diff --git a/caddytls/config.go b/caddytls/config.go
index e30d2a1d3..9525682b0 100644
--- a/caddytls/config.go
+++ b/caddytls/config.go
@@ -338,6 +338,10 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) {
 configs[i-1].Hostname, lastConfProto, cfg.Hostname, thisConfProto)
 }
 
+ if !cfg.Enabled {
+ continue
+ }
+
 // Union cipher suites
 for _, ciph := range cfg.Ciphers {
 if _, ok := ciphersAdded[ciph]; !ok {
@@ -348,7 +352,7 @@ func MakeTLSConfig(configs []*Config) (*tls.Config, error) {
 
 // Can't resolve conflicting PreferServerCipherSuites settings
 if i > 0 && cfg.PreferServerCipherSuites != configs[i-1].PreferServerCipherSuites {
- return nil, fmt.Errorf("cannot both use PreferServerCipherSuites and not use it")
+ return nil, fmt.Errorf("cannot both PreferServerCipherSuites and not prefer them")
 }
 config.PreferServerCipherSuites = cfg.PreferServerCipherSuites
 
diff --git a/caddytls/config_test.go b/caddytls/config_test.go
index 2cdadce5d..c12c98a0e 100644
--- a/caddytls/config_test.go
+++ b/caddytls/config_test.go
@@ -39,6 +39,20 @@ func TestMakeTLSConfigPreferServerCipherSuites(t *testing.T) {
 if got, want := result.PreferServerCipherSuites, true; got != want {
 t.Errorf("Expected PreferServerCipherSuites==%v but got %v", want, got)
 }
+
+ // make sure we don't get an error if there's a conflict
+ // when both of the configs have TLS disabled
+ configs = []*Config{
+ {Enabled: false, PreferServerCipherSuites: false},
+ {Enabled: false, PreferServerCipherSuites: true},
+ }
+ result, err = MakeTLSConfig(configs)
+ if err != nil {
+ t.Fatalf("Did not expect an error when TLS is disabled, but got '%v'", err)
+ }
+ if result != nil {
+ t.Errorf("Expected nil result because TLS disabled, got: %+v", err)
+ }
 }
 
 func TestMakeTLSConfigTLSEnabledDisabled(t *testing.T) {
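Review bot: The new `if !cfg.Enabled { continue }` is only safe if the check just above it guarantees that every config in the slice has the same Enabled state, and nothing in the hunk records that invariant. The PreferServerCipherSuites check in the second hunk still compares against `configs[i-1]` without asking whether that neighbour was skipped. If the earlier check ever stops rejecting mixed TLS and non-TLS configs, an enabled site would be validated against a disabled one's settings. I would add a comment above the guard such as `// configs are all enabled or all disabled here (enforced above); a disabled config contributes no TLS settings`. MakeTLSConfig starts and ends outside the hunk, so the invariant is inferred from the visible tail of the preceding error.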
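Review bot: The reworded PreferServerCipherSuites error still does not say which sites conflict, whereas the protocol-mismatch error visible in the first hunk passes both `configs[i-1].Hostname` and `cfg.Hostname`. Naming the two hosts makes a misconfigured cipher preference much quicker to find when many sites share a listener, for example `return nil, fmt.Errorf("cannot both PreferServerCipherSuites and not prefer them: %s and %s", configs[i-1].Hostname, cfg.Hostname)`. Any test that matches the exact message text would need the same update.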
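Review bot: The final assertion in the added test formats `err` instead of `result`: `t.Errorf("Expected nil result because TLS disabled, got: %+v", err)`. By that point `err` is known to be nil, because the preceding `t.Fatalf` would already have stopped the test, so a failure would print `<nil>` and hide the unexpected TLS config. It should read `t.Errorf("Expected nil result because TLS disabled, got: %+v", result)`.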