diff --git a/certbot/0.ns1.grapheneos.org b/certbot/0.ns1.grapheneos.org
index 2711e58..8f722ee 100644
--- a/certbot/0.ns1.grapheneos.org
+++ b/certbot/0.ns1.grapheneos.org
@@ -1,6 +1,6 @@
 certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
     --key-type ecdsa --reuse-key --required-profile tlsserver \
-    --deploy-hook "nginx -s reload; rsync -acv --delete --chmod=D750,F640 --chown root:dnsdist /etc/letsencrypt/live/ /etc/letsencrypt/dnsdist/; dnsdist -c -e 'reloadAllCertificates()'" \
+    --deploy-hook "nginx -s reload; rsync -acv --copy-links --delete --chmod=D750,F640 --chown root:dnsdist /etc/letsencrypt/live/ /etc/letsencrypt/dnsdist/; dnsdist -c -e 'reloadAllCertificates()'" \
     --cert-name ns1.grapheneos.org \
     -d ns1.grapheneos.org \
     -d ns1.attestation.app \
diff --git a/certbot/0.ns2.grapheneos.org b/certbot/0.ns2.grapheneos.org
index 09a8fa0..5278b94 100644
--- a/certbot/0.ns2.grapheneos.org
+++ b/certbot/0.ns2.grapheneos.org
@@ -1,6 +1,6 @@
 certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
     --key-type ecdsa --reuse-key --required-profile tlsserver \
-    --deploy-hook "nginx -s reload; rsync -acv --delete --chmod=D750,F640 --chown root:dnsdist /etc/letsencrypt/live/ /etc/letsencrypt/dnsdist/; dnsdist -c -e 'reloadAllCertificates()'" \
+    --deploy-hook "nginx -s reload; rsync -acv --copy-links --delete --chmod=D750,F640 --chown root:dnsdist /etc/letsencrypt/live/ /etc/letsencrypt/dnsdist/; dnsdist -c -e 'reloadAllCertificates()'" \
     --cert-name ns2.grapheneos.org \
     -d ns2.grapheneos.org \
     -d ns2.attestation.app \
diff --git a/certbot/ns1.staging.grapheneos.org b/certbot/ns1.staging.grapheneos.org
index 69da7e1..39a9f5f 100644
--- a/certbot/ns1.staging.grapheneos.org
+++ b/certbot/ns1.staging.grapheneos.org
@@ -1,6 +1,6 @@
 certbot certonly --webroot --webroot-path /srv/certbot --no-eff-email \
     --key-type ecdsa --reuse-key --required-profile tlsserver \
-    --deploy-hook "nginx -s reload; rsync -acv --delete --chmod=D750,F640 --chown root:dnsdist /etc/letsencrypt/live/ /etc/letsencrypt/dnsdist/; dnsdist -c -e 'reloadAllCertificates()'" \
+    --deploy-hook "nginx -s reload; rsync -acv --copy-links --delete --chmod=D750,F640 --chown root:dnsdist /etc/letsencrypt/live/ /etc/letsencrypt/dnsdist/; dnsdist -c -e 'reloadAllCertificates()'" \
     --cert-name ns1.staging.grapheneos.org \
     -d ns1.staging.grapheneos.org \
     -d ns2.staging.grapheneos.org \