diff --git a/package-lock.json b/package-lock.json
index b9b26d0..3593b6a 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "domcloud-bridge",
-  "version": "0.35.1",
+  "version": "0.36.0",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "domcloud-bridge",
-      "version": "0.35.1",
+      "version": "0.36.0",
       "license": "MIT",
       "dependencies": {
         "axios": "^1.6.3",
diff --git a/package.json b/package.json
index d3f9410..636a9bc 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "domcloud-bridge",
-  "version": "0.35.1",
+  "version": "0.36.0",
   "description": "Deployment runner for DOM Cloud",
   "main": "app.js",
   "engines": {
diff --git a/sudocleanssl.js b/sudocleanssl.js
new file mode 100644
index 0000000..106cf3e
--- /dev/null
+++ b/sudocleanssl.js
@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+
+// stop renewing failed SSL certs if found
+
+import shelljs, { ShellString, cat } from 'shelljs';
+const { exec } = shelljs;
+
+// | DOMAIN NAME | PATH TO CERTIFICATE FILE | VALID UNTIL | EXPIRES IN | STATUS |
+const certsExpiryRegexp = /^\| (\S+)\s+\| (\/.+?)\s+\| (.+?)\s+\| (.*?)\s+\| (\S+)\s+\|$/gm;
+const cmdListCertsExpiry = 'virtualmin list-certs-expiry --all-domains';
+const cmdListCertsRenewals = 'virtualmin list-domains --name-only --with-feature letsencrypt_renew';
+const askDomainDetailPrefix = 'virtualmin list-domains --simple-multiline --domain ';
+
+/**
+ * @param {string} str
+ */
+function cmd(str) {
+    return exec(str, {
+        silent: true,
+        fatal: true,
+    }).stdout.trim();
+}
+
+const listCertsExpiry = cmd(cmdListCertsExpiry).split('\n')
+    .slice(5).map(x => x.match(certsExpiryRegexp)).filter(x => x);
+const listCertsRenewals = cmd(cmdListCertsRenewals).split('\n');
+
+console.log(`Certs currently active: ${listCertsExpiry.length}, domains in active renewal: ${listCertsRenewals.length}`);
+
+let count = 0;
+
+for (const domain of listCertsRenewals) {
+    const expData = listCertsExpiry.find(x => x[1] == domain);
+    if (!expData) {
+        console.error(`Cert info not found for ${domain}`)
+        continue;
+    }
+    if (expData[5] == 'EXPIRED' || (expData[4].includes(' day') && parseInt(expData[4]) < 30)) {
+        const domainDetail = cmd(askDomainDetailPrefix + domain);
+        const lastIssuedDateExp = domainDetail.match(/Lets Encrypt cert issued: (.+)/);
+        const domainFileExp = domainDetail.match(/File: (.+)/);
+        if (lastIssuedDateExp && domainFileExp) {
+            const lastIssuedDate = Date.parse(lastIssuedDateExp[1]);
+            const domainFile = domainFileExp[1];
+            if (Date.now() - lastIssuedDate < 86400000) {
+                console.log(`Disabling renewal for ${domain}`);
+                var c = cat(domainFile).replace('/\nletsencrypt_renew=1/', '');
+                new ShellString(c).to(domainFile);
+                count++;
+            }
+        }
+    }
+}
+
+if (count == 0) {
+    console.log('Done and nothing changed');
+} else {
+    console.log(`Change applied for ${count} domains`);
+    console.log(`Total domains in active renewal: ${cmd(cmdListCertsRenewals).split('\n').length}`)
+}