diff --git a/acmetool/defaults/main.yml b/acmetool/defaults/main.yml
index dc1fb52db0daaedc5632afc5a418b2d83aece150..30bd4da898cb362f11d61cdb3e61c86c5192c362 100644
--- a/acmetool/defaults/main.yml
+++ b/acmetool/defaults/main.yml
@@ -6,4 +6,4 @@ acmetool_key_type: rsa
 acmetool_rsa_key_size: 4096
 
 acmetool_mail: "{{ adminaddr }}"
-acmetool_enable_proxy: true
+acmetool_services: ["nginx-proxy"]
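Review bot: Dropping `acmetool_enable_proxy` leaves no migration path for inventories that still set it: a host with `acmetool_enable_proxy: false` silently falls back to `acmetool_services: ["nginx-proxy"]`, so the reload hook would presumably stop reloading `nginx` after a renewal and the server could keep presenting the old certificate until it expires. The same removal makes the two unit-file tasks in acmetool/tasks/main.yml (the hunks at -54 and -68) unconditional. I would add a comment above the new default, `# services reloaded after a certificate is renewed; replaces acmetool_enable_proxy`, and a pre-flight `assert` with `that: acmetool_enable_proxy is not defined` so stale inventories fail loudly instead of changing behaviour.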
diff --git a/acmetool/tasks/main.yml b/acmetool/tasks/main.yml
index bda2e5db4f2d8c75cd7605aaa7d04f7f31440cc3..441729b2f3a0b05cdf5d22137183564a49fab4bb 100644
--- a/acmetool/tasks/main.yml
+++ b/acmetool/tasks/main.yml
@@ -29,7 +29,7 @@
 - name: initially configure acmetool
   # yamllint disable-line rule:line-length
   command: acmetool quickstart --expert --batch --response-file /var/lib/acme/quickstart-reponses.yml
-  when: not acmetool_status.stdout|search(acmetool_endpoint)
+  when: not acmetool_status.stdout is search(acmetool_endpoint)
   tags:
     - acmetool
     - config
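Review bot: `search` is a regular-expression test, so on the changed `when:` line `acmetool_endpoint` is interpreted as a pattern rather than a literal; if it holds a URL, which its name suggests but the hunk does not show, every `.` matches any character and characters such as `?` or `+` change the meaning. A literal comparison says what is meant and avoids the regex entirely: `when: acmetool_endpoint not in acmetool_status.stdout`. If the regex test is kept, escape the value: `when: acmetool_status.stdout is not search(acmetool_endpoint | regex_escape)`. The task may continue past the end of the hunk.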
@@ -54,7 +54,6 @@
     mode: '0755'
   notify:
     - reload systemd service files
-  when: acmetool_enable_proxy
   tags:
     - acmetool
     - services
@@ -68,7 +67,6 @@
     mode: '0644'
   notify:
     - reload systemd service files
-  when: acmetool_enable_proxy
   tags:
     - acmetool
     - services
diff --git a/acmetool/templates/reload-config.j2 b/acmetool/templates/reload-config.j2
index 2dbb69e033b15dc22a75adde1dba91ed15919b99..3271bdf82b976ae73f453c1d843e1d334e891c5d 100644
--- a/acmetool/templates/reload-config.j2
+++ b/acmetool/templates/reload-config.j2
@@ -1,5 +1 @@
-{% if acmetool_enable_proxy %}
-SERVICES="nginx-proxy"
-{% else %}
-SERVICES="nginx"
-{% endif %}
+SERVICES="{{acmetool_services|join(" ")}}"
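Review bot: The new line trusts `acmetool_services` to be a list of plain unit names, and nothing visible checks that. If an inventory overrides it with a string (`acmetool_services: nginx`), `join(" ")` iterates over the characters and writes `SERVICES="n g i n x"`. Because the value lands inside double quotes in what looks like a shell-sourced file, a name containing `"`, `$` or a backtick would also be interpreted by the shell that reads it. An `assert` in the role before the template is rendered would catch both, for example `that: acmetool_services is not string and acmetool_services is iterable` together with a per-item check such as `item is match('^[A-Za-z0-9@_.-]+$')`.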
diff --git a/webserver/templates/sites/hostnamerewrite.conf b/webserver/templates/sites/hostnamerewrite.conf
index a095c0454790cc4fdde43caea703913451909efc..f9863fcf50bd2880e33b25e44bd51cef241f20c2 100644
--- a/webserver/templates/sites/hostnamerewrite.conf
+++ b/webserver/templates/sites/hostnamerewrite.conf
@@ -3,11 +3,9 @@ server {
     listen 443 ssl;
     server_name {{server.forward_hostnames.hostnames|default(server.forward_hostnames)|join(" ")}};
 
-    ssl_certificate {{server.certificate}};
-    ssl_trusted_certificate {{server.certificate}};
-    ssl_certificate_key {{server.private_key}};
+    {% include "ssl-certificate" %}
 
-{% if server.include_acme is defined and server.include_acme %}
+{% if server.include_acme|default(true) %}
     include /etc/nginx/snippets/acmetool.conf;
 
     location / {
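Review bot: `server.include_acme|default(true)` turns the ACME include from opt-in into opt-out, so every site that never set `include_acme` now pulls in `/etc/nginx/snippets/acmetool.conf`; the same change is made in mediawiki.conf, tlsproxy.conf and webapp.conf. On a host where that snippet is not installed (nothing in this diff shows the webserver role depending on the acmetool role) `nginx -t` would fail on the missing include. In this file the condition also guards the `location /` block that starts at the end of the hunk and continues outside it. Worth a comment at the condition, `{# include_acme defaults to true; set it to false on sites whose certificate is not managed by acmetool #}`, and a check that the snippet exists before the site is enabled.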
diff --git a/webserver/templates/sites/iprewrite.conf b/webserver/templates/sites/iprewrite.conf
index d6ec14f6f9d54c593d08787809642fe1c6655046..e94b3c63719d0543612fc49f6c7e04c195001170 100644
--- a/webserver/templates/sites/iprewrite.conf
+++ b/webserver/templates/sites/iprewrite.conf
@@ -3,9 +3,7 @@ server {
     listen 443 ssl;
     server_name {{ansible_all_ipv4_addresses|join(" ")}};
 
-    ssl_certificate {{server.certificate}};
-    ssl_trusted_certificate {{server.certificate}};
-    ssl_certificate_key {{server.private_key}};
+    {% include "ssl-certificate" %}
 
     return 301 https://{{server.server_name}}$request_uri;
 }
diff --git a/webserver/templates/sites/mediawiki.conf b/webserver/templates/sites/mediawiki.conf
index 8e21742deee06b07ab40097df68716cfa2a55228..3aff898a92bbbcc95ecb56a652b9c24a5d6ff4bc 100644
--- a/webserver/templates/sites/mediawiki.conf
+++ b/webserver/templates/sites/mediawiki.conf
@@ -13,7 +13,7 @@ server {
     index {{server.indices|join(" ")}};
     {% endif %}
 
-    {% if server.include_acme is defined and server.include_acme %}
+    {% if server.include_acme|default(true) %}
     include /etc/nginx/snippets/acmetool.conf;
 
     {% endif -%}
diff --git a/webserver/templates/sites/tlsproxy.conf b/webserver/templates/sites/tlsproxy.conf
index 25e2c1b3f5fdea154659427f3197649be65b6055..9652553f48b24d3fe92f9ddaba0484990ec12fbe 100644
--- a/webserver/templates/sites/tlsproxy.conf
+++ b/webserver/templates/sites/tlsproxy.conf
@@ -2,7 +2,7 @@ server {
     listen {% if server.no_ssl is undefined or not server.no_ssl %}443 ssl{% else %}80{% endif %};
     server_name {{server.server_names|default([server.server_name])|join(" ")}};
 
-    {% if server.include_acme is defined and server.include_acme %}
+    {% if server.include_acme|default(true) %}
     include /etc/nginx/snippets/acmetool.conf;
 
     {% endif -%}
@@ -11,9 +11,7 @@ server {
     {% endif %}
     {% if server.no_ssl is undefined or not server.no_ssl %}
 
-    ssl_certificate {{server.certificate}};
-    ssl_trusted_certificate {{server.certificate}};
-    ssl_certificate_key {{server.private_key}};
+    {% include "ssl-certificate" %}
     {% endif %}
     {% if server.cipher_strength is defined -%}
     ssl_ciphers '{{ciphers[server.cipher_strength]}}';
diff --git a/webserver/templates/sites/webapp.conf b/webserver/templates/sites/webapp.conf
index 3e8e13e0ab1d1805499140692959bd9c8c045883..cb916f59c73544524be04656c22348fa8a43a70c 100644
--- a/webserver/templates/sites/webapp.conf
+++ b/webserver/templates/sites/webapp.conf
@@ -17,7 +17,7 @@ server {
     {% endfor %}
     {% endif %}
 
-    {% if server.include_acme is defined and server.include_acme %}
+    {% if server.include_acme|default(true) %}
     include /etc/nginx/snippets/acmetool.conf;
 
     {% endif -%}
diff --git a/webserver/templates/ssl-certificate b/webserver/templates/ssl-certificate
new file mode 100644
index 0000000000000000000000000000000000000000..4b81ce507f13a5ef78c462f2d576eee04d8f9a80
--- /dev/null
+++ b/webserver/templates/ssl-certificate
@@ -0,0 +1,3 @@
+    ssl_certificate {{server.certificate|default("/var/lib/acme/live/" + server.server_name + "/fullchain")}};
+    ssl_trusted_certificate {{server.certificate|default("/var/lib/acme/live/" + server.server_name + "/fullchain")}};
+    ssl_certificate_key {{server.private_key|default("/var/lib/acme/live/" + server.server_name + "/privkey")}};
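Review bot: The argument of `default(...)` is evaluated even when `server.certificate` is set, so all three lines read `server.server_name` unconditionally; as far as I can tell from Jinja2's eager filter arguments and Ansible's strict undefined handling, a site that defines only `server_names` (tlsproxy.conf allows that) or only `forward_hostnames` (hostnamerewrite.conf) would fail to render even with an explicit certificate. The three defaults are also independent, so overriding `certificate` but not `private_key` pairs a custom certificate with the acmetool key, and nginx will refuse to start on the mismatch. Branching once on whether both overrides are present fixes both, and building the live directory in one place keeps the paths in sync.

```jinja
{% if server.certificate is defined and server.private_key is defined %}
    ssl_certificate {{server.certificate}};
    ssl_trusted_certificate {{server.certificate}};
    ssl_certificate_key {{server.private_key}};
{% else %}
{# server.server_name is only read when the acmetool default is actually needed #}
{% set acme_live = "/var/lib/acme/live/" ~ server.server_name %}
    ssl_certificate {{acme_live}}/fullchain;
    ssl_trusted_certificate {{acme_live}}/fullchain;
    ssl_certificate_key {{acme_live}}/privkey;
{% endif %}
```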