diff --git a/roles/robosignatory/files/ask-password-robosignatory.conf b/roles/robosignatory/files/ask-password-robosignatory.conf
new file mode 100644
index 0000000000..8150439896
--- /dev/null
+++ b/roles/robosignatory/files/ask-password-robosignatory.conf
@@ -0,0 +1 @@
+a       /run/systemd/ask-password       -       -       -       -       u:robosignatory:rwx
diff --git a/roles/robosignatory/tasks/main.yml b/roles/robosignatory/tasks/main.yml
index e0524751f7..b0a7582017 100644
--- a/roles/robosignatory/tasks/main.yml
+++ b/roles/robosignatory/tasks/main.yml
@@ -192,12 +192,12 @@
   - robosignatory
 
 - name: Allow robosignatory to use systemd-ask-password
-  acl:
-    path: /run/systemd/ask-password
-    entity: robosignatory
-    etype: user
-    permissions: rwx
-    state: present
+  copy:
+    src: ask-password-robosignatory.conf
+    dest: /etc/tmpfiles.d/ask-password-robosignatory.conf
+    owner: root
+    group: root
+    mode: 0644
   tags:
   - config
   - robosignatory