diff --git a/roles/debian/nginx/templates/vhost_letsencrypt.j2 b/roles/debian/nginx/templates/vhost_letsencrypt.j2 index b3f85d544..342041489 100644 --- a/roles/debian/nginx/templates/vhost_letsencrypt.j2 +++ b/roles/debian/nginx/templates/vhost_letsencrypt.j2 @@ -6,7 +6,9 @@ server { error_log {{ domain.error_log }} {{ domain.error_log_level }}; access_log {{ domain.access_log }} {{ domain.access_log_format | default('main') }}; # Proxy for certbot (LetsEncrypt) - location /.well-known/acme-challenge/ { - proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri; - } + {% if domain.ssl.web_server | default('standalone') == 'standalone' %} + location /.well-known/acme-challenge/ { + proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri; + } + {% endif %} } diff --git a/roles/debian/nginx/templates/vhosts.j2 b/roles/debian/nginx/templates/vhosts.j2 index 68f423926..58344539a 100644 --- a/roles/debian/nginx/templates/vhosts.j2 +++ b/roles/debian/nginx/templates/vhosts.j2 @@ -30,14 +30,15 @@ server { include "/etc/nginx/conf.d/{{ domain.project_type }}"; include "/etc/nginx/conf.d/_common"; {% if domain.ssl is defined and domain.ssl.handling == 'letsencrypt' %} -{% if domain.ssl.web_server | default('standalone') == 'standalone' %} + # Proxy for certbot (LetsEncrypt) location ^~/.well-known/acme-challenge/ { auth_basic off; + {% if domain.ssl.web_server | default('standalone') == 'standalone' %} proxy_pass http://127.0.0.1:{{ domain.ssl.http_01_port }}$request_uri; + {% endif %} } {% endif %} -{% endif %} {% if domain.basic_auth.auth_enabled is defined and domain.basic_auth.auth_enabled %} {% if _profile == 'asg' and domain.is_default is defined and domain.is_default %} diff --git a/roles/debian/ssl/tasks/letsencrypt.yml b/roles/debian/ssl/tasks/letsencrypt.yml index 8d3f26634..ae30d4705 100644 --- a/roles/debian/ssl/tasks/letsencrypt.yml +++ b/roles/debian/ssl/tasks/letsencrypt.yml 
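Review bot: With `domain.ssl.web_server` set to anything other than `standalone`, the new `{% if %}` in vhost_letsencrypt.j2 leaves the HTTP vhost with no handler for `/.well-known/acme-challenge/` at all, and the vhosts.j2 hunk reduces that location to `auth_basic off;` served from whatever `root` the server block inherits; the webroot task this commit adds writes the challenge files to `domain.webroot`, so validation only succeeds if that happens to be the inherited root. An `{% else %}` branch in both templates that serves the challenge directory from the same path certbot writes to, `root {{ domain.webroot }};`, would make the webroot mode self-contained. Whether the server blocks already set `root` to that directory is outside both hunks and should be confirmed.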
@@ -59,7 +59,7 @@
     python_pip_packages:
       packages:
         - name: "certbot-{{ _ssl_web_server }}"
-          when: _ssl_web_server != "standalone" # there is no certbot-standalone package in PyPi
+          when: not (_ssl_web_server == "standalone" or _ssl_web_server == "webroot")
 
 - name: Define SSL base path.
   ansible.builtin.set_fact:
@@ -88,6 +88,10 @@
     - not _letsencrypt_cert.stat.exists
     - _ssl_services | length > 0
 
+- name: Clean up _letsencrypt_domain_string variable .
+  ansible.builtin.set_fact:
+    _letsencrypt_domain_string: ""
+
 - name: Build certificate domains string.
   ansible.builtin.set_fact:
     _letsencrypt_domain_string: "{{ _letsencrypt_domain_string | default('') + ' -d ' + certificate_domain }}"
@@ -96,10 +100,17 @@
     loop_var: certificate_domain
   when: not _letsencrypt_cert.stat.exists
 
-- name: Register certificate bypassing web server if needed.
+- name: Register certificate bypassing web server if needed - standalone.
   ansible.builtin.command: "{{ _venv_path }}/bin/certbot {{ ssl.certbot_register_command }} --cert-name {{ ssl_facts[_ssl_domains[0]].domain }} --http-01-port {{ ssl.http_01_port }} -m {{ ssl.email }} --{{ _ssl_web_server }}{{ _letsencrypt_domain_string }}"
   when:
     - not _letsencrypt_cert.stat.exists
+    - ssl.web_server == "standalone"
+
+- name: Register certificate bypassing web server if needed - webroot.
+  ansible.builtin.command: "{{ _venv_path }}/bin/certbot certonly --webroot -w {{ domain.webroot }} --cert-name {{ ssl_facts[_ssl_domains[0]].domain }} {{ _letsencrypt_domain_string }}"
+  when:
+    - not _letsencrypt_cert.stat.exists
+    - ssl.web_server == "webroot"
 
 - name: Restart services.
   ansible.builtin.service:
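Review bot: The rewritten `when` reads more naturally as a membership test, `when: _ssl_web_server not in ["standalone", "webroot"]`, and the explanatory comment that the old line carried should come back in extended form, e.g. `# standalone and webroot are built into certbot itself; there is no certbot-standalone or certbot-webroot package on PyPI`. The enclosing task starts before this hunk.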
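Review bot: The new task name carries a stray space before its full stop; `- name: Clean up _letsencrypt_domain_string variable.`. With the variable now reset to an empty string ahead of the loop, the `| default('')` in the following Build task is redundant and can be dropped, though keeping it is harmless.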
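Review bot: The two new `when` conditions test `ssl.web_server`, whereas the pip task and the standalone command line itself use `_ssl_web_server`; if `ssl.web_server` is simply unset, the conditional raises an undefined-attribute error instead of falling through to the standalone default the rest of the role assumes, so both should read `- _ssl_web_server == "standalone"` and `- _ssl_web_server == "webroot"`. The webroot command also references `domain.webroot`, a name no other task in this file uses (they read `ssl.*` and `ssl_facts`), so it is likely undefined in this context and the intended variable should be confirmed. It further replaces `{{ ssl.certbot_register_command }}` and `-m {{ ssl.email }}` with a bare `certonly`, so whatever non-interactive, agree-tos and account flags the standalone path passes through are missing here and the command may block or fail under Ansible; mirroring the standalone invocation and only swapping `--{{ _ssl_web_server }}` for `--webroot -w …` would keep the two paths consistent.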
@@ -112,11 +123,10 @@
     - not _letsencrypt_cert.stat.exists
     - _ssl_services | length > 0
 
-# Because of the scripted command each SSL implementation needs it's own uniquely named cron script.
 - name: Create the certbot renewal script.
   ansible.builtin.template:
     src: le_cron.sh.j2
-    dest: "/usr/local/bin/le_cron_{{ ssl_facts[_ssl_domains[0]].domain | regex_replace('\\.', '_') }}.sh"
+    dest: "/usr/local/bin/le_cron.sh"
     owner: root
     group: root
     mode: 0755
diff --git a/roles/debian/ssl/templates/le_cron.sh.j2 b/roles/debian/ssl/templates/le_cron.sh.j2
index 71ba6355a..dba306dd1 100644
--- a/roles/debian/ssl/templates/le_cron.sh.j2
+++ b/roles/debian/ssl/templates/le_cron.sh.j2
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
 
 # Function to send email notification
 send_email_notification() {
@@ -30,7 +30,7 @@ for site in ${SITES[@]}; do
 done
 
 # run certbot and capture the output
-certbot_output=$( {{ _venv_path }}/bin/certbot {{ ssl.certbot_renew_command }} --{{ _ssl_web_server }} --http-01-port {{ ssl.http_01_port }} --expand$SITESSTRING 2>&1 )
+certbot_output=$( {{ _venv_path }}/bin/certbot renew 2>&1 )
 
 # Capture exit code of Certbot command
 certbot_exit_code=$?
@@ -54,3 +54,5 @@ if [ $certbot_exit_code -ne 0 ]; then
 $certbot_output"
     send_email_notification "$recipient" "$subject" "$body"
 fi
+
+/usr/sbin/service nginx reload
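Review bot: Writing every renewal script to the fixed `/usr/local/bin/le_cron.sh` means that, if this task file is included once per SSL entry as the removed comment implies, later inclusions overwrite earlier ones; that is acceptable now that the script calls `certbot renew` for all certificates, but the previously deployed `le_cron_<domain>.sh` files and any cron entries pointing at them (defined outside this hunk) are left in place and will keep running the old per-certificate command. A cleanup step that locates `/usr/local/bin/le_cron_*.sh` with `ansible.builtin.find` and removes the matches, together with their cron entries, would close that gap. The enclosing task list starts before this hunk.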
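Review bot: Switching the shebang to `#!/bin/sh` breaks the script on Debian, where `/bin/sh` is dash: the `for site in ${SITES[@]}; do` loop visible in the `@@ -30` hunk header is bash array syntax that dash rejects with a bad-substitution error, so the renewal never reaches certbot. Either keep `#!/bin/bash`, or, since the new `certbot renew` line in the next hunk no longer consumes `$SITESSTRING`, delete the SITES array and its loop (outside this hunk) so that only POSIX sh constructs remain.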
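Review bot: Plain `certbot renew` drops the `--{{ _ssl_web_server }}`, `--http-01-port {{ ssl.http_01_port }}` and `{{ ssl.certbot_renew_command }}` options the old line passed; certbot records the authenticator and its options in the per-certificate renewal configuration at issuance, so certificates registered by this role should keep renewing, but whatever `ssl.certbot_renew_command` carried (presumably non-interactive or quiet flags) is now gone and should be checked before the cron run is relied on. The surrounding script continues outside the hunk.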
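Review bot: `/usr/sbin/service nginx reload` at the end runs on every cron invocation, including when `certbot_exit_code` is non-zero and when nothing was renewed, and it hard-codes nginx even though the pip task installs `certbot-{{ _ssl_web_server }}` for other web servers. Certbot already provides the right hook for this: `certbot renew --deploy-hook "/usr/sbin/service nginx reload"` runs the reload only for certificates that actually renewed; failing that, guard the line with the exit code, `if [ $certbot_exit_code -eq 0 ]; then /usr/sbin/service nginx reload; fi`.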