diff --git a/nginx-sites-default.conf.tpl b/nginx-sites-default.conf.tpl
index 606a848..ecd0c18 100644
--- a/nginx-sites-default.conf.tpl
+++ b/nginx-sites-default.conf.tpl
@@ -5,8 +5,8 @@ server {
   listen 443 ssl;
   listen [::]:443 ssl;
   server_name ${server_name};
-  ssl_certificate spoke.crt;
-  ssl_certificate_key spoke.key;
+  ssl_certificate /home/spoke/spoke.crt;
+  ssl_certificate_key /home/spoke/spoke.key;
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
   ssl_ciphers HIGH:!aNULL:!MD5;
   access_log /var/log/nginx/spoke.access.log combined;
diff --git a/spoke-app-provision b/spoke-app-provision
index 6ab01a9..f45e287 100755
--- a/spoke-app-provision
+++ b/spoke-app-provision
@@ -59,14 +59,6 @@ _run_system0() {
     psql -c "ALTER USER spoke WITH PASSWORD '\${DB_PASSWORD}';"
 PGSETUP
 
-  mv -v /tmp/spoke.crt /etc/nginx/spoke.crt
-  mv -v /tmp/spoke.key /etc/nginx/spoke.key
-  chmod 0600 /etc/nginx/spoke.crt /etc/nginx/spoke.key
-  cp -v /tmp/nginx-sites-default.conf /etc/nginx/sites-available/default
-  ln -svf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
-  sha1sum /etc/nginx/sites-available/default
-  systemctl restart nginx
-
   if ! command -v yarn; then
     curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | sudo apt-key add -
     echo "deb https://dl.yarnpkg.com/debian/ stable main" |
@@ -81,6 +73,14 @@ PGSETUP
 
   sudo chsh -s /bin/bash spoke
   sudo chown -R spoke:spoke /home/spoke
+
+  mv -v /tmp/spoke.crt /home/spoke/spoke.crt
+  mv -v /tmp/spoke.key /home/spoke/spoke.key
+  chmod 0600 /home/spoke/spoke.crt /home/spoke/spoke.key
+  cp -v /tmp/nginx-sites-default.conf /etc/nginx/sites-available/default
+  ln -svf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
+  sha1sum /etc/nginx/sites-available/default
+  systemctl restart nginx
 }
 
 _run_system1() {