouvele, exit 2 = skip (cert valide), autres = erreur
         ACME_EXIT=0
         docker exec sonic-acme-1 /app/acme.sh \
           --home /etc/acme.sh \
@@ -74,8 +73,10 @@ steps:
         docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
         docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
         echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"
-
-        # Fabio routing gere automatiquement par Registrator via les labels SERVICE_* du compose
+      - echo "=== up ==="
+      - cd /opt/dtrack && docker compose up -d --remove-orphans
+      - cd /opt/dtrack && docker compose ps
+      # Fabio routing gere automatiquement par Registrator via les labels SERVICE_* du compose
 
   # TEST deploy : verifie que les conteneurs sont running
   # NOTE: pas de ${VAR} (substitue par Woodpecker) — utiliser $VAR sans accolades