diff --git a/README.md b/README.md
index a9d68a61d858e791010d107a2dd33d9fc03b0df6..db846d8ae6244bb1f03bbf42390cec5bbb81104b 100644
--- a/README.md
+++ b/README.md
@@ -100,11 +100,11 @@ For any option that takes a file path as a parameter (e.g. SSH signing key, TLS
 - A [Vault](https://www.vaultproject.io) path + key starting with `/vault/` e.g. `/vault/secret/cashier/ssh_signing_key`. You should add a [vault](#vault) config as needed.
 
 ## server
-- `use_tls` : boolean. If this is set then `tls_key` and `tls_cert` are required.
+- `use_tls` : boolean. If this is set then either `tls_key` and `tls_cert` are required, or `letsencrypt_servername` is required.
 - `tls_key` : string. Path to the TLS key. See the [note](#a-note-on-files) on files above.
 - `tls_cert` : string. Path to the TLS cert. See the [note](#a-note-on-files) on files above.
 - `letsencrypt_servername`: string. If set will request a certificate from LetsEncrypt. This should match the expected FQDN of the server.
-- `letsencrypt_cachedir: string. Directory to cache the LetsEncrypt certificate.
+- `letsencrypt_cachedir`: string. Directory to cache the LetsEncrypt certificate.
 - `address` : string. IP address to listen on. If unset the server listens on all addresses.
 - `port` : int. Port to listen on.
 - `user` : string. User to which the server drops privileges to.
diff --git a/cmd/cashierd/main.go b/cmd/cashierd/main.go
index 52b6a8b9548bb6cc15978a64831c4d8c47522b76..fb67a36685f2e8077b2d587fd3eb10b4592987bc 100644
--- a/cmd/cashierd/main.go
+++ b/cmd/cashierd/main.go
@@ -357,6 +357,9 @@ func main() {
 			}
 			tlsConfig.GetCertificate = m.GetCertificate
 		} else {
+			if conf.Server.TLSCert == "" || conf.Server.TLSKey == "" {
+				log.Fatal("TLS cert or key not specified in config")
+			}
 			tlsConfig.Certificates = make([]tls.Certificate, 1)
 			tlsConfig.Certificates[0], err = loadCerts(conf.Server.TLSCert, conf.Server.TLSKey)
 			if err != nil {