diff --git a/hosts.yaml b/hosts.yaml index 694289f..30dd1a7 100644 --- a/hosts.yaml +++ b/hosts.yaml @@ -7,7 +7,7 @@ all: vars: ansible_become: false - certbotdomains: + certbot_domains: - "jabber.0rpheus.net" haproxy_domains: diff --git a/roles/haproxy/files/update_haproxy_certs.sh b/roles/haproxy/files/update_haproxy_certs.sh index 736ffb0..8c0bf58 100755 --- a/roles/haproxy/files/update_haproxy_certs.sh +++ b/roles/haproxy/files/update_haproxy_certs.sh @@ -12,14 +12,17 @@ do --non-interactive \ --agree-tos \ --email micha@0rpheus.net \ - --preferred-challenges=http \ --rsa-key-size 4096 \ - --http-01-port=8888 + --webroot \ + --webroot-path /var/www/html fi -done < /etc/haproxy/domains.txt +done < /etc/haproxy/all-domains.txt # renew all certificates -certbot renew --http-01-port=8888 --preferred-challenges=http --rsa-key-size 4096 +certbot renew \ + --rsa-key-size 4096 \ + --webroot \ + --webroot-path /var/www/html # copy certificates find /etc/letsencrypt/live/ -mindepth 1 -maxdepth 1 -type d | while read -r domain_path @@ -35,3 +38,7 @@ do done systemctl reload haproxy + +# prosody cert +prosodyctl --root cert import /etc/letsencrypt/live +systemctl restart prosody.service diff --git a/roles/haproxy/tasks/main.yaml b/roles/haproxy/tasks/main.yaml index 4a7d064..fe18e11 100644 --- a/roles/haproxy/tasks/main.yaml +++ b/roles/haproxy/tasks/main.yaml @@ -58,11 +58,14 @@ - haproxy.cfg notify: reload haproxy -- name: create domains.txt +- name: create domains files for certificate generation template: - src: domains.txt + src: "{{ item }}" dest: /etc/haproxy/ mode: 0644 + with_items: + - domains.txt + - all-domains.txt notify: - update certs diff --git a/roles/haproxy/templates/all-domains.txt b/roles/haproxy/templates/all-domains.txt new file mode 100644 index 0000000..a5609aa --- /dev/null +++ b/roles/haproxy/templates/all-domains.txt 
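Review bot: Neither the per-domain `certbot certonly` inside the loop nor the rewritten `certbot renew` has its exit status checked, so a failed issuance or renewal is silently followed by the certificate copy and the `systemctl reload haproxy` further down, and the script's own exit status reflects only its last command, which is what the Ansible handler will see. The script header and the enclosing `while` loop are outside the hunk; unless it already runs under `set -euo pipefail`, change the renew call to `certbot renew --rsa-key-size 4096 --webroot --webroot-path /var/www/html || exit 1` and at least log a failure on the certonly call so a domain that no longer validates is noticed. The webroot switch also means every name in all-domains.txt, including the certbot_domains entries that are now read too, must resolve to this host and have `/.well-known/acme-challenge/` reachable over port 80 via the Apache docroot at /var/www/html, otherwise renewals start failing silently about a month before expiry. A one-line comment above the loop, `# http-01 via webroot: HAProxy routes /.well-known/acme-challenge/ to Apache, which serves /var/www/html`, would record that dependency.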
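Review bot: The new `prosodyctl --root cert import` and `systemctl restart prosody.service` lines run unconditionally on every invocation and ignore failure, so a host without prosody, or an import error, still ends in a full service restart that drops every established XMPP session each time certificates are refreshed. Since this script belongs to the haproxy role, guard the block on prosodyctl being present, abort if the import fails, and prefer a reload where the unit supports it — Prosody reloads certificates on `prosodyctl reload` (SIGHUP) without closing client connections, though confirm that for the installed version and keep `restart` if the unit has no `ExecReload`. As far as I recall `prosodyctl cert import DIR` with no host names imports only the configured VirtualHosts, so pointing it at the whole `/etc/letsencrypt/live` tree is acceptable; a comment stating that intent would stop a later reader from assuming every key on the box is copied into prosody's cert directory.
```shell
# prosody cert: import fullchain/key for each configured VirtualHost only when prosody is installed
if command -v prosodyctl >/dev/null 2>&1; then
  prosodyctl --root cert import /etc/letsencrypt/live || { echo "prosody cert import failed" >&2; exit 1; }
  systemctl reload prosody.service
fi
```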
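Review bot: With the task now looping, `mode: 0644` on the context line just above the new `with_items` is exactly the form the Ansible docs warn "can fail in loops" — YAML 1.1 parses it as the integer 420 and Ansible has to guess it was octal — so quote it as `mode: "0644"` while this task is being touched. `with_items` works for a flat two-entry list, but `loop:` is the current idiom and `src: "{{ item }}"` is already correctly quoted. Both rendered files land world-readable in `/etc/haproxy/`, which is fine for domain lists, but a short comment such as `# domains.txt feeds haproxy; all-domains.txt (haproxy_domains + certbot_domains) is what update_haproxy_certs.sh issues certs for` would explain why two near-identical templates exist and why only the second is read by the handler.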
@@ -0,0 +1,6 @@ +{% for domain in haproxy_domains %} +{{ domain }} +{% endfor %} +{% for domain in certbot_domains %} +{{ domain }} +{% endfor %} diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg index 1236994..4a125fa 100644 --- a/roles/haproxy/templates/haproxy.cfg +++ b/roles/haproxy/templates/haproxy.cfg @@ -74,7 +74,8 @@ frontend http # Let's encrypt acl letsencrypt-acl path_beg /.well-known/acme-challenge/ - use_backend bk_letsencrypt if letsencrypt-acl + http-request set-header Host certbot if letsencrypt-acl + use_backend bk_apache if letsencrypt-acl # stats backend acl stats-acl path_beg /haproxy @@ -84,10 +85,6 @@ frontend http use_backend bk_%[hdr(Host),lower,map(/etc/haproxy/hostname2backend.map)] if hostname_has_backend -backend bk_letsencrypt - server letsencrypt 127.0.0.1:8888 - - {% for backend in haproxy_backends %} backend bk_{{ backend }} {% if haproxy_backends[backend]["httpchk"] is defined %}
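Review bot: The template simply concatenates `haproxy_domains` and `certbot_domains`, so a name present in both lists is emitted twice and `update_haproxy_certs.sh` then handles it twice; render it deduplicated with a single `{% for domain in (haproxy_domains + certbot_domains) | unique %}` loop and drop the second one. Rendering fails hard if either variable is undefined on a host, which is probably intended (hosts.yaml defines both under `all`), but if some hosts legitimately have no extra names use `certbot_domains | default([])`. Because the consumer is a `while read` loop, keep the output to one bare domain per line; document the file's purpose in a Jinja comment that does not render, e.g. `{# rendered to /etc/haproxy/all-domains.txt: every name certbot must hold a certificate for #}`.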
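Review bot: Rewriting `Host` to the bare name `certbot` before `use_backend bk_apache` means the ACME challenge path for every hostname is answered by whichever Apache vhost carries `ServerName certbot`, and if none does, by Apache's default vhost, whose DocumentRoot — not necessarily /var/www/html — would then serve validation and expose anything under its `.well-known/acme-challenge/` for all domains; the Apache config is outside this diff, so please confirm a dedicated vhost with `ServerName certbot` and `DocumentRoot /var/www/html` exists. Record that coupling next to the ACL: `# ACME http-01: Host is rewritten to "certbot" so Apache's certbot vhost serves /var/www/html/.well-known/acme-challenge/`. The ACL is a prefix match on the raw path, so adding `http-request deny if letsencrypt-acl !METH_GET` keeps anything but GET away from that vhost at little cost. `bk_apache` presumably comes from the `haproxy_backends` loop further down; a host whose inventory lacks an `apache` backend will now fail config validation, which is worth a note in the role's defaults or README.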