diff --git a/howto/tls.md b/howto/tls.md
index 994fe430a2a965840f4e846e82c159dd2785befb..8f008a8c71c22c1c302e674677d4c69619772853 100644
--- a/howto/tls.md
+++ b/howto/tls.md
@@ -34,7 +34,7 @@ ones.
 
 The new keys and certs are being copied to the LDAP host
 (currently `pauli`) under
-`/srv/puppet.torproject.org/from-letsencrypt/`. Then [howto/Puppet](howto/Puppet) pick
+`/srv/puppet.torproject.org/from-letsencrypt/`. Then [Puppet](howto/puppet) pick
 those up in the `ssl` module. Use the `ssl::service` resource to
 deploy them.
 
@@ -270,11 +270,11 @@ time of writing (2020-04-15):
  * [Digicert][]: used by other teams to sign software releases for
    Windows
  * [Harica][]: used for HTTPS on the donate.tpo onion service
- * [howto/Puppet](howto/Puppet): our configuration management infrastructure has its own
+ * [Puppet](howto/Puppet): our configuration management infrastructure has its own
    X.509 certificate authority which allows "Puppet agents" to
    authenticate and verify the "Puppet Master", see [our
    documentation](howto/puppet) and [upstream documentation][] for details
- * [howto/ldap](howto/ldap): our OpenLDAP server uses a custom self-signed x.509
+ * [LDAP](howto/ldap): our OpenLDAP server uses a custom self-signed x.509
    certificate authority that is distributed to clients via Puppet, see
    [the documentation](howto/ldap#server-certificate-renewal) for instructions to
    renew this certificate manually