diff --git a/files/check_cert.sh b/files/check_cert.sh index b7505aa..727abca 100644 --- a/files/check_cert.sh +++ b/files/check_cert.sh @@ -3,6 +3,10 @@ # this script compares the existing cert against the new cert in vault, and # replaces existing cert only if it is newer and valid. +# TODO serious refactoring to apply DRY +# TODO help / argument checking +# TODO need a force flag - also something that checks if all things match + # function defs get_fingerprint() { openssl x509 -noout -fingerprint -in <(echo "$1") | awk -F= '{print $2}' @@ -15,13 +19,18 @@ get_enddate() { deploy_cert() { NEWCERT=$1 NEWKEY=$2 - EXISTING_CERT_PATH=$3 - EXISTING_KEY_PATH=$4 + NEWCHAIN=$3 + NEWFULLCHAIN=$4 + EXISTING_CERT_PATH=$5 + EXISTING_KEY_PATH=$6 + EXISTING_CHAIN_PATH=$7 + EXISTING_FULLCHAIN_PATH=$8 echo "deploying cert to $EXISTING_CERT_PATH" - #mkdir $EXISTING_CERT_DIR || true #TODO MOVE echo "$NEWCERT" > $EXISTING_CERT_PATH echo "$NEWKEY" > $EXISTING_KEY_PATH + echo "$NEWCHAIN" > $EXISTING_CHAIN_PATH + echo "$NEWFULLCHAIN" > $EXISTING_FULLCHAIN_PATH } @@ -31,6 +40,8 @@ CERT_PREFIX=$2 EXISTING_CERT_DIR="${CERT_PREFIX}/${DOMAIN}" EXISTING_CERT_PATH="${EXISTING_CERT_DIR}/cert.pem" EXISTING_KEY_PATH="${EXISTING_CERT_DIR}/cert.key" +EXISTING_CHAIN_PATH="${EXISTING_CERT_DIR}/chain.pem" +EXISTING_FULLCHAIN_PATH="${EXISTING_CERT_DIR}/fullchain.pem" # variables ONE_WEEK=604800 
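Review bot: deploy_cert now writes four files one after another with plain `>` redirects, the new `echo "$NEWCHAIN" > $EXISTING_CHAIN_PATH` and `echo "$NEWFULLCHAIN" > $EXISTING_FULLCHAIN_PATH` included, so a failure part-way leaves a mismatched set on disk, and if the later comparison keys off cert.pem's fingerprint as the header comment suggests, the next run would treat the new cert as already deployed and never repair the chain files. The redirect targets are also unquoted, so a path containing whitespace silently splits (ShellCheck SC2086), and the key is created with whatever the default umask allows. Staging each value in the target directory and renaming it into place, with an explicit mode, closes all three gaps without changing the eight-positional interface used by the two call sites in the later hunks (`@@ -70,7 +85,7 @@` and `@@ -101,7 +116,7 @@`); those callers should then check deploy_cert's status instead of unconditionally continuing.
```shell
deploy_cert() {
  NEWCERT=$1
  NEWKEY=$2
  NEWCHAIN=$3
  NEWFULLCHAIN=$4
  EXISTING_CERT_PATH=$5
  EXISTING_KEY_PATH=$6
  EXISTING_CHAIN_PATH=$7
  EXISTING_FULLCHAIN_PATH=$8
  echo "deploying cert to $EXISTING_CERT_PATH"
  write_atomic "$NEWCERT" "$EXISTING_CERT_PATH" 0644 || return 1
  write_atomic "$NEWKEY" "$EXISTING_KEY_PATH" 0600 || return 1
  write_atomic "$NEWCHAIN" "$EXISTING_CHAIN_PATH" 0644 || return 1
  write_atomic "$NEWFULLCHAIN" "$EXISTING_FULLCHAIN_PATH" 0644 || return 1
}

# write_atomic CONTENT DEST MODE: stage in DEST's directory, set MODE, rename into place
write_atomic() {
  local tmp
  tmp=$(mktemp -- "${2%/*}/.${2##*/}.XXXXXX") || return 1
  printf '%s\n' "$1" > "$tmp" && chmod -- "$3" "$tmp" && mv -f -- "$tmp" "$2"
}
```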
@@ -39,10 +50,14 @@ TODAY=$(date --iso-8601) NEWCERT_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.pem" NEWKEY_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/cert.key" +NEWCHAIN_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/chain.pem" +NEWFULLCHAIN_VAULT_PATH="/secret/letsencrypt/${DOMAIN}/fullchain.pem" # Get new cert info NEWCERT=$(vault read -field=value $NEWCERT_VAULT_PATH) || exit -1 NEWKEY=$(vault read -field=value $NEWKEY_VAULT_PATH) || exit -1 +NEWCHAIN=$(vault read -field=value $NEWCHAIN_VAULT_PATH) || exit -1 +NEWFULLCHAIN=$(vault read -field=value $NEWFULLCHAIN_VAULT_PATH) || exit -1 NEWCERT_FINGERPRINT=$(get_fingerprint "$NEWCERT") NEWCERT_ENDDATE=$(get_enddate "$NEWCERT") @@ -70,7 +85,7 @@ else then mkdir -p $EXISTING_CERT_DIR fi - deploy_cert "$NEWCERT" "$NEWKEY" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" + deploy_cert "$NEWCERT" "$NEWKEY" "$NEWCHAIN" "$NEWFULLCHAIN" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" "$EXISTING_CHAIN_PATH" "$EXISTING_FULLCHAIN_PATH" exit 0 fi @@ -101,7 +116,7 @@ fi # if we made it this far, the cert looks good, replace it -deploy_cert "$NEWCERT" "$NEWKEY" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" +deploy_cert "$NEWCERT" "$NEWKEY" "$NEWCHAIN" "$NEWFULLCHAIN" "$EXISTING_CERT_PATH" "$EXISTING_KEY_PATH" "$EXISTING_CHAIN_PATH" "$EXISTING_FULLCHAIN_PATH" diff --git a/manifests/common.pp b/manifests/common.pp index 48321da..017aba8 100644 --- a/manifests/common.pp +++ b/manifests/common.pp @@ -7,6 +7,7 @@ class acme_vault::common ( $home_dir = $::acme_vault::params::home_dir, $contact_email = $::acme_vault::params::contact_email, $domains = $::acme_vault::params::domains, + $overrides = $::acme_vault::params::overrides, $vault_token = $::acme_vault::params::vault_token, $vault_addr = $::acme_vault::params::vault_addr, diff --git a/manifests/params.pp b/manifests/params.pp index f53f666..82ac7d0 100644 --- a/manifests/params.pp +++ b/manifests/params.pp 
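Review bot: The chain and fullchain fetched on the new `NEWCHAIN=` and `NEWFULLCHAIN=` lines are never checked against the certificate they will be deployed beside; within this hunk only `$NEWCERT` gets a fingerprint and end date, so a stale or mismatched fullchain.pem in vault would be written out next to a valid cert.pem and the server would present a broken chain. Because `openssl x509` parses the first PEM block of its input, the script's own helper gives a one-line consistency check right after `NEWCERT_FINGERPRINT` is set: `[ "$(get_fingerprint "$NEWFULLCHAIN")" = "$NEWCERT_FINGERPRINT" ] || exit 1`. The vault paths are also expanded unquoted in the `vault read` calls (`$NEWCHAIN_VAULT_PATH`, `$NEWFULLCHAIN_VAULT_PATH`), which only holds up while `$DOMAIN` contains no whitespace or glob characters; quoting them costs nothing.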
@@ -6,6 +6,9 @@ class acme_vault::params { $home_dir = '/home/acme_vault' $contact_email = '' $domains = undef + # overrides is a list of challenge-alias overrides. It defaults to the domain itself. + # see https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode + $overrides = {} # authentication $vault_token = undef diff --git a/manifests/request.pp b/manifests/request.pp index 7e314ea..97dffa6 100644 --- a/manifests/request.pp +++ b/manifests/request.pp @@ -7,6 +7,7 @@ class acme_vault::request ( $home_dir = $::acme_vault::common::home_dir, $contact_email = $::acme_vault::common::contact_email, $domains = $::acme_vault::common::domains, + $overrides = $::acme_vault::common::overrides, $staging = $::acme_vault::params::staging, $staging_url = $::acme_vault::params::staging_url, @@ -87,6 +88,7 @@ END staging => $staging, staging_url => $staging_url, prod_url => $prod_url, + overrides => $overrides, } ) } diff --git a/templates/domain.epp b/templates/domain.epp index e22fb1e..3fb2668 100644 --- a/templates/domain.epp +++ b/templates/domain.epp @@ -7,13 +7,32 @@ --staging \ --server <%= $staging_url %> \ <% } else { -%> ---server <%= $prod_url %> +--server <%= $prod_url %> \ <% } -%> --dns dns_lexicon \ ---dnssleep 600 \ ---domain "<%= $domain %>" \ -<% $domains.each |$d| { -%> ---domain "<%= $d %>" \ +--dnssleep 1800 \ +--domain "<%= $domain %>" --challenge-alias <%= "$domain" %> \ +<% $domains.each |$d| { + # this uses the challenge-alias override if specified, otherwise + # uses the sld.tld of the given domain + if $overrides[$d] { + $ca = $overrides[$d] + } + else { + # we need to calculate the challenge-alias + $ds = split($d, '[.]') + + # we don't want to count the wildcard, so strip it off + if $ds[0] == "*" { + $clean = $ds[1, -1] + } + else { + $clean = $ds[0, -1] + } + $ca = join($clean, ".") + } + -%> +--domain "<%= $d %>" --challenge-alias <%= "${ca}" %> \ <% } -%> > /dev/null && \ <%= $acme_script %> \
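Review bot: The new comment describes `$overrides` as "a list of challenge-alias overrides", but the default added beneath it is an empty hash `{}` and the template looks it up as `$overrides[$d]`, so a reader following the comment would supply an array and get no aliases. Say what the template expects, e.g. `# overrides is a hash mapping a domain to the challenge-alias to use for it; domains not listed fall back to the domain itself.`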
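Review bot: The `--challenge-alias` values on both new `--domain` lines are emitted without shell quotes (`--challenge-alias <%= "$domain" %>` and `--challenge-alias <%= "${ca}" %>`) while the adjacent `--domain` values are double-quoted; since `$ca` can come straight from the `$overrides` hash, an alias containing whitespace or shell metacharacters is re-parsed by the shell that runs the generated script instead of being passed as a single argument. Quoting them the same way, `--challenge-alias "<%= $ca %>"`, keeps the generated command consistent. The template comment also says the fallback is "the sld.tld of the given domain", but `$ds[0, -1]` appears to select index 0 through the end, so the computed alias is the whole domain with only a leading `*` label removed — which is what params.pp documents — and the comment should say so. The surrounding acme.sh invocation starts and ends outside the hunk.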