@@ -31,8 +31,8 @@
 func (s *Server) serveTLS() (err error) {
 	log := s.log.Named("tls")
 
-	wildcardDomain := "*." + s.options.Config.WildcardDomain
-	certificateDomains := slices.Clone(s.options.Config.Domains)
+	wildcardDomains := slices.Clone(s.options.WildcardDomains)
+	certificateDomains := slices.Clone(s.options.Domains)
 
 	certmagic.HTTPPort = s.options.Port
 	certmagic.HTTPSPort = s.options.TLSPort
@@ -42,15 +42,9 @@
 	acme := &certmagic.DefaultACME
 	acme.Logger = certmagic.Default.Logger
 	acme.Agreed = true
-	acme.Email = s.options.Config.Email
 	acme.ListenHost = strings.Trim(s.options.ListenAddress, "[]")
 
-	if s.options.Development {
-		ca := s.options.ACMEIssuer
-		if ca == "" {
-			return errors.New("can't enable tls in development without an ACME_ISSUER")
-		}
-
+	if s.options.ACMEIssuer != "" {
 		cp, err := x509.SystemCertPool()
 		if err != nil {
 			log.Warn("could not get system certificate pool", "error", err)
@@ -87,7 +81,9 @@ Logger:      cfg.Logger,
 			},
 		}
 
-		certificateDomains = append(slices.Clone(s.options.Config.Domains), wildcardDomain)
+		if len(wildcardDomains) > 0 {
+			certificateDomains = append(certificateDomains, wildcardDomains...)
+		}
 
 		rs := certmagic_redis.New()
 		rs.Address = []string{rc.Address}
@@ -121,20 +117,10 @@ if certmagic.LooksLikeHTTPChallenge(r) &&
 				acme.HandleHTTPChallenge(w, r) {
 				return
 			}
-			url := r.URL
-			url.Scheme = "https"
-			port := s.options.Config.BaseURL.Port()
-			if port == "" {
+			if slices.Contains(s.options.Domains, r.Host) {
+				url := r.URL
+				url.Scheme = "https"
 				url.Host = r.Host
-			} else {
-				host, _, err := net.SplitHostPort(r.Host)
-				if err != nil {
-					log.Warn("error splitting host and port", "error", err)
-					host = r.Host
-				}
-				url.Host = net.JoinHostPort(host, s.options.Config.BaseURL.Port())
-			}
-			if slices.Contains(s.options.Config.Domains, r.Host) {
 				http.Redirect(w, r, url.String(), http.StatusMovedPermanently)
 			} else {
 				http.NotFound(w, r)