diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 812aff2cb551c659f376e78f4ead3142b1a7269e..91e2fde88b64b661c3255bda72f48fa51583b93e 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -29,7 +29,7 @@
   template:
     src: "letsencrypt/dhparam.j2"
     dest: "/etc/letsencrypt/dhparam"
-    mode: 0644
+    mode: 0600
 
 - name: Create /etc/letsencrypt/conf.d
   file:
@@ -46,3 +46,12 @@
 - name: Run certbot
   command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
   loop: "{{ certbot }}"
+
+- name: Clean old files
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/letsencrypt/options-ssl-nginx.conf"
+    - "/etc/letsencrypt/ssl-dhparams.pem"
+    - "/etc/letsencrypt/rfc2136.ini"
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index c437106264a6e639950449ef711f46857f4bd0ab..c43f3a337b008b67c5b6ed9112a45ca768592a4a 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -24,14 +24,6 @@
     mode: 0644
   loop: "{{ nginx.ssl }}"
 
-- name: Copy dhparam
-  template:
-    src: letsencrypt/dhparam.j2
-    dest: /etc/letsencrypt/dhparam
-    owner: root
-    group: root
-    mode: 0644
-
 - name: Disable default site
   file:
     dest: "/etc/nginx/sites-enabled/default"
@@ -125,3 +117,12 @@
     src: update-motd.d/05-service.j2
     dest: /etc/update-motd.d/05-nginx
     mode: 0755
+
+- name: Clean old files
+  file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - "/etc/nginx/snippets/options-ssl.conf"
+    - "/var/www/custom_401.html"
+    - "/var/www/robots.txt"