diff --git a/docs/rolereference.rst b/docs/rolereference.rst index 7dbaf3b928dba46fc3a05635fc5edb48b3aeb63f..cf021019a08b9007dfefac7f02b01a5ca0432916 100644 --- a/docs/rolereference.rst +++ b/docs/rolereference.rst @@ -21,14 +21,14 @@ deployment. This section lists such parameters. **tls_private_key_dir** (string, optional if paths to private keys for all roles are explicitly specified) Path to directory on Ansible host that contains the private keys used by - services deployed by various roles. When TLS key path is not explicitly - defined in a role, this is the directory where the TLS key will be looked-up - during Ansible run. Expected filename pattern is ``FQDN_SERVICE.key`` (for - example, ``mail.example.com_smtp.key`` or ``xmpp.example.com_xmpp.key``). + services deployed by various roles. When TLS keys are not explicitly defined + in a role, this is the directory where the TLS key will be looked-up during + Ansible run. Expected filename pattern is ``FQDN_SERVICE.key`` (for example, + ``mail.example.com_smtp.key`` or ``xmpp.example.com_xmpp.key``). **tls_certificate_dir** (string, optional if paths to certificate files for all roles are explicitly specified) Path to directory on Ansible host that contains the X.509 certificate files - used by services deployed by various roles. When X.509 certificate path is not + used by services deployed by various roles. When X.509 certificate is not explicitly defined in a role, this is the directory where the X.509 certificate will be looked-up during Ansible run. Expected filename pattern is ``FQDN_SERVICE.pem`` (for example, ``mail.example.com_smtp.pem`` or 
@@ -575,13 +575,13 @@ Parameters ` for value description and syntax. -**ldap_server_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_ldap.pem``) - Path to file on Ansible host that contains the X.509 certificate used for TLS - for LDAP service. The file will be copied to directory ``/etc/ssl/certs/``. +**ldap_server_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_ldap.pem') }}``) + X.509 certificate used for TLS for LDAP service. The file will be stored in + directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_ldap.pem``. -**ldap_server_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_ldap.key``) - Path to file on Ansible host that contains the private key used for TLS for - LDAP service. The file will be copied to directory ``/etc/ssl/private/``. +**ldap_server_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_ldap.key') }}``) + Private key used for TLS for LDAP service. The file will be stored in + directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_ldap.key``. **ldap_server_ssf** (number, optional, ``128``) Minimum *Security Strength Factor* to require from all incoming @@ -600,8 +600,8 @@ Here is an example configuration for setting-up LDAP server: ldap_server_domain: "example.com" ldap_server_organization: "Example Corporation" ldap_server_log_level: 256 - ldap_server_tls_certificate: ~/tls/ldap.example.com_ldap.pem - ldap_server_tls_key: ~/tls/ldap.example.com_ldap.key + ldap_server_tls_certificate: "{{ lookup('file', '~/tls/ldap.example.com_ldap.pem') }}" + ldap_server_tls_key: "{{ lookup('file', '~/tls/ldap.example.com_ldap.key') }}" ldap_server_ssf: 128 ldap_permissions: 
@@ -726,13 +726,13 @@ Parameters Fully qualified domain name, hostname, or IP address of the LDAP server used for user authentication and listing. -**xmpp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_xmpp.pem``) - Path to file on Ansible host that contains the X.509 certificate used for TLS - for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``. +**xmpp_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_xmpp.pem') }}``) + X.509 certificate used for TLS for XMPP service. The file will be stored in + directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_xmpp.pem``. -**xmpp_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_xmpp.key``) - Path to file on Ansible host that contains the private key used for TLS for - XMPP service. The file will be copied to directory ``/etc/ssl/private/``. +**xmpp_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_xmpp.key') }}``) + Private key used for TLS for XMPP service. The file will be stored in + directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_xmpp.key``. Examples @@ -753,8 +753,8 @@ Here is an example configuration for setting-up XMPP server using Prosody: xmpp_ldap_server: ldap.example.com # These are default key and certificate that generated during Prosody # installation. Possibly you want to deploy your own. - xmpp_tls_key: /etc/prosody/certs/localhost.key - xmpp_tls_certificate: /etc/prosody/certs/localhost.crt + xmpp_tls_key: "{{ lookup('file', '/etc/prosody/certs/localhost.key') }}" + xmpp_tls_certificate: "{{ lookup('file', '/etc/prosody/certs/localhost.crt') }}" Mail Server 
@@ -864,23 +864,21 @@ Parameters **mail_user_gid** (integer, optional, ``whatever OS picks``) GID of the user that owns all the mail files. -**imap_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_imap.pem``) - Path to file on Ansible host that contains the X.509 certificate used for TLS - for IMAP and ManageSieve services. The file will be copied to directory - ``/etc/ssl/certs/``. +**imap_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_imap.pem') }}``) + X.509 certificate used for TLS for IMAP service. The file will be stored in + directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_imap.pem``. -**imap_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_imap.key``) - Path to file on Ansible host that contains the private key used for TLS for - IMAP and ManageSieve services. The file will be copied to directory - ``/etc/ssl/private/``. +**imap_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_imap.key') }}``) + Private key used for TLS for IMAP service. The file will be stored in + directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_imap.key``. -**smtp_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_smtp.pem``) - Path to file on Ansible host that contains the X.509 certificate used for TLS - for SMTP service. The file will be copied to directory ``/etc/ssl/certs/``. +**smtp_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_smtp.pem') }}``) + X.509 certificate used for TLS for SMTP service. The file will be stored in + directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_smtp.pem``. -**smtp_tls_key** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_smtp.key``) - Path to file on Ansible host that contains the private key used for TLS for - SMTP service. 
The file will be copied to directory ``/etc/ssl/private/``. +**smtp_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_smtp.key') }}``) + Private key used for TLS for SMTP service. The file will be stored in + directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_smtp.key``. **imap_folder_separator** (string, optional, ``/``) Character used for separating the IMAP folders when clients are requesting @@ -919,10 +917,10 @@ Here is an example configuration for setting-up XMPP server using Prosody: mail_user_uid: 5000 mail_user_gid: 5000 - imap_tls_certificate: ~/tls/mail.example.com_imap.pem - imap_tls_key: ~/tls/mail.example.com_imap.key - smtp_tls_certificate: ~/tls/mail.example.com_smtp.pem - smtp_tls_key: ~/tls/mail.example.com_smtp.key + imap_tls_certificate: "{{ lookup('file', '~/tls/mail.example.com_imap.pem') }}" + imap_tls_key: "{{ lookup('file', '~/tls/mail.example.com_imap.key') }}" + smtp_tls_certificate: "{{ lookup('file', '~/tls/mail.example.com_smtp.pem') }}" + smtp_tls_key: "{{ lookup('file', '~/tls/mail.example.com_smtp.key') }}" imap_folder_separator: / smtp_rbl: - bl.spamcop.net 
@@ -1041,15 +1039,13 @@ Parameters Specify if HTTPS should be enforced for the default virtual host or not. If enforced, clients connecting via plaintext will be redirected to HTTPS. -**default_https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ ansible_fqdn }}_https.key``) - Path to file on Ansible host that contains the private key used for TLS for - HTTPS service. The file will be copied to directory - ``/etc/ssl/private/``. This key is used for the default virrtual host. +**default_https_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + ansible_fqdn + '_https.pem') }}``) + X.509 certificate used for TLS for HTTPS service. The file will be stored in + directory ``/etc/ssl/certs/`` under name ``{{ ansible_fqdn }}_https.pem``. -**default_https_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ ansible_fqdn }}_https.pem``) - Path to file on Ansible host that contains the X.509 certificate used for TLS - for HTTPS service. The file will be copied to directory - ``/etc/ssl/certs/``. This certificate is used for the default virrtual host. +**default_https_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + ansible_fqdn + '_https.key') }}``) + Private key used for TLS for HTTPS service. The file will be stored in + directory ``/etc/ssl/private/`` under name ``{{ ansible_fqdn }}_https.key``. **web_default_title** (string, optional, ``Welcome``) Title for the default web page shown to users (if no other vhosts were matched). 
@@ -1068,8 +1064,8 @@ Here is an example configuration for setting-up web server: --- - default_https_tls_key: "{{ inventory_dir }}/tls/web.example.com_https.key" - default_https_tls_certificate: "{{ inventory_dir }}/tls/web.example.com_https.pem" + default_https_tls_key: "{{ lookup('file', inventory_dir + '/tls/web.example.com_https.key') }}" + default_https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/web.example.com_https.pem') }}" web_default_title: "Welcome to Example Inc." web_default_message: "You are attempting to access the web server using a wrong name or an IP address. Please check your URL." @@ -1159,13 +1155,13 @@ Parameters succession, until the first match, or until it runs out of matches, when a client requests an URI pointing to directory. -**https_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ fqdn }}_https.pem``) - Path to file on Ansible host that contains the X.509 certificate used for TLS - for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``. +**https_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_https.pem') }}``) + X.509 certificate used for TLS for HTTPS service. The file will be stored in + directory ``/etc/ssl/certs/`` under name ``{{ fqdn }}_https.pem``. -**https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ fqdn }}_https.key``) - Path to file on Ansible host that contains the private key used for TLS for - HTTPS service. The file will be copied to directory ``/etc/ssl/private/``. +**https_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_https.key') }}``) + Private key used for TLS for HTTPS service. The file will be stored in + directory ``/etc/ssl/private/`` under name ``{{ fqdn }}_https.key``. **php_file_regex** (string, optional, ``\.php$``) Regular expression used for determining which file should be interepted via 
@@ -1222,8 +1218,8 @@ running *ownCloud* and *The Bug Genie* applications): - php5-json - php5-mysql - php5-curl - https_tls_key: "{{ inventory_dir }}/tls/cloud.example.com_https.key" - https_tls_certificate: "{{ inventory_dir }}/tls/cloud.example.com_https.pem" + https_tls_key: "{{ lookup('file', inventory_dir + '/tls/cloud.example.com_https.key') }}" + https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/cloud.example.com_https.pem') }}" - role: php_website admin: admin deny_files_regex: @@ -1232,8 +1228,8 @@ running *ownCloud* and *The Bug Genie* applications): - ^(.*) /index.php?url=$1 fqdn: tbg.example.com uid: 2007 - https_tls_key: "{{ inventory_dir }}/tls/tbg.example.com_https.key" - https_tls_certificate: "{{ inventory_dir }}/tls/tbg.example.com_https.pem" + https_tls_key: "{{ lookup('file', inventory_dir + '/tls/tbg.example.com_https.key') }}" + https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/tbg.example.com_https.pem') }}" WSGI Website 
@@ -1322,13 +1318,13 @@ Parameters for calculating the user/group name for dedicated website user, as well as home directory of the website user (where data/code should be stored at). -**https_tls_certificate** (string, optional, ``{{ tls_certificate_dir }}/{{ fqdn }}_https.pem``) - Path to file on Ansible host that contains the X.509 certificate used for TLS - for HTTPS service. The file will be copied to directory ``/etc/ssl/certs/``. +**https_tls_certificate** (string, optional, ``{{ lookup('file', tls_certificate_dir + '/' + fqdn + '_https.pem') }}``) + X.509 certificate used for TLS for HTTPS service. The file will be stored in + directory ``/etc/ssl/certs/`` under name ``{{ fqdn }}_https.pem``. -**https_tls_key** (string, optional, ``{{ tls_private_key_dir }}/{{ fqdn }}_https.key``) - Path to file on Ansible host that contains the private key used for TLS for - HTTPS service. The file will be copied to directory ``/etc/ssl/private/``. +**https_tls_key** (string, optional, ``{{ lookup('file', tls_private_key_dir + '/' + fqdn + '_https.key') }}``) + Private key used for TLS for HTTPS service. The file will be stored in + directory ``/etc/ssl/private/`` under name ``{{ fqdn }}_https.key``. **packages** (list, optional, ``[]``) A list of additional packages to install for this particular WSGI @@ -1384,8 +1380,8 @@ running a bare Django project): virtualenv_packages: - django wsgi_application: django_example_com.wsgi:application - https_tls_key: "{{ inventory_dir }}/tls/wsgi.example.com_https.key" - https_tls_certificate: "{{ inventory_dir }}/tls/wsgi.example.com_https.pem" + https_tls_key: "{{ lookup('file', inventory_dir + '/tls/wsgi.example.com_https.key') }}" + https_tls_certificate: "{{ lookup('file', inventory_dir + '/tls/wsgi.example.com_https.pem') }}" Database Server diff --git a/roles/ldap_server/defaults/main.yml b/roles/ldap_server/defaults/main.yml index fc3c43742407c3d0b211adaf6ffebc45613c9f7b..e9b4033ba231b037dbfb6fe844d156c189ff04a3 100644 
--- a/roles/ldap_server/defaults/main.yml +++ b/roles/ldap_server/defaults/main.yml @@ -7,8 +7,8 @@ ldap_server_domain: "{{ ansible_domain }}" ldap_server_int_basedn: "{{ ldap_server_domain | regex_replace('\\.', ',dc=') | regex_replace('^', 'dc=') }}" ldap_server_organization: "Private" ldap_server_log_level: 256 -ldap_server_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_ldap.pem" -ldap_server_tls_key: "{{ tls_private_key_dir }}/{{ ansible_fqdn }}_ldap.key" +ldap_server_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_ldap.pem') }}" +ldap_server_tls_key: "{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_ldap.key') }}" ldap_server_ssf: 128 ldap_server_consumers: [] ldap_server_groups: [] diff --git a/roles/ldap_server/tasks/main.yml b/roles/ldap_server/tasks/main.yml index 7b8787fde3ea0779f36bcba07bc815a2390a7c10..fc820f93c76f584eceb6f016e04aa2faf5d0e888 100644 --- a/roles/ldap_server/tasks/main.yml +++ b/roles/ldap_server/tasks/main.yml 
@@ -49,19 +49,19 @@ when: ldap_misc_schema_present.stdout == "" - name: Deploy LDAP TLS private key - copy: dest="/etc/ssl/private/{{ ldap_server_tls_key | basename }}" src="{{ ldap_server_tls_key }}" + copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key" content="{{ ldap_server_tls_key }}" mode=640 owner=root group=openldap notify: - Restart slapd - name: Deploy LDAP TLS certificate - copy: dest="/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}" src="{{ ldap_server_tls_certificate }}" + copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" content="{{ ldap_server_tls_certificate }}" mode=644 owner=root group=root notify: - Restart slapd - name: Configure TLS for slapd (includes hardening) - ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ldap_server_tls_certificate | basename }}" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ldap_server_tls_key | basename }}" + ldap_entry: dn=cn=config state=replace olcTLSCertificateFile="/etc/ssl/certs/{{ ansible_fqdn }}_ldap.pem" olcTLSCertificateKeyFile="/etc/ssl/private/{{ ansible_fqdn }}_ldap.key" olcTLSCipherSuite="NONE:+VERS-TLS1.2:+CTYPE-X509:+COMP-NULL:+SIGN-RSA-SHA256:+SIGN-RSA-SHA384:+SIGN-RSA-SHA512:+DHE-RSA:+ECDHE-RSA:+SHA256:+SHA384:+AEAD:+AES-128-GCM:+AES-128-CBC:+AES-256-GCM:+AES-256-CBC:+CURVE-ALL" notify: - Restart slapd diff --git a/roles/mail_server/defaults/main.yml b/roles/mail_server/defaults/main.yml index cf1140bcd5b8a6005e256ced7da332484e57baa4..5e41257e58ca8b7dad78e6a61698228f856a0198 100644 --- a/roles/mail_server/defaults/main.yml +++ b/roles/mail_server/defaults/main.yml 
@@ -3,10 +3,10 @@ enable_backup: False mail_ldap_tls_truststore: "/etc/ssl/certs/truststore.pem" mail_user: vmail -imap_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_imap.pem" -imap_tls_key: "{{ tls_private_key_dir }}/{{ ansible_fqdn }}_imap.key" -smtp_tls_certificate: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_smtp.pem" -smtp_tls_key: "{{ tls_certificate_dir }}/{{ ansible_fqdn }}_smtp.key" +imap_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_imap.pem') }}" +imap_tls_key: "{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_imap.key') }}" +smtp_tls_certificate: "{{ lookup('file', tls_certificate_dir + '/' ansible_fqdn + '_smtp.pem') }}" +smtp_tls_key: "{{ lookup('file', tls_private_key_dir + '/' ansible_fqdn + '_smtp.key') }}" imap_folder_separator: "/" smtp_rbl: [] mail_postmaster: "postmaster@{{ ansible_domain }}" diff --git a/roles/mail_server/tasks/main.yml b/roles/mail_server/tasks/main.yml index a4f4fb2b9a80c0e2c0a094079edebc2160c09ed6..9a830e9e761c2c2286678d6fdf2f07c97bcb925c 100644 --- a/roles/mail_server/tasks/main.yml +++ b/roles/mail_server/tasks/main.yml 
@@ -27,25 +27,25 @@ user: name=dovecot append=yes groups=ssl-cert - name: Deploy SMTP TLS private key - copy: dest="/etc/ssl/private/{{ smtp_tls_key | basename }}" src="{{ smtp_tls_key }}" + copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_smtp.key" content="{{ smtp_tls_key }}" mode=640 owner=root group=root notify: - Restart Postfix - name: Deploy SMTP TLS certificate - copy: dest="/etc/ssl/certs/{{ smtp_tls_certificate | basename }}" src="{{ smtp_tls_certificate }}" + copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_smtp.pem" content="{{ smtp_tls_certificate }}" mode=644 owner=root group=root notify: - Restart Postfix - name: Deploy IMAP TLS private key - copy: dest="/etc/ssl/private/{{ imap_tls_key | basename }}" src="{{ imap_tls_key }}" + copy: dest="/etc/ssl/private/{{ ansible_fqdn }}_imap.key" content="{{ imap_tls_key }}" mode=640 owner=root group=root notify: - Restart Dovecot - name: Deploy IMAP TLS certificate - copy: dest="/etc/ssl/certs/{{ imap_tls_certificate | basename }}" src="{{ imap_tls_certificate }}" + copy: dest="/etc/ssl/certs/{{ ansible_fqdn }}_imap.pem" content="{{ imap_tls_certificate }}" mode=644 owner=root group=root notify: - Restart Dovecot diff --git a/roles/mail_server/templates/99-local.conf.j2 b/roles/mail_server/templates/99-local.conf.j2 index bc937a2212a174973e9c93044ca0c351a2c0d689..b11d31bd3d2fc08c3ebea6f54aab71d476e3b618 100644 --- a/roles/mail_server/templates/99-local.conf.j2 +++ b/roles/mail_server/templates/99-local.conf.j2 @@ -29,8 +29,8 @@ service auth { } # TLS configuration. -ssl_cert =
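Review bot: in the docs hunk at `@@ -575` (LDAP server parameters) the new default expressions are missing the `+` between `'/'` and `ansible_fqdn`: `tls_certificate_dir + '/' ansible_fqdn + '_ldap.pem'` is not a valid Jinja expression and will not render if anyone copies it. It should read `tls_certificate_dir + '/' + ansible_fqdn + '_ldap.pem'` (same for `_ldap.key`), matching the form already used for the https and xmpp entries further down in the same file.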
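Review bot: in the docs hunk at `@@ -726` (XMPP parameters) the default expressions use `fqdn` (`tls_certificate_dir + '/' + fqdn + '_xmpp.pem'`) while the description says the file is stored under `{{ ansible_fqdn }}_xmpp.pem`, and every other host-wide service (ldap, imap, smtp) uses `ansible_fqdn` in its default. Pick one variable for both the lookup and the destination name, otherwise the documented default reads one filename and the documented destination advertises another.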
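Review bot: in the Prosody example hunk at `@@ -753`, `lookup('file', '/etc/prosody/certs/localhost.key')` is evaluated on the Ansible controller, but the comment directly above it says these are the key and certificate generated during Prosody installation, i.e. files on the managed host. Either change the comment to say the files must be present on the controller, or replace the example with a controller-side path under `tls_private_key_dir`; as written the example fails on any controller that does not have Prosody installed.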
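Review bot: the docs hunk at `@@ -864` (mail server parameters) has the same missing `+` in all four defaults (`tls_certificate_dir + '/' ansible_fqdn + '_imap.pem'` and the imap/smtp key variants); add the operator before `ansible_fqdn`. Two smaller things in the same hunk: the `imap_tls_certificate` and `imap_tls_key` descriptions drop "and ManageSieve services" and now mention only IMAP, which looks unintended if the same certificate is still served for ManageSieve; and the old `smtp_tls_key` default pointed at `tls_certificate_dir` instead of `tls_private_key_dir`, which this hunk silently fixes and which deserves a mention in the commit message.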
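Review bot: the docs hunk at `@@ -1041` swaps the order of `default_https_tls_key` and `default_https_tls_certificate` and drops the sentence "This key is used for the default virtual host" from both entries. Since the per-vhost roles expose `https_tls_key` / `https_tls_certificate` with the same `_https.key` / `_https.pem` filename pattern, keeping that sentence (with "virrtual" corrected to "virtual") is what tells a reader which of the two settings applies where; the reordering also adds diff noise without changing meaning.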
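Review bot: `roles/ldap_server/defaults/main.yml` at `@@ -7` carries the missing `+` for real, not just in docs: `tls_certificate_dir + '/' ansible_fqdn + '_ldap.pem'` will raise a template syntax error the first time the default is evaluated, so the role cannot run unless the user overrides both variables. Fix both lines to `tls_certificate_dir + '/' + ansible_fqdn + '_ldap.pem'` and `tls_private_key_dir + '/' + ansible_fqdn + '_ldap.key'`.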
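Review bot: in `roles/ldap_server/tasks/main.yml` at `@@ -49`, switching "Deploy LDAP TLS private key" from `src=` to `content="{{ ldap_server_tls_key }}"` puts the private key material into the task's module arguments, so it is printed by `ansible-playbook` in verbose mode and shown by `--diff` whenever the file changes. Add `no_log: true` to that task (the certificate task can stay as is); checksum-based change detection still works with `content`, so idempotency is unaffected.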
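Review bot: `roles/mail_server/defaults/main.yml` at `@@ -3` has the missing `+` in all four new defaults (`tls_certificate_dir + '/' ansible_fqdn + '_imap.pem'` and the other three), which breaks the role at template time in the same way as the ldap_server defaults; add `+` before `ansible_fqdn` in each line.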
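Review bot: in `roles/mail_server/tasks/main.yml` at `@@ -27`, "Deploy SMTP TLS private key" and "Deploy IMAP TLS private key" now pass the key via `content="{{ smtp_tls_key }}"` / `content="{{ imap_tls_key }}"` and need `no_log: true` for the same reason as the LDAP key task: otherwise the PEM body ends up in verbose and `--diff` output.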