diff --git a/nix/pkgs/pomerium/module.nix b/nix/pkgs/pomerium/module.nix
index 14b367f753..f64d1fc726 100644
--- a/nix/pkgs/pomerium/module.nix
+++ b/nix/pkgs/pomerium/module.nix
@@ -30,9 +30,12 @@ with lib;
       after = [ "network.target" ];
       wantedBy = [ "multi-user.target" ];
 
+      Environment.AUTOCERT_DIR = "/var/lib/pomerium/autocert";
+
       serviceConfig = {
         DynamicUser = true;
         ExecStart = pkgs.writeShellScript "run-pomerium" ''
+          mkdir -p "$AUTOCERT_DIR"
           if [[ -v CREDENTIALS_DIRECTORY ]]; then
             cd "$CREDENTIALS_DIRECTORY"
           fi