diff --git a/site-cookbooks/kosmos-dirsrv/resources/instance.rb b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
index 7faf1cd..79c5b5d 100644
--- a/site-cookbooks/kosmos-dirsrv/resources/instance.rb
+++ b/site-cookbooks/kosmos-dirsrv/resources/instance.rb
@@ -157,16 +157,16 @@ done
     end
 
     nginx_certbot_site new_resource.hostname do
-      notifies :run, "execute[letsencrypt cert for #{domain}]", :delayed
+      notifies :run, "execute[letsencrypt cert for #{new_resource.hostname}]", :delayed
     end
 
     # Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
     # has been generated before. The renew cron will take care of renewing
-    execute "letsencrypt cert for #{domain}" do
-      command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{domain} -n"
+    execute "letsencrypt cert for #{new_resource.hostname}" do
+      command "/usr/bin/certbot certonly --webroot --agree-tos --email ops@kosmos.org --webroot-path #{root_directory} --deploy-hook /etc/letsencrypt/renewal-hooks/deploy/dirsrv -d #{new_resource.hostname} -n"
       only_if do
-        ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{domain}_certbot") &&
-          !::File.exist?("/etc/letsencrypt/live/#{domain}/fullchain.pem")
+        ::File.exist?("#{node['nginx']['dir']}/sites-enabled/#{new_resource.hostname}_certbot") &&
+          !::File.exist?("/etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem")
       end
       notifies :run, "execute[add tls config]", :immediately
     end