diff --git a/app/Console/Commands/WizardDomains.php b/app/Console/Commands/WizardDomains.php
index 76a7048..9ba2980 100644
--- a/app/Console/Commands/WizardDomains.php
+++ b/app/Console/Commands/WizardDomains.php
@@ -86,8 +86,12 @@ class WizardDomains extends Command
             }
         }
 
-        file_put_contents(self::STATE_DIR . '/done', $helperOk ? '1' : '0');
-        Setting::set('ssl_configured', $helperOk ? '1' : '0');
+        // Shell-Script schreibt done bereits vor dem nginx-Switch — nicht überschreiben
+        $alreadyDone = trim((string) @file_get_contents(self::STATE_DIR . '/done')) === '1';
+        if (!$alreadyDone) {
+            file_put_contents(self::STATE_DIR . '/done', $helperOk ? '1' : '0');
+        }
+        Setting::set('ssl_configured', ($helperOk || $alreadyDone) ? '1' : '0');
 
         // SESSION_SECURE_COOKIE wird nicht automatisch gesetzt —
         // nginx leitet HTTP→HTTPS weiter, Secure-Flag wird im Admin gesetzt
diff --git a/installer.sh b/installer.sh
index 612f35c..ebd90ae 100644
--- a/installer.sh
+++ b/installer.sh
@@ -739,6 +739,7 @@ server {
   location / { try_files \$uri \$uri/ /index.php?\$query_string; }
   location ~ \.php\$ {
     include snippets/fastcgi-php.conf;
+    fastcgi_param HTTPS on;
     fastcgi_pass unix:${PHP_FPM_SOCK};
   }
   location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
@@ -765,6 +766,7 @@ server {
   location / { try_files \$uri \$uri/ /index.php?\$query_string; }
   location ~ \.php\$ {
     include snippets/fastcgi-php.conf;
+    fastcgi_param HTTPS on;
     fastcgi_pass unix:${PHP_FPM_SOCK};
   }
   location ^~ /livewire/ { try_files \$uri /index.php?\$query_string; }
@@ -774,6 +776,17 @@ CONF
 fi
 ) > "${NGINX_SITE}"
 
+# State-Dateien VOR dem nginx-Switch schreiben damit der Browser
+# noch über HTTP redirecten kann bevor nginx auf HTTPS wechselt
+STATE_DIR="/var/lib/mailwolt/wizard"
+if [ -d "${STATE_DIR}" ]; then
+  for k in ui mail webmail; do
+    [ -f "${STATE_DIR}/${k}" ] && printf "done" > "${STATE_DIR}/${k}"
+  done
+  printf "1" > "${STATE_DIR}/done"
+  sleep 6  # 3 Poll-Zyklen (à 2s) — Browser hat Zeit zu redirecten
+fi
+
 nginx -t && systemctl reload nginx
 HELPER
 chmod 755 /usr/local/sbin/mailwolt-apply-domains