diff --git a/defaults/main.yml b/defaults/main.yml
index 8eda029..1884ec8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -50,14 +50,14 @@ nginx_open_ports:
 nginx_tls_enabled: False
 nginx_tls_versions:
 - TLSv1.2
-# Source has to be a file
-nginx_tls_cert_source: mycert.pem
-nginx_tls_key_source: mykey.pem
-# Set the destination filename
+## Source has to be a file
+# nginx_tls_cert_source: # defaults to not set
+# nginx_tls_key_source: # defaults to not set
+## Set the destination filename
 nginx_tls_cert_file: mycert.pem
 nginx_tls_key_file: mykey.pem
 # nginx_tls_dhparam_file: # defaults to not set
-# nginx_tls_dhparam_size: # defaults to 2048
+nginx_tls_dhparam_size: 2048
 nginx_tls_ciphers:
 - ECDHE-RSA-AES256-GCM-SHA512
@@ -65,6 +65,7 @@ nginx_tls_ciphers:
 - ECDHE-RSA-AES256-GCM-SHA384
 - DHE-RSA-AES256-GCM-SHA384
 - ECDHE-RSA-AES256-SHA384
+# nginx_tls_ecdh_curve: # defaults to not set
 nginx_tls_ocsp_enabled: False
 # nginx_tls_ocsp_trusted_certificate: # defaults to not set
diff --git a/tasks/install.yml b/tasks/install.yml
index ef2f923..c95136f 100644
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -73,7 +73,7 @@
 owner: root
 group: root
 mode: 0640
- validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
+ validate: bash -c '/sbin/nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
 notify: __nginx_reload

 - name: Open ports in iptables
@@ -122,6 +122,7 @@
 owner: root
 group: root
 mode: 0640
+ validate: /sbin/nginx -t -c %s
 loop: "{{ nginx_vhosts_default + nginx_vhosts_extra }}"
 loop_control:
 label: "{{ item.file }}"
diff --git a/tasks/main.yml b/tasks/main.yml
index 6e6048f..ce6a9cd 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,6 +1,5 @@
 ---
 - import_tasks: install.yml
 - import_tasks: tls.yml
- when: nginx_tls_enabled | bool
 tags: tls_renewal
 - import_tasks: post_tasks.yml
diff --git a/tasks/tls.yml b/tasks/tls.yml
index dff1acf..94f7684 100644
--- a/tasks/tls.yml
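Review bot: With `nginx_tls_cert_source` and `nginx_tls_key_source` now unset by default, the comment block in the first hunk should say what that implies for `nginx_tls_cert_file`/`nginx_tls_key_file`, which keep their `mycert.pem`/`mykey.pem` defaults: the copy task in tasks/tls.yml only runs when both sources are defined, so by default nothing in this role places those files and they are presumably expected to already exist under /etc/pki/tls on the host. Suggest extending the header to `## Source has to be a file; leave both unset when the certificate and key are already deployed on the host` and adding under the destination comment that the referenced files must exist for `nginx -t` validation to pass. The context line `nginx_tls_enabled: False` uses YAML 1.1 boolean spelling; `false` is the portable form and worth normalising the next time this block is touched.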
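Review bot: `/sbin/nginx` is now hard-coded in the validate command of the first tasks/install.yml hunk; on hosts where the binary exists only at `/usr/sbin/nginx` (Debian-family systems without a merged /usr) the validation fails and the file is never written. The /etc/pki/tls paths used elsewhere in this commit suggest RHEL-family targets, so this may be intentional, but it should either be documented next to the task or lifted into a role variable so the path can be overridden per platform. The task this line belongs to starts above the hunk.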
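Review bot: `validate: /sbin/nginx -t -c %s` in the second tasks/install.yml hunk runs nginx -t on a vhost file as if it were a complete configuration, but the vhost template changed in this same commit (templates/etc/nginx/sites-available/vhost.j2) renders a bare `server { ... }` block, which nginx rejects outside an `http {}` context and without an `events {}` section, so every vhost copy would fail validation. The first hunk in this file already wraps an included file for exactly this reason; the same form works here: `validate: bash -c '/sbin/nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'`. Note also that nginx -t loads any `ssl_certificate` a vhost references, and tasks/main.yml imports install.yml before tls.yml, so on a first run a TLS vhost may fail validation before the certificate copy has happened — worth confirming the intended ordering. The enclosing task starts above the hunk.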
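Review bot: Removing `when: nginx_tls_enabled | bool` from the tls.yml import means tasks/tls.yml now always runs, yet `nginx_tls_enabled: False` stays in defaults/main.yml in this commit, so the variable either became dead or is checked per task somewhere not visible here. If the per-task guards in tls.yml (`is defined` on the sources, `nginx_tls_dhparam_file is defined`) are the intended replacement, say so above the import, e.g. `# tls.yml is always imported; its tasks guard themselves on nginx_tls_*_source and nginx_tls_dhparam_file`, or drop the variable from defaults so it does not advertise a switch that no longer gates anything. Whether `nginx_tls_enabled` is still read by the templates cannot be determined from this diff.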
+++ b/tasks/tls.yml
@@ -10,13 +10,15 @@
 - { src: "{{ nginx_tls_cert_source }}", dest: '/etc/pki/tls/certs/{{ nginx_tls_cert_file }}', mode: '0750' }
 loop_control:
 label: "{{ item.dest }}"
+ when:
+ - nginx_tls_cert_source is defined
+ - nginx_tls_key_source is defined
 notify: __nginx_reload
- when: nginx_tls_source_use_files | bool

 - name: Create Diffie-Hellman Parameter
 openssl_dhparam:
 path: "{{ nginx_tls_dhparam_file }}"
- size: "{{ nginx_tls_dhparam_size | default('2048') }}"
+ size: "{{ nginx_tls_dhparam_size }}"
 when: nginx_tls_dhparam_file is defined

 - name: Update tls.conf
diff --git a/templates/etc/nginx/conf.d/header.conf.j2 b/templates/etc/nginx/conf.d/header.conf.j2
index df7a23e..f280949 100644
--- a/templates/etc/nginx/conf.d/header.conf.j2
+++ b/templates/etc/nginx/conf.d/header.conf.j2
@@ -1,5 +1,5 @@
 #jinja2: lstrip_blocks: True
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}

 # protect against protocol downgrading and cookie hijacking
 # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#hsts
diff --git a/templates/etc/nginx/conf.d/tls.conf.j2 b/templates/etc/nginx/conf.d/tls.conf.j2
index 3220e90..d951208 100644
--- a/templates/etc/nginx/conf.d/tls.conf.j2
+++ b/templates/etc/nginx/conf.d/tls.conf.j2
@@ -1,5 +1,6 @@
 #jinja2: lstrip_blocks: True
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
+
 ssl_ciphers {{ nginx_tls_ciphers | join(":") }};
 ssl_prefer_server_ciphers on;
 {% if nginx_tls_ecdh_curve is defined %}
diff --git a/templates/etc/nginx/nginx.conf.j2 b/templates/etc/nginx/nginx.conf.j2
index 706c525..8797a2e 100644
--- a/templates/etc/nginx/nginx.conf.j2
+++ b/templates/etc/nginx/nginx.conf.j2
@@ -1,5 +1,6 @@
 #jinja2: lstrip_blocks: True
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
+
 user {{ nginx_user }} {{ nginx_group }};
 worker_processes {{ nginx_worker_processes }};
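Review bot: The new `when:` in tasks/tls.yml only tests that both source variables are defined, so a source that is defined but empty (`nginx_tls_cert_source: ""`, or a key with no value, which YAML reads as null) passes the guard and the copy fails inside the module with a less obvious error; `- nginx_tls_cert_source | default('') | length > 0` (and likewise for the key) would make the guard match the "Source has to be a file" comment in defaults/main.yml. The copy task starts above the hunk and its key entry is not visible, so the mode applied to the private key could not be checked; the visible cert entry uses `mode: '0750'`, where the execute bit serves no purpose for a certificate file and `'0640'` would be the conventional choice. The dhparam change is consistent with `nginx_tls_dhparam_size: 2048` now being set in defaults.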
diff --git a/templates/etc/nginx/sites-available/vhost.j2 b/templates/etc/nginx/sites-available/vhost.j2
index 82f8b87..bf00e1e 100644
--- a/templates/etc/nginx/sites-available/vhost.j2
+++ b/templates/etc/nginx/sites-available/vhost.j2
@@ -15,8 +15,8 @@ server {
 server_name {{ server.server_name }};
 {% if server.tls is defined and server.tls %}
- ssl_certificate {{ server.tls.cert }};
- ssl_certificate_key {{ server.tls.key }};
+ ssl_certificate /etc/pki/tls/certs/{{ server.tls.cert }};
+ ssl_certificate_key /etc/pki/tls/private/{{ server.tls.key }};
 {% if server.tls.dhparam is defined %}
 ssl_dhparam {{ item.value.ssl.dhparam }};
 {% endif %}
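Review bot: The `ssl_dhparam` context line inside this hunk reads `item.value.ssl.dhparam` while its guard tests `server.tls.dhparam` and the two lines just changed use `server.tls.cert`/`server.tls.key`; unless `item.value.ssl` is deliberately a different variable, rendering a vhost with `dhparam` set will raise an undefined-variable error or emit a wrong path, and `ssl_dhparam {{ server.tls.dhparam }};` is the consistent form. Separately, hard-coding the /etc/pki/tls/certs and /etc/pki/tls/private prefixes changes `server.tls.cert`/`server.tls.key` from a path to a bare filename, which breaks inventories that previously passed absolute paths; that deserves a note in the role's documentation or changelog. The `server {` block starts and ends outside the hunk.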