diff --git a/README.md b/README.md index b2dada1..93ab3e4 100644 --- a/README.md +++ b/README.md @@ -285,9 +285,18 @@ Before the first deploy, complete these steps on the production server (`srvr.nu Set `bilhej.se` (and `www.bilhej.se`) A record to the server's public IP. -3. **Obtain SSL Certificate** +3. **Add HTTP-only Nginx vhost** (required before certs exist) - Run certbot in the nginx container: + The full [`docker/bilhej.nginx.conf`](docker/bilhej.nginx.conf) references TLS files that do not + exist yet. Deploy the HTTP-only config first: + + ```bash + docker cp docker/bilhej.nginx.http.conf nginx:/etc/nginx/conf.d/bilhej.conf + docker exec nginx nginx -t + docker exec nginx nginx -s reload + ``` + +4. **Obtain SSL Certificate** ```bash docker exec certbot certbot certonly \ @@ -295,12 +304,11 @@ Before the first deploy, complete these steps on the production server (`srvr.nu -d bilhej.se -d www.bilhej.se ``` -4. **Add Nginx Config** - - Copy the Bilhej server block into the nginx container: +5. **Enable HTTPS proxy to the frontend** ```bash docker cp docker/bilhej.nginx.conf nginx:/etc/nginx/conf.d/bilhej.conf + docker exec nginx nginx -t docker exec nginx nginx -s reload ``` diff --git a/docker/bilhej.nginx.http.conf b/docker/bilhej.nginx.http.conf new file mode 100644 index 0000000..9bf9316 --- /dev/null +++ b/docker/bilhej.nginx.http.conf @@ -0,0 +1,15 @@ +# Phase 1: HTTP only — use before Let's Encrypt certs exist. +# After certbot, replace with bilhej.nginx.conf (includes HTTPS). + +server { + listen 80; + server_name bilhej.se www.bilhej.se; + + location /.well-known/acme-challenge/ { + root /var/www/certbot; + } + + location / { + return 301 https://$host$request_uri; + } +}
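Review bot: in the new step 3 of the first README hunk, `docker exec nginx nginx -t` and `docker exec nginx nginx -s reload` are separate commands, so a failed config test does not stop the reload; chain them as `docker exec nginx nginx -t && docker exec nginx nginx -s reload` (or tell the reader to stop on a non-zero exit) so a broken vhost is never reloaded into a shared nginx. The step should also state the precondition the config relies on: the `location /.well-known/acme-challenge/` block serves `root /var/www/certbot`, so the certbot container invoked in step 4 must write its webroot into the same volume that the nginx container mounts at `/var/www/certbot`, otherwise the HTTP-01 challenge files are never reachable and issuance fails.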
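Review bot: the second README hunk has the same unchained `nginx -t` / `nginx -s reload` pair in step 5; use `&&` there as well, and add a one-line note that if step 4 failed, the full `docker/bilhej.nginx.conf` still references certificate files that do not exist and `nginx -t` will report exactly that, so the reader should not proceed past a failing test. The heading "Enable HTTPS proxy to the frontend" would also read better as the same imperative style as the other steps ("Enable HTTPS vhost"), since the hunk only copies a config file and reloads.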
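Review bot: in the new `docker/bilhej.nginx.http.conf`, `return 301 https://$host$request_uri;` redirects using the client-supplied Host header; if this block ends up as the only (and therefore default) server on port 80 in the shared nginx container, any request with an arbitrary Host header is bounced to that arbitrary host, which is a classic Host-header redirect weakness. Prefer `return 301 https://$server_name$request_uri;` or a literal `https://bilhej.se$request_uri`, and consider a separate `default_server` block that returns 444 for unmatched hosts. Also worth a comment in the file: during this phase nothing listens on 443, so every non-ACME request is redirected to a port that refuses connections; that is acceptable for the minutes before certbot runs but should be stated, since the file's header only says to replace it "after certbot".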