diff --git a/docs/docs/administer/security-considerations.md b/docs/docs/administer/security-considerations.md
index 8041dc6ec..94e04ac41 100644
--- a/docs/docs/administer/security-considerations.md
+++ b/docs/docs/administer/security-considerations.md
@@ -16,7 +16,8 @@ Shown below is a table of ports used by Firezone services.
 
 | Service | Default port | Listen address | Description |
 | ------ | --------- | ------- | --------- |
-| Nginx | `80` `443` | `all` | Public HTTP(S) port for administering Firezone and facilitating authentication. |
+| Nginx | `443` | `all` | Public HTTPS port for administering Firezone and facilitating authentication. |
+| Nginx | `80` | `all` | Public HTTP port used for ACME. Disabled when ACME is disabled. |
 | WireGuard | `51820` | `all` | Public WireGuard port used for VPN sessions. |
 | Postgresql | `15432` | `127.0.0.1` | Local-only port used for bundled Postgresql server. |
 | Phoenix | `13000` | `127.0.0.1` | Local-only port used by upstream elixir app server. |
diff --git a/omnibus/cookbooks/firezone/recipes/acme.rb b/omnibus/cookbooks/firezone/recipes/acme.rb
index d08047d8e..24b33fa75 100644
--- a/omnibus/cookbooks/firezone/recipes/acme.rb
+++ b/omnibus/cookbooks/firezone/recipes/acme.rb
@@ -65,6 +65,12 @@ if node['firezone']['ssl']['acme']['enabled'] && !node['firezone']['ssl']['certi
 ACME
 end
 
+ # Pick up any nginx conf changes that may have happened during this Chef run
+ execute 'Reload Nginx' do
+ notifies :reload, 'component_runit_service[nginx]', :immediately
+ command 'echo "reloading nginx..."'
+ end
+
 execute 'ACME issue' do
 # Command returns 0: Cert was issued
 # Command returns 2: Skipping because renewal isn't needed
diff --git a/omnibus/cookbooks/firezone/recipes/nginx.rb b/omnibus/cookbooks/firezone/recipes/nginx.rb
index 0f938fb68..07d51ce8c 100644
--- a/omnibus/cookbooks/firezone/recipes/nginx.rb
+++ b/omnibus/cookbooks/firezone/recipes/nginx.rb
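Review bot: The `execute 'Reload Nginx'` resource shells out to `echo` purely to fire a notification, and since it has no guard it converges as updated and reloads nginx on every Chef run, not only when a config template changed. A `log` resource carries the same notification without spawning a shell and is also reported as updated each run, so behaviour is unchanged: `log 'Reload Nginx' do` / `notifies :reload, 'component_runit_service[nginx]', :immediately` / `end`. If the reload is meant to happen only when a template changed, the `subscribes :restart` declarations on the nginx service in nginx.rb already cover that and this resource could be dropped. The enclosing `if node['firezone']['ssl']['acme']['enabled'] && ...` block starts and ends outside the hunk.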
@@ -64,7 +64,8 @@ template 'redirect.conf' do
 server_name: URI.parse(node['firezone']['external_url']).host,
 acme_www_root: "#{node['firezone']['var_directory']}/nginx/acme_root",
 rate_limiting_zone_name: node['firezone']['nginx']['rate_limiting_zone_name'],
- ipv6: node['firezone']['nginx']['ipv6']
+ ipv6: node['firezone']['nginx']['ipv6'],
+ acme: node['firezone']['ssl']['acme']
 )
 end
 
@@ -74,6 +75,7 @@ if node['firezone']['nginx']['enabled']
 action :enable
 subscribes :restart, 'template[nginx.conf]'
 subscribes :restart, 'template[phoenix.nginx.conf]'
+ subscribes :restart, 'template[redirect.conf]'
 subscribes :restart, 'template[acme.conf]'
 end
 else
diff --git a/omnibus/cookbooks/firezone/recipes/phoenix.rb b/omnibus/cookbooks/firezone/recipes/phoenix.rb
index ea0cdc8e0..e89ebcebe 100644
--- a/omnibus/cookbooks/firezone/recipes/phoenix.rb
+++ b/omnibus/cookbooks/firezone/recipes/phoenix.rb
@@ -27,6 +27,10 @@ include_recipe 'firezone::acme'
 include_recipe 'firezone::ssl'
 include_recipe 'firezone::wireguard'
 
+fqdn = URI.parse(node['firezone']['external_url']).host
+acme_cert = "#{node['firezone']['var_directory']}/ssl/acme/#{fqdn}.fullchain"
+acme_key = "#{node['firezone']['var_directory']}/ssl/acme/#{fqdn}.key"
+
 [node['firezone']['phoenix']['log_directory'],
 "#{node['firezone']['var_directory']}/phoenix/run"].each do |dir|
 directory dir do
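Review bot: `fqdn` is now a recipe-level local that feeds both ACME file paths and, in the following hunk, the `common_name` of the placeholder certificate, but `URI.parse(...).host` returns `nil` when `external_url` lacks a scheme, producing paths such as `.../ssl/acme/.fullchain` and a certificate with an empty common name. Fail fast here rather than later in the run: `fqdn = URI.parse(node['firezone']['external_url']).host` followed by `raise ArgumentError, 'firezone external_url must include a scheme and host' if fqdn.to_s.empty?`. The same expression is evaluated separately in nginx.rb for redirect.conf; deriving it once (an attribute or a cookbook helper) would keep the two from drifting.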
@@ -37,8 +41,22 @@ include_recipe 'firezone::wireguard'
 end
 end
 
+if node['firezone']['ssl']['acme']['enabled']
+ # Generate a temporary cert until ACME issues one so that nginx can be restarted
+ openssl_x509_certificate acme_cert do
+ common_name fqdn
+ org node['firezone']['ssl']['company_name']
+ org_unit node['firezone']['ssl']['organizational_unit_name']
+ country node['firezone']['ssl']['country_name']
+ key_length 2048
+ expire 3650
+ owner 'root'
+ group 'root'
+ mode '0644'
+ end
+end
+
 template 'phoenix.nginx.conf' do
- fqdn = URI.parse(node['firezone']['external_url']).host
 path "#{node['firezone']['nginx']['directory']}/sites-enabled/phoenix"
 source 'phoenix.nginx.conf.erb'
 owner node['firezone']['user']
@@ -53,8 +71,8 @@ template 'phoenix.nginx.conf' do
 app_directory: node['firezone']['app_directory'],
 acme: {
 'enabled' => node['firezone']['ssl']['acme']['enabled'],
- 'certificate' => "#{node['firezone']['var_directory']}/ssl/acme/#{fqdn}.fullchain",
- 'certificate_key' => "#{node['firezone']['var_directory']}/ssl/acme/#{fqdn}.key"
+ 'certificate' => acme_cert,
+ 'certificate_key' => acme_key
 })
 end
 
diff --git a/omnibus/cookbooks/firezone/templates/redirect.conf.erb b/omnibus/cookbooks/firezone/templates/redirect.conf.erb
index 94934a609..b76cb3198 100644
--- a/omnibus/cookbooks/firezone/templates/redirect.conf.erb
+++ b/omnibus/cookbooks/firezone/templates/redirect.conf.erb
@@ -1,3 +1,4 @@
+<% if @acme['enabled'] -%>
 server {
 listen 80 default_server;
 <% if @ipv6 -%>
@@ -10,3 +11,4 @@ server {
 alias <%= @acme_www_root %>/.well-known/acme-challenge/;
 }
 }
+<% end -%>
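Review bot: The placeholder `openssl_x509_certificate acme_cert` sets `mode '0644'` but passes no `key_file`, so where the generated private key is written, and with which permissions, is left to the resource's defaults; if the default derives the key name from the certificate path and reuses the certificate's mode, a world-readable private key ends up in the ACME directory. Pass `key_file acme_key` explicitly so the temporary key lands at the path `phoenix.nginx.conf` references, and verify on a converged node that the key file is not group- or world-readable. Because the resource only acts when the certificate file is absent, the self-signed certificate stays in service if `ACME issue` later fails, and nothing in this recipe surfaces that; a comment such as `# If ACME issuance fails, this self-signed cert remains in use until a later run succeeds` would make the fallback visible to operators.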
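Review bot: Wrapping the whole port-80 `server` block in `<% if @acme['enabled'] -%>` means that with ACME disabled nginx does not listen on 80 at all, so any plain-HTTP-to-HTTPS redirect this template performs (the body between the two hunks is not shown) disappears together with the challenge location. If that is intended, matching the "Disabled when ACME is disabled" wording added to the docs, record it at the top of the template, e.g. `<%# Port 80 is served only for ACME HTTP-01 challenges; with ACME disabled nothing listens on 80 -%>`; if the redirect should survive, keep the `server` block and guard only the `.well-known/acme-challenge` `location` instead. The matching `<% end -%>` is added in the second hunk of this file.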