diff --git a/files/nginx/odk.conf.template b/files/nginx/odk.conf.template
index 6d88171a..49610762 100644
--- a/files/nginx/odk.conf.template
+++ b/files/nginx/odk.conf.template
@@ -1,19 +1,10 @@
-server {
- listen ${HTTPS_PORT} default_server ssl;
-
- ssl_certificate /etc/nginx/ssl/nginx.default.crt;
- ssl_certificate_key /etc/nginx/ssl/nginx.default.key;
-
- return 421;
-}
-
 server {
 listen ${HTTPS_PORT} ssl;
 server_name ${DOMAIN};
 
- ssl_certificate /etc/${SSL_TYPE}/live/${CERT_DOMAIN}/fullchain.pem;
- ssl_certificate_key /etc/${SSL_TYPE}/live/${CERT_DOMAIN}/privkey.pem;
- ssl_trusted_certificate /etc/${SSL_TYPE}/live/${CERT_DOMAIN}/fullchain.pem;
+ ssl_certificate /etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem;
+ ssl_certificate_key /etc/${SSL_TYPE}/live/${CNAME}/privkey.pem;
+ ssl_trusted_certificate /etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem;
 
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
diff --git a/files/nginx/redirector.conf b/files/nginx/redirector.conf
index 53b32d31..2b06951b 100644
--- a/files/nginx/redirector.conf
+++ b/files/nginx/redirector.conf
@@ -18,10 +18,3 @@ server {
 return 301 https://$http_host$request_uri;
 }
 }
-
-server {
- listen ${HTTP_PORT} default_server;
- listen [::]:${HTTP_PORT} default_server;
-
- return 421;
-}
diff --git a/files/nginx/setup-odk.sh b/files/nginx/setup-odk.sh
index e9e2dcc4..b2fc715a 100644
--- a/files/nginx/setup-odk.sh
+++ b/files/nginx/setup-odk.sh
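Review bot: Removing the `default_server` block that answered with `return 421;` leaves `server { listen ${HTTPS_PORT} ssl; server_name ${DOMAIN}; … }` as nginx's implicit default for that port, so TLS connections whose SNI or Host header does not match `${DOMAIN}` are now handed to the application with the real certificate instead of being rejected; that catch-all was the guard against requests addressed to an unexpected host name, and the redirector.conf hunk drops the equivalent guard on the HTTP listener. If this is intended, the template should say so, e.g. `# No default_server here: this block also answers requests whose Host/SNI is not ${DOMAIN}.`; otherwise keep a `default_server` block with `return 421;` that reuses `/etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem`, since the self-signed default certificate is no longer generated. Whether another server block for this port exists further down the template is outside the hunk.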
@@ -9,16 +9,6 @@ fi
 
 envsubst < /usr/share/odk/nginx/client-config.json.template > /usr/share/nginx/html/client-config.json
 
-# Generate self-signed keys for incorrect (catch-all) HTTP listeners. This cert
-# should never be seen by legitimate users, so it's not a big deal that it's
-# self-signed and won't expire for 1,000 years.
-mkdir -p /etc/nginx/ssl
-openssl req -x509 -nodes -newkey rsa:2048 \
- -subj "/" \
- -keyout /etc/nginx/ssl/nginx.default.key \
- -out /etc/nginx/ssl/nginx.default.crt \
- -days 365000
-
 DH_PATH=/etc/dh/nginx.pem
 if [ "$SSL_TYPE" != "upstream" ] && [ ! -s "$DH_PATH" ]; then
 openssl dhparam -out "$DH_PATH" 2048
@@ -37,12 +27,12 @@ fi
 # start from fresh templates in case ssl type has changed
 echo "writing fresh nginx templates..."
 # redirector.conf gets deleted if using upstream SSL so copy it back
-envsubst '$DOMAIN $HTTP_PORT $HTTPS_PORT' \
+envsubst '$HTTP_PORT $HTTPS_PORT' \
 < /usr/share/odk/nginx/redirector.conf \
 > /etc/nginx/conf.d/redirector.conf
 
-CERT_DOMAIN=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
-envsubst '$SSL_TYPE $CERT_DOMAIN $DOMAIN $HTTPS_PORT $HTTPS_PORT $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+CNAME=$( [ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
+envsubst '$SSL_TYPE $CNAME $HTTPS_PORT $HTTPS_PORT $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
 < /usr/share/odk/nginx/odk.conf.template \
 > /etc/nginx/conf.d/odk.conf
 
diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
index 59b807fe..f47c8124 100755
--- a/files/service/scripts/start-odk.sh
+++ b/files/service/scripts/start-odk.sh
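Review bot: `$DOMAIN` is no longer in the SHELL-FORMAT of the new `envsubst '$SSL_TYPE $CNAME $HTTPS_PORT …'` line for odk.conf.template, yet the template still contains `server_name ${DOMAIN};` (an unchanged line in the odk.conf.template hunk), so envsubst leaves that reference literal and nginx gets a server name of `${DOMAIN}` that never matches the configured domain; the site presumably keeps working only because that block is now the sole server on the port. Put it back: `envsubst '$SSL_TYPE $CNAME $DOMAIN $HTTPS_PORT $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \`, which also drops the duplicated `$HTTPS_PORT`. The matching omission on the redirector.conf line may be correct, since that hunk's surviving lines use `$http_host` rather than `${DOMAIN}`, but the rest of that file is outside the hunk. `CNAME` also reads as the DNS record type; a name such as `CERT_DIR` would say what the value selects.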
@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_ISSUER_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT $S3_SERVER $S3_ACCESS_KEY $S3_SECRET_KEY $S3_BUCKET_NAME $HTTP_PORT $HTTPS_PORT' \
+envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $HTTP_PORT $HTTPS_PORT $OIDC_ENABLED $OIDC_ISSUER_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT $S3_SERVER $S3_ACCESS_KEY $S3_SECRET_KEY $S3_BUCKET_NAME' \
 < /usr/share/odk/config.json.template \
 > /usr/odk/config/local.json
 
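Review bot: The only change on the `envsubst` line is moving `$HTTP_PORT $HTTPS_PORT` into the middle of a roughly 330-character single-quoted list, which is the line a reviewer has to scan to confirm that every placeholder in config.json.template is substituted, and at this length an omitted name is easy to miss. Since envsubst's SHELL-FORMAT may contain newlines, the list could be assigned to a variable over several continuation lines, one group per line (identity and URL, database, email, ports, OIDC, Sentry, S3), and passed as `envsubst "$SUBST_VARS" \`. That would also make the grouping this commit chooses visible instead of buried in the string.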