diff --git a/core/nginx/conf/tls.conf b/core/nginx/conf/tls.conf
index 5d7ec031..9100243d 100644
--- a/core/nginx/conf/tls.conf
+++ b/core/nginx/conf/tls.conf
@@ -1,5 +1,9 @@
 ssl_certificate {{ TLS[0] }};
 ssl_certificate_key {{ TLS[1] }};
+{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt] %}
+ssl_certificate {{ TLS[2] }};
+ssl_certificate_key {{ TLS[3] }};
+{% endif %}
 ssl_session_timeout 1d;
 ssl_session_tickets off;
 ssl_dhparam /conf/dhparam.pem;
diff --git a/core/nginx/config.py b/core/nginx/config.py
index 6fc9c082..a9bce89b 100755
--- a/core/nginx/config.py
+++ b/core/nginx/config.py
@@ -27,10 +27,10 @@ keypair_name = os.getenv("TLS_KEYPAIR_FILENAME", default="key.pem")
 args["TLS"] = {
 "cert": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
 "letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
- "/certs/letsencrypt/live/mailu/privkey.pem"),
+ "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
 "mail": ("/certs/%s" % cert_name, "/certs/%s" % keypair_name),
 "mail-letsencrypt": ("/certs/letsencrypt/live/mailu/fullchain.pem",
- "/certs/letsencrypt/live/mailu/privkey.pem"),
+ "/certs/letsencrypt/live/mailu/privkey.pem", "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem", "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem"),
 "notls": None
 }[args["TLS_FLAVOR"]]
diff --git a/core/nginx/letsencrypt.py b/core/nginx/letsencrypt.py
index ed106fa1..73659f7c 100755
--- a/core/nginx/letsencrypt.py
+++ b/core/nginx/letsencrypt.py
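Review bot: The added Jinja condition `{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt] %}` is missing the closing quote on the second list element, so the template fails to parse and no tls.conf is rendered for any TLS flavor, not only the Let's Encrypt ones. The line should read `{% if TLS_FLAVOR in ['letsencrypt','mail-letsencrypt'] %}`. Separately, the new `ssl_certificate {{ TLS[2] }};` and `ssl_certificate_key {{ TLS[3] }};` directives point at the `mailu-ecdsa` lineage, which as far as this diff shows only exists once the second certbot invocation has succeeded; if config.py renders and reloads before that, nginx rejects the whole configuration on the missing file, so gating these two lines on the ECDSA files actually existing (an existence check in config.py before exposing TLS[2]/TLS[3]) is worth considering.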
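Review bot: The two rewritten `+` lines each spell all four `/certs/letsencrypt/live/...` paths on one ~170-character line and duplicate them verbatim between the `letsencrypt` and `mail-letsencrypt` entries, so a typo in one copy would silently desynchronize the RSA and ECDSA lineages between the two flavors. Hoisting the tuple into a single module-level constant keeps it readable and single-sourced. The `cert`/`mail` entries stay 2-tuples while the Let's Encrypt ones become 4-tuples, so a consumer must check the flavor before touching TLS[2]/TLS[3]; a comment on `args["TLS"]` such as `# 2-tuple (cert, key) for self-managed flavors, 4-tuple (rsa cert, rsa key, ecdsa cert, ecdsa key) for Let's Encrypt` would make that contract explicit. The `args["TLS"]` statement is fully inside this hunk, but the surrounding module is not.
```python
LETSENCRYPT = ("/certs/letsencrypt/live/mailu/fullchain.pem",
               "/certs/letsencrypt/live/mailu/privkey.pem",
               "/certs/letsencrypt/live/mailu-ecdsa/fullchain.pem",
               "/certs/letsencrypt/live/mailu-ecdsa/privkey.pem")
# 2-tuple (cert, key) for self-managed flavors, 4-tuple (rsa cert, rsa key,
# ecdsa cert, ecdsa key) for Let's Encrypt; None when TLS is disabled.
args["TLS"] = {
    # … unchanged: "cert" entry …
    "letsencrypt": LETSENCRYPT,
    # … unchanged: "mail" entry …
    "mail-letsencrypt": LETSENCRYPT,
    # … unchanged: "notls" entry …
}[args["TLS_FLAVOR"]]
```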
@@ -14,7 +14,19 @@ command = [
 "--cert-name", "mailu",
 "--preferred-challenges", "http", "--http-01-port", "8008",
 "--keep-until-expiring",
- "--rsa-key-size", "3072",
+ "--config-dir", "/certs/letsencrypt",
+ "--post-hook", "/config.py"
+]
+command2 = [
+ "certbot",
+ "-n", "--agree-tos", # non-interactive
+ "-d", os.environ["HOSTNAMES"],
+ "-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
+ "certonly", "--standalone",
+ "--cert-name", "mailu-ecdsa",
+ "--preferred-challenges", "http", "--http-01-port", "8008",
+ "--keep-until-expiring",
+ "--key-type", "ecdsa",
 "--config-dir", "/certs/letsencrypt",
 "--post-hook", "/config.py"
 ]
@@ -25,5 +37,6 @@ time.sleep(5)
 # Run certbot every hour
 while True:
 subprocess.call(command)
+ subprocess.call(command2)
 time.sleep(3600)
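Review bot: The removed `"--rsa-key-size", "3072",` line is not carried into the new `command`, so the `mailu` RSA certificate silently falls back to certbot's default key size at its next issuance — an unannounced downgrade from the 3072-bit key this file previously pinned, and unrelated to adding the ECDSA lineage. If 3072-bit RSA is still intended, reinsert `"--rsa-key-size", "3072",` after `"--keep-until-expiring",` in `command`; if the default is intended, a comment saying so would stop the next reader from treating it as an accident. `command2` repeats every argument of `command` except `--cert-name` and `--key-type`, so future changes to the shared flags (hostnames, challenge port, hooks) must be made twice; deriving both from one base list keeps them in lockstep, as sketched below on the assumption that `command`'s leading arguments (which start before this hunk) match those visible in `command2`. Note also that `--key-type ecdsa` without `--elliptic-curve` relies on certbot's default curve, which is fine but worth a comment.
```python
base = [
    "certbot",
    "-n", "--agree-tos", # non-interactive
    "-d", os.environ["HOSTNAMES"],
    "-m", "{}@{}".format(os.environ["POSTMASTER"], os.environ["DOMAIN"]),
    "certonly", "--standalone",
    "--preferred-challenges", "http", "--http-01-port", "8008",
    "--keep-until-expiring",
    "--config-dir", "/certs/letsencrypt",
    "--post-hook", "/config.py"
]
# RSA lineage: keep the 3072-bit key size this file pinned before the change.
command = base + ["--cert-name", "mailu", "--rsa-key-size", "3072"]
# ECDSA lineage: certbot's default curve (P-256) unless --elliptic-curve is given.
command2 = base + ["--cert-name", "mailu-ecdsa", "--key-type", "ecdsa"]
```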
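Review bot: The new `subprocess.call(command2)` discards certbot's exit status just as the existing `subprocess.call(command)` does, so a failed ECDSA issuance (rate limit, challenge failure, CA rejecting the key type) leaves the `mailu-ecdsa` files absent while the rendered nginx config from the other hunks still refers to them, and nothing in this loop makes that visible. Checking the result, e.g. `if subprocess.call(command2) != 0: print("certbot (ecdsa) failed; nginx config may reference missing mailu-ecdsa files")`, surfaces the failure without changing the hourly retry cadence. The `while True` loop is fully inside this hunk; the `time.sleep(5)` in the header is context from before it.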