diff --git a/certbotd.sh b/certbotd.sh
index 3065416..8daac84 100755
--- a/certbotd.sh
+++ b/certbotd.sh
@@ -11,26 +11,24 @@ updated=/tmp/certbot.updated
 ensure() {
 test -n "$1" && echo "ok - $1 received, exiting gracefully..." >&2
+ if test -f "${updated}" ; then
+ rm -f "${updated}"
+
+ # Fix permissions, users in group ssl have read access
+ find /etc/letsencrypt -type d | xargs -r chmod 2750
+ find /etc/letsencrypt -type f | xargs -r chmod 640
+ chgrp -R ssl /etc/letsencrypt
+
+ if ! ${SINGLE_NODE:-false}; then
+ for NODE in ${NODES}; do
+ rsync -avHAXL --delete-after /etc/letsencrypt/live/ ${NODE}/ || continue
+ done
+ fi
+ fi
+
+ # Remove the lock after synchronization
 rm -f "${lock}"
- test -f "${updated}" || exit 0
-
- rm -f "${updated}"
-
- # Fix permissions, users in group ssl have read access
- find /etc/letsencrypt -type d | xargs -r chmod 2750
- find /etc/letsencrypt -type f | xargs -r chmod 640
- chgrp -R ssl /etc/letsencrypt
-
- ${SINGLE_NODE:-false} && exit 0
-
- # Push certificates to nodes, we use SSH as a secure transport
- # but this means we're synchronizing from container to host which is
- # awkward. A restricted rsync treats / as the remote location for the
- # certificates.
- for NODE in ${NODES}; do
- rsync -avHAXL --delete-after /etc/letsencrypt/live/ ${NODE}/ || continue
- done
 }
 for SIG in TERM QUIT INT HUP; do
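Review bot: Inside the new `if test -f "${updated}"` block the marker is deleted on its second line, before the permission fix and the rsync fan-out have run, and `rsync ... || continue` (a no-op as the last statement of the loop body) discards every failure silently, so a node whose push fails keeps its old certificates and nothing retries it on the next signal; the failure should be reported on stderr and the marker kept until every node has succeeded, as in the rewrite below. `${SINGLE_NODE:-false}` is executed as a command rather than compared, so any value other than `true`/`false` is run as a program; `if [ "${SINGLE_NODE:-false}" != true ]; then` avoids that, and `"${NODE}/"` should be quoted. The removed comment explaining that the destination is a restricted rsync that treats `/` as the certificate location was the only place that rationale lived; keep it above the new `for NODE in ${NODES}` loop. The `find | xargs chmod` pairs would be safer as `find /etc/letsencrypt -type d -exec chmod 2750 {} +` (no whitespace-splitting of paths). The hunk ends past the close of ensure(), at the `for SIG` loop that installs it as a trap handler.
```shell
  if test -f "${updated}" ; then
    # … unchanged: permission fix and chgrp …
    failed=0
    # Push certificates to nodes over SSH; the restricted rsync on each
    # node treats / as the certificate location.
    if [ "${SINGLE_NODE:-false}" != true ]; then
      for NODE in ${NODES}; do
        rsync -avHAXL --delete-after /etc/letsencrypt/live/ "${NODE}/" \
          || { echo "sync to ${NODE} failed, keeping ${updated} for retry" >&2; failed=1; }
      done
    fi
    # Drop the marker only once every node is current, so a failed push is retried
    [ "${failed}" -eq 0 ] && rm -f "${updated}"
  fi
```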