diff --git a/cmd/hello/hello.go b/cmd/hello/hello.go
index 710de49cd..2c3954fc7 100644
--- a/cmd/hello/hello.go
+++ b/cmd/hello/hello.go
@@ -9,7 +9,6 @@ import (
 	"crypto/tls"
 	_ "embed"
 	"encoding/json"
-	"errors"
 	"flag"
 	"html/template"
 	"log"
@@ -76,22 +75,7 @@ func main() {
 			hs := &http.Server{
 				Addr: *httpsAddr,
 				TLSConfig: &tls.Config{
-					GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-						switch hi.ServerName {
-						case "hello.ts.net":
-							return localClient.GetCertificate(hi)
-						case "hello.ipn.dev":
-							c, err := tls.LoadX509KeyPair(
-								"/etc/hello/hello.ipn.dev.crt",
-								"/etc/hello/hello.ipn.dev.key",
-							)
-							if err != nil {
-								return nil, err
-							}
-							return &c, nil
-						}
-						return nil, errors.New("invalid SNI name")
-					},
+					GetCertificate: localClient.GetCertificate,
 				},
 				IdleTimeout:       30 * time.Second,
 				ReadHeaderTimeout: 20 * time.Second,
@@ -155,8 +139,7 @@ func tailscaleIP(who *apitype.WhoIsResponse) string {
 func root(w http.ResponseWriter, r *http.Request) {
 	if r.TLS == nil && *httpsAddr != "" {
 		host := r.Host
-		if strings.Contains(r.Host, "100.101.102.103") ||
-			strings.Contains(r.Host, "hello.ipn.dev") {
+		if strings.Contains(r.Host, "100.101.102.103") {
 			host = "hello.ts.net"
 		}
 		http.Redirect(w, r, "https://"+host, http.StatusFound)
@@ -166,10 +149,6 @@ func root(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/", http.StatusFound)
 		return
 	}
-	if r.TLS != nil && *httpsAddr != "" && strings.Contains(r.Host, "hello.ipn.dev") {
-		http.Redirect(w, r, "https://hello.ts.net", http.StatusFound)
-		return
-	}
 	tmpl, err := getTmpl()
 	if err != nil {
 		w.Header().Set("Content-Type", "text/plain")