diff --git a/generate-and-sign-cert.sh b/generate-and-sign-cert.sh
index 19e4396..1d1d341 100755
--- a/generate-and-sign-cert.sh
+++ b/generate-and-sign-cert.sh
@@ -2,12 +2,15 @@
 set -e
-ACMEUSER="bw"
-WWWGROUP="www-data"
+ACMEUSER="acmeclient"
+WWWGROUP="ssl-cert"
 CERTS_DIR="$1"
 SUBJ="$2"
 EXT="$3"
+RELOADCMD="$4"
+FORCE="$5"
+TMP_DIR="/tmp"
 if [ -z "$CERTS_DIR" ] || [ -z "$SUBJ" ]; then
 echo "Usage:"
@@ -15,6 +18,8 @@ if [ -z "$CERTS_DIR" ] || [ -z "$SUBJ" ]; then
 echo " /mysite/certs/dir/ \\"
 echo " /CN=mysite.com \\"
 echo " subjectAltName=DNS:mysite.com,DNS:www.mysite.com"
+ echo " ./services-reload.sh"
+ echo " [force]"
 exit 0
 fi
@@ -22,12 +27,19 @@ fi
 BASE_DIR=$(cd `dirname "$0"`; pwd)
 NAME=`date +%Y-%m-%d--%H-%M-%S--%N`
 PREFIX="$CERTS_DIR/$NAME"
+TMP_PREFIX="$TMP_DIR/$NAME"
 if openssl x509 -checkend 864000 -noout -in "$CERTS_DIR/public.crt"; then
 echo " -------------------------------------------- "
 echo " certifiate is actual now ($NAME) "
 echo " -------------------------------------------- "
- exit 0
+ if [ "$FORCE" == "force" ]; then
+ echo " -------------------------------------------- "
+ echo " force renew the certificete "
+ echo " -------------------------------------------- "
+ else
+ exit 0
+ fi
 fi
 echo " -------------------------------------------- "
@@ -41,7 +53,20 @@ openssl req -newkey rsa:4096 -sha512 -nodes \
 -subj "$SUBJ" \
 -reqexts san \
 -config <(echo '[req]'; echo 'distinguished_name=req'; echo '[san]'; echo $EXT)
-sudo -u "$ACMEUSER" "$BASE_DIR/sign-cert.py" "$PREFIX.csr" "$PREFIX.crt"
+
+
+chmod 600 "$PREFIX.key"
+touch "$PREFIX.crt"
+chown "$ACMEUSER":"$ACMEUSER" "$PREFIX.crt"
+
+sudo -u "$ACMEUSER" "$BASE_DIR/sign-cert.py" "$PREFIX.csr" "$TMP_PREFIX.crt"
+cp "$TMP_PREFIX.crt" "$PREFIX.crt"
+rm "$TMP_PREFIX.crt"
+
+
+chown root:root "$PREFIX.crt"
+chmod 644 "$PREFIX.crt"
+
 echo "compare modulus"
 MODULUS_CRT=`openssl x509 -noout -modulus -in "$PREFIX.crt"`
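Review bot: `[ "$FORCE" == "force" ]` uses `==` inside single brackets, which is a bash extension, while the surrounding conditions use POSIX `[ -z ... ]`; `[ "$FORCE" = "force" ]` keeps the script portable if the shebang (outside the hunk) is `/bin/sh`. The new message also misspells the noun: `echo " force renew the certificate "`. Because `FORCE` is only consulted in the "still valid" branch, a fifth argument other than `force` or empty is silently ignored; rejecting it with a usage error next to the existing argument check would make typos visible instead of quietly skipping the renewal.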
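Review bot: `chmod 600 "$PREFIX.key"` runs only after `openssl req` (whose command starts outside the hunk) has already written the private key, so the key exists with the process umask's default mode until then; setting `umask 077` before the `openssl req` line closes that window and makes the later chmod a no-op. The signed certificate is exchanged through `$TMP_PREFIX.crt`, a predictable timestamp-based name under the world-writable `TMP_DIR="/tmp"` from the first hunk, written by `$ACMEUSER` and then copied by root with `cp`; a directory only `$ACMEUSER` can write, or a name from `mktemp`, prevents another local account from pre-creating or replacing that file (the later modulus comparison would catch a substituted certificate, but the run would still fail). The `touch` / `chown "$ACMEUSER":"$ACMEUSER" "$PREFIX.crt"` pair looks left over from the old design in which sign-cert.py wrote `$PREFIX.crt` directly; with the copy in place it only creates a file that `cp` overwrites and `chown root:root` immediately re-owns, so it can be dropped.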
@@ -62,8 +87,9 @@ cd "$CERTS_DIR"
 ln -fs "$NAME.key" "private.key"
 ln -fs "$NAME.crt" "public.crt"
-service nginx configtest
-service nginx reload
+echo "reload services"
+
+"$RELOADCMD"
 echo " -------------------------------------------- "
 echo " done $PREFIX "
diff --git a/sign-cert.py b/sign-cert.py
index afe5772..0ee4601 100755
--- a/sign-cert.py
+++ b/sign-cert.py
@@ -11,10 +11,10 @@ from jwcrypto import jwk, jws
 from jwcrypto.common import base64url_encode
-api_url = 'https://acme-staging-v02.api.letsencrypt.org/directory'
-#api_url = 'https://acme-v02.api.letsencrypt.org/directory'
-api_client_key_file = '/home/bw/work/dev/acmeclient-data/api-client-key.json'
-answers_prefix = '/var/www/html/.well-known/acme-challenge/'
+#api_url = 'https://acme-staging-v02.api.letsencrypt.org/directory'
+api_url = 'https://acme-v02.api.letsencrypt.org/directory'
+api_client_key_file = '/home/acmeclient/acmeclient/api-client-key.json'
+answers_prefix = '/home/acmeclient/acmeclient/challenge/'
 class Session:
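Review bot: `"$RELOADCMD"` is executed with no check that the fourth argument was supplied or points at an executable, and the usage check at the top of the script only validates `$1` and `$2`; under `set -e` an empty or wrong value aborts the script here, after the `private.key` / `public.crt` symlinks have already been switched, so the new certificate is installed but never loaded by the services. Validating it before anything is written, e.g. `[ -x "$RELOADCMD" ] || { echo "reload command not executable: $RELOADCMD" >&2; exit 1; }` next to the existing argument check, fails early instead. The removed `service nginx configtest` was a pre-reload sanity check; whether `./services-reload.sh` performs an equivalent test is not visible here, and a comment above the call, `# RELOADCMD is expected to validate the configuration before reloading`, would record that expectation for whoever writes the reload script.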
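Review bot: Selecting the production endpoint by swapping which `api_url` line is commented out means every staging test requires editing the source, and a stray commit flips live issuance, which is subject to Let's Encrypt rate limits; reading the URL from the environment with the production value as the default — a constructed example: `api_url = os.environ.get('ACME_DIRECTORY_URL', 'https://acme-v02.api.letsencrypt.org/directory')` — keeps the current behaviour and makes the switch explicit (whether `os` is already imported is not visible in the hunk). The same applies to `api_client_key_file` and `answers_prefix`, which now hard-code one account's home directory. `answers_prefix` moved out of the web root to `/home/acmeclient/acmeclient/challenge/`, while HTTP-01 validation is fetched from `/.well-known/acme-challenge/`, so presumably a web-server alias now maps that path to the new directory; a comment on the line, `# must be served by the web server as /.well-known/acme-challenge/`, would record that dependency.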