diff --git a/config/settings.yml b/config/settings.yml
index 6780d74..7cda8fe 100644
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -29,7 +29,7 @@ ip-from-header: "_env:YESOD_IP_FROM_HEADER:false"
 # See https://github.com/yesodweb/yesod/wiki/Configuration#parsing-numeric-values-as-strings
 app-compatibility-path: "_env:APP_COMPATIBILITY_CONFIG:/etc/start9/registry/compatibility.json"
-resources-path: "_env:RESOURCES_PATH:/var/www/html/resources"
+resources-path: "_env:RESOURCES_PATH:/var/www/html/resources"
 ssl-path: "_env:SSL_PATH:/var/ssl"
 registry-hostname: "_env:REGISTRY_HOSTNAME:registry.start9labs.com"
diff --git a/src/Application.hs b/src/Application.hs
index eb355bc..a1f0dac 100644
--- a/src/Application.hs
+++ b/src/Application.hs
@@ -170,12 +170,6 @@ appMain = do
     -- allow environment variables to override
     useEnv
-  void . forkIO $ forever $ do
-    shouldRenew <- doesSslNeedRenew (sslCertLocation settings)
-    when shouldRenew $ do
-      putStrLn @Text "Renewing SSL Certs."
-      renewSslCerts (sslCertLocation settings)
-    sleep 86_400
   -- Generate the foundation from the settings
   makeFoundation settings >>= startApp
@@ -186,6 +180,15 @@ startApp foundation = do
   putStrLn @Text "Setting up SSL"
   _ <- setupSsl $ appSettings foundation
   putStrLn @Text "SSL Setup Complete"
+
+  -- certbot renew loop
+  void . forkIO $ forever $ do
+    shouldRenew <- doesSslNeedRenew (sslCertLocation $ appSettings foundation)
+    when shouldRenew $ do
+      putStrLn @Text "Renewing SSL Certs."
+      runReaderT (renewSslCerts (sslCertLocation $ appSettings foundation)) foundation
+    sleep 86_400
+
   startWeb foundation
 startWeb :: RegistryCtx -> IO ()
diff --git a/src/Lib/Ssl.hs b/src/Lib/Ssl.hs
index 7dc8eff..00cadfc 100644
--- a/src/Lib/Ssl.hs
+++ b/src/Lib/Ssl.hs
@@ -9,6 +9,7 @@ import Data.String.Interpolate.IsString
 import System.Directory
 import System.Process
+import Foundation
 import Settings
 -- openssl genrsa -out key.pem 2048
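Review bot: The renew loop added after `putStrLn @Text "SSL Setup Complete"` in the second Application.hs hunk runs under `forkIO` with no exception handling around its body, so if one iteration throws (for instance `system` inside `renewSslCerts` failing to spawn a shell, or an `IOException` from the copy) the forked thread dies, the error goes only to the default uncaught-exception handler, and certificate renewal silently stops for the remaining life of the process while the web server keeps serving an expiring certificate. Since the file already uses `TypeApplications`, a narrow handler inside the `forever` keeps the loop alive and makes the failure visible, e.g. `handle @IOException (\e -> putStrLn @Text "SSL renew iteration failed" >> print e) $ do` wrapping the existing body (`Control.Exception.handle` may need importing, and whatever logging facility the module uses is preferable to `print`). The duplicated `sslCertLocation $ appSettings foundation` would read better bound once, `let cert = sslCertLocation $ appSettings foundation`, before the loop. `startApp` continues past the end of the hunk.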
@@ -45,7 +46,8 @@ doesSslNeedRenew cert = do
   ec <- liftIO $ system [i|openssl x509 -checkend 2592000 -noout -in #{cert}|]
   pure $ ec /= ExitSuccess
-renewSslCerts :: FilePath -> IO ()
+renewSslCerts :: FilePath -> ReaderT RegistryCtx IO ()
 renewSslCerts cert = do
+  domain <- asks $ registryHostname . appSettings
   void . liftIO $ system [i|certbot renew|]
-  void . liftIO $ system [i|cp /etc/letsencrypt/live/beta-registry.start9labs.com/fullchain.pem #{cert}|]
+  void . liftIO $ system [i|cp /etc/letsencrypt/live/#{domain}/fullchain.pem #{cert}|]
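Review bot: `domain` is taken from configuration (`registryHostname`, which settings.yml populates from the `REGISTRY_HOSTNAME` environment variable) and spliced into a command line that `system` hands to `/bin/sh`, so a value containing shell metacharacters is interpreted by the shell rather than used as a path component; the pre-existing `#{cert}` interpolation has the same exposure, and this change widens it from a hard-coded literal to a runtime-configured value. Running the copy without a shell removes that class of problem, e.g. `liftIO $ callProcess "cp" [[i|/etc/letsencrypt/live/#{domain}/fullchain.pem|], cert]` (`System.Process` is already imported above; note `callProcess` raises on a non-zero exit, which the caller's loop would then have to handle), or validate that `domain` matches a hostname grammar before use. Separately, `void` discards both exit codes, so a failed `certbot renew` is followed by copying whatever `fullchain.pem` is on disk and nothing is logged; inspecting the returned `ExitCode` and reporting non-success would make failed renewals visible. The certbot lineage directory is assumed to be named exactly `registryHostname`; the removed line hard-coded `beta-registry.start9labs.com`, so deployments whose lineage name differs from the configured hostname will now copy nothing, silently.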