diff --git a/src/Application.hs b/src/Application.hs
index a365b60..33ad98e 100644
--- a/src/Application.hs
+++ b/src/Application.hs
@@ -185,11 +185,11 @@ startApp foundation = do
 void . forkIO $ forever $ do
 putStrLn $ "DOMAIN: " <> registryHostname (appSettings foundation)
 putStrLn $ "CERT: " <> sslCertLocation (appSettings foundation)
- runReaderT (renewSslCerts (sslCertLocation $ appSettings foundation)) foundation
+ runReaderT renewSslCerts foundation
 shouldRenew <- doesSslNeedRenew (sslCertLocation $ appSettings foundation)
 when shouldRenew $ do
 putStrLn @Text "Renewing SSL Certs."
- runReaderT (renewSslCerts (sslCertLocation $ appSettings foundation)) foundation
+ runReaderT renewSslCerts foundation
 sleep 86_400
 startWeb foundation
diff --git a/src/Lib/Ssl.hs b/src/Lib/Ssl.hs
index 0c06e3e..3bd86d8 100644
--- a/src/Lib/Ssl.hs
+++ b/src/Lib/Ssl.hs
@@ -46,8 +46,10 @@ doesSslNeedRenew cert = do
 ec <- liftIO $ system [i|openssl x509 -checkend 2592000 -noout -in #{cert}|]
 pure $ ec /= ExitSuccess
-renewSslCerts :: FilePath -> ReaderT RegistryCtx IO ()
-renewSslCerts cert = do
- domain <- asks $ registryHostname . appSettings
+renewSslCerts :: ReaderT RegistryCtx IO ()
+renewSslCerts = do
+ domain <- asks $ registryHostname . appSettings
+ (cert, key) <- asks $ (sslCertLocation &&& sslKeyLocation) . appSettings
 void . liftIO $ system [i|certbot renew --dry-run|]
 void . liftIO $ system [i|cp /etc/letsencrypt/live/#{domain}/fullchain.pem #{cert}|]
+ void . liftIO $ system [i|cp /etc/letsencrypt/live/#{domain}/privkey.pem #{key}|]
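Review bot: The first `runReaderT renewSslCerts foundation` in the loop body runs before `doesSslNeedRenew` is consulted, so every 24-hour iteration invokes certbot and, with this commit, also rewrites the private key file whether or not the certificate is near expiry. The context in the Ssl.hs hunk shows `doesSslNeedRenew` returning True on any non-zero `openssl` exit, which presumably already covers a missing or unreadable certificate on first start, so the unconditional call looks redundant. I would delete it and keep only the call under `when shouldRenew`, or, if a start-up sync is intended, move it above `forever` with a comment such as `-- sync cert and key once at start-up; later runs are gated on expiry`. startApp's body begins above the hunk.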
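Review bot: The added `cp …/privkey.pem #{key}` line copies the private key through a shell string and discards the exit status with `void`, so a failed copy leaves a new certificate paired with a stale key and nothing is reported. Because `domain`, `cert` and `key` are spliced into the command text, a settings value containing whitespace or shell metacharacters is interpreted by the shell; passing the arguments as a list avoids that, e.g. `ec <- liftIO $ rawSystem "cp" [[i|/etc/letsencrypt/live/#{domain}/privkey.pem|], key]` followed by `when (ec /= ExitSuccess) $ …` to surface the failure. The same applies to the `fullchain.pem` copy on the context line above it. It is also worth setting the destination key's file mode explicitly (owner read/write only) rather than relying on what `cp` and the umask leave behind, and adding a comment that `certbot renew --dry-run` does not replace the files under `live/`, so both copies pick up whatever is already there.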