diff --git a/http/Provision/Config/Apache/Ssl/Server.php b/http/Provision/Config/Apache/Ssl/Server.php deleted file mode 100644 index db695c04da514a102b60b95fda3d9b9cc9fdf044..0000000000000000000000000000000000000000 --- a/http/Provision/Config/Apache/Ssl/Server.php +++ /dev/null @@ -1,19 +0,0 @@ -data['extra_config'] = "# Extra configuration from modules:\n"; - $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_apache_server_config', $this->data)); - } -} diff --git a/http/Provision/Config/Apache/Ssl/Site.php b/http/Provision/Config/Apache/Ssl/Site.php deleted file mode 100644 index 3aa4489c2fab924d7e8b37aff4b6395fea6094a3..0000000000000000000000000000000000000000 --- a/http/Provision/Config/Apache/Ssl/Site.php +++ /dev/null @@ -1,15 +0,0 @@ -data['extra_config'] = "# Extra configuration from modules:\n"; - $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_apache_vhost_config', $this->uri, $this->data)); - } -} diff --git a/http/Provision/Config/Apache/Ssl/server_ssl.tpl.php b/http/Provision/Config/Apache/Ssl/server_ssl.tpl.php deleted file mode 100644 index 6b33a5e7f3703fe747bf9ff4c424e7f233400653..0000000000000000000000000000000000000000 --- a/http/Provision/Config/Apache/Ssl/server_ssl.tpl.php +++ /dev/null @@ -1,18 +0,0 @@ -NameVirtualHost - - - LoadModule ssl_module modules/mod_ssl.so - - - - SSLEngine on - SSLCertificateFile - SSLCertificateKeyFile - - SSLCertificateChainFile - - ServerName default - Redirect 404 / - - - diff --git a/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php b/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php deleted file mode 100644 index f9cb9731ba5e6b0a7c87bf8aa4c4ebae9f72e105..0000000000000000000000000000000000000000 --- a/http/Provision/Config/Apache/Ssl/vhost_ssl.tpl.php +++ /dev/null 
@@ -1,104 +0,0 @@ - -ssl_enabled && $this->ssl_key) : ?> - - > - site_mail) : ?> - ServerAdmin site_mail; ?> - - -aegir_root) { - $aegir_root = $server->aegir_root; -} -?> - - DocumentRoot root; ?> - - ServerName uri; ?> - - SetEnv db_type - - SetEnv db_name - - SetEnv db_user - - SetEnv db_passwd - - SetEnv db_host - - SetEnv db_port - - # Enable SSL handling. - - SSLEngine on - - SSLCertificateFile - - SSLCertificateKeyFile - - - SSLCertificateChainFile - - -aliases)) { - foreach ($this->aliases as $alias) { - print " ServerAlias " . $alias . "\n"; - } -} -?> - - - RewriteEngine on -redirection) { - print " # Redirect all aliases to the selected alias.\n"; - print " RewriteCond %{HTTP_HOST} !^{$this->redirection}$ [NC]\n"; - print " RewriteRule ^/*(.*)$ https://{$this->redirection}/$1 [NE,L,R=301]\n"; -} -?> - RewriteRule ^/files/(.*)$ /sites/uri; ?>/files/$1 [L] - RewriteCond site_path; ?>/files/robots.txt -f - RewriteRule ^/robots.txt /sites/uri; ?>/files/robots.txt [L] - - - - - # Error handler for Drupal > 4.6.7 - - - SetHandler This_is_a_Drupal_security_line_do_not_remove - - Options None - Options +FollowSymLinks - - # If we know how to do it safely, disable the PHP engine entirely. - - php_flag engine off - - - - # Prevent direct reading of files in the private dir. - # This is for Drupal7 compatibility, which would normally drop - # a .htaccess in those directories, but we explicitly ignore those - site_path; ?>/private/" > - - SetHandler This_is_a_Drupal_security_line_do_not_remove - - Deny from all - Options None - Options +FollowSymLinks - - # If we know how to do it safely, disable the PHP engine entirely. - - php_flag engine off - - - - - - - diff --git a/http/Provision/Config/Apache/Ssl/vhost_ssl_disabled.tpl.php b/http/Provision/Config/Apache/Ssl/vhost_ssl_disabled.tpl.php deleted file mode 100644 index a3e1a346c261fa1e7d67c7979289b078d978603a..0000000000000000000000000000000000000000 
--- a/http/Provision/Config/Apache/Ssl/vhost_ssl_disabled.tpl.php +++ /dev/null @@ -1,37 +0,0 @@ -ssl_enabled && $this->ssl_key) : ?> - - > - site_mail) : ?> - ServerAdmin site_mail; ?> - - - DocumentRoot root; ?> - - ServerName uri; ?> - - # Enable SSL handling. - - SSLEngine on - - SSLCertificateFile - - SSLCertificateKeyFile - -aliases)) { - foreach ($this->aliases as $alias) { - print " ServerAlias " . $alias . "\n"; - } -} -?> - - RewriteEngine on - # the ? at the end is to remove any query string in the original url - RewriteRule ^(.*)$ platform->server->web_disable_url . '/' . $this->uri ?>? - - - - - diff --git a/http/Provision/Config/Http/Ssl/Server.php b/http/Provision/Config/Http/Ssl/Server.php deleted file mode 100644 index 02b33b06ad415af556a032fc77e6e3e7e61e113c..0000000000000000000000000000000000000000 --- a/http/Provision/Config/Http/Ssl/Server.php +++ /dev/null 
@@ -1,43 +0,0 @@
-ssl_enabled && $this->ssl_key) {
- $path = dirname($this->data['ssl_cert']);
- // Make sure the ssl.d directory in the server ssl.d exists.
- provision_file()->create_dir($path,
- dt("Creating SSL Certificate directory for %key on %server", array(
- '%key' => $this->ssl_key,
- '%server' => $this->data['server']->remote_host,
- )), 0700);
-
- // Copy the certificates to the server's ssl.d directory.
- provision_file()->copy(
- $this->data['ssl_cert_source'],
- $this->data['ssl_cert'])
- ->succeed('Copied default SSL certificate into place')
- ->fail('Failed to copy default SSL certificate into place');
- provision_file()->copy(
- $this->data['ssl_cert_key_source'],
- $this->data['ssl_cert_key'])
- ->succeed('Copied default SSL key into place')
- ->fail('Failed to copy default SSL key into place');
- // Copy the chain certificate, if it is set.
- if (!empty($this->data['ssl_chain_cert_source'])) {
- provision_file()->copy(
- $this->data['ssl_chain_cert_source'],
- $this->data['ssl_chain_cert'])
- ->succeed('Copied default SSL chain certificate key into place')
- ->fail('Failed to copy default SSL chain certificate into place');
- }
- }
- }
-}
diff --git a/http/Provision/Config/Http/Ssl/Site.php b/http/Provision/Config/Http/Ssl/Site.php
deleted file mode 100644
index 3d91ef3429a787f28c1c99bc77c9e4f1540bfb3c..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Http/Ssl/Site.php
+++ /dev/null
@@ -1,77 +0,0 @@ -ssl_enabled && $this->ssl_key) { - $path = dirname($this->data['ssl_cert']); - // Make sure the ssl.d directory in the server ssl.d exists. - provision_file()->create_dir($path, - dt("SSL Certificate directory for %key on %server", array( - '%key' => $this->ssl_key, - '%server' => $this->data['server']->remote_host, - )), 0700); - - // Touch a file in the server's copy of this key, so that it knows the key is in use. - // XXX: test. data structure may not be sound. try d($this->uri) - // if $this fails - Provision_Service_http_ssl::assign_certificate_site($this->ssl_key, $this); - - // Copy the certificates to the server's ssl.d directory. - provision_file()->copy( - $this->data['ssl_cert_source'], - $this->data['ssl_cert']) - || drush_set_error('SSL_CERT_COPY_FAIL', dt('failed to copy SSL certificate in place')); - provision_file()->copy( - $this->data['ssl_cert_key_source'], - $this->data['ssl_cert_key']) - || drush_set_error('SSL_KEY_COPY_FAIL', dt('failed to copy SSL key in place')); - // Copy the chain certificate, if it is set. - if (!empty($this->data['ssl_chain_cert_source'])) { - provision_file()->copy( - $this->data['ssl_chain_cert_source'], - $this->data['ssl_chain_cert']) - || drush_set_error('SSL_CHAIN_COPY_FAIL', dt('failed to copy SSL certficate chain in place')); - } - // Sync the key directory to the remote server. - $this->data['server']->sync($path, array( - 'exclude' => "{$path}/*.receipt", // Don't need to synch the receipts - )); - } - } - - /** - * Remove a stale certificate file from the server. - */ - function unlink() { - parent::unlink(); - - if ($this->ssl_enabled) { - // XXX: to be tested, not sure the data structure is sound - Provision_Service_http_ssl::free_certificate_site($this->ssl_key, $this); - } - } - - /** - * Small utility function to stop code duplication. 
- * - * @deprecated unused - * @see Provision_Service_http_ssl::free_certificate_site() - */ - private function clear_certs($ssl_key) { - return FALSE; - } -} - diff --git a/http/Provision/Config/Nginx/Ssl/Server.php b/http/Provision/Config/Nginx/Ssl/Server.php deleted file mode 100644 index d952dfd9719f4f6bbf9c89d58604956c54ce598d..0000000000000000000000000000000000000000 --- a/http/Provision/Config/Nginx/Ssl/Server.php +++ /dev/null @@ -1,19 +0,0 @@ -data['extra_config'] = "# Extra configuration from modules:\n"; - $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_nginx_server_config', $this->data)); - } -} diff --git a/http/Provision/Config/Nginx/Ssl/Site.php b/http/Provision/Config/Nginx/Ssl/Site.php deleted file mode 100644 index d251d310866e26c010ca118b8b24db02a94a283d..0000000000000000000000000000000000000000 --- a/http/Provision/Config/Nginx/Ssl/Site.php +++ /dev/null @@ -1,15 +0,0 @@ -data['extra_config'] = "# Extra configuration from modules:\n"; - $this->data['extra_config'] .= join("\n", drush_command_invoke_all('provision_nginx_vhost_config', $this->uri, $this->data)); - } -} diff --git a/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php b/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php deleted file mode 100644 index c1a1ef025df996668a2b4e54b9248ed5fb570d00..0000000000000000000000000000000000000000 --- a/http/Provision/Config/Nginx/Ssl/server_ssl.tpl.php +++ /dev/null @@ -1,27 +0,0 @@ - - -####################################################### -### nginx default ssl server -####################################################### - -satellite_mode) { - $satellite_mode = $server->satellite_mode; -} -?> - -server { -ip_addresses as $ip) :?> - listen ; - - server_name _; - location / { - - root /var/www/nginx-default; - index index.html index.htm; - - return 404; - - } -} 
diff --git a/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php b/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php
deleted file mode 100644
index 9d032b35c72b370a885d8ff85d6f5bc82b341a4a..0000000000000000000000000000000000000000
--- a/http/Provision/Config/Nginx/Ssl/vhost_ssl.tpl.php
+++ /dev/null
@@ -1,127 +0,0 @@ - -ssl_enabled && $this->ssl_key) : ?> - -satellite_mode) { - $satellite_mode = $server->satellite_mode; -} - -$nginx_has_http2 = drush_get_option('nginx_has_http2'); -if (!$nginx_has_http2 && $server->nginx_has_http2) { - $nginx_has_http2 = $server->nginx_has_http2; -} - -if ($nginx_has_http2) { - $ssl_args = "ssl http2"; -} -else { - $ssl_args = "ssl"; -} - -if ($satellite_mode == 'boa') { - $ssl_listen_ip = "*"; -} -else { - $ssl_listen_ip = $ip_address; -} -?> - -redirection): ?> -aliases as $alias_url): ?> -server { - listen ; -uri instead of - // $alias_url) - if ($this->redirection && $alias_url == $this->redirection) { - $this->uri = str_replace('/', '.', $this->uri); - print " server_name {$this->uri};\n"; - } - else { - $alias_url = str_replace('/', '.', $alias_url); - print " server_name {$alias_url};\n"; - } -?> - ssl on; - ssl_certificate_key ; - - ssl_certificate ; - - ssl_certificate ; - - return 301 $scheme://redirection; ?>$request_uri; -} - - - -server { - include fastcgi_params; - fastcgi_param MAIN_SITE_NAME uri; ?>; - set $main_site_name "uri; ?>"; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param HTTPS on; - - fastcgi_param db_type ; - fastcgi_param db_name ; - fastcgi_param db_user ; - fastcgi_param db_passwd ; - fastcgi_param db_host ; -server->db_port ? $this->server->db_port : '3306'; - } -?> - fastcgi_param db_port ; - listen ; - server_name uri) - if ($this->redirection) { - print str_replace('/', '.', $this->redirection); - } else { - print $this->uri; - } - if (!$this->redirection && is_array($this->aliases)) { - foreach ($this->aliases as $alias_url) { - if (trim($alias_url)) { - print " " . str_replace('/', '.', $alias_url); - } - } - } ?>; - root root}"; ?>; - ssl on; - ssl_certificate_key ; - - ssl_certificate ; - - ssl_certificate ; - - - include include_path; ?>/nginx_vhost_common.conf; -} - - - - 
diff --git a/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php b/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php deleted file mode 100644 index 8d2362ffab05209effd0ec8e04d099d25752fc14..0000000000000000000000000000000000000000 --- a/http/Provision/Config/Nginx/Ssl/vhost_ssl_disabled.tpl.php +++ /dev/null @@ -1,54 +0,0 @@ - -ssl_enabled && $this->ssl_key) : ?> - -satellite_mode) { - $satellite_mode = $server->satellite_mode; -} - -$nginx_has_http2 = drush_get_option('nginx_has_http2'); -if (!$nginx_has_http2 && $server->nginx_has_http2) { - $nginx_has_http2 = $server->nginx_has_http2; -} - -if ($nginx_has_http2) { - $ssl_args = "ssl http2"; -} -else { - $ssl_args = "ssl"; -} - -if ($satellite_mode == 'boa') { - $ssl_listen_ip = "*"; -} -else { - $ssl_listen_ip = $ip_address; -} -?> - -server { - listen ; - server_name uri . ' ' . implode(' ', str_replace('/', '.', $this->aliases)); ?>; - - root /var/www/nginx-default; - index index.html index.htm; - ### Do not reveal Aegir front-end URL here. - - return 302 platform->server->web_disable_url . '/' . $this->uri ?>; - - ssl on; - ssl_certificate_key ; - - ssl_certificate ; - - ssl_certificate ; - -} - - - - diff --git a/http/Provision/Service/http/apache/ssl.php b/http/Provision/Service/http/apache/ssl.php deleted file mode 100644 index e4eae94ae8e7652f11d6a9c6f54642d5d41aa0b4..0000000000000000000000000000000000000000 --- a/http/Provision/Service/http/apache/ssl.php +++ /dev/null @@ -1,52 +0,0 @@ -configs['server'][] = 'Provision_Config_Apache_Ssl_Server'; - - // Just re-use the standard platform config. - $this->configs['platform'][] = 'Provision_Config_Apache_Platform'; - - $this->configs['site'][] = 'Provision_Config_Apache_Ssl_Site'; - } - - /** - * Restart apache to pick up the new config files. - */ - function parse_configs() { - return $this->restart(); - } -} 
diff --git a/http/Provision/Service/http/nginx/ssl.php b/http/Provision/Service/http/nginx/ssl.php
deleted file mode 100644
index 157bf8f6aed0f8d6caa86ac576f812366a3a2871..0000000000000000000000000000000000000000
--- a/http/Provision/Service/http/nginx/ssl.php
+++ /dev/null
@@ -1,165 +0,0 @@ -configs['server'][] = 'Provision_Config_Nginx_Ssl_Server'; - $this->configs['server'][] = 'Provision_Config_Nginx_Inc_Server'; - $this->configs['site'][] = 'Provision_Config_Nginx_Ssl_Site'; - $this->server->setProperty('nginx_config_mode', 'extended'); - $this->server->setProperty('nginx_is_modern', FALSE); - $this->server->setProperty('nginx_has_http2', FALSE); - $this->server->setProperty('nginx_has_gzip', FALSE); - $this->server->setProperty('nginx_has_upload_progress', FALSE); - $this->server->setProperty('provision_db_cloaking', TRUE); - $this->server->setProperty('phpfpm_mode', 'port'); - $this->server->setProperty('satellite_mode', 'vanilla'); - } - - function save_server() { - // Find nginx executable. - if (provision_file()->exists('/usr/local/sbin/nginx')->status()) { - $path = "/usr/local/sbin/nginx"; - } - elseif (provision_file()->exists('/usr/sbin/nginx')->status()) { - $path = "/usr/sbin/nginx"; - } - elseif (provision_file()->exists('/usr/local/bin/nginx')->status()) { - $path = "/usr/local/bin/nginx"; - } - else { - return; - } - // Check if some nginx features are supported and save them for later. - $this->server->shell_exec($path . ' -V'); - $this->server->nginx_is_modern = preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", implode('', drush_shell_exec_output()), $match); - $this->server->nginx_has_http2 = preg_match("/http_v2_module/", implode('', drush_shell_exec_output()), $match); - $this->server->nginx_has_upload_progress = preg_match("/upload/", implode('', drush_shell_exec_output()), $match); - $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match); - - // Use basic nginx configuration if this control file exists. 
- $nginx_config_mode_file = "/etc/nginx/basic_nginx.conf"; - if (provision_file()->exists($nginx_config_mode_file)->status()) { - $this->server->nginx_config_mode = 'basic'; - drush_log(dt('Basic Nginx Config Active -SAVE- YES control file found @path.', array('@path' => $nginx_config_mode_file))); - } - else { - $this->server->nginx_config_mode = 'extended'; - drush_log(dt('Extended Nginx Config Active -SAVE- NO control file found @path.', array('@path' => $nginx_config_mode_file))); - } - - // Check if there is php-fpm listening on unix socket, otherwise use port 9000 to connect - if (provision_file()->exists('/var/run/php5-fpm.sock')->status()) { - $this->server->phpfpm_mode = 'socket'; - drush_log(dt('PHP-FPM unix socket mode detected -SAVE- YES socket found @path.', array('@path' => '/var/run/php5-fpm.sock'))); - } - else { - $this->server->phpfpm_mode = 'port'; - drush_log(dt('PHP-FPM port mode detected -SAVE- NO socket found @path.', array('@path' => '/var/run/php5-fpm.sock'))); - } - - // Check if there is BOA specific global.inc file to enable extra Nginx locations - if (provision_file()->exists('/data/conf/global.inc')->status()) { - $this->server->satellite_mode = 'boa'; - drush_log(dt('BOA mode detected -SAVE- YES file found @path.', array('@path' => '/data/conf/global.inc'))); - } - else { - $this->server->satellite_mode = 'vanilla'; - drush_log(dt('Vanilla mode detected -SAVE- NO file found @path.', array('@path' => '/data/conf/global.inc'))); - } - } - - function verify_server_cmd() { - // Find nginx executable. - if (provision_file()->exists('/usr/local/sbin/nginx')->status()) { - $path = "/usr/local/sbin/nginx"; - } - elseif (provision_file()->exists('/usr/sbin/nginx')->status()) { - $path = "/usr/sbin/nginx"; - } - elseif (provision_file()->exists('/usr/local/bin/nginx')->status()) { - $path = "/usr/local/bin/nginx"; - } - else { - return; - } - // Check if some nginx features are supported and save them for later. 
- $this->server->shell_exec($path . ' -V'); - $this->server->nginx_is_modern = preg_match("/nginx\/1\.((1\.(8|9|(1[0-9]+)))|((2|3|4|5|6|7|8|9|[1-9][0-9]+)\.))/", implode('', drush_shell_exec_output()), $match); - $this->server->nginx_has_http2 = preg_match("/http_v2_module/", implode('', drush_shell_exec_output()), $match); - $this->server->nginx_has_upload_progress = preg_match("/upload/", implode('', drush_shell_exec_output()), $match); - $this->server->nginx_has_gzip = preg_match("/http_gzip_static_module/", implode('', drush_shell_exec_output()), $match); - - // Use basic nginx configuration if this control file exists. - $nginx_config_mode_file = "/etc/nginx/basic_nginx.conf"; - if (provision_file()->exists($nginx_config_mode_file)->status()) { - $this->server->nginx_config_mode = 'basic'; - drush_log(dt('Basic Nginx Config Active -VERIFY- YES control file found @path.', array('@path' => $nginx_config_mode_file))); - } - else { - $this->server->nginx_config_mode = 'extended'; - drush_log(dt('Extended Nginx Config Active -VERIFY- NO control file found @path.', array('@path' => $nginx_config_mode_file))); - } - - // Check if there is php-fpm listening on unix socket, otherwise use port 9000 to connect - if (provision_file()->exists('/var/run/php5-fpm.sock')->status()) { - $this->server->phpfpm_mode = 'socket'; - drush_log(dt('PHP-FPM unix socket mode detected -VERIFY- YES socket found @path.', array('@path' => '/var/run/php5-fpm.sock'))); - } - else { - $this->server->phpfpm_mode = 'port'; - drush_log(dt('PHP-FPM port mode detected -VERIFY- NO socket found @path.', array('@path' => '/var/run/php5-fpm.sock'))); - } - - // Check if there is BOA specific global.inc file to enable extra Nginx locations - if (provision_file()->exists('/data/conf/global.inc')->status()) { - $this->server->satellite_mode = 'boa'; - drush_log(dt('BOA mode detected -VERIFY- YES file found @path.', array('@path' => '/data/conf/global.inc'))); - } - else { - $this->server->satellite_mode = 
'vanilla';
- drush_log(dt('Vanilla mode detected -VERIFY- NO file found @path.', array('@path' => '/data/conf/global.inc')));
- }
- }
-
- // Call the parent at the end. it will restart the server when it finishes.
- parent::verify_server_cmd();
- }
-
- /**
- * Restart/reload nginx to pick up the new config files.
- */
- function parse_configs() {
- return $this->restart();
- }
-}
diff --git a/http/Provision/Service/http/ssl.php b/http/Provision/Service/http/ssl.php
deleted file mode 100644
index 581c04db5dfb7bd766fe7f3413bfb3feb5376384..0000000000000000000000000000000000000000
--- a/http/Provision/Service/http/ssl.php
+++ /dev/null
@@ -1,288 +0,0 @@
-server->setProperty('http_ssl_port', $this->default_ssl_port());
-
- // SSL certificate store.
- // The certificates are generated from here, and distributed to the servers,
- // as needed.
- $this->server->ssld_path = "{$this->server->aegir_root}/config/ssl.d";
-
- // SSL certificate store for this server.
- // This server's certificates will be stored here.
- $this->server->http_ssld_path = "{$this->server->config_path}/ssl.d";
- $this->server->ssl_enabled = 1;
- $this->server->ssl_key = 'default';
- }
-
- function init_site() {
- parent::init_site();
-
- $this->context->setProperty('ssl_enabled', 0);
- $this->context->setProperty('ssl_key', NULL);
- $this->context->setProperty('ip_addresses', array());
- }
-
-
- function config_data($config = NULL, $class = NULL) {
- $data = parent::config_data($config, $class);
- $data['http_ssl_port'] = $this->server->http_ssl_port;
-
- if ($config == 'server') {
- // Generate a certificate for the default SSL vhost, and retrieve the
- // path to the cert and key files. It will be generated if not found.
- $certs = $this->get_certificates('default');
- $data = array_merge($data, $certs);
- }
-
- if ($config == 'site' && $this->context->ssl_enabled) {
- foreach ($this->context->ip_addresses as $server => $ip_address) {
- if ($server == $this->server->name || '@' . $server == $this->server->name) {
- $data['ip_address'] = $ip_address;
- break;
- }
- }
- if (!isset($data['ip_address'])) {
- drush_log(dt('No proper IP provided by the frontend for server %servername, using wildcard', array('%servername' => $this->server->name)), 'info');
- $data['ip_address'] = '*';
- }
- if ($this->context->ssl_enabled == 2) {
- $data['ssl_redirection'] = TRUE;
- $data['redirect_url'] = "https://{$this->context->uri}";
- }
-
- if ($ssl_key = $this->context->ssl_key) {
- // Retrieve the paths to the cert and key files.
- // they are generated if not found.
- $certs = $this->get_certificates($ssl_key); - $data = array_merge($data, $certs); - } - } - - return $data; - } - - /** - * Retrieve an array containing the actual files for this ssl_key. - * - * If the files could not be found, this function will proceed to generate - * certificates for the current site, so that the operation can complete - * succesfully. - */ - function get_certificates($ssl_key) { - $source_path = "{$this->server->ssld_path}/{$ssl_key}"; - $certs['ssl_cert_key_source'] = "{$source_path}/openssl.key"; - $certs['ssl_cert_source'] = "{$source_path}/openssl.crt"; - - foreach ($certs as $cert) { - $exists = provision_file()->exists($cert)->status(); - if (!$exists) { - // if any of the files don't exist, regenerate them. - $this->generate_certificates($ssl_key); - - // break out of the loop. - break; - } - } - - $path = "{$this->server->http_ssld_path}/{$ssl_key}"; - $certs['ssl_cert_key'] = "{$path}/openssl.key"; - $certs['ssl_cert'] = "{$path}/openssl.crt"; - - // If a certificate chain file exists, add it. - $chain_cert_source = "{$source_path}/openssl_chain.crt"; - if (provision_file()->exists($chain_cert_source)->status()) { - $certs['ssl_chain_cert_source'] = $chain_cert_source; - $certs['ssl_chain_cert'] = "{$path}/openssl_chain.crt"; - } - return $certs; - } - - /** - * Generate a self-signed certificate for that key. - * - * Because we only generate certificates for sites we make some assumptions - * based on the uri, but this cert may be replaced by the admin if they - * already have an existing certificate. 
- */ - function generate_certificates($ssl_key) { - $path = "{$this->server->ssld_path}/{$ssl_key}"; - - provision_file()->create_dir($path, - dt("SSL certificate directory for %ssl_key", array( - '%ssl_key' => $ssl_key - )), 0700); - - if (provision_file()->exists($path)->status()) { - drush_log(dt('generating 2048 bit RSA key in %path/', array('%path' => $path))); - /* - * according to RSA security and most sites I could read, 1024 - * was recommended until 2010-2015 and 2048 is now the - * recommended length for more sensitive data. we are therefore - * taking the safest route. - * - * http://www.javamex.com/tutorials/cryptography/rsa_key_length.shtml - * http://www.vocal.com/cryptography/rsa-key-size-selection/ - * https://en.wikipedia.org/wiki/Key_size#Key_size_and_encryption_system - * http://www.redkestrel.co.uk/Articles/CSR.html - */ - drush_shell_exec('openssl genrsa -out %s/openssl.key 2048', $path) - || drush_set_error('SSL_KEY_GEN_FAIL', dt('failed to generate SSL key in %path', array('%path' => $path . '/openssl.key'))); - - // Generate the CSR to make the key certifiable by third parties - $domain = $ssl_key == 'default' ? 'default.invalid' : $this->context->uri; - $ident = "/CN={$domain}/emailAddress=abuse@{$domain}"; - drush_shell_exec("openssl req -new -subj '%s' -key %s/openssl.key -out %s/openssl.csr -batch", $ident, $path, $path) - || drush_log(dt('failed to generate signing request for certificate in %path', array('%path' => $path . '/openssl.csr'))); - - // sign the certificate with itself, generating a self-signed - // certificate. this will make a SHA1 certificate by default in - // current OpenSSL. - drush_shell_exec("openssl x509 -req -days 365 -in %s/openssl.csr -signkey %s/openssl.key -out %s/openssl.crt", $path, $path, $path) - || drush_set_error('SSL_CERT_GEN_FAIL', dt('failed to generate self-signed certificate in %path', array('%path' => $path . 
'/openssl.crt'))); - } - } - - /** - * Assign the given site to a certificate to mark its usage. - * - * This is necessary for the backend to figure out when it's okay to - * remove certificates. - * - * Should never fail unless the receipt file cannot be created. - * - * @return the path to the receipt file if allocation succeeded - */ - static function assign_certificate_site($ssl_key, $site) { - $path = $site->data['server']->http_ssld_path . "/" . $ssl_key . "/" . $site->uri . ".receipt"; - drush_log(dt("registering site %site with SSL certificate %key with receipt file %path", array("%site" => $site->uri, "%key" => $ssl_key, "%path" => $path))); - if (touch($path)) { - return $path; - } - else { - return FALSE; - } - } - - /** - * Unallocate this certificate from that site. - * - * @return the path to the receipt file if removal was successful - */ - static function free_certificate_site($ssl_key, $site) { - if (empty($ssl_key)) return FALSE; - $ssl_dir = $site->platform->server->http_ssld_path . "/" . $ssl_key . "/"; - // Remove the file system reciept we left for this file - if (provision_file()->unlink($ssl_dir . $site->uri . ".receipt")-> - succeed(dt("Deleted SSL Certificate association receipt for %site on %server", array( - '%site' => $site->uri, - '%server' => $site->server->remote_host)))->status()) { - if (!Provision_Service_http_ssl::certificate_in_use($ssl_key, $site->server)) { - drush_log(dt("Deleting unused SSL directory: %dir", array('%dir' => $ssl_dir))); - _provision_recursive_delete($ssl_dir); - $site->server->sync($path); - } - return $path; - } - else { - return FALSE; - } - } - - /** - * Assign the certificate it's own distinct IP address for this server. - * - * Each certificate needs a unique IP address on each server in order - * to be able to be encrypted. - * - * This code uses the filesystem by touching a reciept file in the - * server's ssl.d directory. 
- * - * @deprecated this is now based the site URI - * @see assign_certificate_site() - */ - static function assign_certificate_ip($ssl_key, $server) { - return FALSE; - } - - /** - * Remove the certificate's lock on the server's public IP. - * - * This function will delete the receipt file left behind by - * the assign_certificate_ip script, allowing the IP to be used - * by other certificates. - * - * @deprecated this is now based on the site URI - * @see free_certificate_site() - */ - static function free_certificate_ip($ssl_key, $server) { - return FALSE; - } - - - /** - * Retrieve the status of a certificate on this server. - * - * This is primarily used to know when it's ok to remove the file. - * Each time a config file uses the key on the server, it touches - * a 'receipt' file, and every time the site stops using it, - * the receipt is removed. - * - * This function just checks if any of the files are still present. - */ - static function certificate_in_use($ssl_key, $server) { - $pattern = $server->http_ssld_path . "/$ssl_key/*.receipt"; - return sizeof(glob($pattern)); - } - - - /** - * Check for an existing record for this IP address. - * - * @deprecated we only use the URI-based allocation now - */ - static function get_ip_certificate($ip, $server) { - return FALSE; - } - - /** - * Verify server. - */ - function verify_server_cmd() { - if ($this->context->type === 'server') { - provision_file()->create_dir($this->server->ssld_path, dt("Central SSL certificate repository."), 0700); - - provision_file()->create_dir($this->server->http_ssld_path, - dt("SSL certificate repository for %server", - array('%server' => $this->server->remote_host)), 0700); - - $this->sync($this->server->http_ssld_path, array( - 'exclude' => $this->server->http_ssld_path . '/*', // Make sure remote directory is created - )); - $this->sync($this->server->http_ssld_path . '/default'); - } - - // Call the parent at the end. it will restart the server when it finishes. 
- parent::verify_server_cmd(); - } -}