diff --git a/roles/service-nginx/files/known_hosts b/roles/service-nginx/files/known_hosts
new file mode 100644
index 0000000..91be244
--- /dev/null
+++ b/roles/service-nginx/files/known_hosts
@@ -0,0 +1,4 @@
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-dss AAAAB3NzaC1kc3MAAACBAJS26DIY2QfUOrGMr5Tnlds7jVLQPEvgtOVRmz+6Y576XjrtDL24R+J5ow2NFY0jJbo3ib11a38qflqx8u7ZVXIi23EzhgszQPte3q44EMHIlw5HfvfN3qYXXn33pPiLWPmr8bNwUK4EyGoNctNSrWOhwf/vZn0MIroPwJtIpfbLAAAAFQCrUtRkboJy0Tpn06ph77Nf0mkYNQAAAIEAiGjBSFBSGtZjARlHl6dT6HADMkuCT2dW4bh7JxRyJke4nglWzTPT84XZ/4KjiLcYPKROFdxdLSkFQt0b9Ef5KMGUa9QNPs8M89Zcrpyrz6O31KXaSbHaiV3Uimx9N2RNg4++7d+AWXNTivV/jPT+FPSKf9PLX5PebYpR97+/UVsAAACAahkxs6SS97ntBBmxGT0VSFiV8U8dBHlgKy2Jj3NjP3e4OwHOmqcD8LsvBS+IGdki/2uSUpd2fprV/4R1djkjMvlw/iP0VZyad0gKIikqHK1mtLduzjJXgVHtU+CdsfGuoVh/3EXhKyyZJAwpNjqbjLbEZu9MwcAIDq9m8Hgol1I=
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMCbZJJZsYR3fHhRFJyPYbbRf/VvbUoKYBjpQTSpaCZG2Tl5pvNIwVbyDF/dcCRtamIeFAxWMVVc0wJj9gQnnog=
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMqFRautch/VPTUpG7vJvt8M05vI4+qq6zWFiji9C2o
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXcRPe0d4JLfm67086fGMxBEeS1wi/sVpCB5rcR9tPNKGKZ/rL/DvP6Juqch+5xC6zG5uMGRLJhW3SLTLQuQ3ru7lvJxJYxBPpokO0hAde3JMZx4xV0p4Flw0WGWql2TkPYzWSGP62FaFH77BnpMVVBVXaoVVqKqPFgb8YzYFcEFPIpw8HOnKLhCBJmQzaWeLFu/HbasvdUYPGXvh+8VYc9KXcbQPfLtwlejI0iCYlJTGFv29WVUabceoskeMipljwQ/oNIk8mpSKKD0MGRw96sWByG2uHxJZtlAELHNoSw6uowpU02xJNPW8LF3ip07k6pV33Q/Y/9NGyDw4Yk0X
diff --git a/roles/service-nginx/handlers/main.yml b/roles/service-nginx/handlers/main.yml
index d0c9b9a..fe30574 100644
--- a/roles/service-nginx/handlers/main.yml
+++ b/roles/service-nginx/handlers/main.yml
@@ -1,8 +1,8 @@
 ---
-- name: reload nginx
+- name: restart nginx
   systemd:
     name: nginx
-    state: reloaded
+    state: restarted
 
 - name: restart cron
   systemd:
diff --git a/roles/service-nginx/tasks/main.yml b/roles/service-nginx/tasks/main.yml
index b58b79d..f498efd 100644
--- a/roles/service-nginx/tasks/main.yml
+++ b/roles/service-nginx/tasks/main.yml
@@ -20,6 +20,17 @@
     name: nginx
     state: present
 
+- name: install ssl-cert packages
+  package:
+    name: ssl-cert
+    state: present
+
+- name: Add remote server to known_hosts
+  known_hosts:
+    path: /etc/ssh/ssh_known_hosts
+    name: zuckerwatte.ffmwu.org
+    key: "{{ lookup('file', 'known_hosts') }}"
+
 - name: create cronjob to sync ssl certs
   template:
     src: ssl_certs.cron.j2
@@ -39,11 +50,36 @@
 
 - name: create certs directory
   file:
-    path: /etc/nginx/ssl
+    path: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}
     state: directory
-    mode: 0755
-    owner: root
-    group: root
+    mode: 0550
+    owner: www-data
+    group: admin
+
+- name: create snakeoil cert
+  shell: make-ssl-cert generate-default-snakeoil
+  args:
+    creates: /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+- name: copy snakeoil ssl key for first start
+  copy:
+    src: /etc/ssl/private/ssl-cert-snakeoil.key
+    dest: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+    remote_src: yes
+    force: no
+    owner: www-data
+    group: admin
+    mode: 0440
+
+- name: copy snakeoil ssl cert for first start
+  copy:
+    src: /etc/ssl/certs/ssl-cert-snakeoil.pem
+    dest: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem
+    remote_src: yes
+    force: no
+    owner: www-data
+    group: admin
+    mode: 0440
 
 - name: sync ssl certs
   shell: /etc/cron.daily/ssl_certs
@@ -55,6 +91,7 @@
     mode: 0644
     owner: root
     group: root
+  notify: restart nginx
 
 - name: write nginx configuration nginx.conf
   template:
@@ -63,14 +100,14 @@
     mode: 0644
     owner: root
     group: root
-  notify: reload nginx
+  notify: restart nginx
 
 - name: write nginx configuration default.conf
   template:
     src: default.conf.j2
     dest: /etc/nginx/conf.d/default.conf
     mode: 0644
-  notify: reload nginx
+  notify: restart nginx
 
 - name: manage html directory for static files
   file:
diff --git a/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2 b/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2
index e16e95b..9a4a191 100644
--- a/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2
+++ b/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2
@@ -1,5 +1,5 @@
 location ^~ /.well-known/acme-challenge/ {
-    resolver 127.0.0.1;
+    resolver 9.9.9.9;
     set $acme_host {{ acme_server }}.{{ http_domain_internal }};
     proxy_pass https://$acme_host:443;
 }