diff --git a/README.md b/README.md index 2a71d90..b845d48 100644 --- a/README.md +++ b/README.md @@ -32,15 +32,16 @@ 3. Insert the secret: `abra app secret insert usersfile v1 -f usersfile 4. Redploy your app: `abra app deploy -f ` -## Configuring wildcard SSL using DNS +## Configuring SSL using DNS -Automatic certificate generation will Just Work™ for most recipes which use a fixed -number of subdomains. For some recipes which need to work across arbitrary +Automatic certificate generation will Just Work™ for most recipes which use a +fixed number of subdomains. If your server can't be reached from the Internet, +or if you're deploying a recipe that needs to work across arbitrary subdomains, like [`federatedwiki`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) and -[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/), you'll -need to give Traefik access to your DNS provider so that it can carry out -Letsencrypt DNS challenges. +[`go-ssb-room`](https://git.coopcloud.tech/coop-cloud/federatedwiki/) (requiring +the use of wildcard certificates,) you can give Traefik access to your DNS provider +so that it can carry out Letsencrypt DNS challenges. 1. Use Gandi, OVH, DO, Azure, or PorkBun for DNS 🤡 (support for other providers can be easily added, see diff --git a/abra.sh b/abra.sh index ac93525..9a1fab8 100644 --- a/abra.sh +++ b/abra.sh @@ -1,3 +1,3 @@ -export TRAEFIK_YML_VERSION=v30 +export TRAEFIK_YML_VERSION=v31 export FILE_PROVIDER_YML_VERSION=v12 export ENTRYPOINT_VERSION=v5 diff --git a/release/next b/release/next new file mode 100644 index 0000000..08d5a07 --- /dev/null +++ b/release/next @@ -0,0 +1 @@ +letsencrypt: Avoid HTTP-01 challenge if `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` is set, in order to rely on DNS-01 challenges for servers not exposed to the internet. diff --git a/traefik.yml.tmpl b/traefik.yml.tmpl index d51f7f8..0ad4a07 100644 --- a/traefik.yml.tmpl +++ b/traefik.yml.tmpl 
@@ -127,8 +127,10 @@ certificatesResolvers: email: {{ env "LETS_ENCRYPT_EMAIL" }} storage: /etc/letsencrypt/staging-acme.json caServer: "https://acme-staging-v02.api.letsencrypt.org/directory" + {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }} httpChallenge: entryPoint: web + {{- end }} {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }} dnsChallenge: provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }} @@ -140,8 +142,10 @@ certificatesResolvers: acme: email: {{ env "LETS_ENCRYPT_EMAIL" }} storage: /etc/letsencrypt/production-acme.json + {{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }} httpChallenge: entryPoint: web + {{- end }} {{- if eq (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }} dnsChallenge: provider: {{ (env "LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER") }}
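Review bot: in the README hunk, the added `go-ssb-room` link still points at the `federatedwiki` repository URL (`https://git.coopcloud.tech/coop-cloud/federatedwiki/`), so the rewritten line carries the broken link forward; fix the URL while touching this paragraph. The same paragraph should also state what `release/next` says, namely that setting `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED` now removes the HTTP-01 challenge from the resolver, so a reader knows that port 80 reachability stops being a requirement (and a fallback) once they enable DNS challenges. Minor: move the comma outside the parenthesis in "(requiring the use of wildcard certificates,)".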
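Review bot: in the first `traefik.yml.tmpl` hunk (staging resolver), the `{{- if ne (env "LETS_ENCRYPT_DNS_CHALLENGE_ENABLED") "1" }}` guard around `httpChallenge` and the existing `{{- if eq ... "1" }}` guard around `dnsChallenge` test the same variable with opposite conditions; collapse them into one `{{- if eq ... "1" }} dnsChallenge … {{- else }} httpChallenge … {{- end }}` block so the two branches cannot drift apart. Note also that the comparison is against the literal string `"1"`: a value such as `true` or `yes` keeps `httpChallenge` and silently emits no `dnsChallenge`, which on a server not exposed to the internet means certificate issuance fails without any template-level signal. Document the exact accepted value, or validate it in `abra.sh` alongside the `TRAEFIK_YML_VERSION` bump.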
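Review bot: in the second `traefik.yml.tmpl` hunk (production resolver), the new `{{- if ne ... "1" }}` / `{{- end }}` wrapper duplicates the staging hunk line for line; if the `if`/`else` refactor is applied, apply it here as well so staging and production resolvers keep identical challenge selection logic. Worth recording in the commit message or README: with this change a production deployment that sets `LETS_ENCRYPT_DNS_CHALLENGE_ENABLED=1` but has wrong `LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER` credentials no longer has an HTTP-01 path to fall back on, so operators should verify DNS-01 issuance against the staging resolver first before flipping production.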