diff --git a/nginx.conf.build.sh b/nginx.conf.build.sh
index a094922..8b3fbf6 100755
--- a/nginx.conf.build.sh
+++ b/nginx.conf.build.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 set -e
 set -x
+set -u
 
 . build.profile
 
@@ -30,7 +31,7 @@ http {
 
     server {
         server_name  ${PAPERLESS_BIND_ADDR};
-        access_log   ${PAPERLESS_LOGGING_DIR}/nginx-access.log;
+        access_log   ${LOGDIR}/nginx-access.log;
 
         listen       ${PAPERLESS_BIND_ADDR}:${PAPERLESS_PORT};
 _EOP_
@@ -38,8 +39,8 @@ _EOP_
 if [ -v PAPERLESS_HTTPS ]; then
 tee -a ${CONF} <<_EOP_
         listen       ${PAPERLESS_BIND_ADDR}:${PAPERLESS_HTTPS} ssl;
-        ssl_certificate     fullchain.pem;
-        ssl_certificate_key privkey.pem;
+        ssl_certificate     ${NGINX_SSL_CERTIFICATE};      # from build.local
+        ssl_certificate_key ${NGINX_SSL_CERTIFICATE_KEY};  # from build.local
         ssl_dhparam         dhparam.pem; # src/nginx.build.sh
         ssl_session_timeout 1d;
         ssl_session_cache   shared:MozSSL:10m;