diff --git a/ansible/roles/galaxy_labs_engine/tasks/certbot.yml b/ansible/roles/galaxy_labs_engine/tasks/certbot.yml
index 59d5364..bff2e5e 100644
--- a/ansible/roles/galaxy_labs_engine/tasks/certbot.yml
+++ b/ansible/roles/galaxy_labs_engine/tasks/certbot.yml
@@ -48,15 +48,15 @@
       register: certbot_certificates
       tags: certbot
 
+  always:
     - name: setup certbot renew cron job
       cron:
         name: "certbot-renew"
         minute: "0"
         hour: "0"
-        job: "cd {{ config_root }} && docker compose --profile certbot run --rm certbot renew"
-      tags: certbot
+        job: "sudo certbot renew --webroot --webroot-path /var/www/certbot/"
+      when: certbot_ssl
 
-  always:
     - name: run docker compose down
       shell: >
         docker compose --profile certbot down
diff --git a/ansible/roles/galaxy_labs_engine/tasks/main.yml b/ansible/roles/galaxy_labs_engine/tasks/main.yml
index 66776ff..557ec2d 100644
--- a/ansible/roles/galaxy_labs_engine/tasks/main.yml
+++ b/ansible/roles/galaxy_labs_engine/tasks/main.yml
@@ -4,6 +4,12 @@
   ansible.builtin.apt:
     update_cache: yes
 
+- name: install cerbot
+  ansible.builtin.apt:
+    name: certbot
+    state: present
+  tags: always
+
 - name: Docker pull labs-engine image
   ansible.builtin.docker_image:
     name: "{{ labs_engine_docker_image }}"
diff --git a/app/app/settings/prod.py b/app/app/settings/prod.py
index 3415df1..7f34f14 100644
--- a/app/app/settings/prod.py
+++ b/app/app/settings/prod.py
@@ -27,6 +27,10 @@
         (ADMIN_NAME, ADMIN_EMAIL),
     ]
 
+CSRF_TRUSTED_ORIGINS = [
+    f"https://{HOSTNAME}",
+]
+
 # Use manifest to manage static file versions for cache busting:
 STORAGES = {
     "default": {