diff --git a/roles/nginx/server/templates/nginx.conf.j2 b/roles/nginx/server/templates/nginx.conf.j2 index c39daad..225368f 100644 --- a/roles/nginx/server/templates/nginx.conf.j2 +++ b/roles/nginx/server/templates/nginx.conf.j2 @@ -25,6 +25,9 @@ http { ssl_ciphers {{ tls_ciphers }}; ssl_prefer_server_ciphers off; + proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt; + proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key; + server { listen 443 ssl http2; listen [::]:443 ssl http2; diff --git a/roles/nginx/site/templates/site.conf.j2 b/roles/nginx/site/templates/site.conf.j2 index c159927..22b5d3d 100644 --- a/roles/nginx/site/templates/site.conf.j2 +++ b/roles/nginx/site/templates/site.conf.j2 @@ -22,8 +22,6 @@ server { {% else %} proxy_pass {{ proxy }}; {% endif %} - proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt; - proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key; } {% else %} root /srv/web/{{ site }}; @@ -38,8 +36,6 @@ server { server_name {{ site }}; location /.well-known/acme-challenge/ { proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/; - proxy_ssl_certificate {{ tls_certs }}/{{ inventory_hostname }}.crt; - proxy_ssl_certificate_key {{ tls_private }}/{{ inventory_hostname }}.key; } location / { {% if redirect is defined %}
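Review bot: The client certificate and key added at `http` level authenticate this proxy to its upstreams, but nothing visible in the hunk makes nginx authenticate the upstream in return; `proxy_ssl_verify` is off by default, so unless it is enabled elsewhere in the template, any certificate presented by an `https://` upstream is accepted. Since the proxy TLS settings are being centralised here, I would add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate <path to CA bundle>;` next to the two new lines. At `http` scope the certificate is also offered to every HTTPS upstream of every server block, not only those rendered from `site.conf.j2`, which deserves a one-line comment such as `# client cert presented to all proxied HTTPS upstreams`. The `http` block starts and ends outside the hunk.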