diff --git a/inventories/z9/host_vars/light.yml b/inventories/z9/host_vars/light.yml
index ce98a49..2d70510 100644
--- a/inventories/z9/host_vars/light.yml
+++ b/inventories/z9/host_vars/light.yml
@@ -48,6 +48,9 @@ ola__configs:
 - name: ola-usbserial
 content: "{{ lookup('ansible.builtin.file', 'configs/light/ola/ola-usbserial.conf') }}"
 foobazdmx__art_net_host: localhost
+nginx__enable_https_redirect: false
 nginx__configs:
- - name: foobazdmx
- content: "{{ lookup('ansible.builtin.file', 'configs/light/nginx/foobazdmx.conf') }}"
+ - name: light.ccchh.net
+ content: "{{ lookup('ansible.builtin.file', 'configs/light/nginx/light.ccchh.net.conf') }}"
+ - name: http_handler
+ content: "{{ lookup('ansible.builtin.file', 'configs/light/nginx/http_handler.conf') }}"
diff --git a/playbooks/files/configs/light/nginx/foobazdmx.conf b/playbooks/files/configs/light/nginx/foobazdmx.conf
deleted file mode 100644
index a05e674..0000000
--- a/playbooks/files/configs/light/nginx/foobazdmx.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-server {
- listen 80;
- server_name light.z9;
-
- location / {
- proxy_pass http://localhost:8080;
- }
-}
diff --git a/playbooks/files/configs/light/nginx/http_handler.conf b/playbooks/files/configs/light/nginx/http_handler.conf
new file mode 100644
index 0000000..2dcf7d9
--- /dev/null
+++ b/playbooks/files/configs/light/nginx/http_handler.conf
@@ -0,0 +1,14 @@
+server {
+ listen 80 default_server;
+ #listen [::]:80 default_server;
+ server_name _;
+
+ location /.well-known/acme-challenge/ {
+ autoindex on;
+ root /webroot-for-acme-challenge;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/playbooks/files/configs/light/nginx/light.ccchh.net.conf b/playbooks/files/configs/light/nginx/light.ccchh.net.conf
new file mode 100644
index 0000000..31ce288
--- /dev/null
+++ b/playbooks/files/configs/light/nginx/light.ccchh.net.conf
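Review bot: `nginx__enable_https_redirect: false` reads as if plain-HTTP access to this host is deliberately left unredirected, while the redirect is in fact moved into the new `http_handler` config entry a few lines below; without a comment the next person is likely to flip it back to `true` and end up with two competing catch-all `:80` servers. Suggest adding above it `# Role-level redirect is replaced by configs/light/nginx/http_handler.conf, which keeps /.well-known/acme-challenge/ reachable over plain HTTP for certificate issuance.` The two new `nginx__configs` entries are otherwise consistent with the existing lookup pattern.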
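Review bot: `autoindex on;` inside the `/.well-known/acme-challenge/` location publishes a directory listing of the ACME webroot, which the challenge never needs (the validator fetches a known token path) and which exposes whatever else ends up under `/webroot-for-acme-challenge`; remove the line so nginx's default `autoindex off` applies. Because this is the `default_server` with `server_name _;`, the target of `return 301 https://$host$request_uri;` comes from the client-supplied Host header; that is the common template form and only redirects back to the name the client already sent, but if this host is meant to answer only as `light.ccchh.net` a fixed `return 301 https://light.ccchh.net$request_uri;` is tighter. The commented-out `#listen [::]:80 default_server;` means IPv6 clients get neither the redirect nor the challenge answer, which is fine if the host has no v6 address but deserves a one-line comment saying so.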
@@ -0,0 +1,25 @@
+# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
+# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
+server {
+ listen 443 ssl http2;
+ #listen [::]:443 ssl http2;
+
+ server_name light.ccchh.net;
+
+ ssl_certificate /etc/letsencrypt/live/light.ccchh.net/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/light.ccchh.net/privkey.pem;
+ # verify chain of trust of OCSP response using Root CA and Intermediate certs
+ ssl_trusted_certificate /etc/letsencrypt/live/light.ccchh.net/chain.pem;
+
+ # replace with the IP address of your resolver
+ resolver 10.31.208.1;
+
+ location / {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # This is https in any case.
+ proxy_set_header X-Forwarded-Proto https;
+ }
+}
diff --git a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
index 5c9cfb6..42b648e 100644
--- a/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
+++ b/playbooks/files/configs/public-reverse-proxy/nginx/acme_challenge.conf
@@ -1,6 +1,7 @@
 map $host $upstream_acme_challenge_host {
 club-assistant.ccchh.net 10.31.208.10;
 netbox.ccchh.net 10.31.208.29;
+ light.ccchh.net 10.31.208.23;
 thinkcccore0.ccchh.net 10.31.242.3;
 thinkcccore1.ccchh.net 10.31.242.4;
 thinkcccore2.ccchh.net 10.31.242.5;
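Review bot: The header claims the Mozilla intermediate template, but the TLS policy that template emits is absent from this server block: no `ssl_protocols`/`ssl_ciphers`/`ssl_prefer_server_ciphers`, no `ssl_session_*`, no HSTS, and, although `ssl_trusted_certificate` and `resolver` are present precisely to support it, no `ssl_stapling on; ssl_stapling_verify on;`, so the comment "verify chain of trust of OCSP response" describes something nginx is not configured to do. If the Ansible nginx role sets protocols and ciphers in its `http {}` block this server inherits them (not visible in this diff), but stapling and HSTS are per-server: add `ssl_stapling on;`, `ssl_stapling_verify on;` and `add_header Strict-Transport-Security "max-age=63072000" always;` next to the certificate directives, or remove the resolver/trusted-certificate lines and their comment if stapling is intentionally off. On nginx releases of the 1.17 vintage the built-in `ssl_protocols` default still includes TLS 1.0 and 1.1, so confirming the http-level setting before merge is worthwhile. The template comment `# replace with the IP address of your resolver` has already been acted on and can be deleted to avoid suggesting the value is still a placeholder.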
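Review bot: The new map entry only routes `/.well-known/acme-challenge/` requests for `light.ccchh.net` to `10.31.208.23`; nothing in this commit adds the corresponding forwarding of regular HTTPS traffic for that name on the public reverse proxy, so unless that lives in a file outside this diff, certificate issuance will succeed but `https://light.ccchh.net` will never reach the new `light.ccchh.net.conf` server. The address `10.31.208.23` also cannot be cross-checked against the `light` host from this diff (its host_vars file does not state an IP), so please confirm it is the same host that now serves the ACME webroot.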