diff --git a/certs/intermediate_ca.crt b/certs/intermediate_ca.crt
deleted file mode 100644
index e2d8aba..0000000
--- a/certs/intermediate_ca.crt
+++ /dev/null
@@ -1,12 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIB2TCCAX6gAwIBAgIQQkLUt4eUkj1iHx/bSnS7CTAKBggqhkjOPQQDAjA2MRUw
-EwYDVQQKEwxzaWQtaW50ZXJuYWwxHTAbBgNVBAMTFHNpZC1pbnRlcm5hbCBSb290
-IENBMB4XDTI2MDQxODIwMzkwM1oXDTM2MDQxNTIwMzkwM1owPjEVMBMGA1UEChMM
-c2lkLWludGVybmFsMSUwIwYDVQQDExxzaWQtaW50ZXJuYWwgSW50ZXJtZWRpYXRl
-IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEARbL4O6VO4zrlXGTIQtf20A5
-BuytQgR99rUnWxQOXay1hyPyVeXAFyKWFyQ/vJNHRrMw8TjY829wWkxjFrAj66Nm
-MGQwDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYE
-FCt20qDkibwOESQ4yUBDmh0m0MX4MB8GA1UdIwQYMBaAFFqIEAJENmQdkxT3Lxix
-QXhY8H7lMAoGCCqGSM49BAMCA0kAMEYCIQCwrStylYQB2hV2VifA8erEJQCFwPZ+
-jwcUHAZBKHBb7gIhAIfWurRwLLoXfsx5Ri1rY2JrVVnfPuENqMMcAlOHz/8J
------END CERTIFICATE-----
diff --git a/hosts/sid/services/nginx.nix b/hosts/sid/services/nginx.nix
index 57166b0..2619671 100644
--- a/hosts/sid/services/nginx.nix
+++ b/hosts/sid/services/nginx.nix
@@ -19,6 +19,11 @@ in
 enable = true;
 openFirewall = true;
 forceSSL = ssl;
+ virtualHosts."${constants.ca-fqdn}" = {
+ locations."/.well-known/acme-challenge/" = {
+ root = "/var/lib/acme/acme-challenge";
+ };
+ };
 virtualHosts."${constants.services.docs.fqdn}" = mkVirtualHost {
 inherit ssl;
 address = constants.hosts.rx4.ip;
@@ -34,10 +39,10 @@ in
 address = constants.hosts.rx4.ip;
 port = constants.services.miniflux.port;
 };
- virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
- inherit ssl;
- port = constants.services.netdata.port;
- };
+ # virtualHosts."${constants.services.netdata.fqdn}" = mkVirtualHost {
+ # inherit ssl;
+ # port = constants.services.netdata.port;
+ # };
 virtualHosts."${constants.services.open-webui-oci.fqdn}" = mkVirtualHost {
 inherit ssl;
 address = constants.hosts.rx4.ip;
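Review bot: The new `virtualHosts."${constants.ca-fqdn}"` block in the `@@ -19` hunk defines only the challenge location, so any other plain-HTTP request for the CA hostname gets nginx's default handling for that server rather than an explicit answer; pin it with `locations."/" = { return = "404"; };` and a comment stating that this vhost exists solely for HTTP-01 validation of the `sid-internal` certificate issued by the internal step-ca. The certificate's primary `domain` in step-ca.nix is `constants.intranet`; if that name is neither `constants.ca-fqdn` nor the vaultwarden FQDN and resolves to this host, no vhost serves its challenge path and validation for it would fail, which is worth confirming. The enclosing `services.nginx` attrset starts before the hunk.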
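Review bot: The netdata vhost in the `@@ -34` hunk is commented out rather than removed, with nothing saying why or whether it is expected back; the same pattern appears for the webdav vhost in the `@@ -58` hunk and for both FQDNs in `extraDomainNames` in step-ca.nix. Git already keeps the history, so either delete the lines or put a one-line reason above each, e.g. `# netdata disabled until it is covered by the sid-internal certificate again`. That reason is only inferred from the step-ca change in this commit; use the real one.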
@@ -58,15 +63,20 @@ in
 virtualHosts."${constants.services.vaultwarden.fqdn}" = {
 useACMEHost = "sid-internal";
 forceSSL = ssl;
- locations."/" = {
- proxyPass = "http://${constants.hosts.rx4.ip}:${toString constants.services.vaultwarden.port}";
+ locations = {
+ "/" = {
+ proxyPass = "http://${constants.hosts.rx4.ip}:${toString constants.services.vaultwarden.port}";
+ };
+ "/.well-known/acme-challenge/" = {
+ root = "/var/lib/acme/acme-challenge";
+ };
 };
 };
- virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
- inherit ssl;
- address = constants.hosts.rx4.ip;
- port = constants.services.webdav.port;
- };
+ # virtualHosts."${constants.services.webdav.fqdn}" = mkVirtualHost {
+ # inherit ssl;
+ # address = constants.hosts.rx4.ip;
+ # port = constants.services.webdav.port;
+ # };
 # FIXME
 # virtualHosts."print.sid.ovh" = {
 # enableACME = true;
diff --git a/hosts/sid/services/step-ca.nix b/hosts/sid/services/step-ca.nix
index 45a43ae..685c07b 100644
--- a/hosts/sid/services/step-ca.nix
+++ b/hosts/sid/services/step-ca.nix
@@ -17,8 +17,12 @@ in
 intermediatePasswordFile = config.sops.secrets."step-ca/password".path;
 # nix-shell -p step-cli --run "step ca init"
 settings = {
- root = ../../../certs/root_ca.crt;
- crt = ../../../certs/intermediate_ca.crt;
+ # FIXME: nix-store paths do not work
+ # root = ../../../certs/root_ca.crt;
+ # crt = ../../../certs/intermediate_ca.crt;
+ # FIXME: not reproducible
+ root = "/var/lib/step-ca/certs/root_ca.crt";
+ crt = "/var/lib/step-ca/certs/intermediate_ca.crt";
 key = config.sops.secrets."step-ca/intermediate-key".path;
 dnsNames = [
 constants.ca-fqdn
@@ -75,9 +79,9 @@ in
 certs."sid-internal" = {
 domain = constants.intranet;
 extraDomainNames = [
- constants.services.netdata.fqdn
+ # constants.services.netdata.fqdn
 constants.services.vaultwarden.fqdn
- constants.services.webdav.fqdn
+ # constants.services.webdav.fqdn
 ];
 server = "https://${constants.ca-fqdn}:${toString cfg.port}/acme/acme/directory";
 group = "nginx";
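Review bot: The challenge location added to the vaultwarden vhost sits in the same `locations` set as the proxied `/`, but the vhost also has `forceSSL = ssl`: in NixOS's nginx module, user `locations` land in the main server block while the port-80 redirect block generated by `forceSSL` carries its own challenge location for hosts with `useACMEHost`, so when `ssl` is true the new location is likely redundant and when `ssl` is false it is the only one serving the webroot; confirm against the module version in use. Either way a one-line comment such as `# HTTP-01 webroot for the sid-internal cert renewed via the internal step-ca` would spare the next reader the same investigation. The `services.nginx` attrset this belongs to continues outside the hunk.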
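Review bot: In the step-ca `@@ -17` hunk, `settings.root` and `settings.crt` now point at mutable files under `/var/lib/step-ca/certs/` instead of store paths, so the root the CA publishes is whatever sits on that host's disk, and nothing ties it to the `root_ca.crt` that `security.pki.certificateFiles` trusts in modules/nixos/pki; the two can silently diverge, and whoever can write that directory can change the advertised root. The FIXME records the reproducibility cost but not this, so at minimum extend it: `# FIXME: not reproducible; must match modules/nixos/pki/root_ca.crt -- compare fingerprints after provisioning`. If "nix-store paths do not work" only means the files need to be writable, populating /var/lib/step-ca/certs from the store copy at activation (for example via systemd-tmpfiles) would keep a single source of truth, but the actual cause is not visible here. The intermediate_ca.crt deleted from the repo in the first hunk now exists only on the host, so the backup covering that directory should include it.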
diff --git a/modules/nixos/pki/default.nix b/modules/nixos/pki/default.nix
index 729ebd5..9b849f6 100644
--- a/modules/nixos/pki/default.nix
+++ b/modules/nixos/pki/default.nix
@@ -1,3 +1,3 @@
 {
- security.pki.certificateFiles = [ ../../../certs/root_ca.crt ];
+ security.pki.certificateFiles = [ ./root_ca.crt ];
 }
diff --git a/certs/root_ca.crt b/modules/nixos/pki/root_ca.crt
similarity index 100%
rename from certs/root_ca.crt
rename to modules/nixos/pki/root_ca.crt