--- a/host/renewSsl.sh	Tue Dec 09 17:41:26 2025 -0800
+++ b/host/renewSsl.sh	Tue Dec 09 17:53:16 2025 -0800
@@ -23,10 +23,11 @@
     [ -d "$SITEROOT" ] || continue
 
     DOMAIN=$(basename "$SITEROOT")
-    CSRFILE="$SITEROOT/$DOMAIN.csr"
-    FULLCHAIN="$SITEROOT/fullchain.cer"
-    CHALLENGEDIR="$SITEROOT/site/.well-known/acme-challenge"
-    TMPOUT="/tmp/$DOMAIN.crt"
+    SSLDIR="$SITEROOT/ssl"
+    CSRFILE="$SSLDIR/$DOMAIN.csr"
+    FULLCHAIN="$SSLDIR/fullchain.cer"
+    CHALLENGEDIR="$SITEROOT/.well-known/acme-challenge"
+    TMPOUT="$SSLDIR/$DOMAIN.crt.tmp"
     echo "Processing domain: $DOMAIN"
 
     # local_https.sh does not create a csr file, assume
@@ -44,9 +45,8 @@
       --acme-dir "$CHALLENGEDIR" \
       >"$TMPOUT"
 
-    wc -c <$TMPOUT
-
     # If TMPOUT is empty, something failed.
+    # Do not modify the current fullchain.
     if [ ! -s "$TMPOUT" ]; then
       echo "Error: $TMPOUT is empty - please see previous output for details.\nContinuing to next domain..."
       rm -f "$TMPOUT"