diff --git a/roles/edpm_nova/defaults/main.yml b/roles/edpm_nova/defaults/main.yml
index 861aab547..77892c475 100644
--- a/roles/edpm_nova/defaults/main.yml
+++ b/roles/edpm_nova/defaults/main.yml
@@ -31,7 +31,10 @@ edpm_nova_compute_image: "quay.io/podified-antelope-centos9/openstack-nova-compu
 
 # Libvirt TLS
 edpm_nova_live_migration_tls: "{{ edpm_tls_certs_enabled | default(False) }}"
-edpm_nova_live_migration_native_tls: "{{ edpm_tls_certs_enabled | default(False) }}"
+# FIXME(owalsh): Disable NBD TLS until issues are resolved:
+#   https://issues.redhat.com/browse/RHEL-33754
+#   https://issues.redhat.com/browse/RHEL-33781
+edpm_nova_live_migration_native_tls: false
 
 # NOTE(sean-k-mooney): nova will use unix sockets for libvirt and communicate with ovs via tcp
 # so we will not need the libvirt or ovs client certs or ca. nova will communicate other services
diff --git a/roles/edpm_nova/templates/02-nova-host-specific.conf.j2 b/roles/edpm_nova/templates/02-nova-host-specific.conf.j2
index 005e2890b..4114e61e6 100644
--- a/roles/edpm_nova/templates/02-nova-host-specific.conf.j2
+++ b/roles/edpm_nova/templates/02-nova-host-specific.conf.j2
@@ -8,8 +8,3 @@ live_migration_with_native_tls = {{ edpm_nova_live_migration_native_tls|bool }}
 {% if edpm_nova_live_migration_tls|bool %}
 live_migration_uri = qemu+tls://%s/system
 {% endif %}
-
-{% if edpm_nova_live_migration_native_tls|bool %}
-# FIXME(owalsh): workaround https://issues.redhat.com/browse/LIBVIRT-1113
-live_migration_permit_post_copy = False
-{% endif %}