diff --git a/provision/base.sh b/provision/base.sh
index b3a197e9..f937e5a4 100755
--- a/provision/base.sh
+++ b/provision/base.sh
@@ -137,7 +137,7 @@ done
 EO_PKG_SECURITY
 }
-configure_ssl_dirs()
+configure_tls_dirs()
 {
 	if [ ! -d "$BASE_MNT/etc/ssl/certs" ]; then
 		mkdir -m 0644 "$BASE_MNT/etc/ssl/certs"
@@ -213,7 +213,7 @@ configure_base()
 	update_motd=NO
 	configure_pkg_latest "$BASE_MNT"
-	configure_ssl_dirs
+	configure_tls_dirs
 	configure_tls_dhparams
 	disable_cron_jobs
 	enable_security_periodic
diff --git a/provision/haproxy.sh b/provision/haproxy.sh
index b149a883..abfe566d 100755
--- a/provision/haproxy.sh
+++ b/provision/haproxy.sh
@@ -82,7 +82,7 @@ defaults
 frontend http-in
 	#mode tcp
 	bind :::80 v4v6 alpn http/1.1
-	bind :::443 v4v6 alpn http/1.1 ssl crt /etc/ssl/private crt /data/etc/tls.d
+	bind :::443 v4v6 alpn http/1.1 ssl crt /data/etc/tls.d
 	# ciphers AES128+EECDH:AES128+EDH
 	http-request set-header X-Forwarded-Proto https if { ssl_fc }
@@ -329,20 +329,16 @@ EO_OCSP
 configure_haproxy_tls()
 {
-	if [ ! -f "$STAGE_MNT/etc/ssl/private/server.pem" ]; then
-		tell_status "concatenating TLS key and crt to PEM"
-		cat /etc/ssl/private/server.key /etc/ssl/certs/server.crt \
-			> "$STAGE_MNT/etc/ssl/private/server.pem"
-	fi
-
-	if [ ! -d "$ZFS_DATA_MNT/haproxy/ssl" ]; then
-		tell_status "creating /data/ssl"
-		mkdir -p "$ZFS_DATA_MNT/haproxy/ssl"
+	local _tls_dir="$ZFS_DATA_MNT/haproxy/etc/tls.d"
+	if [ ! -d "$_tls_dir" ]; then
+		tell_status "creating $_tls_dir"
+		mkdir -p "$_tls_dir"
 	fi
-	if [ ! -d "$ZFS_DATA_MNT/haproxy/etc/tls.d" ]; then
-		tell_status "creating /data/etc/tls.d"
-		mkdir -p "$ZFS_DATA_MNT/haproxy/etc/tls.d"
+	if [ ! -f "$_tls_dir/$TOASTER_HOSTNAME.pem" ]; then
+		tell_status "concatenating TLS key and crt to PEM"
+		cat /etc/ssl/private/server.key /etc/ssl/certs/server.crt \
+			> "$_tls_dir/$TOASTER_HOSTNAME.pem"
 	fi
 	install_ocsp_stapler "$STAGE_MNT/usr/local/etc/periodic/daily/501.ocsp-staple.sh"
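Review bot: The `bind :::443` line now loads certificates only from `/data/etc/tls.d`, so the listener depends on that directory already holding a usable PEM when HAProxy starts; the `/etc/ssl/private` fallback is gone. configure_haproxy_tls later in this diff writes `$TOASTER_HOSTNAME.pem` into `$ZFS_DATA_MNT/haproxy/etc/tls.d`, which I assume is the same directory as seen from inside the jail — that dependency deserves a comment on the bind line, e.g. `# certs come only from /data/etc/tls.d (populated by configure_haproxy_tls); every file in the directory is loaded as a certificate`. Because a `crt` directory is loaded wholesale, anything else dropped into tls.d would also be served as a certificate, so the directory should be kept to PEM files only.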
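Review bot: The concatenated PEM written at `> "$_tls_dir/$TOASTER_HOSTNAME.pem"` contains the private key but is created under the caller's default umask, and the new directory from `mkdir -p "$_tls_dir"` gets no explicit mode either; the old location under `/etc/ssl/private` at least sat in a conventionally restricted directory. I would create the file with restricted permissions, e.g. `(umask 077; cat /etc/ssl/private/server.key /etc/ssl/certs/server.crt > "$_tls_dir/$TOASTER_HOSTNAME.pem")`, and consider `mkdir -m 0700 -p "$_tls_dir"` if nothing other than HAProxy's startup needs to traverse it. The filename also depends on `$TOASTER_HOSTNAME`; if it is unset the result is a hidden file named `.pem`, so a guard such as `: "${TOASTER_HOSTNAME:?TOASTER_HOSTNAME must be set}"` before the test would fail loudly instead. The function continues past the hunk; its closing brace is outside the view.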
diff --git a/provision/webmail.sh b/provision/webmail.sh
index 0eac85ca..3935ba8e 100755
--- a/provision/webmail.sh
+++ b/provision/webmail.sh
@@ -185,7 +185,6 @@ install_webmail()
 	if [ "$TOASTER_WEBMAIL_PROXY" = "nginx" ]; then
 		stage_setup_tls
-		pkg install -y socat acme.sh
 	fi
 	configure_nginx_server