diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9e4f2e02..3669a90a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,21 @@
 CHANGELOG
 =========
 
+In Development
+--------------
+
+System:
+
+* We now use EFF's `certbot` to provision TLS certificates (from Let's Encrypt) instead of our home-grown ACME library.
+
+Contacts/Calendar:
+
+* Fix for Mac OS X autoconfig of the calendar.
+
+Setup:
+
+* Installing Z-Push broke because of what looks like a change or problem in their git server HTTPS certificate. That's fixed.
+
 v0.27 (June 14, 2018)
 ---------------------
 
diff --git a/Vagrantfile b/Vagrantfile
index b4bcb257..0161ae0d 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -19,9 +19,12 @@ Vagrant.configure("2") do |config|
 config.vm.network "private_network", ip: "192.168.50.4"
 
 config.vm.provision :shell, :inline => <<-SH
- # Set environment variables so that the setup script does
- # not ask any questions during provisioning. We'll let the
- # machine figure out its own public IP.
+ # Set environment variables so that the setup script does
+ # not ask any questions during provisioning. We'll let the
+ # machine figure out its own public IP.
+ #
+ # Please note: NONINTERACTIVE=1 mode means that you'll automatically agree
+ # to Let's Encrypt's ACME Subscriber Agreement.
 export NONINTERACTIVE=1
 export PUBLIC_IP=auto
 export PUBLIC_IPV6=auto
diff --git a/conf/ios-profile.xml b/conf/ios-profile.xml
index 983b260d..f2011a4e 100644
--- a/conf/ios-profile.xml
+++ b/conf/ios-profile.xml
@@ -18,8 +18,6 @@
 PRIMARY_HOSTNAME
 CalDAVPort
 443
- CalDAVPrincipalURL
- /cloud/remote.php/caldav/calendars/
 CalDAVUseSSL
 PayloadDescription
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index bd5d7982..76b0f8fa 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -142,17 +142,17 @@ def get_ssl_certificates(env):
 return ret
 
 def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False, use_main_cert=True):
- # I moved the system_certificate declaration here, since otherwise we get a
- # "local variable 'system_certificate' referenced before assignment" error in the
- # elif not allow_missing_cert block
- ssl_private_key = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_private_key.pem'))
- ssl_certificate = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_certificate.pem'))
- system_certificate = {
- "private-key": ssl_private_key,
- "certificate": ssl_certificate,
- "primary-domain": env['PRIMARY_HOSTNAME'],
- "certificate_object": load_pem(load_cert_chain(ssl_certificate)[0]),
- }
+ if use_main_cert or not allow_missing_cert:
+ # Get the system certificate info.
+ ssl_private_key = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_private_key.pem'))
+ ssl_certificate = os.path.join(os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_certificate.pem'))
+ system_certificate = {
+ "private-key": ssl_private_key,
+ "certificate": ssl_certificate,
+ "primary-domain": env['PRIMARY_HOSTNAME'],
+ "certificate_object": load_pem(load_cert_chain(ssl_certificate)[0]),
+ }
+
 if use_main_cert:
 if domain == env['PRIMARY_HOSTNAME']:
 # The primary domain must use the server certificate because
@@ -226,7 +226,7 @@ def get_certificates_to_provision(env, limit_domains=None, show_valid_certs=True
 # DNS is all good.
 
 # Check for a good existing cert.
- existing_cert = get_domain_ssl_files(domain, existing_certs, env, use_main_cert=False)
+ existing_cert = get_domain_ssl_files(domain, existing_certs, env, use_main_cert=False, allow_missing_cert=True)
 if existing_cert:
 existing_cert_check = check_certificate(domain, existing_cert['certificate'], existing_cert['private-key'],
 warn_if_expiring_soon=14)
diff --git a/setup/start.sh b/setup/start.sh
index 86b34c8e..b13e80ca 100755
--- a/setup/start.sh
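Review bot: `system_certificate` is now bound only inside the new `if use_main_cert or not allow_missing_cert:` guard, so every later reference to it in `get_domain_ssl_files` (whose body continues past the hunk) must sit under exactly that predicate or it fails with `UnboundLocalError`, the very error the removed comment describes. Binding it before the guard makes the contract explicit and the failure legible: `system_certificate = None  # populated only when the system cert may be returned or its absence is fatal`. The `load_cert_chain(ssl_certificate)` call inside the guard reads and parses `ssl_certificate.pem` eagerly, which is presumably why the call site in the second hunk now passes `allow_missing_cert=True` together with `use_main_cert=False` to skip the block entirely; a one-line comment stating that would spare the next reader the inference. The outer `os.path.join(...)` on both path lines wraps a single argument and is a no-op; `os.path.join(env["STORAGE_ROOT"], 'ssl', 'ssl_private_key.pem')` is the same path.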
+++ b/setup/start.sh
@@ -139,7 +139,8 @@ echo "Mail-in-a-Box uses Let's Encrypt to provision free certificates"
 echo "to enable HTTPS connections to your box. You'll now be asked to agree"
 echo "to Let's Encrypt's terms of service."
 echo
-certbot register --register-unsafely-without-email --config-dir $STORAGE_ROOT/ssl/lets_encrypt
+certbot register $([ "$NONINTERACTIVE" == 1 ] && echo "--agree-tos") \
+ --register-unsafely-without-email --config-dir $STORAGE_ROOT/ssl/lets_encrypt
 fi
 
 # Done.
diff --git a/setup/zpush.sh b/setup/zpush.sh
index eac3a0a0..66bacbaf 100755
--- a/setup/zpush.sh
+++ b/setup/zpush.sh
@@ -23,6 +23,7 @@ phpenmod -v php7.0 imap
 
 # Copy Z-Push into place.
 VERSION=2.3.9
+TARGETHASH=60087b97e4b1c73db096e252cf893c75df556907
 needs_update=0 #NODOC
 if [ ! -f /usr/local/lib/z-push/version ]; then
 needs_update=1 #NODOC
@@ -31,13 +32,12 @@ elif [[ $VERSION != `cat /usr/local/lib/z-push/version` ]]; then
 needs_update=1 #NODOC
 fi
 if [ $needs_update == 1 ]; then
+ wget_verify http://download.z-push.org/final/2.3/z-push-$VERSION.tar.gz $TARGETHASH /tmp/z-push.tar.gz
+
 rm -rf /usr/local/lib/z-push
-
- git_clone https://stash.z-hub.io/scm/zp/z-push.git $VERSION '' /tmp/z-push
-
- mkdir /usr/local/lib/z-push
- cp -r /tmp/z-push/src/* /usr/local/lib/z-push
- rm -rf /tmp/z-push
+ tar -xzf /tmp/z-push.tar.gz -C /usr/local/lib/
+ rm /tmp/z-push.tar.gz
+ mv /usr/local/lib/z-push-$VERSION /usr/local/lib/z-push
 
 rm -f /usr/sbin/z-push-{admin,top}
 ln -s /usr/local/lib/z-push/z-push-admin.php /usr/sbin/z-push-admin
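Review bot: The `$([ "$NONINTERACTIVE" == 1 ] && echo "--agree-tos")` substitution on the new `certbot register` line hides the automatic acceptance of the Let's Encrypt subscriber agreement inside an unquoted command substitution, and the unquoted `$STORAGE_ROOT/ssl/lets_encrypt` carried over from the old line still word-splits on a path containing spaces. An argument array keeps the conditional readable and the quoting correct: `args=(--register-unsafely-without-email --config-dir "$STORAGE_ROOT/ssl/lets_encrypt")`, `if [ "$NONINTERACTIVE" == 1 ]; then args+=(--agree-tos); fi`, `certbot register "${args[@]}"`. The `echo` lines just above still tell a non-interactive run that it will be asked to agree, so a comment on the new line, `# NONINTERACTIVE=1 implies --agree-tos; the prompt announced above is skipped`, would record the behaviour the Vagrantfile comment in this commit relies on. The enclosing `if` block opens before the hunk.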
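Review bot: In the second zpush.sh hunk, `rm -rf /usr/local/lib/z-push` runs before the added `tar` and `mv` lines have succeeded, so a corrupt archive or a tarball whose top-level directory is not `z-push-$VERSION` leaves the box with no Z-Push at all rather than the previous install; unpacking into a scratch directory and swapping it in only on success avoids that, and `mktemp -d` also replaces the fixed `/tmp/z-push.tar.gz` path in a shared directory. The download is plain `http://`, so the pinned `$TARGETHASH` (defined next to `VERSION` in the first hunk) is the only integrity check on the archive; a comment beside it, `# Must be refreshed together with VERSION; the archive is fetched over HTTP and only this digest (checked by wget_verify) protects it`, makes that coupling visible. Whether `wget_verify` aborts the script on a mismatch is not visible here and is worth confirming, since the `rm -rf` below it is unconditional.
```shell
if [ $needs_update == 1 ]; then
	tmp=$(mktemp -d)
	wget_verify http://download.z-push.org/final/2.3/z-push-$VERSION.tar.gz $TARGETHASH "$tmp/z-push.tar.gz"
	tar -xzf "$tmp/z-push.tar.gz" -C "$tmp"
	# Replace the old install only once the new tree is unpacked.
	rm -rf /usr/local/lib/z-push
	mv "$tmp/z-push-$VERSION" /usr/local/lib/z-push
	rm -rf "$tmp"
	# … unchanged: z-push-admin / z-push-top symlinks …
```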