diff --git a/src/nginxconfig.ejs b/src/nginxconfig.ejs
index 193fefdaf..c73d4a527 100644
--- a/src/nginxconfig.ejs
+++ b/src/nginxconfig.ejs
@@ -87,7 +87,10 @@ server {
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256;
 ssl_prefer_server_ciphers off;
+<% if (endpoint !== 'ip' && endpoint !== 'setup') { -%>
+ # dhparams is generated only after dns setup
 ssl_dhparam /home/yellowtent/platformdata/dhparams.pem;
+<% } -%>
 add_header Strict-Transport-Security "max-age=63072000";
 <% if ( ocsp ) { -%>
diff --git a/src/provision.js b/src/provision.js
index 9a1c69e61..a044485a1 100644
--- a/src/provision.js
+++ b/src/provision.js
@@ -10,7 +10,6 @@ exports = module.exports = {
 const assert = require('assert'),
 backups = require('./backups.js'),
 backuptask = require('./backuptask.js'),
- blobs = require('./blobs.js'),
 BoxError = require('./boxerror.js'),
 branding = require('./branding.js'),
 constants = require('./constants.js'),
@@ -18,6 +17,7 @@ const assert = require('assert'),
 debug = require('debug')('box:provision'),
 domains = require('./domains.js'),
 eventlog = require('./eventlog.js'),
+ fs = require('fs'),
 mail = require('./mail.js'),
 mounts = require('./mounts.js'),
 reverseProxy = require('./reverseproxy.js'),
@@ -25,6 +25,7 @@ const assert = require('assert'),
 semver = require('semver'),
 settings = require('./settings.js'),
 sysinfo = require('./sysinfo.js'),
+ paths = require('./paths.js'),
 users = require('./users.js'),
 tld = require('tldjs'),
 tokens = require('./tokens.js'),
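Review bot: Gating `ssl_dhparam` on the endpoint name rather than on whether the file exists means any vhost rendered for another endpoint before `ensureDhparams()` has run (the new comment itself says the file only exists after DNS setup) still references a missing dhparams.pem, and nginx refuses to load that config; passing a flag the caller computes from `fs.existsSync(paths.DHPARAMS_FILE)` would track the real condition, e.g. `<% if (hasDhparams) { -%>`. The comment should also record the consequence of the omission: without `ssl_dhparam`, nginx 1.11.0+ does not offer the `DHE-RSA-*` suites listed in `ssl_ciphers` above for that server block, so the ip and setup endpoints negotiate ECDHE only — harmless, but worth stating as `# no ssl_dhparam here: nginx then skips the DHE-RSA ciphers above for this vhost (ECDHE only)`. The enclosing server block starts and ends outside the hunk.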
@@ -50,6 +51,14 @@ function setProgress(task, message, callback) {
 if (callback) callback();
 }
+async function ensureDhparams() {
+ if (fs.existsSync(paths.DHPARAMS_FILE)) return;
+ debug('ensureDhparams: generating dhparams');
+ const dhparams = safe.child_process.execSync('openssl dhparam -dsaparam 2048');
+ if (!dhparams) throw new BoxError(BoxError.OPENSSL_ERROR, safe.error);
+ if (!safe.fs.writeFileSync(paths.DHPARAMS_FILE, dhparams)) throw new BoxError(BoxError.FS_ERROR, `Could not save dhparams.pem: ${safe.error.message}`);
+}
+
 async function unprovision() {
 // TODO: also cancel any existing configureWebadmin task
 await settings.setDashboardLocation('', '');
@@ -63,6 +72,7 @@ async function setupTask(domain, auditSource) {
 try {
 await cloudron.setupDnsAndCert(constants.DASHBOARD_LOCATION, domain, auditSource, (progress) => setProgress('setup', progress.message));
+ await ensureDhparams();
 await cloudron.setDashboardDomain(domain, auditSource);
 setProgress('setup', 'Done'), await eventlog.add(eventlog.ACTION_PROVISION, auditSource, {});
@@ -160,6 +170,7 @@ async function restoreTask(backupConfig, backupId, sysinfoConfig, options, audit
 const mailRestoreConfig = { backupConfig, backupId: mailBackups[0].id, backupFormat: mailBackups[0].format };
 await backuptask.downloadMail(mailRestoreConfig, (progress) => setProgress('restore', progress.message));
+ await ensureDhparams();
 await settings.setSysinfoConfig(sysinfoConfig);
 await reverseProxy.restoreFallbackCertificates();
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index 367563041..5e079b7b1 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -490,7 +490,7 @@ async function writeAppNginxConfig(app, fqdn, bundle) {
 hasIPv6: sysinfo.hasIPv6(),
 ip: app.containerIp,
 port: app.manifest.httpPort,
- endpoint: endpoint,
+ endpoint,
 certFilePath: bundle.certFilePath,
 keyFilePath: bundle.keyFilePath,
 robotsTxtQuoted,
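Review bot: `safe.fs.writeFileSync(paths.DHPARAMS_FILE, dhparams)` in ensureDhparams is not atomic, so a crash or kill mid-write leaves a truncated dhparams.pem that the `fs.existsSync` guard at the top of the function then accepts on every later run, and every vhost carrying `ssl_dhparam` fails to load in nginx; write to a temporary path and rename it into place, as below. The function is also declared async but does all of its work synchronously — `execSync('openssl dhparam -dsaparam 2048')` blocks the event loop for the whole generation, which matters more now that it runs inside the setup and restore tasks rather than at config-write time. An awaited `child_process.execFile` would avoid the stall; alternatively, shipping the RFC 7919 ffdhe2048 group instead of generating `-dsaparam` (non-safe-prime) parameters on each box removes both the wait and the runtime openssl dependency, which I would at least note in a comment on the `execSync` line.
```javascript
async function ensureDhparams() {
    if (fs.existsSync(paths.DHPARAMS_FILE)) return;
    // … unchanged: debug() and the openssl dhparam generation …
    // write-then-rename: a crash mid-write must not leave a truncated dhparams.pem
    // that the existsSync() check above would treat as valid on the next run
    const tmpFile = `${paths.DHPARAMS_FILE}.tmp`;
    if (!safe.fs.writeFileSync(tmpFile, dhparams)) throw new BoxError(BoxError.FS_ERROR, `Could not save dhparams.pem: ${safe.error.message}`);
    try {
        fs.renameSync(tmpFile, paths.DHPARAMS_FILE);
    } catch (error) {
        throw new BoxError(BoxError.FS_ERROR, `Could not save dhparams.pem: ${error.message}`);
    }
}
```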
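Review bot: `await ensureDhparams();` in setupTask is placed after `cloudron.setupDnsAndCert(...)` and before `cloudron.setDashboardDomain(...)`; if setupDnsAndCert already renders an nginx vhost for the dashboard domain (an endpoint the template now emits `ssl_dhparam` for), that config references a dhparams.pem that does not exist yet and nginx will reject it. I cannot see either helper from the hunk, so please confirm the ordering, or move the call ahead of setupDnsAndCert — parameter generation has no dependency on DNS or certificates, so `await ensureDhparams();` can be the first statement of the `try`. A one-line comment stating why the call sits where it does would help the next reader, e.g. `// dhparams must exist before any non-setup vhost is written`. setupTask's try/catch continues outside the hunk.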
@@ -767,13 +767,6 @@ async function writeDefaultConfig(options) {
 }
 }
- if (!fs.existsSync(paths.DHPARAMS_FILE)) {
- debug('writeDefaultConfig: generating dhparams');
- const dhparams = safe.child_process.execSync('openssl dhparam -dsaparam 2048');
- if (!dhparams) throw new BoxError(BoxError.OPENSSL_ERROR, safe.error);
- if (!safe.fs.writeFileSync(paths.DHPARAMS_FILE, dhparams)) throw new BoxError(BoxError.FS_ERROR, `Could not save dhparams.pem: ${safe.error.message}`);
- }
-
 const data = {
 sourceDir: path.resolve(__dirname, '..'),
 vhost: '',