diff --git a/global/overlay/etc/puppet/modules/dns/manifests/apache2.pp b/global/overlay/etc/puppet/modules/dns/manifests/apache2.pp index 13e4bf9..48d41e6 100644 --- a/global/overlay/etc/puppet/modules/dns/manifests/apache2.pp +++ b/global/overlay/etc/puppet/modules/dns/manifests/apache2.pp @@ -32,6 +32,13 @@ class dns::apache2 ( refreshonly => true, notify => Service['apache2'], } + + file {'/etc/letsencrypt/options-ssl-apache.conf': + ensure => present, + source => "cp /usr/lib/python3/dist-packages/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf", + } + + # NFT rules sunet::nftables::rule { 'apache-http': rule => "add rule inet filter input tcp dport 80 counter accept comment \"allow-apache2-http\"" } diff --git a/global/overlay/etc/puppet/modules/dns/templates/apache2/dns-rest-api.conf.erb b/global/overlay/etc/puppet/modules/dns/templates/apache2/dns-rest-api.conf.erb index 251d683..26bf1b1 100644 --- a/global/overlay/etc/puppet/modules/dns/templates/apache2/dns-rest-api.conf.erb +++ b/global/overlay/etc/puppet/modules/dns/templates/apache2/dns-rest-api.conf.erb @@ -22,5 +22,6 @@ ServerName dns-rest-api.sunet.se SSLCertificateFile /etc/letsencrypt/live/dns-rest-api.sunet.se/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/dns-rest-api.sunet.se/privkey.pem +Include /etc/letsencrypt/options-ssl-apache.conf
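Review bot: The `source` value in the new `file` resource for `/etc/letsencrypt/options-ssl-apache.conf` is a shell command string (`"cp /usr/lib/..."`), but `source` takes a path or a `puppet:///`/`file:///`/`http(s)://` URI. As written, Puppet should reject it rather than copy anything, so the TLS options file never lands on the host. Use the path alone: `source => '/usr/lib/python3/dist-packages/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf',`. The resource also has no relationship to Apache, unlike the resource just above it in the hunk, so adding `notify => Service['apache2'],` would order the file before the service and reload Apache when certbot's packaged TLS settings change. Explicit `owner => 'root', group => 'root', mode => '0644',` would keep the file from inheriting whatever permissions the source has. The enclosing class `dns::apache2` starts and ends outside the hunk.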
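Review bot: The added `Include /etc/letsencrypt/options-ssl-apache.conf` is a hard dependency with no comment saying where the file comes from or what it controls. With a literal path, Apache refuses to load the configuration when the file is absent, so this vhost will not start unless the `file` resource in `dns::apache2` has applied successfully. That fail-closed behaviour is the right one here: `IncludeOptional` would let the vhost come up without the protocol and cipher settings, so I would keep `Include`. I would document it above the line, e.g. `# TLS protocol/cipher settings from certbot; installed by dns::apache2 - Apache will not start if this file is missing`. The enclosing vhost block starts and ends outside the hunk, so I cannot tell whether later directives override what the included file sets.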