Merge branch 'main' of github.com:fosrl/docs-v2

self-host/advanced/container-cli-tool.mdx

@@ -124,3 +124,21 @@ This command permanently deletes the client and its associated data:
 
 This action cannot be undone. Ensure you have backups if needed.
 </Warning>
+
+## Generate Org CA Keys
+
+Generate an SSH CA public/private key pair for an organization and store them in the database. The private key is encrypted with the server secret.
+
+```bash
+docker exec -it pangolin pangctl generate-org-ca-keys --orgId "org-123"
+```
+
+### Options
+
+- `--orgId` (required): The organization ID
+- `--secret` (optional): Server secret used to encrypt the CA private key. If omitted, the secret is read from the config file (`config.yml` or `config.yaml` in the config directory).
+- `--force` (optional, default: `false`): Overwrite existing CA keys for the organization if they already exist
+
+<Warning>
+If the organization already has CA keys, the command fails unless you pass `--force`. Using `--force` overwrites the existing keys; ensure you have a backup or understand the impact before overwriting.
+</Warning>

self-host/advanced/wild-card-domains.mdx

@@ -255,6 +255,8 @@ Traefik supports most DNS providers. You can find a full list of supported provi
   - Check API token permissions and scope
   - Ensure DNS propagation has completed
   - Review provider-specific configuration
+  - If your DNS provider has a firewall in place, ensure it allows incoming DNS traffic (typically UDP on port **53**). Adding an ingress rule to permit such traffic may help resolve the issue, especially if the firewall is stateless.
+
 </Accordion>
 
 <Accordion title="Old certificates still being used">
@@ -262,4 +264,4 @@ Traefik supports most DNS providers. You can find a full list of supported provi
   
   **Solution**: Delete the `acme.json` file to force new certificate generation.
 </Accordion>
-</AccordionGroup>
+</AccordionGroup>