diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index 12736e57b4a..726e5471141 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -178,6 +178,7 @@ in
path = [ pkgs.simp_le ];
preStart = ''
mkdir -p '${cfg.directory}'
+ chown '${data.user}:${data.group}' '${cfg.directory}'
if [ ! -d '${cpath}' ]; then
mkdir '${cpath}'
fi
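Review bot: The added `chown '${data.user}:${data.group}' '${cfg.directory}'` hands the parent directory to one certificate's user, although `cfg.directory` appears to be the module-wide state directory shared by every entry in `security.acme.certs`. If two certificates use different users, ownership flips to whichever unit ran last. Whoever owns the parent can also rename or replace the sibling `${cpath}` directories, which presumably hold other certificates' keys. I would leave the parent root-owned and scope the ownership change to the per-certificate path, e.g. `chown '${data.user}:${data.group}' '${cpath}'` after the `mkdir '${cpath}'`, with a dedicated challenge subdirectory created with only the access the web server needs. The `preStart` script starts before and continues past this hunk, so a later line may already set ownership on `${cpath}`; please confirm.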
diff --git a/nixos/modules/security/acme.xml b/nixos/modules/security/acme.xml
index 226cf0382da..6fddb27e6a3 100644
--- a/nixos/modules/security/acme.xml
+++ b/nixos/modules/security/acme.xml
@@ -75,7 +75,7 @@ options for the security.acme module.
security.acme.certs."foo.example.com" = {
- webroot = "/var/www/challenges";
+ webroot = config.security.acme.directory + "/acme-challenge";
email = "foo@example.com";
user = "nginx";
group = "nginx";