diff --git a/tls-configuration.md b/tls-configuration.md
index 82b5be43732c814df7e0c35125f68528bf857a60..491e7a89c2f7e8dd728e781c9ca35f82c82eeecb 100644
--- a/tls-configuration.md
+++ b/tls-configuration.md
@@ -22,82 +22,82 @@ Changes performed:
 To reproduce the config:
 
 1. deploy certbot from the fork:
-```
-git clone https://github.com/certbot/certbot/
-cd certbot
-git remote add -f hpax https://github.com/hpax/certbot.git
-git checkout hpa/rfc-2136-cname-fix
-apt install python3-venv
-python3 -m venv ~/.virtualenv/certbot
-cd certbot
-~/.virtualenv/certbot/bin/pip3 install .
-cd ../certbot-dns-rfc2136
-~/.virtualenv/certbot/bin/pip3 install .
-```
+
+        git clone https://github.com/certbot/certbot/
+        cd certbot
+        git remote add -f hpax https://github.com/hpax/certbot.git
+        git checkout hpa/rfc-2136-cname-fix
+        apt install python3-venv
+        python3 -m venv ~/.virtualenv/certbot
+        cd certbot
+        ~/.virtualenv/certbot/bin/pip3 install .
+        cd ../certbot-dns-rfc2136
+        ~/.virtualenv/certbot/bin/pip3 install .
+
 1. configure a `/etc/letsencrypt/rfc2136-credentials.ini` file with the following content (e.g. on che), the `dns_rfc2136_name`, `dns_rfc2136_secret` and `dns_rfc2136_algorithm` parameters are magic and come from the DNS primary :
-```
-# Target DNS server
-#dns_rfc2136_server = ns2.riseup.net.
-1. https://github.com/certbot/certbot/issues/7871
-dns_rfc2136_server = 204.13.164.8
-1. Target DNS port
-dns_rfc2136_port = 53
-1. TSIG key name
-dns_rfc2136_name = che_ircd_key
-1. TSIG key secret
-dns_rfc2136_secret = [CENSORED]==
-1. TSIG key algorithm
-dns_rfc2136_algorithm = HMAC-SHA512
-```
+
+        # Target DNS server
+        #dns_rfc2136_server = ns2.riseup.net.
+        # https://github.com/certbot/certbot/issues/7871
+        dns_rfc2136_server = 204.13.164.8
+        # Target DNS port
+        dns_rfc2136_port = 53
+        # TSIG key name
+        dns_rfc2136_name = che_ircd_key
+        # TSIG key secret
+        dns_rfc2136_secret = [CENSORED]==
+        # TSIG key algorithm
+        dns_rfc2136_algorithm = HMAC-SHA512
+
 1. create the certificate:
-```
-~/.virtualenv/certbot/bin/certbot --dns-rfc2136-credentials /etc/letsencrypt/rfc2136-credentials.ini  certonly -d irc.indymedia.org --register-unsafely-without-email --dns-rfc2136 --reuse-key
-```
+
+        ~/.virtualenv/certbot/bin/certbot --dns-rfc2136-credentials /etc/letsencrypt/rfc2136-credentials.ini  certonly -d irc.indymedia.org --register-unsafely-without-email --dns-rfc2136 --reuse-key
+
 1. change permissions on the generated cert:
-```
-chown -R :ssl-cert /etc/letsencrypt/archive/
-chmod -R g+rX /etc/letsencrypt/archive/
-```
+
+        chown -R :ssl-cert /etc/letsencrypt/archive/
+        chmod -R g+rX /etc/letsencrypt/archive/
+
 1. add the cert to `/etc/charybdis/ircd.conf` and restart the ircd
-```
-service charybdis restart
-```
+
+        service charybdis restart
+
 1. extract the new SHA256 private key fingerprint:
-```
-certtool --pubkey-info --load-privkey /etc/letsencrypt/live/irc.indymedia.org/privkey.pem |  grep -i sha256 | grep -v pin-
-```
+
+        certtool --pubkey-info --load-privkey /etc/letsencrypt/live/irc.indymedia.org/privkey.pem |  grep -i sha256 | grep -v pin-
+
 1. add that key to the `connect` block on the other servers, and restarted those ircds:
-```
-service charybdis restart
-```
+
+        service charybdis restart
+
 1. create cronjob to use patched certbot for renewals:
-```
-cat > /etc/cron.daily/certbot-rfc2136 <<EOF
-1. We need to use our patched version of certbot to renew certs so that DNS-01
-1. challenges can be completed
-
-SHELL=/bin/sh
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-
-0 */12 * * * root /usr/local/bin/patched_certbot_renew
-EOF
-cat > /usr/local/bin/patched_certbot_renew <<EOF
-#!/bin/sh
-
-1. Use the patched certbot to renew certificates
-/root/.virtualenv/certbot/bin/certbot -q renew
-EOF
-chmod a+x /usr/local/bin/patched_certbot_renew
-```
+
+        cat > /etc/cron.daily/certbot-rfc2136 <<EOF
+        # We need to use our patched version of certbot to renew certs so that DNS-01
+        # challenges can be completed
+
+        SHELL=/bin/sh
+        PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+        0 */12 * * * root /usr/local/bin/patched_certbot_renew
+        EOF
+        cat > /usr/local/bin/patched_certbot_renew <<EOF
+        #!/bin/sh
+
+        # Use the patched certbot to renew certificates
+        /root/.virtualenv/certbot/bin/certbot -q renew
+        EOF
+        chmod a+x /usr/local/bin/patched_certbot_renew
+
 1. create renewal hook so that charybdis takes on the new certificates automatically
-```
-cat > /etc/letsencrypt/renewal-hooks/deploy/charybdis <<EOF
-#!/bin/sh
 
-/usr/sbin/service charybdis reload
-EOF
-chmod a+x /etc/letsencrypt/renewal-hooks/deploy/charybdis
-```
+        cat > /etc/letsencrypt/renewal-hooks/deploy/charybdis <<EOF
+        #!/bin/sh
+
+        /usr/sbin/service charybdis reload
+        EOF
+        chmod a+x /etc/letsencrypt/renewal-hooks/deploy/charybdis
+
 
 To configure a DNS primary server, the following command need to be issued: