diff --git a/src/cert/acme.js b/src/cert/acme.js
index edc5ee447..aae454db0 100644
--- a/src/cert/acme.js
+++ b/src/cert/acme.js
@@ -398,14 +398,8 @@ Acme.prototype.acmeFlow = function (domain, callback) {
 
 function getCertificate(domain, options, callback) {
     assert.strictEqual(typeof domain, 'string');
-
-    if (typeof options === 'function') {
-        callback = options;
-        options = { };
-    } else {
-        assert.strictEqual(typeof options, 'object');
-        assert.strictEqual(typeof callback, 'function');
-    }
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
 
     var outdir = paths.APP_CERTS_DIR;
     var certUrl = safe.fs.readFileSync(path.join(outdir, domain + '.url'), 'utf8');
diff --git a/src/cert/caas.js b/src/cert/caas.js
index fd58f9c1f..b87ec6f32 100644
--- a/src/cert/caas.js
+++ b/src/cert/caas.js
@@ -7,8 +7,9 @@ exports = module.exports = {
 var assert = require('assert'),
 	debug = require('debug')('box:cert/caas.js');
 
-function getCertificate(domain, callback) {
+function getCertificate(domain, options, callback) {
 	assert.strictEqual(typeof domain, 'string');
+	assert.strictEqual(typeof options, 'object');
 	assert.strictEqual(typeof callback, 'function');
 
     debug('getCertificate: using fallback certificate', domain);
diff --git a/src/certificates.js b/src/certificates.js
index 1fdb8eaa8..f1b168472 100644
--- a/src/certificates.js
+++ b/src/certificates.js
@@ -61,7 +61,10 @@ function getApi(callback) {
 
         var api = tlsConfig.provider === 'caas' ? caas : acme;
 
-        callback(null, api);
+        var options = { };
+        options.prod = tlsConfig.provider.match(/.*-prod/ !== null);
+
+        callback(null, api, options);
     });
 }
 
@@ -110,14 +113,14 @@ function autoRenew(callback) {
 
     debug('autoRenew: %j needs to be renewed', certs);
 
-    getApi(function (error, api) {
+    getApi(function (error, api, apiOptions) {
         if (error) return callback(error);
 
         async.eachSeries(certs, function iterator(cert, iteratorCallback) {
             var domain = cert.match(/^(.*)\.cert$/)[1];
             if (domain === 'host') return iteratorCallback(); // cannot renew fallback cert
 
-            api.getCertificate(domain, function (error) {
+            api.getCertificate(domain, apiOptions, function (error) {
                 if (error) debug('autoRenew: could not renew cert for %s', domain, error);
 
                 iteratorCallback(); // move on to next cert
@@ -224,12 +227,12 @@ function ensureCertificate(domain, callback) {
         debug('ensureCertificate: %s cert require renewal', domain);
     }
 
-    getApi(function (error, api) {
+    getApi(function (error, api, apiOptions) {
         if (error) return callback(error);
 
         debug('ensureCertificate: getting certificate for %s', domain);
 
-        api.getCertificate(domain, function (error, certFilePath, keyFilePath) {
+        api.getCertificate(domain, apiOptions, function (error, certFilePath, keyFilePath) {
             if (error) {
                 debug('ensureCertificate: could not get certificate. using fallback certs', error);
                 return callback(null, 'cert/host.cert', 'cert/host.key'); // use fallback certs