diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index f61cdf2..01f05e4 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -13,3 +13,4 @@
     x_remote_user: true
     groups:
       - 'sunet-cert'
+    certbot: false
diff --git a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
index ac5eb23..30eaf63 100644
--- a/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
+++ b/global/overlay/etc/puppet/modules/soc/manifests/sso.pp
@@ -18,7 +18,7 @@
 #   If true, EPPN is put in the HTTP header X-Remote-User instead of REMOTE_USER.
 #
 # @param single_user
-#   If true, EPPN is discarded and X-Remote-User is set to "cnaas-user". This is useful in
+#   If true, EPPN is discarded and X-Remote-User is set to "soc-user". This is useful in
 #   cases where the service we reverse proxy for can't create new accounts automatically.
 #   We use this only for Graylog at the time of writing.
 #
@@ -113,7 +113,7 @@ class soc::sso(
 
     file { '/etc/letsencrypt/acme-dns-auth.py':
       ensure  => file,
-      content => file('cnaas/sso/acme-dns-auth.py'),
+      content => file('soc/sso/acme-dns-auth.py'),
       mode    => '0744',
     }