diff --git a/pkg/webserver/webserver.go b/pkg/webserver/webserver.go
index 962871b19..586654bc2 100644
--- a/pkg/webserver/webserver.go
+++ b/pkg/webserver/webserver.go
@@ -194,6 +194,8 @@ func (s *Server) Listen(addr string) error {
 }
 if s.tlsCertFile == "" && s.certManager != nil {
 config.GetCertificate = s.certManager
+ // TODO(mpl): see if we can instead use
+ // https://godoc.org/golang.org/x/crypto/acme/autocert#Manager.TLSConfig
 config.NextProtos = append(config.NextProtos, alpnProto)
 s.listener = tls.NewListener(s.listener, config)
 return nil
diff --git a/website/pk-web/pkweb.go b/website/pk-web/pkweb.go
index 3abaf09e9..e8f684804 100644
--- a/website/pk-web/pkweb.go
+++ b/website/pk-web/pkweb.go
@@ -1036,9 +1036,7 @@ func serve(httpServer *http.Server, onHTTPError func(error)) error {
 if *adminEmail != "" {
 m.Email = *adminEmail
 }
-httpsServer.TLSConfig = &tls.Config{
-GetCertificate: m.GetCertificate,
-}
+httpsServer.TLSConfig = m.TLSConfig()
 log.Printf("Listening for HTTPS on %v", *httpsAddr)
 ln, err := net.Listen("tcp", *httpsAddr)
 if err != nil {
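Review bot: The TODO added in Listen does not say what blocks the switch, so the next reader cannot tell whether it is safe to attempt. In this hunk `s.certManager` is assigned directly to `config.GetCertificate`, which suggests the Server holds only the callback and not the autocert Manager, and the existing `config` may carry settings set earlier in the function, outside the hunk. I would extend the comment to something like `// Blocked on: Server stores only the GetCertificate func; Manager.TLSConfig would also replace settings already on config (NextProtos, etc.).` so the hand-appended `alpnProto` is understood as the interim equivalent.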
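Review bot: The config returned by `m.TLSConfig()` in serve is assigned unmodified, and as far as I know it sets only the certificate callback and the ALPN list, so the minimum protocol version is left to the default of whichever Go toolchain builds the binary. Pinning it makes the server's TLS floor independent of the build environment: `cfg := m.TLSConfig()`, `cfg.MinVersion = tls.VersionTLS12`, `httpsServer.TLSConfig = cfg`. A one-line comment such as `// TLSConfig also advertises the ACME TLS-ALPN protocol so tls-alpn-01 challenges can be answered on this listener.` would record why the literal was replaced. The rest of serve, including how `ln` is wrapped and served, is outside the hunk, so check there that nothing overwrites `httpsServer.TLSConfig` afterwards.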