diff --git a/bin/goldilocks.js b/bin/goldilocks.js
index c03e12b..21717de 100755
--- a/bin/goldilocks.js
+++ b/bin/goldilocks.js
@@ -30,6 +30,8 @@ function mergeSettings(orig, changes) {
 function fixRawConfig(config) {
   var updated = false;
 
+  // First converge all of the `bind` properties for protocols that are on top
+  // of TCP to `tcp.bind`.
   if (config.tcp && config.tcp.bind && !Array.isArray(config.tcp.bind)) {
     config.tcp.bind = [ config.tcp.bind ];
     updated = true;
@@ -47,12 +49,47 @@ function fixRawConfig(config) {
     updated = true;
   }
 
+  // Then we rename dns to udp since the only thing we currently do with those
+  // modules is proxy the packets without inspecting them at all.
   if (config.dns) {
     config.udp = config.dns;
     delete config.dns;
     updated = true;
   }
 
+  // This we take the old way of defining ACME options and put them into a tls module.
+  if (config.tls) {
+    var oldPropMap = {
+      email:              'email'
+    , acme_directory_url: 'server'
+    , challenge_type:     'challenge_type'
+    , servernames:        'approved_domains'
+    };
+    if (Object.keys(oldPropMap).some(config.tls.hasOwnProperty, config.tls)) {
+      updated = true;
+      if (config.tls.acme) {
+        console.warn('TLS config has `acme` field and old style definitions');
+      } else {
+        config.tls.acme = {};
+        Object.keys(oldPropMap).forEach(function (oldKey) {
+          if (config.tls[oldKey]) {
+            config.tls.acme[oldPropMap[oldKey]] = config.tls[oldKey];
+          }
+        });
+      }
+    }
+    if (config.tls.acme) {
+      updated = true;
+      config.tls.acme.domains = config.tls.acme.approved_domains;
+      delete config.tls.acme.approved_domains;
+      config.tls.modules = config.tls.modules || [];
+      config.tls.modules.push(Object.assign({}, config.tls.acme, {type: 'acme'}));
+      delete config.tls.acme;
+    }
+  }
+
+  // Then we make sure all modules have an ID and type, and makes sure all domains
+  // are in the right spot and also have an ID.
   function updateModules(list) {
     if (!Array.isArray(list)) {
       return;
@@ -100,9 +137,9 @@ function fixRawConfig(config) {
       }
 
       var newDom = {
-        id:    crypto.randomBytes(4).toString('hex'),
-        names: dom.names,
-        modules: {}
+        id:    crypto.randomBytes(4).toString('hex')
+      , names: dom.names
+      , modules: {}
       };
       newDom.modules[name] = dom.modules;
       config.domains.push(newDom);
diff --git a/lib/admin/config.js b/lib/admin/config.js
index 26dcbb7..9cdb3a9 100644
--- a/lib/admin/config.js
+++ b/lib/admin/config.js
@@ -43,9 +43,9 @@ var moduleSchemas = {
     type: 'object'
   , required: [ 'email' ]
   , properties: {
-      email:         { type: 'string' }
-    , server:        { type: 'string' }
-    , challengeType: { type: 'string' }
+      email:          { type: 'string' }
+    , server:         { type: 'string' }
+    , challenge_type: { type: 'string' }
     }
   }
 };
@@ -120,21 +120,10 @@ var tlsSchema = {
 , properties: {
     modules: { type: 'array', items: addDomainRequirement({ oneOf: moduleRefs.tls }) }
 
-  , acme: {
-      type: 'object'
-      // These properties should be snake_case to match the API and config format
-    , required: [ 'email', 'approved_domains' ]
-    , properties: {
-        email:            { type: 'string' }
-      , server:           { type: 'string' }
-      , challenge_type:   { type: 'string' }
-      , approved_domains: { type: 'array', items: { type: 'string' }, minLength: 1}
-
-        // these are forbidden deprecated settings.
-      , bind:    { not: {} }
-      , domains: { not: {} }
-      }
-    }
+    // these are forbidden deprecated settings.
+  , acme:    { not: {} }
+  , bind:    { not: {} }
+  , domains: { not: {} }
   }
 };
 
@@ -273,8 +262,8 @@ class DomainList extends IdList {
     this._itemName = 'domain';
     this.forEach(function (dom) {
       dom.modules = {
-        http: new ModuleList((dom.modules || {}).http),
-        tls:  new ModuleList((dom.modules || {}).tls),
+        http: new ModuleList((dom.modules || {}).http)
+      , tls:  new ModuleList((dom.modules || {}).tls)
       };
     });
   }
@@ -288,8 +277,8 @@ class DomainList extends IdList {
     }
 
     var modLists = {
-      http: new ModuleList(),
-      tls:  new ModuleList()
+      http: new ModuleList()
+    , tls:  new ModuleList()
     };
     if (dom.modules && Array.isArray(dom.modules.http)) {
       dom.modules.http.forEach(modLists.http.add, modLists.http);
diff --git a/lib/modules/tls.js b/lib/modules/tls.js
index 0c30936..2b9a614 100644
--- a/lib/modules/tls.js
+++ b/lib/modules/tls.js
@@ -174,26 +174,6 @@ module.exports.create = function (deps, config, netHandler) {
         return;
       }
 
-      var defAcmeConf;
-      if (config.tls.acme) {
-        defAcmeConf = config.tls.acme;
-      } else {
-        defAcmeConf = {
-          email: config.tls.email
-        , server: config.tls.acmeDirectoryUrl || le.server
-        , challengeType: config.tls.challengeType || le.challengeType
-        , approvedDomains: config.tls.servernames
-        };
-      }
-
-      // Check config for domain name
-      // TODO: if `approvedDomains` isn't defined check all other modules to see if they can
-      // handle this domain (and what other domains it's grouped with).
-      if (-1 !== (defAcmeConf.approvedDomains || []).indexOf(opts.domain)) {
-        complete(defAcmeConf, defAcmeConf.approvedDomains);
-        return;
-      }
-
       cb(new Error('domain is not allowed'));
     }
   });