diff --git a/go.mod b/go.mod
index 5b21e5f11c..771a13601f 100644
--- a/go.mod
+++ b/go.mod
@@ -92,7 +92,7 @@ require github.com/hashicorp/go-dbw v0.0.0-20220412153211-c470aec9369f // this i
 require (
 	github.com/DATA-DOG/go-sqlmock v1.5.0
 	github.com/hashicorp/go-kms-wrapping/extras/kms/v2 v2.0.0-20220711120347-32232bae6803
-	github.com/hashicorp/nodeenrollment v0.1.7
+	github.com/hashicorp/nodeenrollment v0.1.8
 )
 
 require (
diff --git a/go.sum b/go.sum
index 061c875426..5164cc087a 100644
--- a/go.sum
+++ b/go.sum
@@ -740,8 +740,8 @@ github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+l
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/nodeenrollment v0.1.7 h1:t6BD0DXzIXwPdcmR15M3YLttQPgnJYq0D8w+v3k/Nd0=
-github.com/hashicorp/nodeenrollment v0.1.7/go.mod h1:LIPKi+g0g/vl3xhpbzugCalHSxX1PMeqnatkAsxRgyM=
+github.com/hashicorp/nodeenrollment v0.1.8 h1:U5Mt8qimWQOtHZCtX090W7A5o1Qweao6chKZh/ue07g=
+github.com/hashicorp/nodeenrollment v0.1.8/go.mod h1:LIPKi+g0g/vl3xhpbzugCalHSxX1PMeqnatkAsxRgyM=
 github.com/hashicorp/vault/api v1.3.1 h1:pkDkcgTh47PRjY1NEFeofqR4W/HkNUi9qIakESO2aRM=
 github.com/hashicorp/vault/api v1.3.1/go.mod h1:QeJoWxMFt+MsuWcYhmwRLwKEXrjwAFFywzhptMsTIUw=
 github.com/hashicorp/vault/sdk v0.1.13/go.mod h1:B+hVj7TpuQY1Y/GPbCpffmgd+tSEwvhkWnjtSYCaS2M=
diff --git a/internal/daemon/worker/listeners.go b/internal/daemon/worker/listeners.go
index f81984a121..3ee07516e5 100644
--- a/internal/daemon/worker/listeners.go
+++ b/internal/daemon/worker/listeners.go
@@ -135,7 +135,18 @@ func (w *Worker) configureForWorker(ln *base.ServerListener, logger *log.Logger,
 		return nil, fmt.Errorf("error instantiating node auth listener: %w", err)
 	}
 
-	w.workerAuthSplitListener = nodeenet.NewSplitListener(interceptingListener)
+	w.workerAuthSplitListener, err = nodeenet.NewSplitListener(interceptingListener)
+	if err != nil {
+		return nil, fmt.Errorf("error instantiating split listener: %w", err)
+	}
+	workerListener, err := w.workerAuthSplitListener.GetListener(nodeenet.AuthenticatedNonSpecificNextProto)
+	if err != nil {
+		return nil, fmt.Errorf("error instantiating worker split listener: %w", err)
+	}
+	nonWorkerListener, err := w.workerAuthSplitListener.GetListener(nodeenet.UnauthenticatedNextProto)
+	if err != nil {
+		return nil, fmt.Errorf("error instantiating non-worker split listener: %w", err)
+	}
 
 	downstreamServer := grpc.NewServer(
 		grpc.MaxRecvMsgSize(math.MaxInt32),
@@ -158,11 +169,11 @@ func (w *Worker) configureForWorker(ln *base.ServerListener, logger *log.Logger,
 
 	return func() {
 		go w.workerAuthSplitListener.Start()
-		go httpServer.Serve(w.workerAuthSplitListener.OtherListener())
+		go httpServer.Serve(nonWorkerListener)
 		go ln.GrpcServer.Serve(
 			&eventingListener{
 				ctx:    cancelCtx,
-				baseLn: w.workerAuthSplitListener.NodeEnrollmentListener(),
+				baseLn: workerListener,
 			},
 		)
 	}, nil
@@ -173,30 +184,8 @@ func (w *Worker) stopServersAndListeners() error {
 	mg.Go(w.stopHttpServer)
 	mg.Go(w.stopClusterGrpcServer)
 
-	// FIXME (jeff): For some reason, unlike the controller, the grpc server
-	// really likes to hang on closing. Maybe because it's never served a
-	// connection? This is a workaround to force it until I can dig in.
-	var cancel context.CancelFunc
-	if w.workerAuthSplitListener != nil {
-		var ctx context.Context
-		ctx, cancel = context.WithTimeout(w.baseContext, 2*time.Second)
-		go func() {
-			<-ctx.Done()
-			w.workerAuthSplitListener.Stop()
-			cancel()
-		}()
-	}
-
 	stopErrors := mg.Wait()
 
-	if w.workerAuthSplitListener != nil {
-		cancel()
-		err := w.workerAuthSplitListener.Stop()
-		if err != nil {
-			stopErrors = multierror.Append(stopErrors, err)
-		}
-	}
-
 	err := w.stopAnyListeners()
 	if err != nil {
 		stopErrors = multierror.Append(stopErrors, err)
@@ -240,19 +229,11 @@ func (w *Worker) stopAnyListeners() error {
 	if w.proxyListener == nil {
 		return nil
 	}
-	var closeErrors *multierror.Error
-	var err error
-	if w.workerAuthSplitListener != nil {
-		err = w.workerAuthSplitListener.Stop()
-	} else if w.proxyListener.ProxyListener != nil {
-		err = w.proxyListener.ProxyListener.Close()
-	}
-	err = listenerCloseErrorCheck("proxy", err)
-	if err != nil {
-		closeErrors = multierror.Append(closeErrors, err)
+	if w.proxyListener.ProxyListener == nil {
+		return nil
 	}
 
-	return closeErrors.ErrorOrNil()
+	return listenerCloseErrorCheck("proxy", w.proxyListener.ProxyListener.Close())
 }
 
 // listenerCloseErrorCheck does some validation on an error returned