diff --git a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
index d9b3b05638..12ab4e3fc7 100644
--- a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
+++ b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
@@ -59,7 +59,13 @@ if [[ ${1} == "issue" ]]; then
 echo "Valid and current certificate found" >> ${LOG_FILE}
 exit 0
 elif [[ ${_exit_code} == 3 ]]; then
+ # acme.sh really wants to talk to your SAAS DNS API for
+ # you to setup the challenge-reponse and then issue the
+ # cert; the "dns manual mode" requires the odd flags and
+ # also returns a separate error code when issuing a cert.
+ # For our purposes, this is a success.
 echo "Certificate request issued" >> ${LOG_FILE}
+ exit 0
 else
 echo "Unknown failure: ${_exit_code}" >> ${LOG_FILE}
 exit ${_exit_code}
@@ -112,6 +118,7 @@ elif [[ ${1} == "renew" ]]; then
 exit 0
 elif [[ ${_exit_code} == 0 ]]; then
 echo "Certificate renewed" >> ${LOG_FILE}
+ exit 0
 else
 echo "Unknown failure: ${_exit_code}" >> ${LOG_FILE}
 exit ${_exit_code}
@@ -119,6 +126,9 @@ elif [[ ${1} == "renew" ]]; then
 done
 elif [[ ${1} == "selfsign" ]]; then
 # For testing, simulate the key generation
+ # Note as above "arg" is a compound argument where each
+ # request is a space-separated separate string, e.g.
+ # "-d foo.com -d foo1.com" "-d bar.com -d bar1.com"
 shift;
 for arg in "$@"; do
 {
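Review bot: The `exit 0` added to the `== 3` branch makes the driver return the same status for "Valid and current certificate found" and for a request that, going by the new comment, has only reached the manual DNS challenge step. A caller that checks the exit status alone cannot tell that a later renew run is still needed, so a pending request can pass for an installed certificate. Consider logging that explicitly, e.g. `echo "Challenge pending: publish the DNS records, then run renew" >> ${LOG_FILE}`, or returning a distinct documented status that the playbook maps to "changed". The comment also misspells `challenge-reponse`. The enclosing if-chain starts and ends outside the hunk.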
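Review bot: The `exit 0` added after "Certificate renewed" ends the script inside what appears to be a per-request loop, since the `done` closing it is the first context line of the next hunk. With more than one request string, which the comment added in the third hunk describes, only the first is renewed and the rest are skipped without a log entry, so those certificates can expire unnoticed. Replacing the added line with `continue`, or recording a status and exiting once after `done`, keeps the remaining requests processed. The `exit 0` added in the first hunk has the same effect if the issue branch loops the same way. The loop header is outside the hunk.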