diff --git a/certbot.sh b/certbot.sh
index a382ef8..be8e570 100644
--- a/certbot.sh
+++ b/certbot.sh
@@ -44,6 +44,9 @@ case $1 in
 # Skip already existing domains
 test -d "/etc/letsencrypt/live/${d}" && continue
 
+ # Ignore non local domains
+ nslookup "${d}" 8.8.8.8 | grep -q "${SUTTY_ADDRESS}" || continue
+
 # Get the certificate for the domain, the webserver will need
 # access to this directory
 /usr/bin/certbot certonly --email "certbot@${SUTTY}" \
@@ -53,9 +56,16 @@ case $1 in
 -d "${d}"
 done
 done
-
- # Fix permissions, users in group ssl have read access
- find /etc/letsencrypt -type d | xargs -r chmod 2750
- find /etc/letsencrypt -type f | xargs -r chmod 640
- chgrp -R ssl /etc/letsencrypt
 esac
+
+ # Fix permissions, users in group ssl have read access
+ find /etc/letsencrypt -type d | xargs -r chmod 2750
+ find /etc/letsencrypt -type f | xargs -r chmod 640
+ chgrp -R ssl /etc/letsencrypt
+
+ # Push certificates to nodes, we use SSH as a secure transport
+ # but this means we're synchronizing from container to host which is
+ # awkward.
+ for NODE in ${NODES}; do
+ rsync -avHAX --delete-after /etc/letsencrypt/ ${NODE}:/srv/sutty/etc/letsencrypt/
+ done
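Review bot: The new nslookup check matches `${SUTTY_ADDRESS}` as an unanchored regex against the whole nslookup output, so an address such as 10.0.0.1 also matches 10.0.0.10 or 110.0.0.1, and an unset or empty SUTTY_ADDRESS turns the test into `grep -q ""`, which succeeds for every domain and defeats the filter entirely. Compare the resolved addresses exactly instead: `nslookup "${d}" 8.8.8.8 | awk '/^Address/ { print $2 }' | grep -qxF -- "${SUTTY_ADDRESS}" || continue`, and assert the variable before the loop with `: "${SUTTY_ADDRESS:?SUTTY_ADDRESS must be set}"`. This assumes nslookup prints one `Address:` line per answer, which is the usual format but worth confirming on the image in use. The enclosing `case` arm and its `for` loops start and end outside this hunk.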
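Review bot: The rsync loop at the end of the hunk is the step that now copies private keys to every node, but `${NODE}` is unquoted and a failed transfer is silently ignored, so one unreachable or mistyped entry in NODES leaves that node on stale certificates with nothing in the logs, and because `--delete-after` acts on the remote store, a wrong entry would prune whatever lives at that path on the wrong host. Quote the target and fail loudly per node: `rsync -avHAX --delete-after /etc/letsencrypt/ "${NODE}:/srv/sutty/etc/letsencrypt/" || echo "certbot: push to ${NODE} failed" >&2`. Since the container's SSH identity can now write to each host, it is worth restricting that key on the nodes (an `authorized_keys` `command=` wrapper such as rrsync limited to /srv/sutty/etc/letsencrypt/) and saying so in the comment above the loop. Note also that `-a` preserves the `ssl` group, which rsync maps by name unless told otherwise, so the group read access set just above only holds on nodes that have an `ssl` group — presumably they do, but a one-line comment stating that requirement would help the next operator. The `case` whose `esac` appears in the hunk starts outside it.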