diff --git a/node/acme/manager.go b/node/acme/manager.go
index c04cdee9ee703e1eb354d391de03fab899474a87..d7dcb93c0a01474f29d5ba622e554594a657612b 100644
--- a/node/acme/manager.go
+++ b/node/acme/manager.go
@@ -80,6 +80,12 @@ func NewManager(ctx context.Context, cli *clientv3.Client, email, directoryURL s
 // validation tokens on etcd.
 acmeMgr := NewACME(email, directoryURL, newEtcdKeyStore(cli, keyPath), newEtcdTokenStore(cli))
+ m := &Manager{
+ ACME: acmeMgr,
+ names: certNames,
+ cli: cli,
+ }
+
 // Try to fetch the existing certificate from etcd, or
 // generate a self-signed one.
 cert, rev, err := fetchCert(ctx, cli, certPath)
@@ -92,17 +98,9 @@ func NewManager(ctx context.Context, cli *clientv3.Client, email, directoryURL s
 return nil, fmt.Errorf("failed to create self-signed certificate: %v", err)
 }
 }
- tlsCert, err := cert.TLSCertificate()
- if err != nil {
- return nil, err
- }
- m := &Manager{
- ACME: acmeMgr,
- names: certNames,
- cli: cli,
- cert: cert,
- tlsCert: tlsCert,
+ if err := m.setCert(cert); err != nil {
+ return nil, err
 }
 // Update m.cert using a watcher.
@@ -143,13 +141,15 @@ func (m *Manager) shouldRenew() bool {
 func (m *Manager) renewLoop(ctx context.Context) {
 // Initial delay to stagger concurrent initialization.
- time.Sleep(time.Duration(mrand.Intn(30)) * time.Second)
+ time.Sleep(time.Duration(mrand.Intn(300)) * time.Second)
 for {
 if m.shouldRenew() {
 log.Printf("attempting to renew SSL certificate...")
 if err := m.renew(ctx); err != nil {
 log.Printf("renewal failed: %v", err)
+ } else {
+ log.Printf("successfully renewed SSL certificate")
 }
 }
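Review bot: The `Manager` literal added right after the `NewACME` call leaves `cert` and `tlsCert` unset until `m.setCert(cert)` runs further down `NewManager`, so `m` is a half-initialized value across the fetch/self-signed section and is only safe because nothing reads it before `setCert`. A short comment on the literal would stop a later change from handing `m` out or starting the watcher too early: `// cert and tlsCert are populated by setCert below, once the initial certificate is known.` The struct field alignment cannot be judged from the collapsed text here; run gofmt if it was hand-aligned. `NewManager`'s body continues outside this hunk.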
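Review bot: The error from `m.setCert(cert)` is returned bare, while the self-signed branch three lines above wraps its failure with context (`failed to create self-signed certificate`), so a failure to build the initial TLS certificate surfaces without saying which step broke; `return nil, fmt.Errorf("failed to set initial certificate: %w", err)` would match the surrounding style (use `%v` as the existing message does if the module predates Go 1.13). `setCert` is defined outside this diff, so whether it already adds context or checks the loaded certificate against `names` cannot be verified from here. `NewManager` continues outside the hunk on both sides.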