diff --git a/site-modules/profile/manifests/letsencrypt.pp b/site-modules/profile/manifests/letsencrypt.pp
index 53e4fb01..fedabc55 100644
--- a/site-modules/profile/manifests/letsencrypt.pp
+++ b/site-modules/profile/manifests/letsencrypt.pp
@@ -1,41 +1,43 @@
 # Base configuration for Let's Encrypt
 
 class profile::letsencrypt {
-  include ::profile::letsencrypt::apt_config
-  include ::profile::letsencrypt::gandi_livedns_hook
+  contain ::profile::letsencrypt::apt_config
+  contain ::profile::letsencrypt::gandi_livedns_hook
 
   class {'letsencrypt':
     config => {
       email  => lookup('letsencrypt::account_email'),
       server => lookup('letsencrypt::server'),
-    }
+    },
   }
 
   $certificates = lookup('letsencrypt::certificates', Hash)
 
   $certificates.each |$key, $settings| {
     $domains = $settings['domains']
 
     $deploy_hook = pick($settings['deploy_hook'], 'puppet_export')
 
-    include "::profile::letsencrypt::${deploy_hook}_hook"
+    contain "::profile::letsencrypt::${deploy_hook}_hook"
     $deploy_hook_path = getvar("profile::letsencrypt::${deploy_hook}_hook::hook_path")
     $deploy_hook_extra_opts = getvar("profile::letsencrypt::${deploy_hook}_hook::hook_extra_opts")
 
     File[$deploy_hook_path]
     -> ::letsencrypt::certonly {$key:
       * => deep_merge({
         domains         => $domains,
         custom_plugin   => true,
         additional_args => [
           '--authenticator manual',
           '--preferred-challenges dns',
           '--manual-public-ip-logging-ok',
           "--manual-auth-hook '${::profile::letsencrypt::gandi_livedns_hook::hook_path} auth'",
           "--manual-cleanup-hook '${::profile::letsencrypt::gandi_livedns_hook::hook_path} cleanup'",
           "--deploy-hook '${deploy_hook_path}'",
         ],
-      }, $deploy_hook_extra_opts)
-    } -> Profile::Letsencrypt::Certificate <| title == $key |>
+      }, $deploy_hook_extra_opts),
+    }
   }
+
+  Letsencrypt::Certonly <| |> -> Profile::Letsencrypt::Certificate <| |>
 }