diff --git a/deploy/nginx/README-ia-enso.md b/deploy/nginx/README-ia-enso.md index ce85a78..74fdf25 100644 --- a/deploy/nginx/README-ia-enso.md +++ b/deploy/nginx/README-ia-enso.md @@ -39,9 +39,24 @@ Si `IA_ENSO_OLLAMA_BEARER_TOKEN` est absent, le script génère un token hex (af ### Prérequis sur le proxy - `http { include /etc/nginx/conf.d/*.conf; ... }` dans `/etc/nginx/nginx.conf` (sinon le script échoue avec un message explicite). -- **Certificats** Let’s Encrypt pour `ia.enso.4nkweb.com` **déjà présents** aux chemins du fichier site (`/etc/letsencrypt/live/ia.enso.4nkweb.com/fullchain.pem` et `privkey.pem`) — sans cela `nginx -t` échoue ; voir section TLS / certbot **avant** le premier déploiement. +- **Certificats** Let’s Encrypt pour `ia.enso.4nkweb.com` aux chemins du fichier site (`/etc/letsencrypt/live/ia.enso.4nkweb.com/fullchain.pem` et `privkey.pem`). Sans eux, le bloc `listen 443` fait échouer `nginx -t` : voir **Bootstrap TLS** ci-dessous. - **`sudo` non interactif** pour `nginx` et `systemctl reload nginx`. +### Bootstrap TLS (première fois, `nginx -t` impossible) + +1. DNS : `ia.enso.4nkweb.com` doit résoudre vers l’entrée publique qui atteint ce proxy (HTTP port 80). +2. Sur le proxy : + +```bash +sudo install -d -m 0755 /var/www/certbot +# Remplacer temporairement le vhost par HTTP seul (fichier dans le dépôt : sites/ia.enso.4nkweb.com.http-only.conf) +sudo cp /chemin/smart_ide/deploy/nginx/sites/ia.enso.4nkweb.com.http-only.conf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf +sudo nginx -t && sudo systemctl reload nginx +sudo certbot certonly --webroot -w /var/www/certbot -d ia.enso.4nkweb.com --non-interactive --agree-tos --register-unsafely-without-email +``` + +3. Déployer la config complète : `./deploy/nginx/deploy-ia-enso-to-proxy.sh` (rétablit HTTPS + upstreams). + ### Fichiers installés par le script | Chemin sur le proxy | Rôle | 
diff --git a/deploy/nginx/sites/ia.enso.4nkweb.com.http-only.conf b/deploy/nginx/sites/ia.enso.4nkweb.com.http-only.conf new file mode 100644 index 0000000..64acb60 --- /dev/null +++ b/deploy/nginx/sites/ia.enso.4nkweb.com.http-only.conf @@ -0,0 +1,15 @@ +# Temporary: HTTP only for initial Let's Encrypt webroot challenge. +# Replace with ia.enso.4nkweb.com.conf after cert exists under live/ia.enso.4nkweb.com/. + +server { + listen 80; + server_name ia.enso.4nkweb.com; + + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$host$request_uri; + } +} diff --git a/docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md b/docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md index 6290760..ba4fdd7 100644 --- a/docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md +++ b/docs/features/ia-enso-nginx-proxy-ollama-anythingllm.md @@ -26,7 +26,8 @@ Expose Ollama and AnythingLLM on the public proxy hostname with HTTPS, path pref | `deploy/nginx/http-maps/ia-enso-ollama-bearer.map.conf.example` | Example Bearer `map` (manual install) | | `deploy/nginx/http-maps/websocket-connection.map.conf.example` | Example WebSocket `map` (manual install) | | `deploy/nginx/deploy-ia-enso-to-proxy.sh` | SSH deploy: maps + site, `nginx -t`, reload; Bearer-only retry if websocket `map` already exists | -| `deploy/nginx/README-ia-enso.md` | **Operator reference:** automated + manual steps, env vars, checks, troubleshooting | +| `deploy/nginx/sites/ia.enso.4nkweb.com.http-only.conf` | Temporary HTTP-only vhost for first Let’s Encrypt `webroot` issuance when `live/ia.enso…` is missing | +| `deploy/nginx/README-ia-enso.md` | **Operator reference:** automated + manual steps, env vars, checks, troubleshooting, TLS bootstrap | ## Deployment modalities
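Review bot: In the README-ia-enso.md hunk (Bootstrap TLS, step 2), the HTTP-only vhost is copied to `/etc/nginx/sites-available/ia.enso.4nkweb.com.conf` but nothing enables it: there is no `ln -s` into `sites-enabled`, and the stated prerequisite only guarantees `include /etc/nginx/conf.d/*.conf;`. On a proxy where the site has never been deployed, `nginx -t` will pass without loading the file and the webroot challenge will 404. Either add `sudo ln -sf /etc/nginx/sites-available/ia.enso.4nkweb.com.conf /etc/nginx/sites-enabled/` before the reload, or state that the bootstrap assumes the symlink (or an equivalent include) already exists. Also worth a caveat on `--register-unsafely-without-email`: it suppresses Let's Encrypt expiry and revocation notices, so either pass `-m <ops address>` or note explicitly that renewal monitoring is handled elsewhere.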
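Review bot: In the new `ia.enso.4nkweb.com.http-only.conf`, the header comment says to replace the file with the full vhost once the certificate exists, but `certbot certonly --webroot` records the webroot authenticator and `/var/www/certbot` in the renewal config, so every renewal will again request `http://ia.enso.4nkweb.com/.well-known/acme-challenge/...` on port 80. Add a sentence to the comment (and to the README) stating that the full vhost must keep a `listen 80` block with the same `location /.well-known/acme-challenge/ { root /var/www/certbot; }` ahead of the 301 redirect, otherwise the first renewal fails once this temporary file is gone. The `return 301 https://$host$request_uri;` is fine for bootstrap, but note that during this phase nothing listens on 443, so clients get a redirect to a closed port; a short comment saying so avoids confusion when operators test with `curl` mid-bootstrap.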