diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..796f0d2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.vscode
+bin/
diff --git a/Makefile b/Makefile
index 4d8fc8b..f3b902e 100644
--- a/Makefile
+++ b/Makefile
@@ -15,3 +15,7 @@ fmt:
 -v ~/.cache/golangci-lint/$(GOLANGCI_LINT_VERSION):/root/.cache \
 -w /app \
 golangci/golangci-lint:$(GOLANGCI_LINT_VERSION) golangci-lint run --fix
+
+.PHONY: build
+build:
+ GOOS=linux GOARCH=arm CGO_ENABLED=0 go build -o bin/ ./...
diff --git a/internal/certmanager/certmanager.go b/internal/certmanager/certmanager.go
index 978e15d..10b6f48 100644
--- a/internal/certmanager/certmanager.go
+++ b/internal/certmanager/certmanager.go
@@ -3,6 +3,7 @@ package certmanager
 import (
 "context"
 "crypto/x509"
+ "encoding/pem"
 "errors"
 "fmt"
 "os"
@@ -25,11 +26,11 @@ func NewCertManager(ssl *sslpaths.SSLPaths) *CertManager {
 const (
 certDirPerms = 0o755
 certFilePerms = 0o644
- closeToExpire = -7 * 24 * time.Hour
+ week = -7 * 24 * time.Hour
 )
 
 var (
- ErrExpiringSoon = errors.New("connection error")
+ ErrExpiringSoon = errors.New("cert is expiring soon")
 ErrDoesNotExist = errors.New("cert does not exist")
 )
 
@@ -49,14 +50,19 @@ func (c *CertManager) CheckCert() error {
 return fmt.Errorf("failed to read cert file: %w", err)
 }
 
- cert, err := x509.ParseCertificate(b)
+ pBlock, _ := pem.Decode(b)
+ if pBlock == nil {
+ return errors.New("failed to decode cert file")
+ }
+
+ cert, err := x509.ParseCertificate(pBlock.Bytes)
 if err != nil {
- return fmt.Errorf("failed to parse cert: %w", err)
+ return fmt.Errorf("failed to parse cert block: %w", err)
 }
 
- renewIfAfter := time.Now().Add(closeToExpire)
- if cert.NotAfter.After(renewIfAfter) {
- return ErrExpiringSoon
+ remainingTime := time.Until(cert.NotAfter)
+ if remainingTime < week {
+ return fmt.Errorf("cert expriring in %s: %w", remainingTime.String(), ErrExpiringSoon)
 }
 
 return nil
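Review bot: The renewal check in CheckCert still never fires for a cert that is about to expire, because `week` is negative (`-7 * 24 * time.Hour` in the const hunk of this file) while `time.Until(cert.NotAfter)` is positive for a live cert, so `remainingTime < week` is only true once the cert has already been expired for more than seven days. Make the threshold positive, `week = 7 * 24 * time.Hour`, and keep the comparison as written; a cert with less than seven days left (or already expired) then returns ErrExpiringSoon and the caller can regenerate it. The error string also has a typo, `cert expiring in %s: %w`. Since `pem.Decode` only yields the first block, a guard such as `if pBlock == nil || pBlock.Type != "CERTIFICATE"` would reject a file that starts with a key or other block with a clearer message than the x509 parse error. CheckCert opens before this hunk.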
diff --git a/internal/tailscale/client.go b/internal/tailscale/client.go
index a0efc99..bf1e9f9 100644
--- a/internal/tailscale/client.go
+++ b/internal/tailscale/client.go
@@ -3,6 +3,7 @@ package tailscale
 import (
 "context"
 "fmt"
+ "strings"
 
 ts "tailscale.com/client/tailscale"
 )
@@ -16,7 +17,7 @@ func GetDomain(ctx context.Context) (string, error) {
 return "", fmt.Errorf("failed to get status: %w", err)
 }
 
- return statusResp.Self.DNSName, nil
+ return strings.TrimSuffix(statusResp.Self.DNSName, "."), nil
 }
 
 // CertPair generates the cert pair for the given domain
diff --git a/main.go b/main.go
index 656674d..c87d8b3 100644
--- a/main.go
+++ b/main.go
@@ -30,7 +30,7 @@ func main() {
 
 if err := certManager.CheckCert(); err != nil {
 if errors.Is(err, certmanager.ErrDoesNotExist) || errors.Is(err, certmanager.ErrExpiringSoon) {
- slog.Info("cert is missing or expiring soon, generating new cert", "reason", err)
+ slog.Warn("cert is missing or expiring soon, generating new cert", "reason", err)
 
 if err := pikvm.SetFSReadWrite(); err != nil {
 slog.Error("failed filesystem mode change", "error", err)
@@ -39,10 +39,11 @@ func main() {
 
 genCert(ctx, certManager)
 } else {
- slog.Error("failed to check cert", "error", err)
+ slog.Error("failed to check cert", "error", err, "cert_path", ssl.GetCertPath())
 }
 }
 
+ slog.Info("sleeping", "duration", timeToSleep)
 time.Sleep(timeToSleep)
 }
 }
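Review bot: A cert file that cannot be PEM-decoded or parsed still lands in the else branch of the second main.go hunk, because CheckCert now returns a plain `errors.New("failed to decode cert file")` or a wrapped x509 parse error, neither of which matches ErrDoesNotExist or ErrExpiringSoon in the `errors.Is` chain of the first hunk, so on every pass the loop appears to log "failed to check cert" and sleep without ever regenerating. If a corrupt or truncated cert is meant to be replaced like a missing one, have certmanager wrap those two returns in a sentinel (for example a new `ErrInvalidCert`, name to be chosen) and add it to the `errors.Is` chain; if it is meant to stop automatic regeneration, a comment on the else branch saying so would make the intent clear. The added `cert_path` attribute on that log line is a useful aid for whoever has to repair the file by hand. main starts before the first hunk.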