diff --git a/certificates.go b/certificates.go
index 680fea8..0c4ffdb 100644
--- a/certificates.go
+++ b/certificates.go
@@ -1,15 +1,46 @@
 package main
 import (
+ "crypto/rand"
+ "crypto/rsa"
 "crypto/tls"
- "fmt"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "math/big"
+ "strings"
+ "time"
 )
+var fallbackCertKey, _ = rsa.GenerateKey(rand.Reader, 1024)
+var fallbackCertSpecification = &x509.Certificate{
+ Subject: pkix.Name{
+ CommonName: strings.TrimPrefix(string(MainDomainSuffix), "."),
+ },
+ SerialNumber: big.NewInt(0),
+ NotBefore: time.Now(),
+ NotAfter: time.Now().AddDate(100, 0, 0),
+}
+var fallbackCertBytes, _ = x509.CreateCertificate(
+ rand.Reader,
+ fallbackCertSpecification,
+ fallbackCertSpecification,
+ fallbackCertKey.Public(),
+ fallbackCertKey,
+)
+var fallbackCert, _ = tls.X509KeyPair(pem.EncodeToMemory(&pem.Block{
+ Bytes: fallbackCertBytes,
+ Type: "CERTIFICATE",
+}), pem.EncodeToMemory(&pem.Block{
+ Bytes: x509.MarshalPKCS1PrivateKey(fallbackCertKey),
+ Type: "RSA PRIVATE KEY",
+}))
 // tlsConfig contains the configuration for generating, serving and cleaning up Let's Encrypt certificates.
 var tlsConfig = &tls.Config{
 GetCertificate: func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {
 // TODO: check DNS name & get certificate from Let's Encrypt
- return nil, fmt.Errorf("NYI")
+ return &fallbackCert, nil
 },
 PreferServerCipherSuites: true,
 // TODO: optimize cipher suites, minimum TLS version, etc.
diff --git a/main.go b/main.go
index 60aad97..23ab970 100644
--- a/main.go
+++ b/main.go
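Review bot: Every error in the new package-level chain (`rsa.GenerateKey`, `x509.CreateCertificate`, `tls.X509KeyPair`) is discarded with `_`, so on any failure `fallbackCert` is a zero `tls.Certificate` and `GetCertificate` hands out a pointer to it, turning every handshake into an opaque client-side failure instead of a loud startup error. The key is also 1024-bit RSA, below the 2048-bit floor that browsers and the CA/B Forum baseline treat as acceptable, and `SerialNumber: big.NewInt(0)` conflicts with RFC 5280's requirement that serials be positive, so some validators will reject the certificate even where it is trusted. I would build the placeholder in a `Must`-style helper that fails at init, use 2048 bits, set server-auth key usages, and hand `tls.Certificate` the DER and key directly instead of round-tripping through PEM and `X509KeyPair`. Note that `GetCertificate` still ignores `info.ServerName`, so until the Let's Encrypt TODO lands every SNI, including names outside `MainDomainSuffix`, is answered with this self-signed placeholder; the `tls.Config` literal continues past the end of the hunk.
```go
var fallbackCert = mustFallbackCert()

// mustFallbackCert builds the self-signed placeholder that GetCertificate
// serves until a real certificate exists; it panics so the process fails at
// startup rather than serving an empty tls.Certificate.
func mustFallbackCert() tls.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic("generating fallback key: " + err.Error())
	}
	spec := &x509.Certificate{
		Subject:      pkix.Name{CommonName: strings.TrimPrefix(string(MainDomainSuffix), ".")},
		SerialNumber: big.NewInt(1), // RFC 5280: serial must be positive
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(100, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, spec, spec, key.Public(), key)
	if err != nil {
		panic("creating fallback certificate: " + err.Error())
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// … unchanged: tlsConfig …
```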
@@ -80,7 +80,7 @@ func main() {
 // Use HOST and PORT environment variables to determine listening address
 address := fmt.Sprintf("%s:%s", envOr("HOST", "[::]"), envOr("PORT", "80"))
- fmt.Printf("Listening on http://%s\n", address)
+ fmt.Printf("Listening on https://%s\n", address)
 // Enable compression by wrapping the handler() method with the compression function provided by FastHTTP
 compressedHandler := fasthttp.CompressHandlerBrotliLevel(handler, fasthttp.CompressBrotliBestSpeed, fasthttp.CompressBestSpeed)
@@ -91,9 +91,7 @@ func main() {
 fmt.Printf("Couldn't create listener: %s\n", err)
 os.Exit(1)
 }
- if envOr("LETS_ENCRYPT", "0") == "1" {
- tls.NewListener(listener, tlsConfig)
- }
+ listener = tls.NewListener(listener, tlsConfig)
 // Start the web server
 err = (&fasthttp.Server{
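Review bot: With the `LETS_ENCRYPT` branch removed, `tls.NewListener` now wraps the listener unconditionally, but the address built in the previous hunk still defaults `PORT` to `"80"`, so a stock deployment serves TLS on the plaintext port and announces `https://[::]:80`; the default should move with the protocol, `envOr("PORT", "443")`. Dropping the toggle also leaves no way to run plaintext for local development or behind a TLS-terminating proxy, which is worth keeping behind an explicit opt-out rather than removing outright. Unless `tlsConfig` sets `MinVersion` in lines outside this diff, Go's server default still admits TLS 1.0 and 1.1 clients, so the "minimum TLS version" TODO in certificates.go is now load-bearing. `main` starts and ends outside the hunk.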