diff --git a/tasks/cert_generate.yml b/tasks/cert_generate.yml
index f0ef40e37ea41c728e2ace75625a923627f9b56b..4cf55a1968ad74b6bc610d767ff9ee21fe5825d9 100644
--- a/tasks/cert_generate.yml
+++ b/tasks/cert_generate.yml
@@ -18,9 +18,15 @@
       jump: 'ACCEPT'
       state: 'present'
 
-  - name: "Install New Cert"
+  - name: "Install New Cert via webroot"
+    shell: certbot certonly --expand --non-interactive --config /etc/letsencrypt/{{ cert.domain }}.ini --cert-name {{ cert.domain }} --webroot-path /var/www/html --webroot
+    ignore_errors: true
+    when: groups.proxyserver is not defined or inventory_hostname not in groups.proxyserver
+
+  - name: "Install New Cert via HaProxy"
     shell: certbot certonly --expand --non-interactive --config /etc/letsencrypt/{{ cert.domain }}.ini --http-01-port {{ port }} --preferred-challenges http-01 --cert-name {{ cert.domain }}
     ignore_errors: true
+    when: groups.proxyserver is defined and inventory_hostname in groups.proxyserver
 
   - name: "Close Port"
     iptables:
diff --git a/tasks/renew.yml b/tasks/renew.yml
index 67cd4a7fb3c34714e428cb75c4445e9b8c14d4d8..37fc7388d454cc51a092e7f4cc3e5f4f260fbc9c 100644
--- a/tasks/renew.yml
+++ b/tasks/renew.yml
@@ -18,12 +18,19 @@
     jump: 'ACCEPT'
     state: 'present'
 
-- name: "Renew Existing Certs"
-  #shell: certbot renew --non-interactive --http-01-port {{ port }} --preferred-challenges http-01
+- name: "Renew Existing Certs via webroot"
   shell: certbot renew --non-interactive --webroot-path /var/www/html --webroot
   ignore_errors: true
   register: renew_result
   changed_when: "'No renewals were attempted.' not in renew_result.stdout"
+  when: groups.proxyserver is not defined or inventory_hostname not in groups.proxyserver
+
+- name: "Renew Existing Certs via HaProxy"
+  shell: certbot renew --non-interactive --http-01-port {{ port }} --preferred-challenges http-01
+  ignore_errors: true
+  register: renew_result
+  changed_when: "'No renewals were attempted.' not in renew_result.stdout"
+  when: groups.proxyserver is defined and inventory_hostname in groups.proxyserver
 
 - name: "Close Port"
   iptables:
diff --git a/templates/letsencrypt.ini b/templates/letsencrypt.ini
index 7e73c559804e04dabb9476f91bb3e5e511ac9329..f953f05d0eb950cd10521628416b13a2e98bc806 100644
--- a/templates/letsencrypt.ini
+++ b/templates/letsencrypt.ini
@@ -2,7 +2,9 @@ email = {{ apache_server_admin|default('admin@paragon-es.de') }}
 domains = {{ cert.domain }}{% for alias in cert.aliases|default([]) %}, {{ alias }}{% endfor %}{% for trusted_domain in cert.trusted_domains|default([]) %}, {{ trusted_domain }}{% endfor %}
 
 text = True
+{% if groups.proxyserver is defined and inventory_hostname in groups.proxyserver %}
 authenticator = standalone
+{% endif %}
 # standalone-supported-challenges = tls-sni-01
 agree-tos = True
 expand = True