diff --git a/ssl-update.py b/ssl-update.py
index 71968d4..f59ef69 100755
--- a/ssl-update.py
+++ b/ssl-update.py
@@ -42,10 +42,9 @@ systemd_services = {
     'git': 'gitea',
     'plex': 'plexmediaserver',
     'read': 'kavita',
+    'nextcloud': 'php-fpm',
 }
 
-cert_files = ['privkey1.pem', 'fullchain1.pem', 'chain1.pem', 'cert1.pem']
-
 router = 'danknasty'
 router_user = 'luke131'
 router_key = '/root/.ssh/id_autofirewall'
@@ -211,25 +210,32 @@ def main(args):
     cmd = ['/usr/bin/certbot', 'certonly', '--manual', '-d', fqdn]
     log.info(f'certbot cmd: "{" ".join(cmd)}"')
     cb = pexpect.spawnu(' '.join(cmd))
-    res = cb.expect(
-        ['Create a file containing just this data:\r\n\r\n([^\r]+)\r',
-         ('You have an existing certificate that has exactly the '
-          "same domains or certificate name you requested and isn't "
-          'close to expiry'), pexpect.TIMEOUT, pexpect.EOF],
-        timeout=20)
-    if res > 1:
-        sys.exit('Timed out')
-    if res == 1:
-        log.info('Current cert is not yet expired')
-        res = cb.expect_exact(['cancel):', pexpect.TIMEOUT, pexpect.EOF])
-        if res > 0:
-            sys.exit('Timed out in setup with existing cert')
-        cb.sendline('2')
+    cb.logfile = sys.stderr
+    while True:
         res = cb.expect(
             ['Create a file containing just this data:\r\n\r\n([^\r]+)\r',
-             pexpect.TIMEOUT, pexpect.EOF], timeout=20)
-        if res > 1:
+             ('You have an existing certificate that has exactly the '
+              "same domains or certificate name you requested and isn't "
+              'close to expiry'),'\(U\)pdate key type\/\(K\)eep existing key type:',
+             pexpect.TIMEOUT, pexpect.EOF], timeout=20)
+        if res > 2:
             sys.exit('Timed out')
+        if res == 2:
+            cb.sendline('U')
+            continue
+        if res == 1:
+            log.info('Current cert is not yet expired')
+            res = cb.expect_exact(['cancel):', pexpect.TIMEOUT, pexpect.EOF])
+            if res > 0:
+                sys.exit('Timed out in setup with existing cert')
+            cb.sendline('2')
+            res = cb.expect(
+                ['Create a file containing just this data:\r\n\r\n([^\r]+)\r',
+                 pexpect.TIMEOUT, pexpect.EOF], timeout=20)
+            if res > 1:
+                sys.exit('Timed out')
+        if res == 0:
+            break
     data = cb.match.group(1)
     log.info(f'secret data: {data}')
 
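Review bot: After `cb.sendline('2')` the nested `cb.expect` waits only for the challenge prompt, so if certbot raises the `(U)pdate key type/(K)eep existing key type:` question at that point — the very prompt the outer loop was just taught to answer — the run exits with 'Timed out' instead of answering it; replacing that nested expect and its timeout check with a bare `continue` lets the outer `expect` deal with whichever prompt arrives next. The new pattern is a plain (non-raw) string containing `\(`, `\)` and `\/`, which Python treats as invalid escape sequences (a DeprecationWarning or SyntaxWarning depending on version, slated to become an error); write it as `r'\(U\)pdate key type/\(K\)eep existing key type:'`. `cb.logfile = sys.stderr` mirrors the entire certbot session, including the challenge token, into stderr, which under a cron or systemd unit ends up in mail or the journal — fine for debugging, but worth gating on a verbose flag. `main` starts and ends outside this hunk.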
@@ -311,10 +317,12 @@ def main(args):
     os.chown(live, uid, gid)
     log.info(f'live keypath chmodded')
     os.chown(archive, uid, gid)
+    log.info(f'archive keypath chmodded')
 
-    for cert_file in cert_files:
-        os.chown(archive / pathlib.Path(cert_file), uid, gid)
-        log.info(f'{cert_file} chowned to service user')
+    for dirpath, dirnames, filenames in os.walk(archive):
+        os.chown(dirpath, uid, gid)
+        for filename in filenames:
+            os.chown(os.path.join(dirpath, filename), uid, gid)
     log.info(f'chmodded new keys from certbot')
     restart(service)
 
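Review bot: The `os.walk` loop re-owns every file under `archive`, and because `os.chown` follows symlinks by default a link placed inside that tree would re-own its target as well; use `os.chown(os.path.join(dirpath, filename), uid, gid, follow_symlinks=False)` (or `os.lchown`) so only the archive's own entries change. `archive` is defined outside this hunk: if it is the per-lineage directory this hands the service user every `privkeyN.pem` generation for one domain, which the old four-file list already did in effect, but if it were the certbot archive root it would expose every lineage's private keys, so that is worth confirming. The surrounding log messages say 'chmodded' although only ownership changes, and `dirnames` is unused and could be `_`. `main` starts and ends outside this hunk.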