diff --git a/.env-sample b/.env-sample index bfd3a82..b4d1335 100644 --- a/.env-sample +++ b/.env-sample @@ -1,4 +1,3 @@ -#!/usr/bin/bash # These env vars get templated into the configs in the respective containers via init scripts. # # If you want to make more customisations then either edit the templates to add more env variables below diff --git a/compose.yml b/compose.yml index 89981d5..1c0816e 100644 --- a/compose.yml +++ b/compose.yml @@ -95,7 +95,7 @@ services: - ${VOLUME_PATH}/data/ssl:/data/ssl entrypoint: "/bin/sh -c 'trap exit TERM; \ while [ -e /etc/letsencrypt/live ]; \ - do certbot --webroot -w /var/www/certbot renew; \ + do sleep 30; certbot --webroot -w /var/www/certbot renew; \ cp /etc/letsencrypt/live/$DOMAIN/*.pem /data/ssl; \ sleep 12h & wait $${!}; \ done;'" diff --git a/init-letsencrypt.sh b/init-letsencrypt.sh index dddb1fa..13dc8e3 100755 --- a/init-letsencrypt.sh +++ b/init-letsencrypt.sh @@ -2,15 +2,15 @@ # taken from https://raw.githubusercontent.com/wmnnd/nginx-certbot/refs/heads/master/init-letsencrypt.sh -set -x +#set -x if ! [ -x "$(command -v docker)" ]; then echo 'Error: docker is not installed.' >&2 exit 1 fi -. .env -domains=$DOMAINS +source .env +domains=("${DOMAINS[@]}") # deep copy the array rsa_key_size=4096 data_path="./data/certbot" read -p "admin email address for letsencrypt: " email diff --git a/setup.sh b/setup.sh index 04d751c..dd67ecd 100755 --- a/setup.sh +++ b/setup.sh @@ -1,7 +1,7 @@ #!/bin/bash set -e -set -x +#set -x # set up data & secrets dir with the right ownerships in the default location # to stop docker autocreating them with random owners. @@ -25,9 +25,8 @@ if [[ ! -e .env ]]; then sed -ir s/example.com/$DOMAIN/ .env # SSL setup - mkdir -p data/certbot/{conf,www} # stop broken binds read -p "Use local mkcert CA for SSL? [y/n] " use_mkcert - if [[ use_mkcert =~ [Yy] ]]; then + if [[ "$use_mkcert" =~ ^[Yy]$ ]]; then if [[ ! -x mkcert ]]; then echo "Please install mkcert from brew/apt/yum etc" exit 
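Review bot: The added `sleep 30` in the renew loop is a fixed delay, presumably to give nginx time to start serving the webroot, and the exit status of `certbot ... renew` on the same line is still ignored, so a failed renewal is silently followed by the `cp` and a 12h sleep. Chaining the copy on success, `do sleep 30; certbot --webroot -w /var/www/certbot renew && \` followed by the existing `cp /etc/letsencrypt/live/$DOMAIN/*.pem /data/ssl; \` line, keeps a failure from being masked, and a short comment explaining why the 30s is needed would help the next reader; polling until the webroot is reachable would be more robust than a fixed sleep. The service this entrypoint belongs to starts outside the hunk.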
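Review bot: `domains=("${DOMAINS[@]}")` only produces a per-domain array if `.env` defines `DOMAINS` with bash array syntax; if it is a plain `DOMAINS=a.example b.example` line (the form compose's own .env parser reads), the expansion yields a one-element array holding the whole string and nothing in the hunk detects it. A guard after `source .env` makes the contract explicit: `[[ "$(declare -p DOMAINS 2>/dev/null)" == 'declare -a'* ]] || { echo 'Error: DOMAINS must be a bash array in .env' >&2; exit 1; }`. The comment `# deep copy the array` overstates it, since bash arrays hold only strings; `# copy so later edits do not touch DOMAINS` says what matters. `source .env` also executes the file as shell, so a comment above it stating that `.env` must be valid bash (not just KEY=value lines) would save a confused user; the script's shebang is outside the hunk, so I cannot confirm it matches the `source` bashism.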
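Review bot: The corrected `if [[ "$use_mkcert" =~ ^[Yy]$ ]]` is immediately followed by `if [[ ! -x mkcert ]]`, which tests for an executable file named `mkcert` in the current directory rather than on PATH, so the install prompt fires even when mkcert is installed; `if ! command -v mkcert >/dev/null 2>&1; then` is the intended check. Two lines above, `sed -ir s/example.com/$DOMAIN/ .env` interpolates `$DOMAIN` unquoted into the sed expression, so a value containing `/` or `&` breaks or corrupts the substitution, and `-ir` is parsed as `-i` with backup suffix `r`, leaving an `.envr` copy behind; `sed -i "s/example\.com/${DOMAIN}/" .env` avoids both. The enclosing `if [[ ! -e .env ]]` block starts and ends outside the hunk.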
@@ -40,10 +39,10 @@ if [[ ! -e .env ]]; then
 cp "$(mkcert -CAROOT)"/rootCA.pem data/ssl/ca-certificates.crt
 # borrow letsencrypt's SSL config
 curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf > "data/ssl/options-ssl-nginx.conf"
- curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "data/ssl/ssl-dhparams.pem"
+ curl -s https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem > "data/ssl/ssl-dhparams.pem"
 else
 read -p "Use letsencrypt for SSL? [y/n] " use_letsencrypt
- if [[ use_letsencrypt =~ [Yy] ]]; then
+ if [[ "$use_letsencrypt" =~ ^[Yy]$ ]]; then
 mkdir -p data/ssl
 touch data/ssl/ca-certificates.crt # will get overwritten by init-letsencrypt.sh
 source ./init-letsencrypt.sh
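Review bot: The changed dhparams line, `curl -s https://raw.githubusercontent.com/.../ssl-dhparams.pem > "data/ssl/ssl-dhparams.pem"` (the visible text is unchanged, so presumably a whitespace fix), still has no `--fail`, so an HTTP error body would be written into the DH-params file — and, on the line above, into the nginx TLS config — with exit status 0, and `set -e` never fires; `curl -sSf --proto '=https' -o "data/ssl/ssl-dhparams.pem" https://raw.githubusercontent.com/certbot/certbot/master/certbot/certbot/ssl-dhparams.pem` fails loudly instead. Both files are fetched from the mutable `master` branch; pinning to a tagged release or commit, or vendoring the two files in the repo, would make the resulting TLS configuration reproducible and reviewable. `source ./init-letsencrypt.sh` runs that script inside setup.sh's shell, so its `exit 1` terminates setup.sh and its variables leak into this scope; if that is not intended, invoking `./init-letsencrypt.sh` isolates it. The enclosing `if [[ ! -e .env ]]` block starts and ends outside the hunk.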