diff --git a/defaults/main.yml b/defaults/main.yml
index 10b2c59..7e69824 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -75,6 +75,7 @@ haproxy_ssl_bind_options: "force-tlsv12"
 haproxy_ssl_letsencrypt_enable: false
 haproxy_ssl_letsencrypt_email: "example@example.com"
 haproxy_ssl_letsencrypt_download_url: "https://dl.eff.org/certbot-auto"
+haproxy_ssl_letsencrypt_venv: "/opt/eff.org/certbot/venv"
 haproxy_ssl_letsencrypt_config_path: "/etc/letsencrypt/live"
 haproxy_ssl_letsencrypt_install_path: "/opt/letsencrypt"
 haproxy_ssl_letsencrypt_cron_minute: "0"
diff --git a/tasks/haproxy_ssl_letsencrypt.yml b/tasks/haproxy_ssl_letsencrypt.yml
index 1489ae3..ae7ef95 100644
--- a/tasks/haproxy_ssl_letsencrypt.yml
+++ b/tasks/haproxy_ssl_letsencrypt.yml
@@ -35,6 +35,14 @@
     path: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
   register: lcdatadir
 
+- name: Install certbot
+  shell: >
+    PIP_INDEX_URL="https://pypi.org/simple/"
+    {{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}
+    --install-only
+  args:
+    creates: "{{ haproxy_ssl_letsencrypt_venv }}"
+
 - name: Stop haproxy for certbot activity
   service:
     name: "haproxy"
@@ -51,11 +59,12 @@
       --rsa-key-size 4096
       --email {{ haproxy_ssl_letsencrypt_email }}
       --domains {{ external_lb_vip_address }}
-  creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"
+  args:
+    creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001/fullchain.pem"
 
 - name: Create new pem file for haproxy
   assemble:
-    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"
+    src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}-0001"
     dest: "/etc/ssl/private/haproxy.pem"
     regexp: '(privkey|fullchain).pem$'
   notify:
diff --git a/templates/letsencrypt_renew.j2 b/templates/letsencrypt_renew.j2
index b259133..c64b2e5 100644
--- a/templates/letsencrypt_renew.j2
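Review bot: The new `haproxy_ssl_letsencrypt_venv` default is a hidden coupling: the install task's `creates:` guard and the renewal script both resolve through it, yet nothing says it has to be the directory certbot-auto itself decides to create (its built-in default appears to be this same `/opt/eff.org/certbot/venv`, but that is certbot-auto's choice, not this role's). If an operator overrides it to anything else, the install task loses idempotency and the cron renewal points at a binary that does not exist. I would document that above the new line: `# Must match the virtualenv certbot-auto creates (not freely configurable); the install task's creates: guard and letsencrypt_renew.j2 depend on it.`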
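Review bot: The new "Install certbot" task runs the downloaded certbot-auto as root with nothing pinning what actually gets executed: certbot-auto self-upgrades by fetching a fresh copy from dl.eff.org before it does anything unless `--no-self-upgrade` is passed, so the script the earlier download task fetched (that task, and any signature check it may do, is outside this hunk) is not necessarily the one that runs here, and the `PIP_INDEX_URL` override also silently bypasses any pip mirror the host is configured with. Using `shell:` only to prefix an environment variable is unnecessary; `environment:` with `command:` removes the shell from the path entirely. I would rewrite the task as below and pass `--no-self-upgrade` so the role installs exactly the artifact it downloaded.

```yaml
- name: Install certbot
  command: >
    {{ haproxy_ssl_letsencrypt_install_path }}/{{ haproxy_ssl_letsencrypt_download_url | basename }}
    --install-only --no-self-upgrade
  environment:
    PIP_INDEX_URL: "https://pypi.org/simple/"
  args:
    creates: "{{ haproxy_ssl_letsencrypt_venv }}"
```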
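Review bot: Hard-coding the `-0001` suffix in the `creates:` guard and in the assemble `src:` is wrong on a fresh host: certbot only appends `-0001` to a lineage name when `live/<domain>` already exists, so on first run it writes `live/{{ external_lb_vip_address }}/`, the guard never matches, the issuance command (whose task starts above this hunk) re-runs on every play and burns Let's Encrypt's duplicate-certificate rate limit, and the assemble task reads a directory that is not there. The suffix only appears to fit because the author's host already had a stale lineage. The fix is to pin the lineage name instead of chasing it: add `--cert-name {{ external_lb_vip_address }}` to the certbot invocation and keep `creates: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}/fullchain.pem"` and `src: "{{ haproxy_ssl_letsencrypt_config_path }}/{{ external_lb_vip_address }}"` unsuffixed.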
+++ b/templates/letsencrypt_renew.j2
@@ -1,7 +1,7 @@
 #!/bin/bash
 # renew cert if required and copy to haproxy destination
-certbot renew \
+{{ haproxy_ssl_letsencrypt_venv }}/bin/certbot renew \
 --standalone \
 --pre-hook "systemctl stop haproxy" \