diff --git a/migrations/20180131152200-domains-add-tlsConfigJson.js b/migrations/20180131152200-domains-add-tlsConfigJson.js
index 6621acd76..2734c231a 100644
--- a/migrations/20180131152200-domains-add-tlsConfigJson.js
+++ b/migrations/20180131152200-domains-add-tlsConfigJson.js
@@ -6,12 +6,13 @@ exports.up = function(db, callback) {
 db.all('SELECT * FROM settings WHERE name = ?', [ 'tls_config' ], function (error, result) {
 if (error) return callback(error);
- var tlsConfigJson = (result[0] && result[0].value) ? result[0].value : JSON.stringify({ provider: 'le-prod'});
+ var tlsConfig = (result[0] && result[0].value) ? JSON.parse(result[0].value) : { provider: 'letsencrypt-prod'};
+ tlsConfig.provider = tlsConfig.provider.replace(/$le\-/, 'letsencrypt-'); // old cloudrons had le-prod/le-staging
 async.series([
 db.runSql.bind(db, 'START TRANSACTION;'),
 db.runSql.bind(db, 'ALTER TABLE domains ADD COLUMN tlsConfigJson TEXT'),
- db.runSql.bind(db, 'UPDATE domains SET tlsConfigJson = ?', [ tlsConfigJson ]),
+ db.runSql.bind(db, 'UPDATE domains SET tlsConfigJson = ?', [ JSON.stringify(tlsConfig) ]),
 db.runSql.bind(db, 'COMMIT')
 ], callback);
 });
diff --git a/scripts/cloudron-setup b/scripts/cloudron-setup
index 3a30f6a7f..464f3976b 100755
--- a/scripts/cloudron-setup
+++ b/scripts/cloudron-setup
@@ -45,7 +45,7 @@ fi
 initBaseImage="true"
 # provisioning data
 provider=""
-tlsProvider="le-prod"
+tlsProvider="letsencrypt-prod"
 requestedVersion=""
 apiServerOrigin="https://api.cloudron.io"
 webServerOrigin="https://cloudron.io"
@@ -67,12 +67,12 @@ while true; do
 if [[ "$2" == "dev" ]]; then
 apiServerOrigin="https://api.dev.cloudron.io"
 webServerOrigin="https://dev.cloudron.io"
- tlsProvider="le-staging"
+ tlsProvider="letsencrypt-staging"
 prerelease="true"
 elif [[ "$2" == "staging" ]]; then
 apiServerOrigin="https://api.staging.cloudron.io"
 webServerOrigin="https://staging.cloudron.io"
- tlsProvider="le-staging"
+ tlsProvider="letsencrypt-staging"
 prerelease="true"
 fi
 shift 2;;
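Review bot: The pattern `/$le\-/` on the added `tlsConfig.provider = ...replace(...)` line can never match, because `$` anchors the end of the input rather than the start, so legacy `le-prod`/`le-staging` values are written back to `tlsConfigJson` unchanged. The start anchor is what the comment describes: `tlsConfig.provider = tlsConfig.provider.replace(/^le-/, 'letsencrypt-');`. The same hunk now calls `JSON.parse` on the stored settings value and dereferences `.provider` without a guard, so a malformed or provider-less `tls_config` row would throw inside the `db.all` callback instead of reaching `callback(error)`; wrapping the parse in try/catch and defaulting a missing provider would let the migration fail cleanly.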
@@ -111,8 +111,8 @@ elif [[ \
 exit 1
 fi
-if [[ "${tlsProvider}" != "fallback" && "${tlsProvider}" != "le-prod" && "${tlsProvider}" != "le-staging" ]]; then
- echo "--tls-provider must be one of: le-prod, le-staging, fallback"
+if [[ "${tlsProvider}" != "fallback" && "${tlsProvider}" != "letsencrypt-prod" && "${tlsProvider}" != "letsencrypt-staging" ]]; then
+ echo "--tls-provider must be one of: letsencrypt-prod, letsencrypt-staging, fallback"
 exit 1
 fi
diff --git a/src/domains.js b/src/domains.js
index 4ce30b250..5f5d6306b 100644
--- a/src/domains.js
+++ b/src/domains.js
@@ -120,7 +120,7 @@ function add(domain, zoneName, provider, config, fallbackCertificate, tlsConfig,
 if (error) return callback(new DomainError(DomainError.BAD_FIELD, error.message));
 }
- if (tlsConfig.provider !== 'fallback' && tlsConfig.provider !== 'caas' && tlsConfig.provider.indexOf('le-') !== 0) {
+ if (tlsConfig.provider !== 'fallback' && tlsConfig.provider !== 'caas' && tlsConfig.provider.indexOf('letsencrypt-') !== 0) {
 return callback(new DomainError(DomainError.BAD_FIELD, 'tlsConfig.provider must be caas, fallback or le-*'));
 }
@@ -200,8 +200,8 @@ function update(domain, provider, config, fallbackCertificate, tlsConfig, callba
 if (error) return callback(new DomainError(DomainError.BAD_FIELD, error.message));
 }
- if (tlsConfig.provider !== 'fallback' && tlsConfig.provider !== 'caas' && tlsConfig.provider.indexOf('le-') !== 0) {
- return callback(new DomainError(DomainError.BAD_FIELD, 'tlsConfig.provider must be caas, fallback or le-*'));
+ if (tlsConfig.provider !== 'fallback' && tlsConfig.provider !== 'caas' && tlsConfig.provider.indexOf('letsencrypt-') !== 0) {
+ return callback(new DomainError(DomainError.BAD_FIELD, 'tlsConfig.provider must be caas, fallback or letsencrypt-*'));
 }
 sysinfo.getPublicIp(function (error, ip) {
diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index c8edd6019..c6cc052c2 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
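Review bot: In the `add()` hunk of src/domains.js the check now requires the `letsencrypt-` prefix, but the BAD_FIELD message on the unchanged line below it still reads `caas, fallback or le-*`. The `update()` hunk corrects its message and this one should match: `'tlsConfig.provider must be caas, fallback or letsencrypt-*'`. Both hunks also validate by prefix only (`indexOf('letsencrypt-') !== 0`), so any string that starts with `letsencrypt-` is accepted and stored as a provider. If prod and staging are the only supported values, as the setup script's check in this commit suggests, an exact allow-list is tighter: `['fallback', 'caas', 'letsencrypt-prod', 'letsencrypt-staging'].indexOf(tlsConfig.provider) === -1`. Both function bodies start and end outside the hunks.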
@@ -90,7 +90,7 @@ function getApi(app, callback) {
 if (domain.tlsConfig.provider === 'caas') {
 options.prod = true; // with altDomain, we will choose acme setting based on this
 } else { // acme
- options.prod = domain.tlsConfig.provider.match(/.*-prod/) !== null;
+ options.prod = domain.tlsConfig.provider.match(/.*-prod/) !== null; // matches 'le-prod' or 'letsencrypt-prod'
 }
 // registering user with an email requires A or MX record (https://github.com/letsencrypt/boulder/issues/1197)
diff --git a/src/routes/domains.js b/src/routes/domains.js
index 65af5d509..f9a33c1ba 100644
--- a/src/routes/domains.js
+++ b/src/routes/domains.js
@@ -29,7 +29,7 @@ function add(req, res, next) {
 if ('tlsConfig' in req.body && typeof req.body.tlsConfig !== 'object') return next(new HttpError(400, 'tlsConfig must be a object with a provider string property'));
 if (req.body.tlsConfig && (!req.body.tlsConfig.provider || typeof req.body.tlsConfig.provider !== 'string')) return next(new HttpError(400, 'tlsConfig.provider must be a string'));
- domains.add(req.body.domain, req.body.zoneName || '', req.body.provider, req.body.config, req.body.fallbackCertificate || null, req.body.tlsConfig || { provider: 'le-prod' }, function (error) {
+ domains.add(req.body.domain, req.body.zoneName || '', req.body.provider, req.body.config, req.body.fallbackCertificate || null, req.body.tlsConfig || { provider: 'letsencrypt-prod' }, function (error) {
 if (error && error.reason === DomainError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
 if (error && error.reason === DomainError.BAD_FIELD) return next(new HttpError(400, error.message));
 if (error && error.reason === DomainError.INVALID_PROVIDER) return next(new HttpError(400, error.message));
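Review bot: The comment added to the `options.prod` line in getApi says the pattern matches 'le-prod' or 'letsencrypt-prod', but `/.*-prod/` is unanchored and is true for any provider string that contains `-prod`. Because the validation in src/domains.js in this commit accepts any value with the `letsencrypt-` prefix, the production-versus-staging ACME choice rests on a loose substring test. An explicit comparison states the intent and fails closed to staging for anything else: `options.prod = domain.tlsConfig.provider === 'letsencrypt-prod' || domain.tlsConfig.provider === 'le-prod';`. getApi's body starts and ends outside the hunk.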
@@ -72,7 +72,7 @@ function update(req, res, next) {
 if ('tlsConfig' in req.body && typeof req.body.tlsConfig !== 'object') return next(new HttpError(400, 'tlsConfig must be a object with a provider string property'));
 if (req.body.tlsConfig && (!req.body.tlsConfig.provider || typeof req.body.tlsConfig.provider !== 'string')) return next(new HttpError(400, 'tlsConfig.provider must be a string'));
- domains.update(req.params.domain, req.body.provider, req.body.config, req.body.fallbackCertificate || null, req.body.tlsConfig || { provider: 'le-prod' }, function (error) {
+ domains.update(req.params.domain, req.body.provider, req.body.config, req.body.fallbackCertificate || null, req.body.tlsConfig || { provider: 'letsencrypt-prod' }, function (error) {
 if (error && error.reason === DomainError.NOT_FOUND) return next(new HttpError(404, error.message));
 if (error && error.reason === DomainError.BAD_FIELD) return next(new HttpError(400, error.message));
 if (error && error.reason === DomainError.INVALID_PROVIDER) return next(new HttpError(400, error.message));
diff --git a/src/routes/setup.js b/src/routes/setup.js
index ba052cb2f..51bfa5c48 100644
--- a/src/routes/setup.js
+++ b/src/routes/setup.js
@@ -75,7 +75,7 @@ function dnsSetup(req, res, next) {
 if ('tlsConfig' in req.body && typeof req.body.tlsConfig !== 'object') return next(new HttpError(400, 'tlsConfig must be an object'));
 if (req.body.tlsConfig && (!req.body.tlsConfig.provider || typeof req.body.tlsConfig.provider !== 'string')) return next(new HttpError(400, 'tlsConfig.provider must be a string'));
- setup.dnsSetup(req.body.adminFqdn.toLowerCase(), req.body.domain.toLowerCase(), req.body.zoneName || '', req.body.provider, req.body.config, req.body.tlsConfig || { provider: 'le-prod' }, function (error) {
+ setup.dnsSetup(req.body.adminFqdn.toLowerCase(), req.body.domain.toLowerCase(), req.body.zoneName || '', req.body.provider, req.body.config, req.body.tlsConfig || { provider: 'letsencrypt-prod' }, function (error) {
 if (error && error.reason === SetupError.ALREADY_SETUP) return next(new HttpError(409, error.message));
 if (error && error.reason === SetupError.BAD_FIELD) return next(new HttpError(400, error.message));
 if (error) return next(new HttpError(500, error));
diff --git a/src/test/reverseproxy-test.js b/src/test/reverseproxy-test.js
index 3e5e74693..d10d05174 100644
--- a/src/test/reverseproxy-test.js
+++ b/src/test/reverseproxy-test.js
@@ -153,9 +153,9 @@ describe('Certificates', function () {
 });
 });
- describe('getApi - le-prod', function () {
+ describe('getApi - letsencrypt-prod', function () {
 before(function (done) {
- DOMAIN_0.tlsConfig = { provider: 'le-prod' };
+ DOMAIN_0.tlsConfig = { provider: 'letsencrypt-prod' };
 async.series([
 setup,
@@ -193,9 +193,9 @@ describe('Certificates', function () {
 });
 });
- describe('getApi - le-staging', function () {
+ describe('getApi - letsencrypt-staging', function () {
 before(function (done) {
- DOMAIN_0.tlsConfig = { provider: 'le-staging' };
+ DOMAIN_0.tlsConfig = { provider: 'letsencrypt-staging' };
 async.series([
 setup,