diff --git a/roles/certbot/files/http-certbot.conf b/roles/certbot/files/http-certbot.conf
index 0c49a2c..7df2dbd 100644
--- a/roles/certbot/files/http-certbot.conf
+++ b/roles/certbot/files/http-certbot.conf
@@ -1 +1 @@
-tcp dport http accept comment "Allow http to all for certbot renewal"
+tcp dport http accept comment "Allow HTTP from all for certbot renewal"
diff --git a/roles/certbot/files/https.conf b/roles/certbot/files/https.conf
new file mode 100644
index 0000000..aac2b4a
--- /dev/null
+++ b/roles/certbot/files/https.conf
@@ -0,0 +1 @@
+tcp dport https accept comment "Allow HTTPS from all"
diff --git a/roles/certbot/files/ssl-options.conf b/roles/certbot/files/ssl-options.conf
new file mode 100644
index 0000000..97d104a
--- /dev/null
+++ b/roles/certbot/files/ssl-options.conf
@@ -0,0 +1,6 @@
+
+ SSLProtocol all -SSLv2 -SSLv3
+ SSLHonorCipherOrder On
+ SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-DSS-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-DSS-AES256-SHA:!DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA
+ SSLCompression off
+
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 3212a4a..f6e70fa 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
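Review bot: `SSLProtocol all -SSLv2 -SSLv3` in the new ssl-options.conf still negotiates TLS 1.0 and TLS 1.1, which is the protocol hardening this fragment is meant to provide; change it to `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` (current Apache/OpenSSL builds no longer know SSLv2, so `-SSLv2` is inert). The cipher string also keeps `AES128-SHA:AES256-SHA:AES` — static-RSA CBC/SHA-1 suites with no forward secrecy — while excluding the equivalent DHE suites, so a client without ECDHE is downgraded to them rather than refused; a short ECDHE-only list (e.g. `ECDHE+AESGCM`, plus `ECDHE+CHACHA20` if the OpenSSL in use supports it) would make the intent explicit and is easier to audit than this 40-entry string. Since the snippet is enabled with a2enconf and loaded unconditionally, wrapping it in `<IfModule mod_ssl.c>` keeps Apache starting if the ssl module is ever disabled, and `SSLSessionTickets off` is worth considering because ticket keys are otherwise held for the lifetime of the process.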
@@ -13,12 +13,6 @@
     state: directory
     mode: 0755
 
-- name: Copy acme apache conf
-  become: true
-  copy:
-    src: acme.conf
-    dest: /etc/apache2/conf-available/acme.conf
-
 - name: Enable modules
   become: true
   apache2_module:
@@ -29,9 +23,20 @@
     - ssl
   notify: Reload apache2 service
 
-- name: Enable acme apache conf
+- name: Copy apache confs
   become: true
-  command: a2enconf acme
+  copy: src={{ item.src }} dest={{ item.dest }}
+  with_items:
+    - { src: 'acme.conf', dest: '/etc/apache2/conf-available/acme.conf' }
+    - { src: 'ssl-options.conf', dest: '/etc/apache2/conf-available/ssl-options.conf' }
+
+
+- name: Enable apache confs
+  become: true
+  command: a2enconf {{ item }}
+  with_items:
+    - acme
+    - ssl-options
   register: result
   changed_when: "'already enabled' not in result.stdout"
   notify: Reload apache2 service
@@ -42,3 +47,10 @@
     src: http-certbot.conf
     dest: /etc/nftables/input.d/http-certbot.conf
   notify: Reload nftables service
+
+- name: Allow incoming HTTPS
+  become: true
+  copy:
+    src: https.conf
+    dest: /etc/nftables/input.d/https.conf
+  notify: Reload nftables service
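Review bot: The new `Copy apache confs` task in the second hunk has no `notify`, and the `Enable apache confs` task after it reports unchanged once `a2enconf` answers `already enabled`, so a later edit to ssl-options.conf (say, dropping TLS 1.0) is copied onto the host but never triggers `Reload apache2 service` — the hardened settings silently stay inactive until something else restarts Apache. Add `notify: Reload apache2 service` to the copy task so a changed file reloads the server the same way the module and a2enconf tasks do. While there, the loop body uses the `key=value` form `copy: src={{ item.src }} dest={{ item.dest }}`; the block form with `src:`, `dest:` and an explicit `mode: "0644"` matches the other tasks in this file and pins the permissions of the deployed config instead of relying on the remote umask.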