diff --git a/files/nginx/certbot.conf b/files/nginx/certbot.conf
new file mode 100644
index 00000000..44f3a877
--- /dev/null
+++ b/files/nginx/certbot.conf
@@ -0,0 +1,13 @@
+server {
+ # Listen only on port 81 for localhost, and nothing else.
+ server_name 127.0.0.1;
+ listen 127.0.0.1:81 default_server;
+
+ charset utf-8;
+
+ # Certbot's folder used for the ACME challenge response.
+ location ^~ /.well-known/acme-challenge {
+ default_type text/plain;
+ root /var/www/letsencrypt;
+ }
+}
\ No newline at end of file
diff --git a/files/nginx/odk-setup.sh b/files/nginx/odk-setup.sh
index 4a29ad23..8101cbb4 100644
--- a/files/nginx/odk-setup.sh
+++ b/files/nginx/odk-setup.sh
@@ -24,16 +24,20 @@ CNAME=$([ "$SSL_TYPE" = "customssl" ] && echo "local" || echo "$DOMAIN") \
 if [ "$SSL_TYPE" = "letsencrypt" ]
 then
 echo "starting nginx with certbot.."
+ cp /usr/share/nginx/certbot.conf /etc/nginx/conf.d/certbot.conf
+ cp /usr/share/nginx/redirector.conf /etc/nginx/conf.d/redirector.conf
 /bin/bash /scripts/start_nginx_certbot.sh
 elif [ "$SSL_TYPE" = "upstream" ]
 then
+ echo "starting nginx without local SSL to allow for upstream SSL.."
 perl -i -ne 's/listen 443.*/listen 80;/; print if ! /ssl_/' /etc/nginx/conf.d/odk.conf
 perl -i -pe 's/X-Forwarded-Proto \$scheme/X-Forwarded-Proto https/;' /etc/nginx/conf.d/odk.conf
 rm -f /etc/nginx/conf.d/certbot.conf
- echo "starting nginx without local SSL to allow for upstream SSL.."
+ rm -f /etc/nginx/conf.d/redirector.conf
 nginx -g "daemon off;"
 else
 echo "starting nginx without certbot.."
+ rm -f /etc/nginx/conf.d/certbot.conf
+ rm -f /etc/nginx/conf.d/redirector.conf
 nginx -g "daemon off;"
 fi
-
diff --git a/files/nginx/redirector.conf b/files/nginx/redirector.conf
new file mode 100644
index 00000000..05f75648
--- /dev/null
+++ b/files/nginx/redirector.conf
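Review bot: Everything outside the `location ^~ /.well-known/acme-challenge` block on this 127.0.0.1:81 server still falls through to nginx's default handling, so the "and nothing else" in the comment is not enforced by the config itself; an explicit `location / { return 404; }` after the challenge location makes the intent hold regardless of what root the base image's nginx.conf sets. The file also lacks a trailing newline. If this is a vendored copy of the base image's own `/etc/nginx/conf.d/certbot.conf` (the `rm -f` already present in odk-setup.sh and the FROM comment in nginx.dockerfile suggest so), a header comment naming the base-image version it was taken from would make the "keep *.conf updated" instruction checkable.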
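Review bot: The two `cp` calls added to the letsencrypt branch are unchecked, so if the script is not running under `set -e` (its header is outside the hunk) a missing or unreadable source file would silently start nginx-certbot with whatever `/etc/nginx/conf.d` already holds, possibly without any port-80 redirector; `cp ... || exit 1` on each line, or a single `set -e` at the top of the script, makes that failure visible. The `rm -f` pair is now duplicated in the upstream and else branches; it could be hoisted above the `if` so the default state is "no certbot, no redirector" and only the letsencrypt branch installs them. The if/elif/else is fully inside the hunk, but the script continues before it.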
@@ -0,0 +1,19 @@
+server {
+ # Listen on plain old HTTP and catch all requests so they can be redirected
+ # to HTTPS instead.
+ listen 80 default_server reuseport;
+ listen [::]:80 default_server reuseport;
+
+ # Pass this particular URL off to the certbot server so it can properly
+ # respond to the Let's Encrypt ACME challenges for the HTTPS certificates.
+ location '/.well-known/acme-challenge' {
+ default_type "text/plain";
+ proxy_pass http://localhost:81;
+ }
+
+ # Everything else gets shunted over to HTTPS for each user defined
+ # server to handle.
+ location / {
+ return 301 https://$http_host$request_uri;
+ }
+}
\ No newline at end of file
diff --git a/nginx.dockerfile b/nginx.dockerfile
index d775faaa..92e2a7b2 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -4,8 +4,8 @@ COPY ./ ./
 RUN files/prebuild/write-version.sh
 RUN files/prebuild/build-frontend.sh
-
-FROM jonasal/nginx-certbot:2.4
+# make sure you have updated *.conf files when upgrading this
+FROM jonasal/nginx-certbot:2.4.1
 EXPOSE 80
 EXPOSE 443
@@ -15,14 +15,15 @@ ENTRYPOINT [ "/bin/bash", "/scripts/odk-setup.sh" ]
 RUN apt-get update; apt-get install -y openssl netcat nginx-extras lua-zlib
-RUN mkdir -p /etc/selfsign/live/local
-COPY files/nginx/odk-setup.sh /scripts
+RUN mkdir -p /etc/selfsign/live/local/
+COPY files/nginx/odk-setup.sh /scripts/
 COPY files/local/customssl/*.pem /etc/customssl/live/local/
 COPY files/nginx/default /etc/nginx/sites-enabled/
-COPY files/nginx/inflate_body.lua /usr/share/nginx
-COPY files/nginx/odk.conf.template /usr/share/nginx
-COPY --from=intermediate client/dist/ /usr/share/nginx/html
+COPY files/nginx/inflate_body.lua /usr/share/nginx/
+COPY files/nginx/odk.conf.template /usr/share/nginx/
+COPY files/nginx/certbot.conf /usr/share/nginx/
+COPY files/nginx/redirector.conf /usr/share/nginx/
+COPY --from=intermediate client/dist/ /usr/share/nginx/html/
 COPY --from=intermediate /tmp/version.txt /usr/share/nginx/html/
-
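Review bot: `proxy_pass http://localhost:81;` in the acme-challenge location hands the hostname to the system resolver, while the certbot server in certbot.conf listens on `127.0.0.1:81` only; in images where `localhost` also resolves to `::1`, nginx includes that address in the implicit upstream and logs a connection failure before failing over to 127.0.0.1. Pointing it at the exact address, `proxy_pass http://127.0.0.1:81;`, keeps the two files consistent and avoids the noise. Separately, the catch-all `return 301 https://$http_host$request_uri;` echoes the client-supplied Host header into the Location, which is the usual shape for a default_server redirector but means the redirect target is not limited to the configured domain; if odk-setup.sh already templates the domain into other configs it could pin it here too, otherwise a one-line comment stating that this is intentional would help the next reader. Whether `localhost` maps to `::1` in this base image cannot be verified from the diff.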
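Review bot: The four `COPY files/nginx/... /usr/share/nginx/` instructions in the second hunk create four layers for four small files from the same directory; a single `COPY files/nginx/inflate_body.lua files/nginx/odk.conf.template files/nginx/certbot.conf files/nginx/redirector.conf /usr/share/nginx/` does the same work in one layer. The two new conf files are only staged here and are installed into `/etc/nginx/conf.d/` at container start by odk-setup.sh depending on `SSL_TYPE`, which is not visible from the Dockerfile alone; a comment such as `# staged only; odk-setup.sh installs these into /etc/nginx/conf.d when SSL_TYPE=letsencrypt` above those two lines would record that. The first hunk is a version bump plus comment and needs nothing further.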