diff --git a/roles/quassel/templates/letsencrypt.hook.d.j2 b/roles/quassel/templates/letsencrypt.hook.d.j2
index 891624f4509589e66c841f8f9bae829f9e81a44d..f1c89623b97083aa9d8e98cd3cdd7e4a7bb325d7 100644
--- a/roles/quassel/templates/letsencrypt.hook.d.j2
+++ b/roles/quassel/templates/letsencrypt.hook.d.j2
@@ -2,9 +2,13 @@
 
 test "$1" = renew || exit 0
 
+quassel_domain="{{ quassel_domain }}"
+
 for domain in $RENEWED_DOMAINS; do
   case "$domain" in
-    {{ quassel_domain }})
+    $quassel_domain)
+      cat /etc/letsencrypt/live/$quassel_domain/{privkey,fullchain}.pem |
+        install -o quassel -g quassel -m 400 /dev/stdin /var/lib/quassel/quasselCert.pem
       systemctl restart quassel
       ;;
   esac
diff --git a/roles/quassel/templates/quassel.service.d.j2 b/roles/quassel/templates/quassel.service.d.j2
index 83f07cb54bec8f48d2999ba64354d6c88eb1d907..acef3de49022744e3686fa7ce44db6fba2ca714e 100644
--- a/roles/quassel/templates/quassel.service.d.j2
+++ b/roles/quassel/templates/quassel.service.d.j2
@@ -1,6 +1,4 @@
 [Service]
 ExecStartPre=/usr/bin/truncate -s 0 /var/lib/quassel/.oidentd.conf
 ExecStart=
-ExecStart=/usr/bin/quasselcore --configdir=/var/lib/quassel --oidentd --syslog --require-ssl \
-    --ssl-cert=/etc/letsencrypt/live/{{ quassel_domain }}/fullchain.pem \
-    --ssl-key=/etc/letsencrypt/live/{{ quassel_domain }}/privkey.pem
+ExecStart=/usr/bin/quasselcore --configdir=/var/lib/quassel --oidentd --syslog --require-ssl