diff --git a/hbd b/hbd
index 4e19e8e..6bc1962 100755
--- a/hbd
+++ b/hbd
@@ -2,13 +2,15 @@
 # $Id: hbd,v 1.38 2013/07/14 02:25:05 andreas Exp $
 # Wait for heartbeat messages and act on them (or their absence)
 #
-VER = 4.1
+VER = 4.2
 import time
 import os
 import string
 import sys
 import socket
+import ssl
+import pathlib
 import atexit
 import select
 import socketserver
@@ -36,6 +38,9 @@ from subprocess import Popen, STDOUT, PIPE
 #from hbdclass import *
 import hbdclass
+CERT_PATH="/usr/local/etc/letsencrypt/live/w02.wrede.ca/"
+WSS_PEM = CERT_PATH + "fullchain.pem"
+WSS_KEY = CERT_PATH + "privkey.pem"
 NSUPDATE_BIN = "/usr/local/bin/nsupdate"
 # override in .hbrc possible
@@ -59,6 +64,7 @@ PORT = 50003
 TPORT = 50004
 THOST = ""
 WSPORT = 50005
+WSSPORT = 50006
 verbose = False
@@ -856,7 +862,10 @@ async def ws_serve(websocket, path):
 jmsg = json.dumps({'type': 'message', 'data': m })
 await websocket.send(jmsg)
- del ws_connections[websocket]
+ try:
+ del ws_connections[websocket]
+ except Exception as e:
+ print(f"warning: failed to delete websocket: {e}")
 def websocketupdater():
 loop.run_forever()
@@ -1108,7 +1117,17 @@ except:
 loop = asyncio.get_event_loop()
+
+ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+wss_pem = pathlib.Path(WSS_PEM)
+wss_key = pathlib.Path(WSS_KEY)
+
+ssl_context.load_cert_chain(wss_pem, keyfile=wss_key)
+wss_start_server = websockets.serve(ws_serve, hbd_host, WSSPORT, ssl=ssl_context)
+loop.run_until_complete(wss_start_server)
+
 ws_start_server = websockets.serve(ws_serve, hbd_host, WSPORT)
+
 loop.run_until_complete(ws_start_server)
 servthread = threading.Thread(target=serv.serve_forever)
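Review bot: `CERT_PATH` hard-codes one host's Let's Encrypt directory, so the script carries a deployment-specific path to a private key. The `# override in .hbrc possible` comment in the context lines suggests an override mechanism exists; if it does, `CERT_PATH`, `WSS_PEM` and `WSS_KEY` should go through it rather than sit as fixed constants. Files under a letsencrypt `live/` directory are normally readable only by root, so it is worth stating the expectation beside the constants, for example `# privkey.pem must be readable by the hbd user and nobody else`. As a style point, `CERT_PATH="..."` lacks the spaces around `=` that the two lines below it use.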
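Review bot: The removal from `ws_connections` is still reached only when the statements above it return normally. If `await websocket.send(jmsg)` raises because a client has gone away, the entry is never removed and stale connections accumulate; this is inferred, since the body of `ws_serve` starts outside the hunk. Putting the cleanup in a `finally:` and writing it as `ws_connections.pop(websocket, None)` covers both the missing-key case and the exception path. It also removes the need for `except Exception`, which as written would hide unrelated errors behind a printed warning. It is worth finding out why the key can already be absent, because that implies another code path is removing it.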
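Review bot: `load_cert_chain` runs once at start-up with no error handling, so a missing or unreadable `privkey.pem` would raise here and, if this is module level as it appears, stop hbd before `servthread` is created. A renewed certificate is also not picked up until the process restarts. I would set the protocol floor explicitly with `ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2` rather than depend on the build default, and pass `WSS_PEM` and `WSS_KEY` directly, since the `pathlib.Path` wrappers add nothing. The unencrypted listener on `WSPORT` stays bound to the same `hbd_host`, so clients are not required to use TLS; if what `ws_serve` pushes is sensitive, that port should be limited to loopback or retired. The surrounding start-up code lies outside the hunk.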