diff --git a/README.md b/README.md
index 3614169..1361067 100644
--- a/README.md
+++ b/README.md
@@ -1,11 +1,8 @@
-# fmsg-webapi
-
 [![Build & Test](https://github.com/markmnl/fmsg-webapi/actions/workflows/build-test.yml/badge.svg)](https://github.com/markmnl/fmsg-webapi/actions/workflows/build-test.yml)
-HTTP API providing user/client message handling for an fmsg host. Exposes CRUD
-operations for a messaging datastore backed by PostgreSQL. Authentication is
-delegated to an external system — this service validates JWT tokens and enforces
-fine-grained authorisation rules based on the user identity they contain.
+# fmsg-webapi
+
+HTTP API providing user/client message handling for an fmsg host. Exposes CRUD operations for a messaging datastore backed by PostgreSQL. Authentication is delegated to an external system — this service validates JWT tokens and enforces fine-grained authorisation rules based on the user identity they contain.
 ## Environment Variables
@@ -17,7 +14,6 @@ fine-grained authorisation rules based on the user identity they contain.
 | `FMSG_TLS_KEY` | *(optional)* | Path to the TLS private key file (e.g. `/etc/letsencrypt/live/example.com/privkey.pem`). Must be set together with `FMSG_TLS_CERT`. |
 | `FMSG_API_PORT` | `8000` | TCP port for plain HTTP mode (ignored when TLS is enabled) |
 | `FMSG_ID_URL` | `http://127.0.0.1:8080` | Base URL of the fmsgid identity service |
-| `FMSG_ACME_DIR` | `/var/www/letsencrypt` | Directory containing `.well-known/acme-challenge` for Let's Encrypt certificate renewal (TLS mode only) |
 Standard PostgreSQL environment variables (`PGHOST`, `PGPORT`, `PGUSER`, `PGPASSWORD`, `PGDATABASE`) are used for database connectivity.
@@ -45,9 +41,7 @@ go test ./...
 ### TLS mode (production)
-Set `FMSG_TLS_CERT` and `FMSG_TLS_KEY` to enable HTTPS on port `443`. A plain
-HTTP server on port `80` serves Let's Encrypt ACME challenges from `FMSG_ACME_DIR`
-(default `/var/www/letsencrypt`) and redirects all other requests to HTTPS.
+Set `FMSG_TLS_CERT` and `FMSG_TLS_KEY` to enable HTTPS on port `443`.
 ```bash
 export FMSG_DATA_DIR=/opt/fmsg/data
diff --git a/src/main.go b/src/main.go
index 143c295..e36a02d 100644
--- a/src/main.go
+++ b/src/main.go
@@ -4,9 +4,7 @@ import (
 "context"
 "encoding/base64"
 "log"
- "net/http"
 "os"
- "path/filepath"
 "strings"
 "github.com/gin-gonic/gin"
@@ -79,22 +77,6 @@ func main() {
 }
 if tlsEnabled {
- // Start HTTP server on port 80 for ACME challenges and HTTPS redirect.
- acmeDir := envOrDefault("FMSG_ACME_DIR", "/var/www/letsencrypt")
- httpRouter := gin.New()
- httpRouter.Use(gin.Recovery())
- httpRouter.Static("/.well-known/acme-challenge", filepath.Join(acmeDir, ".well-known", "acme-challenge"))
- httpRouter.NoRoute(func(c *gin.Context) {
- target := "https://" + c.Request.Host + c.Request.RequestURI
- c.Redirect(http.StatusMovedPermanently, target)
- })
- go func() {
- if err := http.ListenAndServe(":80", httpRouter); err != nil {
- log.Fatalf("HTTP :80 server error: %v", err)
- }
- }()
- log.Println("listening on :80 (ACME + HTTPS redirect)")
-
 log.Println("fmsg-webapi starting on :443")
 if err = router.RunTLS(":443", tlsCert, tlsKey); err != nil {
 log.Fatalf("server error: %v", err)
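Review bot: After this hunk nothing in TLS mode listens on port 80 any more, so a plain-HTTP client that previously received the 301 to HTTPS from the removed NoRoute handler now gets a refused connection, and ACME HTTP-01 challenges have to be answered by something outside this process; the surviving `if tlsEnabled {` branch does not say so. I would add above `log.Println("fmsg-webapi starting on :443")` the comment `// TLS mode serves :443 only; ACME challenges and any HTTP->HTTPS redirect must be provided outside this process (reverse proxy or the ACME client's own listener).` The README's new TLS section earlier in this diff drops the renewal description without replacing it, so the same expectation belongs there too. main's body begins and ends outside the hunk.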