diff --git a/roles/althost/tasks/main.yml b/roles/althost/tasks/main.yml
index a01a0e5..822a7d4 100644
--- a/roles/althost/tasks/main.yml
+++ b/roles/althost/tasks/main.yml
@@ -1,6 +1,16 @@
     # DOCKER CE this is specific for Debian
     # https://docs.docker.com/install/linux/docker-ce/debian/
     # Soporta Debian 12 (bookworm) y Debian 13 (trixie)
+
+    # Clean up conflicting Docker repositories first (always runs, even with --skip-tags=installation)
+    - name: remove old docker repository files to avoid APT conflicts
+      file:
+        path: "{{ item }}"
+        state: absent
+      loop:
+        - /etc/apt/sources.list.d/docker.list
+        - /etc/apt/sources.list.d/download_docker_com_linux_debian.list
+
     - block:
       - name: "unattended upgrades"
         apt:
diff --git a/roles/certbot/tasks/certbot.yml b/roles/certbot/tasks/certbot.yml
index 8b49fa7..8ef5339 100644
--- a/roles/certbot/tasks/certbot.yml
+++ b/roles/certbot/tasks/certbot.yml
@@ -10,9 +10,11 @@
       register: vhost_stat
 
     - set_fact:
-        needs_cert: (loop.ssl | default(domains_default_ssl) ) or (loop.force_https | default(domains_default_force_https))
-        needs_vhost: needs_cert and not vhost_stat.stat.exists
-        obtain_cert: needs_cert and not ssl_cert.stat.exists
+        needs_cert: "{{ ((loop.ssl | default(domains_default_ssl) | bool) or (loop.force_https | default(domains_default_force_https) | bool)) | bool }}"
+
+    - set_fact:
+        needs_vhost: "{{ (needs_cert | bool and not vhost_stat.stat.exists) | bool }}"
+        obtain_cert: "{{ (needs_cert | bool and not ssl_cert.stat.exists) | bool }}"
 
     - name: certificate obtention
       block:
@@ -36,7 +38,7 @@
             - reload proxy
           register: cert_result
 
-      when: obtain_cert
+      when: obtain_cert | bool
 
     # RESET
     - set_fact: