diff --git a/compose.production.yaml b/compose.production.yaml
index 5f4542ff3f1..3fbc9d8f730 100644
--- a/compose.production.yaml
+++ b/compose.production.yaml
@@ -91,8 +91,6 @@ services:
 volumes:
 - ./docker/nginx.conf:/etc/nginx/nginx.conf:ro
 - ./docker/covers_nginx.conf:/etc/nginx/sites-enabled/covers_nginx.conf:ro
- # Needed for HTTPS, since this is a public server
- - ./docker/public_nginx.conf:/etc/nginx/sites-available/public_nginx.conf:ro
 # letsencrypt
 - letsencrypt-data:/etc/letsencrypt
 - ../olsystem/etc/cron.d/certbot:/etc/cron.d/certbot
@@ -182,8 +180,6 @@ services:
 # nginx configurations
 - ./docker/nginx.conf:/etc/nginx/nginx.conf:ro
 - ./docker/web_nginx.conf:/etc/nginx/sites-enabled/openlibrary.conf:ro
- # Needed for HTTPS, since this is a public server
- - ./docker/public_nginx.conf:/etc/nginx/sites-available/public_nginx.conf:ro
 # archive web log uploads
 - ../olsystem:/olsystem
 # web log rotation
diff --git a/docker/covers_nginx.conf b/docker/covers_nginx.conf
index 1639c26b492..0d6ec59e2cc 100644
--- a/docker/covers_nginx.conf
+++ b/docker/covers_nginx.conf
@@ -1,4 +1,20 @@
-include /etc/nginx/sites-available/public_nginx.conf;
+# Keep in sync with web_nginx.conf
+server {
+ listen 80 default;
+ listen [::]:443 ssl http2 ipv6only=on;
+ listen 443 ssl http2;
+ server_name localhost;
+
+ ssl_certificate /etc/letsencrypt/live/covers.openlibrary.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/covers.openlibrary.org/privkey.pem;
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ ssl_dhparam /olsystem/etc/nginx/dhparam-2048.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ ssl_prefer_server_ciphers on;
+}
 
 server {
 listen 80;
diff --git a/docker/ol-nginx-start.sh b/docker/ol-nginx-start.sh
index 84d20109110..c958cfb5f70 100755
--- a/docker/ol-nginx-start.sh
+++ b/docker/ol-nginx-start.sh
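Review bot: The `ssl_ciphers` line in the new covers_nginx.conf server block still permits 3DES (`EECDH+3DES:RSA+3DES`) and the non-forward-secret `RSA+AES128`/`RSA+AES256` suites, and the same line is copied verbatim into the web_nginx.conf hunk. With `ssl_protocols TLSv1.2 TLSv1.3` already set there is little reason to keep them — 3DES's 64-bit block size is the Sweet32 weakness and the plain-RSA suites lose forward secrecy — and inlining the shared config is the natural moment to drop them, e.g. `ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;` in both files. The suites were carried over unchanged from the deleted public_nginx.conf, so if a known legacy client still depends on them that should be recorded in a comment next to the line rather than left implicit.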
@@ -1,18 +1,14 @@
 #!/bin/bash
 
 # Create certs for domains missing them
-RUN_CERTBOT=0
 CERTBOT_OPTIONS=""
 for domain in $NGINX_DOMAIN; do
 CERTBOT_OPTIONS+=" -d $domain"
- if [ ! -d "/etc/letsencrypt/live/$domain" ]; then
- RUN_CERTBOT=1
- fi
 done
-
-if [ "$RUN_CERTBOT" -eq 1 ]; then
- certbot certonly --webroot --webroot-path /openlibrary/static $CERTBOT_OPTIONS
-fi
+certbot certonly \
+ --noninteractive --agree-tos \
+ -m openlibrary@archive.org \
+ --webroot --webroot-path /openlibrary/static $CERTBOT_OPTIONS
 
 # Run crontab if there are files
 if [ -n "$CRONTAB_FILES" ] ; then
diff --git a/docker/public_nginx.conf b/docker/public_nginx.conf
deleted file mode 100644
index 971662834df..00000000000
--- a/docker/public_nginx.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-# TODO: Keep in ~ sync with olsystem/etc/nginx/sites-available/defaults until we're fully onto Docker
-
-# Sets up HTTP2 listening on 443 with ssl_protocols and ssl_ciphers.
-# Should be used for all public facing Nginx instances.
-
-server {
- listen 80 default;
- listen [::]:443 ssl http2 ipv6only=on;
- listen 443 ssl http2;
- server_name localhost;
-
- ssl_certificate /etc/letsencrypt/live/openlibrary.org/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/openlibrary.org/privkey.pem;
-
- # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
- ssl_dhparam /olsystem/etc/nginx/dhparam-2048.pem;
-
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
- ssl_prefer_server_ciphers on;
-}
diff --git a/docker/web_nginx.conf b/docker/web_nginx.conf
index 7f19e19239e..d05666c9437 100644
--- a/docker/web_nginx.conf
+++ b/docker/web_nginx.conf
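Review bot: The new unconditional `certbot certonly` call also runs when `$NGINX_DOMAIN` is empty, in which case `$CERTBOT_OPTIONS` carries no `-d` flag and a `--noninteractive` certbot presumably has no domains to act on and exits with an error; the removed `RUN_CERTBOT` gate never invoked certbot in that case, so this is a behavior change for containers started without domains. Wrapping the call, `if [ -n "$CERTBOT_OPTIONS" ]; then` … `fi`, restores that. Certbot's exit status is still not checked, so a failed issuance (for example the webroot not being served yet) is only noticed later when nginx cannot open its `ssl_certificate` path; whether the script should stop or keep going there is a deployment decision, but it deserves a comment on the call. The script continues past the hunk at the `CRONTAB_FILES` check.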
@@ -16,7 +16,23 @@ upstream webnodes {
 server web_haproxy:7072;
 }
 
-include /etc/nginx/sites-available/public_nginx.conf;
+# Keep in sync with covers_nginx.conf
+server {
+ listen 80 default;
+ listen [::]:443 ssl http2 ipv6only=on;
+ listen 443 ssl http2;
+ server_name localhost;
+
+ ssl_certificate /etc/letsencrypt/live/openlibrary.org/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/openlibrary.org/privkey.pem;
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
+ ssl_dhparam /olsystem/etc/nginx/dhparam-2048.pem;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
+ ssl_prefer_server_ciphers on;
+}
 
 server {
 listen 80;
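Review bot: The `# Keep in sync with covers_nginx.conf` comment on the new server block does not say what is allowed to differ, and the two copies already diverge in the `ssl_certificate`/`ssl_certificate_key` paths (`openlibrary.org` here, `covers.openlibrary.org` there). A more useful comment would be `# Keep in sync with covers_nginx.conf; only the ssl_certificate* paths differ`, so a later edit to the protocol or cipher lines is recognisably a two-file change. If the duplication grows, the lines from `ssl_dhparam` through `ssl_prefer_server_ciphers` could live in one shared snippet that both files `include`, leaving only `listen`, `server_name` and the certificate paths inline. The following `server {` block starts inside the hunk and continues past it.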