diff --git a/.gitignore b/.gitignore
index 491047c3521c..23ea78d931b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,7 @@
 *.pyc
 .*.swp
+.*.swo
+.*.swn
 .DS_Store
 _trial_temp/
diff --git a/synapse/app/homeserver.py b/synapse/app/homeserver.py
index 081e7cce5998..ab58a00af459 100755
--- a/synapse/app/homeserver.py
+++ b/synapse/app/homeserver.py
@@ -114,7 +114,7 @@ def _listener_http(self, config, listener_config):
 site_tag = listener_config.get("tag", port)
 if tls and config.no_tls:
- return
+ raise RuntimeError('Listener is configured with tls enabled, but no_tls is set')
 resources = {}
 for res in listener_config["resources"]:
@@ -307,7 +307,10 @@ def setup(config_options):
 events.USE_FROZEN_DICTS = config.use_frozen_dicts
- tls_server_context_factory = context_factory.ServerContextFactory(config)
+ if config.no_tls:
+ tls_server_context_factory = None
+ else:
+ tls_server_context_factory = context_factory.ServerContextFactory(config)
 database_engine = create_engine(config.database_config)
 config.database_config["args"]["cp_openfun"] = database_engine.on_new_connection
diff --git a/synapse/config/tls.py b/synapse/config/tls.py
index e081840a83a8..cf2cb43eb8da 100644
--- a/synapse/config/tls.py
+++ b/synapse/config/tls.py
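Review bot: The RuntimeError raised in `_listener_http` when `tls` is set alongside `config.no_tls` does not say which listener is at fault, although `port` is in scope on the `site_tag` line just above; including it makes the failure actionable for an operator running several listeners, e.g. `raise RuntimeError("Listener on port %s is configured with tls enabled, but no_tls is set" % (port,))`. Raising here also surfaces the conflict only when listeners are set up rather than when the config is read; if the listener config is reachable from `TlsConfig`, a config-time check would fail earlier, but that cannot be seen from this hunk. `_listener_http` starts before the hunk and continues after it.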
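Review bot: `tls_server_context_factory = None` in `setup` introduces a sentinel that downstream code must tolerate, and nothing in the hunk shows where the factory is consumed; the only visible guard is the `tls and config.no_tls` check in `_listener_http` in the earlier hunk. A comment on the `if config.no_tls:` branch would make that contract explicit, e.g. `# no_tls: no server TLS context; tls-enabled listeners are rejected in _listener_http`. Whether any other consumer of the factory handles None cannot be determined from here. `setup` starts before the hunk and continues after it.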
@@ -27,36 +27,37 @@ class TlsConfig(Config):
 def read_config(self, config):
- self.tls_certificate = self.read_tls_certificate(
- config.get("tls_certificate_path")
- )
- self.tls_certificate_file = config.get("tls_certificate_path")
- self.no_tls = config.get("no_tls", False)
 if self.no_tls:
 self.tls_private_key = None
+ self.tls_certificate = None
 else:
+ self.tls_certificate = self.read_tls_certificate(
+ config.get("tls_certificate_path")
+ )
+ self.tls_certificate_file = config.get("tls_certificate_path")
+ self.tls_private_key = self.read_tls_private_key(
 config.get("tls_private_key_path")
 )
- self.tls_dh_params_path = self.check_file(
- config.get("tls_dh_params_path"), "tls_dh_params"
- )
+ self.tls_dh_params_path = self.check_file(
+ config.get("tls_dh_params_path"), "tls_dh_params"
+ )
- self.tls_fingerprints = config["tls_fingerprints"]
+ self.tls_fingerprints = config["tls_fingerprints"]
- # Check that our own certificate is included in the list of fingerprints
- # and include it if it is not.
- x509_certificate_bytes = crypto.dump_certificate(
- crypto.FILETYPE_ASN1,
- self.tls_certificate
- )
- sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest())
- sha256_fingerprints = set(f["sha256"] for f in self.tls_fingerprints)
- if sha256_fingerprint not in sha256_fingerprints:
- self.tls_fingerprints.append({u"sha256": sha256_fingerprint})
+ # Check that our own certificate is included in the list of fingerprints
+ # and include it if it is not.
+ x509_certificate_bytes = crypto.dump_certificate(
+ crypto.FILETYPE_ASN1,
+ self.tls_certificate
+ )
+ sha256_fingerprint = encode_base64(sha256(x509_certificate_bytes).digest())
+ sha256_fingerprints = set(f["sha256"] for f in self.tls_fingerprints)
+ if sha256_fingerprint not in sha256_fingerprints:
+ self.tls_fingerprints.append({u"sha256": sha256_fingerprint})
 # This config option applies to non-federation HTTP clients
 # (e.g. for talking to recaptcha, identity servers, and such)
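Review bot: When `no_tls` is set, `read_config` now assigns only `tls_private_key` and `tls_certificate` (both `None`); the re-added `tls_certificate_file`, `tls_dh_params_path` and `tls_fingerprints` lines appear to have moved into the `else:` branch (their text is unchanged, so only indentation differs), so under `no_tls` those attributes are never set and any reader gets an AttributeError instead of a "not configured" value. The v1 and v2 key resources in this commit work around that with their own `no_tls` branches (the server_key_resource.py and local_key_resource.py hunks). Assigning `self.tls_certificate_file = None`, `self.tls_dh_params_path = None` and `self.tls_fingerprints = []` in the `if self.no_tls:` branch gives every consumer a defined value and would let the v2 resource drop its branch. Whether anything else reads `tls_dh_params_path` under `no_tls` is not visible here; `read_config` continues past the end of the hunk.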
@@ -114,7 +115,7 @@ def default_config(self, config_dir_path, server_name, **kwargs):
 """ % locals()
 def read_tls_certificate(self, cert_path):
- cert_pem = self.read_file(cert_path, "tls_certificate")
+ cert_pem = self.read_file(cert_path, "tls_certificate_path")
 return crypto.load_certificate(crypto.FILETYPE_PEM, cert_pem)
 def read_tls_private_key(self, private_key_path):
diff --git a/synapse/rest/key/v1/server_key_resource.py b/synapse/rest/key/v1/server_key_resource.py
index bd4fea57742f..f8c2fcaca8c3 100644
--- a/synapse/rest/key/v1/server_key_resource.py
+++ b/synapse/rest/key/v1/server_key_resource.py
@@ -63,14 +63,18 @@ def response_json_object(server_config):
 key_id = "%s:%s" % (key.alg, key.version)
 verify_keys[key_id] = encode_base64(verify_key_bytes)
- x509_certificate_bytes = crypto.dump_certificate(
- crypto.FILETYPE_ASN1,
- server_config.tls_certificate
- )
+ if server_config.no_tls:
+ x509_b64 = u""
+ else:
+ x509_certificate_bytes = crypto.dump_certificate(
+ crypto.FILETYPE_ASN1,
+ server_config.tls_certificate
+ )
+ x509_b64 = encode_base64(x509_certificate_bytes)
 json_object = {
 u"server_name": server_config.server_name,
 u"verify_keys": verify_keys,
- u"tls_certificate": encode_base64(x509_certificate_bytes)
+ u"tls_certificate": x509_b64
 }
 for key in server_config.signing_key:
 json_object = sign_json(
diff --git a/synapse/rest/key/v2/local_key_resource.py b/synapse/rest/key/v2/local_key_resource.py
index be68d9a0969a..963d6c08c26d 100644
--- a/synapse/rest/key/v2/local_key_resource.py
+++ b/synapse/rest/key/v2/local_key_resource.py
@@ -91,7 +91,10 @@ def response_json_object(self):
 u"expired_ts": key.expired_ts,
 }
- tls_fingerprints = self.config.tls_fingerprints
+ if self.config.no_tls:
+ tls_fingerprints = []
+ else:
+ tls_fingerprints = self.config.tls_fingerprints
 json_object = {
 u"valid_until_ts": self.valid_until_ts,
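Review bot: With `no_tls` set, `response_json_object` in server_key_resource.py still emits the `tls_certificate` field but with `x509_b64 = u""`, a value that is not a base64-encoded DER certificate; whether consumers of this v1 key response tolerate an empty string rather than an absent key cannot be determined from the hunk, and the v2 resource in the same commit signals the same state differently, with an empty `tls_fingerprints` list. If the field may be omitted, leaving it out under `no_tls` is the cleaner signal; otherwise document the sentinel where it is set, e.g. `x509_b64 = u""  # no_tls: no certificate to advertise; empty string keeps the field present`. `response_json_object` starts before the hunk and continues after it.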