fix tls: use letsencrypt-prod cluster-issuer for jellyfin/n8n/qbittorrent/myorg/phoenix/fava

The ingresses referenced a Cloudflare OriginIssuer 'prod-issuer' whose CRD
and controller are not installed in the cluster, so cert-manager could not
issue certs and Traefik served a default cert (invalid SSL). Switch to the
existing letsencrypt-prod ClusterIssuer with specific hostnames + per-app
secrets, matching the working ingresses (http-01 cannot issue wildcards).

qbittorrent/ingress.yaml

@@ -7,14 +7,12 @@ metadata:
     kubernetes.io/ingress.class: "traefik"
     traefik.ingress.kubernetes.io/redirect-entry-point: https
     traefik.ingress.kubernetes.io/compress: "true"
-    cert-manager.io/issuer: prod-issuer
-    cert-manager.io/issuer-kind: OriginIssuer
-    cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
+    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   tls:
     - hosts:
-      - "*.rogi.casa"
-      secretName: rogicasa-tls
+      - qbittorrent.rogi.casa
+      secretName: qbittorrent-tls
   rules:
   - host: qbittorrent.rogi.casa
     http: