diff --git a/server/rcv-site.cabal b/server/rcv-site.cabal
index 387fb07..244e46a 100644
--- a/server/rcv-site.cabal
+++ b/server/rcv-site.cabal
@@ -58,7 +58,8 @@ executable server
     wai,
     wai-app-static,
     wai-extra,
-    warp
+    warp,
+    warp-tls
   default-language:
     Haskell2010
   other-modules:
diff --git a/server/src/Main.hs b/server/src/Main.hs
index 58a85e3..e1a35ec 100644
--- a/server/src/Main.hs
+++ b/server/src/Main.hs
@@ -16,6 +16,8 @@ import qualified Database as DB
 import qualified Error as Er
 import qualified InstantRunoff as IR
 import qualified Network.Wai.Handler.Warp as W
+import qualified System.Environment as S
+import qualified Network.Wai.Handler.WarpTLS as WTLS
 import qualified Poll as P
 import Servant
 import Network.Wai.Application.Static (defaultWebAppSettings, StaticSettings (ss404Handler))
@@ -81,7 +83,14 @@ getEnv = Env <$> DB.openLocalDB
 runWithEnv :: Env -> AppM a -> Handler a
 runWithEnv = flip Rd.runReaderT
 
+tlsSettings = WTLS.tlsSettings "/etc/letsencrypt/live/rankedchoice.net/cert.pem" "/etc/letsencrypt/live/rankedchoice.net/privkey.pem"
+warpSettings = W.setPort 443 W.defaultSettings
+
 main :: IO ()
 main = do
   env <- getEnv
-  W.run 8080 . serve api . hoistServer api (runWithEnv env) $ server
+  opts <- S.getArgs
+  let application = serve api . hoistServer api (runWithEnv env) $ server
+  case opts of
+    ["--with-ssl"] -> WTLS.runTLS tlsSettings warpSettings application
+    _ -> W.run 8080 application