diff --git a/certbot.sh b/certbot.sh
index 6b03373..729e2ed 100644
--- a/certbot.sh
+++ b/certbot.sh
@@ -31,7 +31,7 @@ case $1 in
 | jq --raw-output .[] \
 | while read name; do
 # If the site name doesn't end with a dot, it's a subdomain
- domain="$(echo "${name}" | sed "s/[^\.]$/&${SUTTY}/")"
+ domain="$(echo "${name}" | sed "s/[^\.]$/&.${SUTTY}/")"
 domain="${domain%.}"
 
 # Skip already existing domains
@@ -45,4 +45,9 @@ case $1 in
 --webroot-path /var/lib/letsencrypt \
 -d "${domain}"
 done
+
+ # Fix permissions, users in group ssl have read access
+ find /etc/letsencrypt -type d | xargs -r chmod 2750
+ find /etc/letsencrypt -type f | xargs -r chmod 640
+ chgrp -R ssl /etc/letsencrypt
 esac
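Review bot: `${SUTTY}` is expanded inside the sed replacement on the changed line, where `&`, `\` and `/` are special, and if the variable is empty the appended dot is stripped again by the following `domain="${domain%.}"`, so certbot would be asked for the bare site name. Plain parameter expansion avoids the subprocess and the escaping and fails loudly on an unset suffix: `case "${name}" in *.) domain="${name%.}" ;; *) domain="${name}.${SUTTY:?}" ;; esac`. The names arrive from the jq output above and reach `-d` without any hostname-shape check, which is worth adding before the certbot call. The loop body starts and ends outside this hunk.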
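Review bot: The three added permission lines cover the whole of /etc/letsencrypt, so group ssl gains read access not only to certificate private keys but also to the ACME account key under `accounts/`, and `chmod 640` removes the execute bit from any scripts in `renewal-hooks/` if this host uses them. Limiting the change to the directories that services actually read keeps the rest root-only, and `-exec … {} +` avoids the whitespace splitting of `find | xargs`: `chgrp -R ssl /etc/letsencrypt/live /etc/letsencrypt/archive`, `find /etc/letsencrypt/live /etc/letsencrypt/archive -type d -exec chmod 2750 {} +`, `find /etc/letsencrypt/live /etc/letsencrypt/archive -type f -exec chmod 640 {} +`. The enclosing case branch starts outside the hunk, so whether renewals re-apply these modes to newly written key files cannot be seen here.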