diff --git a/.woodpecker.yml b/.woodpecker.yml
index 7f91682..ae90560 100644
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@@ -57,9 +57,12 @@ steps:
 - echo "Fichier .env.deploy cree ($(wc -c < .env.deploy) octets)"
 - env | grep '^CONSUL_TOKEN=' | cut -d= -f2- > .consul_token
- # Etape 3b : Deploiement sur sonic via Docker socket + enregistrement Consul
- # Le token est lu depuis .consul_token (ecrit par write-env) car
+ # Etape 3b : Deploiement sur sonic via Docker socket
+ # Le token Consul est lu depuis .consul_token (ecrit par write-env) car
 # volumes + from_secret = secrets vides (bug Woodpecker next)
+ #
+ # Modele pipeline sonic : cette etape est generique pour tout service deploye sur sonic.
+ # Elle gere : deploy Docker Compose + cert TLS (acme.sh) + Consul + Fabio KV
 - name: deploy
 image: docker:27-cli
 volumes:
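Review bot: The new header comment `# Modele pipeline sonic : cette etape est generique pour tout service deploye sur sonic.` overstates what the step does: the recipe in the next hunk hard-codes `prestashop` in `docker inspect`, in the Consul service name and in the Fabio routes, and reads the domain from `/opt/prestashop/.env`, so it is a template to copy and adapt rather than something reusable as-is. I would reword it to `# Modele pipeline sonic : etape de reference a dupliquer pour chaque service (noms, chemins et routes a adapter)` so a reader does not expect it to work unchanged for another service. As far as I can tell from the visible lines, `consul kv put fabio/config` also replaces the whole key, so a second service following this pattern would drop the first one's routes; that limitation belongs in the comment too.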
@@ -76,9 +79,29 @@ steps:
 CONTAINER_IP=$(docker inspect prestashop --format '{{.NetworkSettings.Networks.sonic.IPAddress}}')
 DOMAIN=$(grep '^PS_DOMAIN=' /opt/prestashop/.env | cut -d= -f2)
 CTOK=$(cat $CI_WORKSPACE/.consul_token)
+
+ # --- Certificat TLS (acme.sh via sonic-acme-1) ---
+ # acme.sh est idempotent : skip si cert valide, renouvelle si proche expiration
+ # Exit 0 = emis/renouvele, exit 2 = skip (domaine inchange), autres = erreur
+ docker exec sonic-acme-1 /app/acme.sh \
+ --issue -d "$DOMAIN" \
+ --webroot /usr/share/nginx/html \
+ --server letsencrypt \
+ --accountemail support+acme@asycn.io; ACME_EXIT=$?
+ if [ "$ACME_EXIT" -ne 0 ] && [ "$ACME_EXIT" -ne 2 ]; then
+ echo "ERREUR: acme.sh a echoue (exit $ACME_EXIT)"
+ exit 1
+ fi
+ docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/fullchain.cer /host/certs/$DOMAIN-cert.pem
+ docker exec sonic-acme-1 cp /etc/acme.sh/$DOMAIN/$DOMAIN.key /host/certs/$DOMAIN-key.pem
+ echo "Cert TLS: /host/certs/$DOMAIN-cert.pem OK (acme exit $ACME_EXIT)"
+
+ # --- Enregistrement Consul ---
 docker exec sonic-consul env CONSUL_HTTP_TOKEN="$CTOK" consul services register \
 -address "$CONTAINER_IP" -port 80 -name prestashop -tag "urlprefix-$DOMAIN/"
 echo "Consul: prestashop -> $CONTAINER_IP:80 urlprefix-$DOMAIN/"
+
+ # --- Routes Fabio KV (HTTP + HTTPS) ---
 ROUTES=$(printf 'route add prestashop %s/ http://%s:80/\nroute add prestashop %s:443/ http://%s:80/' "$DOMAIN" "$CONTAINER_IP" "$DOMAIN" "$CONTAINER_IP")
 docker exec sonic-consul env CONSUL_HTTP_TOKEN="$CTOK" consul kv put fabio/config "$ROUTES"
 echo "Fabio KV: routes HTTP+HTTPS $DOMAIN -> $CONTAINER_IP:80"
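Review bot: `ACME_EXIT=$?` after the `docker exec sonic-acme-1 /app/acme.sh … ;` command only captures the status if the commands block is not running under `set -e`; as far as I know Woodpecker's generated script does enable `-e`, in which case the documented exit 2 ("skip") aborts the step before the `if` is reached and the deploy fails on every run where the cert is still valid. Initialise and capture with `||` so it works either way: `ACME_EXIT=0` on the line before the command and `--accountemail support+acme@asycn.io || ACME_EXIT=$?` as its last line. The two `cp` lines interpolate `$DOMAIN` unquoted inside paths; since it is read from a file rather than a literal, quote it (`"/etc/acme.sh/$DOMAIN/fullchain.cer" "/host/certs/$DOMAIN-cert.pem"`) so an empty value or stray whitespace cannot resolve to a different path. The private key lands in `/host/certs/$DOMAIN-key.pem` with whatever mode `cp` gives it; a `chmod 600` on it right after the copy would keep it readable only by the service that needs it. The enclosing commands block starts before this hunk.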