diff --git a/diskimage_builder/elements/gentoo/pre-install.d/02-gentoo-02-flags b/diskimage_builder/elements/gentoo/pre-install.d/02-gentoo-02-flags
index eda80b0ba..3d7dcdbd3 100755
--- a/diskimage_builder/elements/gentoo/pre-install.d/02-gentoo-02-flags
+++ b/diskimage_builder/elements/gentoo/pre-install.d/02-gentoo-02-flags
@@ -8,7 +8,15 @@ set -o pipefail
 
 # get the directories in order
 mkdir -p /etc/portage/profile
-mkdir -p /etc/portage/package.keywords
+if [ -f /etc/portage/package.keywords ]; then
+    mv /etc/portage/package.keywords /etc/portage/package.keywords.bak
+    mkdir -p /etc/portage/package.keywords
+    mv /etc/portage/package.keywords.bak /etc/portage/package.keywords/prebuilt-1
+else
+    mkdir -p /etc/portage/package.keywords
+fi
+[ -d /etc/portage/package.accept_keywords ] && mv /etc/portage/package.accept_keywords/* /etc/portage/package.keywords/ && rmdir /etc/portage/package.accept_keywords
+[ -f /etc/portage/package.accept_keywords ] && mv /etc/portage/package.accept_keywords /etc/portage/package.keywords/prebuilt-2
 mkdir -p /etc/portage/package.mask
 mkdir -p /etc/portage/package.unmask
 mkdir -p /etc/portage/package.use
diff --git a/diskimage_builder/elements/gentoo/pre-install.d/02-gentoo-03-enable-overlays b/diskimage_builder/elements/gentoo/pre-install.d/02-gentoo-03-enable-overlays
index 05d212e51..e27757221 100755
--- a/diskimage_builder/elements/gentoo/pre-install.d/02-gentoo-03-enable-overlays
+++ b/diskimage_builder/elements/gentoo/pre-install.d/02-gentoo-03-enable-overlays
@@ -24,18 +24,19 @@ if [[ ${GENTOO_OVERLAYS} != '' ]]; then
     # redistribution, so we have to use a version of openssl that works around
     # it (using fedora's patchset) and also use a version of cryptography that
     # depends on that version of openssl.
-    echo '=dev-python/cryptography-2.1.3 ~amd64' >> /etc/portage/package.keywords/layman
-    echo '=dev-libs/openssl-1.1.0g-r1 ~amd64' >> /etc/portage/package.keywords/layman
-    echo '=dev-libs/openssl-1.1.0g-r1' >> /etc/portage/package.unmask/layman
+    echo '=dev-python/cryptography-2.1.4-r2 ~amd64' >> /etc/portage/package.keywords/layman
+    echo '=dev-libs/openssl-1.0.2o-r6 ~amd64' >> /etc/portage/package.keywords/layman
     emerge -q --oneshot --jobs=2 openssl openssh
     # install layman
-    USE="-build" emerge --deep -q --jobs=2 layman
+    USE="-build" emerge --deep -q --jobs=2 --ignore-built-slot-operator-deps=y layman
     # sync the initial overlay list
     layman -S
-    # enable the various overlays
+    # enable the various overlays, ignore failures (overlay my already be enabled)
+    set +e
     for OVERLAY in ${GENTOO_OVERLAYS}; do
         layman -a "${OVERLAY}"
     done
+    set -e
 
     unfix_shm
 fi