diff --git a/matrix/element-call/README.md b/matrix/element-call/README.md
index 71b03c6..f032b78 100644
--- a/matrix/element-call/README.md
+++ b/matrix/element-call/README.md
@@ -107,7 +107,7 @@ After=network.target
 Restart=always
 User=www-data
 Group=www-data
-#WorkingDirectory=/opt/lk-jwt-service
+WorkingDirectory=/etc/lk-jwt-service
 EnvironmentFile=/etc/lk-jwt-service/config
 ExecStart=/usr/local/sbin/lk-jwt-service
 
@@ -115,8 +115,7 @@ ExecStart=/usr/local/sbin/lk-jwt-service
 WantedBy=multi-user.target
 ```
 
-Not sure about the `WorkingDirectory`, so it's commented out until it turns
-out to be necessary. We read the options from `/etc/lk-jwt-service/config`,
+We read the options from `/etc/lk-jwt-service/config`,
 which we make read-only for group `www-data` and non-accessible by anyone
 else.
 
@@ -201,7 +200,7 @@ from the outside world.
 
 The certificate files are not in the usual place under
 `/etc/letsencrypt/live`, see [DNS and
-certificate](../coturn/README.md#dnscert) why that is.
+certificate (coturn)](../coturn/README.md#dnscert) why that is.
 
 The `xxx: xxxx` is the key and secret as generated before.
 
diff --git a/matrix/nginx/README.md b/matrix/nginx/README.md
index 16b1f89..122bd59 100644
--- a/matrix/nginx/README.md
+++ b/matrix/nginx/README.md
@@ -41,6 +41,28 @@ certbot certonly --nginx --agree-tos -m system@example.com --non-interactive -d
 Substitute the correct e-mailaddress and FQDN, or course.
 
 
+## Automatic renewal {#certrenew}
+
+Certificates have a limited lifetime, and need to be updated every once in a
+while. This should be done automatically by Certbot, see if `systemctl
+list-timers` lists `certbot.timer`.
+
+However, renewing the certificate means you'll have to restart the software
+that's using it. We have 2 or 3 pieces of software that use certificates:
+[coturn](../cotorun) and/or [LiveKit](../livekit), and [nginx](../nginx).
+
+Coturn/LiveKit are special with regards to the certificate, see their
+respective pages. For nginx it's pretty easy: tell Letsencrypt to restart it
+after a renewal.
+
+You do this by adding this line to the \[renewalparams\] in
+`/etc/letsencrypt/renewal/<certificate name>`:
+
+```
+renew_hook = systemctl try-reload-or-restart nginx
+```
+
+
 # Configuration
 
 Almost all traffic should be encrypted, so a redirect from http to https seems