diff --git a/Dockerfile b/Dockerfile
index 1b0ff4a..d1176fb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -51,9 +51,13 @@ RUN pip3 install \
         /tmp/* \
         /root/.cache
 
-RUN mkdir -p \
-    /etc/letsencrypt/{accounts,live,renewal,renewal-hooks} \
-    /etc/letsencrypt/renewal-hooks/{deploy,post,pre}
+# RUN mkdir -p \
+#     /etc/letsencrypt/accounts \
+#     /etc/letsencrypt/live \
+#     /etc/letsencrypt/renewal \
+#     /etc/letsencrypt/renewal-hooks/deploy \
+#     /etc/letsencrypt/renewal-hooks/post \
+#     /etc/letsencrypt/renewal-hooks/pre
 
 RUN mkdir -p \
     /app \
diff --git a/root/defaults/deploy/01_deploy-certs.sh b/root/defaults/deploy/01_deploy-certs.sh
index 8d8aefd..184954f 100644
--- a/root/defaults/deploy/01_deploy-certs.sh
+++ b/root/defaults/deploy/01_deploy-certs.sh
@@ -10,43 +10,59 @@
 echo "Running deploy script ..."
 
 KEYPATH="/letsencrypt"
-echo "KEYPATH is ${KEYPATH}"
-echo "LINEAGE is ${RENEWED_LINEAGE}"
 
-# clean current KEYPATH contents
+# Figure out cert path
+. /config/.donoteditthisfile.conf
+if [ "${ORIGONLY_SUBDOMAINS}" = "true" ] && [ ! "${ORIGSUBDOMAINS}" = "wildcard" ]; then
+  ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGTLD}"
+  LINEAGE="/etc/letsencrypt/live/${ORIGDOMAIN}"
+else
+  ORIGDOMAIN="${ORIGTLD}"
+  LINEAGE="/etc/letsencrypt/live/${ORIGTLD}"
+fi
+RENEWED_LINEAGE=${RENEWED_LINEAGE:-$LINEAGE}
+
+echo "LINEAGE is ${RENEWED_LINEAGE}; KEYPATH is ${KEYPATH}"
+
+# Clean current KEYPATH contents
+echo "Clearing expired certs ..."
 rm -f ${KEYPATH}/*
 
-# copy certs to keypath dest
+# Copy certs to keypath dest
+echo "Copying current certs ..."
 cp -L ${RENEWED_LINEAGE}/* ${KEYPATH}
 # for CERTNAME in $(ls ${RENEWED_LINEAGE}); do
 #     cat crt >> ${KEYPATH}/${CERTNAME}
 # done
 
-# convert pems to cert and key
+# Convert pems to cert and key
 echo "Converting to tls.crt and tls.key ..."
 openssl crl2pkcs7 -nocrl \
--certfile "${KEYPATH}"/fullchain.pem | openssl pkcs7 -print_certs \
--out "${KEYPATH}"/tls.crt
+    -certfile "${KEYPATH}"/fullchain.pem | openssl pkcs7 -print_certs \
+    -out "${KEYPATH}"/tls.crt
 # openssl x509 -outform der -in fullchain.pem -out tls.crt
 # openssl pkey -outform der -in privkey.pem -out tls.key
 openssl rsa \
--in "${KEYPATH}"/privkey.pem \
--out "${KEYPATH}"/tls.key
+    -in "${KEYPATH}"/privkey.pem \
+    -out "${KEYPATH}"/tls.key
 
-# converting to pfx and priv-fullchain-bundle
+sleep 1
+
+# Convert to pfx and priv-fullchain-bundle
 echo "Converting to pfx and priv-fullchain-bundle.pem ..."
 openssl pkcs12 -export \
--certfile chain.pem \
--in "${KEYPATH}"/cert.pem -inkey "${KEYPATH}"/privkey.pem \
--out "${KEYPATH}"/privkey.pfx \
- -passout pass:
+    -certfile "${KEYPATH}"/chain.pem \
+    -in "${KEYPATH}"/cert.pem \
+    -inkey "${KEYPATH}"/privkey.pem \
+    -out "${KEYPATH}"/privkey.pfx \
+    -passout pass:
 sleep 1
 
 cat "${KEYPATH}"/{privkey,fullchain}.pem > "${KEYPATH}"/priv-fullchain-bundle.pem
+sleep 1
 
 # Allow read access to certs
 chmod 644 "${KEYPATH}"/*.pem
 chmod 644 "${KEYPATH}"/*.pfx
 chmod 644 "${KEYPATH}"/tls.*
 echo "Success."
-
diff --git a/root/etc/cont-init.d/50_lets-encrypt.sh b/root/etc/cont-init.d/50_lets-encrypt.sh
index 5d55afa..9150cd8 100644
--- a/root/etc/cont-init.d/50_lets-encrypt.sh
+++ b/root/etc/cont-init.d/50_lets-encrypt.sh
@@ -59,7 +59,8 @@ ln -s /config/crontabs /etc/crontabs
   chmod +x /config/deploy/*
 # Link /config/deploy
 echo "Linking /config/deploy -> /etc/letsencrypt/renewal-hooks/deploy ..."
-ln -s /config/deploy /etc/letsencrypt/renewal-hooks/deploy
+mkdir -p /etc/letsencrypt/renewal-hooks
+ln -s /config/deploy /etc/letsencrypt/renewal-hooks
 
 # chown -R abc:abc /config
 # chown -R abc:abc /letsencrypt
@@ -134,10 +135,10 @@ echo "${VALIDATION:="DNS"} validation via ${DNSPLUGIN} plugin is selected"
 # rm -rf /letsencrypt/keys
 if [ "${ONLY_SUBDOMAINS}" = "true" ] && [ ! "${SUBDOMAINS}" = "wildcard" ] ; then
   DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${TLD}"
-  LINEAGE="../etc/letsencrypt/live/${DOMAIN}"
+  LINEAGE="/etc/letsencrypt/live/${DOMAIN}"
 #   ln -s /letsencrypt/live/"${DOMAIN}" /letsencrypt/keys
 else
-  LINEAGE="../etc/letsencrypt/live/${TLD}"
+  LINEAGE="/etc/letsencrypt/live/${TLD}"
 #   ln -s /letsencrypt/live/"${TLD}" /letsencrypt/keys
 fi
 # # [[ ! -d "${LE_LOC}" ]] && \
@@ -171,10 +172,12 @@ if [ ! -f "/letsencrypt/fullchain.pem" ]; then
   echo "Generating new certificate"
   # shellcheck disable=SC2086
   certbot certonly --non-interactive --force-renewal --server ${ACMESERVER} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${TLD_REAL}
-  RENEWED_LINEAGE="/etc/letsencrypt/live/${LINEAGE}"
-  echo $(printenv)
-  echo "RENEWED_LINEAGE is ${RENEWED_LINEAGE}"
-  /usr/bin/with-contenv bash /etc/letsencrypt/renewal-hooks/deploy/01-deploy_certs.sh
+  # RENEWED_LINEAGE="${LINEAGE}"
+  # export RENEWED_LINEAGE
+  # echo "RENEWED_LINEAGE is ${RENEWED_LINEAGE}"
+  if [ -f /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh ]; then
+    /usr/bin/with-contenv bash /etc/letsencrypt/renewal-hooks/deploy/01_deploy-certs.sh
+  fi
 
   if [ -f /letsencrypt/fullchain.pem ]; then
     cd /letsencrypt || exit
diff --git a/scripts/backups/deploy-convert-certs.sh b/scripts/backups/deploy-convert-certs.sh
deleted file mode 100644
index f68059d..0000000
--- a/scripts/backups/deploy-convert-certs.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-# convert to fullchain.pem and privkey.pem to tls.crt and tls.key
-
-# Identify key path
-. /config/.donoteditthisfile.conf
-if [ "${ORIGONLY_SUBDOMAINS}" = "true" ] && [ ! "${ORIGSUBDOMAINS}" = "wildcard" ]; then
-    ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGTLD}"
-    ORIGKEYPATH="/etc/letsencrypt/live/"${ORIGDOMAIN}""
-else
-    ORIGKEYPATH="/etc/letsencrypt/live/"${ORIGTLD}""
-fi
-
-# convert pems to cert and key
-echo "Converting to tls.crt and tls.key ..."
-if [ ! -f "${ORIGKEYPATH}/fullchain.pem" ] || [ ! -f "${ORIGKEYPATH}/privkey.pem" ]; then
-    echo "Error: fullchain.pem or privkey.pem not found in ${ORIGKEYPATH}"
-    sleep infinity
-else
-    openssl crl2pkcs7 -nocrl \
-    -certfile "${ORIGKEYPATH}"/fullchain.pem | openssl pkcs7 -print_certs \
-    -out "${ORIGKEYPATH}"/tls.crt
-    # openssl x509 -outform der -in fullchain.pem -out tls.crt
-    # openssl pkey -outform der -in privkey.pem -out tls.key
-    openssl rsa \
-    -in "${ORIGKEYPATH}"/privkey.pem \
-    -out "${ORIGKEYPATH}"/tls.key
-
-    # allow read all for tls.crt and tls.key
-    chmod 644 "${ORIGKEYPATH}"/tls.*
- fi
diff --git a/scripts/backups/root b/scripts/backups/root
deleted file mode 100644
index 6e34992..0000000
--- a/scripts/backups/root
+++ /dev/null
@@ -1,9 +0,0 @@
-# do daily/weekly/monthly maintenance
-# min   hour    day     month   weekday command
-*/15    *       *       *       *       run-parts /etc/periodic/15min
-0       *       *       *       *       run-parts /etc/periodic/hourly
-0       2       *       *       *       run-parts /etc/periodic/daily
-0       3       *       *       6       run-parts /etc/periodic/weekly
-0       5       1       *       *       run-parts /etc/periodic/monthly
-# renew letsencrypt certs
-8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1
\ No newline at end of file