diff host/renewSsl.sh @ 2048:59f3a7f3d10b acme-tiny tip

add check for local_https in renewSsl.sh
author Violet7
date Tue, 11 Nov 2025 01:45:02 -0800
parents a4435e2e3417
children
--- a/host/renewSsl.sh	Sun Nov 09 02:38:09 2025 -0800
+++ b/host/renewSsl.sh	Tue Nov 11 01:45:02 2025 -0800
@@ -1,31 +1,48 @@
 #!/bin/bash
 
+set -e
 cd "$1" || exit 1
+
 ROOTPWD=$(pwd)
-
+KEYFILE="$ROOTPWD/local/tiny_account.key"
 for SITEROOT in "$ROOTPWD"/sites/*; do
-	# Skip if not a directory
-	[ -d "$SITEROOT" ] || continue
+  {
+    # Skip if not a directory
+    [ -d "$SITEROOT" ] || continue
 
-	DOMAIN=$(basename "$SITEROOT")
-	echo "Processing domain: $DOMAIN"
-
-	mkdir -p "$SITEROOT/site/.well-known/acme-challenge"
+    DOMAIN=$(basename "$SITEROOT")
+    CSRFILE="$SITEROOT/$DOMAIN.csr"
+    FULLCHAIN="$SITEROOT/fullchain.cer"
+    CHALLENGEDIR="$SITEROOT/site/.well-known/acme-challenge"
+    TMPOUT="/tmp/$DOMAIN.crt"
+    echo "Processing domain: $DOMAIN"
 
-	python3 "$ROOTPWD/acme_tiny.py" \
-		--account-key "$ROOTPWD/local/tiny_account.key" \
-		--csr "$SITEROOT/$DOMAIN.csr" \
-		--acme-dir "$SITEROOT/site/.well-known/acme-challenge" \
-		> "/tmp/$DOMAIN.crt"
+    # local_https.sh does not create a csr file, assume
+    # it is a self-signed local cert if it doesn't exist
+    if [ ! -f "$CSRFILE" ]; then
+      echo "CSR file not found, assuming self-signed and skipping."
+      continue
+    fi
+
+    mkdir -p "$CHALLENGEDIR"
 
-	# check if exists
-	if [ -f "$SITEROOT/fullchain.cer" ]; then
-		mv "$SITEROOT/fullchain.cer" "$SITEROOT/fullchain.cer.old"
-	fi
+    python3 "$ROOTPWD/acme_tiny.py" \
+      --account-key "$KEYFILE" \
+      --csr "$CSRFILE" \
+      --acme-dir "$CHALLENGEDIR" \
+      > "$TMPOUT"
 
-	mv "/tmp/$DOMAIN.crt" "$SITEROOT/fullchain.cer"
+    # check if exists
+    if [ -f "$FULLCHAIN" ]; then
+      mv $FULLCHAIN "$FULLCHAIN.old"
+    fi
 
-	echo "Renewed certificate for $DOMAIN"
+    mv "$TMPOUT" "$FULLCHAIN"
+
+    echo "Renewed certificate for $DOMAIN"
+  } || {
+    echo "Error processing $SITEROOT — skipping."
+  }
 done
 
 sudo /usr/local/bin/nginx -s reload
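Review bot: The `set -e` added at the top has no effect inside the `{ … } || { … }` group, because bash ignores errexit for commands on the left side of `||`. A failed `acme_tiny.py` run therefore still reaches the two `mv` calls and replaces `fullchain.cer` with an empty or partial file before nginx is reloaded, and the "Error processing" branch runs only if the final `echo` fails. Test the renewal explicitly and `continue` before touching the live certificate, as in the fence below. `TMPOUT` is also a predictable name in world-writable `/tmp`, which another local user could pre-create or symlink; a `mktemp` file under `$SITEROOT` avoids that and keeps the final `mv` on one filesystem. The first argument of `mv $FULLCHAIN "$FULLCHAIN.old"` should be quoted like the rest of the script: `mv "$FULLCHAIN" "$FULLCHAIN.old"`.

```shell
    # … unchanged: DOMAIN/CSRFILE/FULLCHAIN/CHALLENGEDIR setup, CSR check, mkdir -p "$CHALLENGEDIR" …

    # mktemp creates the file with mode 0600; chmod afterwards if the previous mode is required
    TMPOUT=$(mktemp "$SITEROOT/fullchain.cer.XXXXXX") || continue

    if ! python3 "$ROOTPWD/acme_tiny.py" \
      --account-key "$KEYFILE" \
      --csr "$CSRFILE" \
      --acme-dir "$CHALLENGEDIR" \
      > "$TMPOUT" || [ ! -s "$TMPOUT" ]; then
      echo "Error processing $SITEROOT — skipping." >&2
      rm -f -- "$TMPOUT"
      continue
    fi

    # … unchanged: back up the existing fullchain.cer, mv "$TMPOUT" "$FULLCHAIN" …
```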