diff --git a/packaging/aleph-vm/etc/haproxy/haproxy-aleph.cfg b/packaging/aleph-vm/etc/haproxy/haproxy-aleph.cfg
index 6294ddddd..f5ee90926 100644
--- a/packaging/aleph-vm/etc/haproxy/haproxy-aleph.cfg
+++ b/packaging/aleph-vm/etc/haproxy/haproxy-aleph.cfg
@@ -5,8 +5,7 @@ global
-    log /dev/log local0
-    log /dev/log local1 notice
+    log stdout format raw local0
     chroot /var/lib/haproxy
     stats socket /run/haproxy/admin.sock mode 660 level admin
     stats timeout 30s
@@ -40,7 +39,7 @@ defaults
     errorfile 504 /etc/haproxy/errors/504.http
 frontend stats
-    bind *:8404
+    bind :::8404 v4v6
     stats enable
     stats uri /
     stats refresh 10s
@@ -48,7 +47,8 @@ frontend stats
 # Frontend for HTTPS traffic (with SNI extraction)
 frontend ft_ssl
-    bind *:443
+    bind :::443 v4v6
+
     mode tcp
     # Inspect SSL handshake
@@ -65,19 +65,24 @@ frontend ft_ssl
 # Frontend for HTTP traffic (with Host header extraction)
 frontend ft_http
-    bind *:80
+    bind :::80 v4v6
     mode http
     # Extract Host header and store it
     http-request set-var(txn.host) hdr(host)
+    # Redirect to letsencrypt certbot for certificate challange requests
+    # Test URI to see if its a letsencrypt request
+    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
+    use_backend bk_letsencrypt if letsencrypt-acl
+
     # Find the target server dynamically from Host header
     use_backend bk_http if { var(txn.host) -m found }
     default_backend bk_default_supervisor
 # Frontend for SSH and other TCP traffic
 frontend ft_ssh
-    bind *:2222
+    bind :::2222 v4v6
     #ssl crt /etc/haproxy/certs/ssl.pem
     mode tcp
@@ -106,8 +111,8 @@ backend bk_http
     mode http
     # Use the appropriate variable based on the traffic type
     # For HTTP - Use Host header
-    use-server %[var(txn.host),lower,map(/etc/haproxy/http_domains.map)] if { var(txn.host) -m found }
     http-request set-header Host %[req.hdr(host)]
+    use-server %[var(txn.host),lower,map(/etc/haproxy/http_domains.map)] if { var(txn.host) -m found }
     server web1 127.0.0.1:4020
 # Default to fallback to the aleph-vm supervisor
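Review bot: `log stdout format raw local0` only delivers anything if haproxy keeps its stdout open, which is not the case once the process daemonizes; whether the global section contains `daemon`, or the service unit runs haproxy in the foreground (for example `-Ws` under systemd), is outside this hunk and should be confirmed in the same change. The switch away from `/dev/log` is sound in principle, since that socket is not reachable under `chroot /var/lib/haproxy` unless it is mounted into the jail. Dropping the second `log /dev/log local1 notice` line also removes the separate notice-level stream, so any log consumer keyed on that facility needs updating. The global section continues outside the hunk.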
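Review bot: `bind :::8404 v4v6` makes the stats frontend reachable on every IPv6 address in addition to every IPv4 address, and no `stats auth` or source-based restriction is visible in this hunk, so the page served at `stats uri /` is exposed to any peer that can reach the port; host firewall rules written only for IPv4 will not cover the new IPv6 exposure. If the page is only consumed locally, `bind 127.0.0.1:8404` plus `bind ::1:8404` is the narrower choice; otherwise add `stats auth` or restrict by source, e.g. `acl stats_trusted src <TRUSTED-CIDR>` and `http-request deny if !stats_trusted`. The rest of `frontend stats` lies outside the hunk, so a restriction may already exist further down and should be checked. The same dual-stack widening applies to `bind :::443 v4v6`, `bind :::80 v4v6` and `bind :::2222 v4v6` in the next two hunks, which are presumably meant to be public but should be matched against the IPv6 side of the firewall.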
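Review bot: The two new comments in `frontend ft_http` contain typos ("challange", "its") and do not say why the rule sits where it does; since `use_backend bk_letsencrypt if letsencrypt-acl` must precede `use_backend bk_http if { var(txn.host) -m found }` for the challenge to bypass per-domain routing, that ordering deserves to be stated so a later edit does not reorder it. Suggested replacement for both comment lines: `# Route ACME HTTP-01 challenges (/.well-known/acme-challenge/) to the local certbot listener; keep this before the Host-based use_backend so it takes precedence`. The ACL applies regardless of Host, which is what ACME needs, but means any domain pointed at this host can reach the certbot port for that path prefix; that is the expected exposure for HTTP-01 and worth noting in the comment.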
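Review bot: Moving `use-server %[var(txn.host),lower,map(/etc/haproxy/http_domains.map)] ...` below `http-request set-header Host %[req.hdr(host)]` in `backend bk_http` does not change evaluation order, because HAProxy applies `http-request` rules before server selection regardless of where `use-server` appears in the section, and the lookup reads `var(txn.host)` rather than the header anyway. If the relocation is purely for readability, a one-line comment would prevent the next reader from assuming a dependency: `# Placement is cosmetic: http-request rules always run before use-server selection`. It is also worth hedging in a comment that when the map yields no matching server name the rule is presumably ignored and the request falls through to `web1`, since that fallback is not obvious from the line itself.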
@@ -116,6 +121,10 @@ backend bk_default_ssl
     mode tcp
     server fallback_local 127.0.0.1:4443 send-proxy
+# Let's encrypt Backend for certificate renewal
+backend bk_letsencrypt
+    server letsencrypt 127.0.0.1:8888
+
 # Internal frontend that handles TLS termination (serve cert) and HTTP
 frontend ft_terminated_ssl
     bind 127.0.0.1:4443 ssl crt /etc/haproxy/certs/ accept-proxy
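Review bot: `backend bk_letsencrypt` declares no `mode`, unlike the neighbouring `backend bk_default_ssl` (`mode tcp`) and `backend bk_http` (`mode http`) in this diff, so it inherits whatever `defaults` sets; it is selected from `frontend ft_http`, which is `mode http`, so adding `mode http` explicitly keeps the backend valid even if the defaults section changes. The single `server letsencrypt 127.0.0.1:8888` has no health check and presumably only answers while certbot runs its standalone HTTP-01 listener, so challenge requests at other times will receive a 503; that expectation should be documented next to the server line, e.g. `# Only up while certbot runs its standalone HTTP-01 listener on 127.0.0.1:8888; 503 otherwise`. How certbot is started on that port is not shown in this change and should be referenced from the comment if it lives in another packaging file.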