diff --git a/init-server.py b/init-server.py
index c313ae7..61456a1 100755
--- a/init-server.py
+++ b/init-server.py
@@ -107,7 +107,6 @@ def ledns_writer(hostname, user, port):
 setup_ledns_writer(c)
-
 @cli.command()
 @common_options
 def debug(hostname, user, port):
diff --git a/scripts/ledns/rclone_write.sh b/scripts/ledns/rclone_write.sh
new file mode 100644
index 0000000..f4cd5f6
--- /dev/null
+++ b/scripts/ledns/rclone_write.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+#env > /data/ofm/ledns/env.txt
+
+RENEWED_DOMAINS=direct.openfreemap.org
+RENEWED_LINEAGE=/etc/letsencrypt/live/ofm_ledns
+
+rclone copy -v "$RENEWED_LINEAGE/fullchain.pem" "remote:ofm-secret/ledns/$RENEWED_DOMAINS/ofm_ledns.cert"
+rclone copy -v "$RENEWED_LINEAGE/privkey.pem" "remote:ofm-secret/ledns/$RENEWED_DOMAINS/ofm_ledns.key"
+
diff --git a/ssh_lib/tasks.py b/ssh_lib/tasks.py
index a14c554..e02cee2 100644
--- a/ssh_lib/tasks.py
+++ b/ssh_lib/tasks.py
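Review bot: rclone_write.sh has no error handling, so if the `fullchain.pem` copy fails the script still uploads `privkey.pem` and exits 0, and the caller (the commented `--deploy-hook` in tasks.py suggests certbot) never learns the cert and key on the remote are out of sync; add `set -euo pipefail` after the shebang. The two assignments also overwrite `RENEWED_DOMAINS` and `RENEWED_LINEAGE`, which certbot exports to deploy hooks, so a future second lineage would silently upload the wrong files; prefer defaults that keep the exported values, `RENEWED_DOMAINS="${RENEWED_DOMAINS:-direct.openfreemap.org}"` and `RENEWED_LINEAGE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/ofm_ledns}"`. The commented `#env > /data/ofm/ledns/env.txt` line would dump the hook's full environment to disk if ever re-enabled and should be deleted rather than left in. Since the script is installed with mode 500 and copies a private key, it is worth a header comment stating that it must stay root-owned in a root-owned directory and that `remote:ofm-secret` is expected to be an access-restricted destination.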
@@ -186,37 +186,43 @@ def setup_ledns_writer(c): assert (CONFIG_DIR / 'rclone.conf').exists() rclone(c) + certbot(c) + c.sudo(f'mkdir -p {REMOTE_CONFIG}') put( c, CONFIG_DIR / 'rclone.conf', f'{REMOTE_CONFIG}/rclone.conf', - permissions='600', + permissions=400, ) - return - - c.sudo('mkdir -p /root/.secrets') - put( c, CONFIG_DIR / 'cloudflare.ini', - '/root/.secrets/ofm_ledns_cloudflare.ini', + f'{REMOTE_CONFIG}/cloudflare.ini', permissions=400, ) - # TODO change to /data/ofm/config, owner root - - sudo_cmd( + put( c, - 'certbot certonly ' - '--dns-cloudflare ' - '--dns-cloudflare-credentials /root/.secrets/ofm_ledns_cloudflare.ini ' - '--dns-cloudflare-propagation-seconds 60 ' - '--staging ' - f'--noninteractive -m {le_email} ' - f'--agree-tos ' - f'--cert-name=ofm_ledns ' - f'-d {domain_ledns}', + SCRIPTS_DIR / 'ledns' / 'rclone_write.sh', + '/data/ofm/ledns/rclone_write.sh', + create_parent_dir=True, + permissions=500, ) + + # + # sudo_cmd( + # c, + # 'certbot certonly ' + # '--dns-cloudflare ' + # f'--dns-cloudflare-credentials {REMOTE_CONFIG}/cloudflare.ini ' + # '--dns-cloudflare-propagation-seconds 20 ' + # '--staging ' + # f'--noninteractive -m {le_email} ' + # f'--agree-tos ' + # f'--cert-name=ofm_ledns ' + # f'--deploy-hook /data/ofm/ledns/rclone_write.sh ' + # f'-d {domain_ledns}', + # )
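Review bot: The new `certbot(c)` call installs certbot, but the `certbot certonly … --deploy-hook /data/ofm/ledns/rclone_write.sh …` invocation is now entirely commented out, so after this change setup_ledns_writer uploads credentials and the hook script yet never issues a certificate or registers the hook, and `le_email`/`domain_ledns` (visible only inside the comment) appear unused; either restore the call or replace the ~16 commented lines with a one-line `# TODO: issue cert with certbot certonly + --deploy-hook rclone_write.sh (see git history)` so the dead block does not rot. The commented command also still carries `--staging`, which would produce an untrusted certificate if re-enabled as is. The old `# TODO change to /data/ofm/config, owner root` was dropped, but nothing in the hunk sets ownership of `{REMOTE_CONFIG}/rclone.conf`, `{REMOTE_CONFIG}/cloudflare.ini` or `/data/ofm/ledns/rclone_write.sh`; if `put` does not chown to root (not visible here), a mode-500 hook that certbot runs as root in a directory writable by another user is a privilege-escalation path, so the call sites deserve a comment like `# must be root-owned: executed by certbot (root) as a deploy hook`. The function's `def` line is in the hunk header and its body may continue past the last line shown.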