diff --git a/roles/setup-http-site-proxy/defaults/main.yml b/roles/setup-http-site-proxy/defaults/main.yml
new file mode 100644
index 0000000..e6171ff
--- /dev/null
+++ b/roles/setup-http-site-proxy/defaults/main.yml
@@ -0,0 +1,6 @@
+# Defaults for setup-http-dehydrated
+---
+# These match https://github.com/24367dfa/ansible-role-dehydrated
+dehydrated_config_dir: "/usr/local/etc/dehydrated"
+dehydrated_certs_dir: "{{ dehydrated_config_dir }}/certs"
+dehydrated_wellknown_dir: "{{ dehydrated_config_dir }}/challenge"
diff --git a/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2 b/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2
index b9f58a7..55dc711 100644
--- a/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2
+++ b/roles/setup-http-site-proxy/templates/apache-docker-proxy-site.j2
@@ -9,7 +9,7 @@
     ErrorLog /var/log/apache2/{{ site_name }}-error.log
     CustomLog /var/log/apache2/{{ site_name }}-access.log common
 
-    Alias /.well-known/acme-challenge /usr/local/etc/dehydrated/challenge
+    Alias /.well-known/acme-challenge {{ dehydrated_wellknown_dir }}
 
     <ifmodule mod_rewrite.c>
         RewriteEngine On
@@ -18,9 +18,9 @@
     </ifmodule>
 </VirtualHost>
 
-<IfFile /usr/local/etc/dehydrated/certs/{{ site_name }}/cert.pem>
-<IfFile /usr/local/etc/dehydrated/certs/{{ site_name }}/privkey.pem>
-<IfFile /usr/local/etc/dehydrated/certs/{{ site_name }}/chain.pem>
+<IfFile {{dehydrated_certs_dir}/{{ site_name }}/cert.pem>
+<IfFile {{dehydrated_certs_dir}/{{ site_name }}/privkey.pem>
+<IfFile {{dehydrated_certs_dir}/{{ site_name }}/chain.pem>
 {% if 'address' in ansible_default_ipv6 %}
 <VirtualHost {{ ansible_default_ipv4.address }}:443 [{{ ansible_default_ipv6.address }}]:443>
 {% else %}
@@ -35,9 +35,9 @@
 
     SSLEngine on
     SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
-    SSLCertificateFile    /usr/local/etc/dehydrated/certs/{{ site_name }}/cert.pem
-    SSLCertificateKeyFile /usr/local/etc/dehydrated/certs/{{ site_name }}/privkey.pem
-    SSLCertificateChainFile /usr/local/etc/dehydrated/certs/{{ site_name }}/chain.pem
+    SSLCertificateFile    {{dehydrated_certs_dir}/{{ site_name }}/cert.pem
+    SSLCertificateKeyFile {{dehydrated_certs_dir}/{{ site_name }}/privkey.pem
+    SSLCertificateChainFile {{dehydrated_certs_dir}/{{ site_name }}/chain.pem
 
     AllowEncodedSlashes NoDecode
     ProxyPass / http://{{ backend_host | default("localhost") }}:{{proxy_port}}/ nocanon