diff --git a/tools/ci-scripts/configure-tls/configure-badssl b/tools/ci-scripts/configure-tls/configure-badssl
index f0b04951cb..05d2a9a412 100755
--- a/tools/ci-scripts/configure-tls/configure-badssl
+++ b/tools/ci-scripts/configure-tls/configure-badssl
@@ -6,20 +6,23 @@ set -euxo pipefail
-perl -p -i -e 's/ruby2\.4/ruby2.6/' Dockerfile
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+
+cp "$DIR/new-badssl-dockerfile" Dockerfile
 grep -q 'start of badssl\.test hosts' /etc/hosts || make list-hosts | sudo tee -a /etc/hosts
-# badssl fails to create dh480.pem on our Ubuntu host.
-# Create it manually inside the docker container.
-sed -i '/CMD /i \
-RUN echo "-----BEGIN DH PARAMETERS-----" >/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
-RUN echo "MEICPQDZ/YFp3iEs3/k9iRGoC/5/To2+5pUF/C6GkO6VjXHHyRVy68I0rI0q7IAq" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
-RUN echo "VyyGQ7/5Q/Iu0QQnHT4X9uMCAQI=" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
-RUN echo "-----END DH PARAMETERS-----" >>/var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem \
-' Dockerfile
+
+# we manually create this in the dockerfile. Tell the makefile not to bother to generate it.
 sed -i '/ 480/c \\ttrue' certs/Makefile
 # badssl does not create an expired certificate;
 # it creates a certificate that expires after 1 day and waits for 1 day to run the "expired certificate" test.
 # This command patches this behavior to run the test immediately.
 # See: https://github.com/chromium/badssl.com/blob/df8d5a9d062f4b99fc19d8aacdea5333b399d624/certs/Makefile#L177
 sed -i 's%./tool sign $@ $(D) 1 sha256 req_v3_usr $^%faketime -f "-2d" ./tool sign $@ $(D) 1 sha256 req_v3_usr $^%' certs/Makefile
-screen -dmS badssl sudo make serve
+# there is a command "make serve" We don't want to actually run that because we want to error out early on `docker build`
+sudo make certs-test
+sudo make docker-build
+
+# manually invoke the "serve" part of things
+# if things are broken, try removing the screen session to see any failure logs.
+screen -dmS badssl sudo docker run -t -p 80:80 -p 443:443 -p 1000-1024:1000-1024 badssl
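Review bot: The final `docker run` publishes the badssl ports on every interface of the CI host (`-p 80:80 -p 443:443 -p 1000-1024:1000-1024`), and this image deliberately serves broken TLS (SECLEVEL=0, weak ciphers, expired and otherwise bad certificates per the new Dockerfile). Unless the tests need remote access, bind to loopback so nothing outside the runner can reach it: `-p 127.0.0.1:80:80 -p 127.0.0.1:443:443 -p 127.0.0.1:1000-1024:1000-1024`; that presumably still satisfies the `/etc/hosts` entries appended from `make list-hosts`, but verify they map the badssl.test names to 127.0.0.1. I would also name the container (`--name badssl`) so failure output comes from `sudo docker logs badssl` instead of tearing down the screen session as the comment suggests, and so a stale container from an earlier run cannot silently hold the ports.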
diff --git a/tools/ci-scripts/configure-tls/new-badssl-dockerfile b/tools/ci-scripts/configure-tls/new-badssl-dockerfile
new file mode 100644
index 0000000000..369b3e894b
--- /dev/null
+++ b/tools/ci-scripts/configure-tls/new-badssl-dockerfile
@@ -0,0 +1,88 @@
+# Why does this file exist?
+# badssl seems to be abandoned. The orginal Dockerfile was based on ubuntu 16.04 and all the bits were rotting.
+# I've updated the Dockerfilet l to ubuntu 22.04 which will hopefully let everything limp along a little longer.
+FROM ubuntu:22.04 as nginx
+# Install necessary packages for building NGINX
+RUN apt-get update && apt-get install -y \
+ build-essential \
+ libpcre3 \
+ libpcre3-dev \
+ zlib1g \
+ zlib1g-dev \
+ wget
+
+# Define NGINX version (this is the old version from ubuntu 16.04 to match)
+ARG NGINX_VERSION=1.14.2
+ARG OPEN_SSL_VERSION=1.0.2g
+
+RUN wget https://www.openssl.org/source/openssl-${OPEN_SSL_VERSION}.tar.gz \
+ && tar -xzvf openssl-${OPEN_SSL_VERSION}.tar.gz
+
+# Download NGINX source code
+RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz \
+ && tar -xzvf nginx-$NGINX_VERSION.tar.gz \
+ && cd nginx-$NGINX_VERSION
+
+
+# Configure NGINX before building it
+RUN cd nginx-$NGINX_VERSION \
+ && ./configure \
+ --prefix=/usr/local/nginx \
+ --with-http_ssl_module \
+ --with-openssl=../openssl-${OPEN_SSL_VERSION} \
+ --with-openssl-opt=enable-weak-ssl-ciphers \
+ --with-stream \
+ --with-threads \
+ && make -j 6 \
+ && make install -j 6
+
+RUN /usr/local/nginx/sbin/nginx -V
+
+FROM ubuntu:22.04
+
+EXPOSE 80 443
+RUN apt-get update && apt-get install -y apt-transport-https
+RUN apt-get install -y software-properties-common
+RUN apt-get update && apt-get install -y \
+ build-essential \
+ git \
+ libffi-dev \
+ make \
+ ruby3.0 \
+ ruby3.0-dev
+#RUN gem update --system
+RUN gem install jekyll
+
+COPY --from=nginx /usr/local/nginx /usr/local/nginx
+ENV PATH="/usr/local/nginx/sbin:${PATH}"
+
+# Install badssl.com
+ADD . badssl.com
+WORKDIR badssl.com
+
+RUN sed -i 's/SECLEVEL=2/SECLEVEL=0/' /etc/ssl/openssl.cnf
+RUN tail -n10 /etc/ssl/openssl.cnf
+
+RUN nginx -V
+RUN mkdir /etc/nginx
+# `make-in-docker` requires this file to exist.
+RUN ln -s /usr/local/nginx/conf/nginx.conf /etc/nginx/nginx.conf
+
+# Update the nginx config to include the badssl configs.
+RUN head -n-1 /etc/nginx/nginx.conf > wip.conf
+RUN echo "# Virtual Host Configs\ninclude /var/www/badssl/_site/nginx.conf;\n}" >> wip.conf
+RUN mv wip.conf /usr/local/nginx/conf/nginx.conf
+RUN make inside-docker
+
+# Allow unsecure certs
+RUN sed -i 's/SECLEVEL=2/SECLEVEL=0/' /etc/ssl/openssl.cnf
+
+# Fix DH key that can't be generated...works in docker bug not on github. Who knows.
+RUN echo "-----BEGIN DH PARAMETERS-----" > /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+RUN echo "MEICPQDZ/YFp3iEs3/k9iRGoC/5/To2+5pUF/C6GkO6VjXHHyRVy68I0rI0q7IAq" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+RUN echo "VyyGQ7/5Q/Iu0QQnHT4X9uMCAQI=" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+RUN echo "-----END DH PARAMETERS-----" >> /var/www/badssl/_site/certs/sets/current/gen/dhparam/dh480.pem
+
+RUN nginx -t
+# Start things up!
+CMD nginx && tail -f /usr/local/nginx/logs/access.log /usr/local/nginx/logs/error.log
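Review bot: The nginx tarball is fetched over plain HTTP (`RUN wget http://nginx.org/download/nginx-$NGINX_VERSION.tar.gz`) and neither it nor the OpenSSL tarball is checksum-verified before being compiled into the image, so a tampered download or a swapped file on the mirror would end up linked into the TLS server this CI job trusts. Fetch both over HTTPS and pin SHA-256 digests as build args checked with `sha256sum -c` before extraction; I have left the digest values to be filled in from a trusted copy rather than guessing them, and with empty values the check fails closed. Since OpenSSL 1.0.2g, `enable-weak-ssl-ciphers` and `SECLEVEL=0` are clearly deliberate for a badssl fixture, the header comment should say so, e.g. `# NOTE: OpenSSL 1.0.2g, enable-weak-ssl-ciphers and SECLEVEL=0 are intentional: badssl must serve broken TLS. This image is a CI test fixture only; never expose it beyond the test host.` Smaller items: `ADD . badssl.com` should be `COPY . /badssl.com` with `WORKDIR /badssl.com` (ADD for a local directory and a relative WORKDIR), the trailing `&& cd nginx-$NGINX_VERSION` in the download step has no effect because each RUN starts a fresh shell, and the second `sed -i 's/SECLEVEL=2/SECLEVEL=0/'` repeats the first.

```dockerfile
ARG NGINX_VERSION=1.14.2
ARG OPEN_SSL_VERSION=1.0.2g
# Expected SHA-256 of each tarball. Fill in from a trusted copy; an empty
# value makes the sha256sum check below fail, so the build cannot silently
# proceed with an unverified download.
ARG OPENSSL_SHA256=
ARG NGINX_SHA256=

RUN wget https://www.openssl.org/source/openssl-${OPEN_SSL_VERSION}.tar.gz \
 && echo "${OPENSSL_SHA256}  openssl-${OPEN_SSL_VERSION}.tar.gz" | sha256sum -c - \
 && tar -xzvf openssl-${OPEN_SSL_VERSION}.tar.gz

# Download NGINX source code over HTTPS and verify it before extracting
RUN wget https://nginx.org/download/nginx-${NGINX_VERSION}.tar.gz \
 && echo "${NGINX_SHA256}  nginx-${NGINX_VERSION}.tar.gz" | sha256sum -c - \
 && tar -xzvf nginx-${NGINX_VERSION}.tar.gz

# … unchanged: configure/build of nginx, runtime stage …
```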