diff --git a/docker-compose.yml b/docker-compose.yml
index e497f5d..38dbebc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -44,5 +44,5 @@ services:
       - './data/acme-webroot:/srv/http/webroot'
       - './data/letsencrypt/etc:/etc/letsencrypt'
       - './data/letsencrypt/var:/var/lib/letsencrypt'
-    image: certbot/certbot
+    image: certbot/certbot:${LETSENCRYPT_TAG:-latest}
     entrypoint: "/bin/sh -c 'trap exit TERM; sleep 10; while :; do certbot renew -w /srv/http/webroot/ --webroot; sleep 12h & wait $${!}; done;'"
diff --git a/run b/run
index 80fd84b..5350df7 100755
--- a/run
+++ b/run
@@ -27,7 +27,7 @@ source .env
 
 if [ "$USE_TUNNELS" != "true" ]; then
   if [ ! -e ./data/letsencrypt/etc/renewal/chaotic.conf ]; then
-    docker run -p 80:80 -p 443:443 --rm -v "$PWD/data/letsencrypt/etc:/etc/letsencrypt" -v "$PWD/data/letsencrypt/var:/var/lib/letsencrypt" certbot/certbot certonly --standalone --non-interactive --agree-tos --cert-name chaotic -n -m "$EMAIL" -d "$DOMAIN_NAME"
+    docker run -p 80:80 -p 443:443 --rm -v "$PWD/data/letsencrypt/etc:/etc/letsencrypt" -v "$PWD/data/letsencrypt/var:/var/lib/letsencrypt" certbot/certbot:${LETSENCRYPT_TAG:-latest} certonly --standalone --non-interactive --agree-tos --cert-name chaotic -n -m "$EMAIL" -d "$DOMAIN_NAME"
   fi
 elif [ ! -e "./data/cloudflared/home/.cloudflared/cert.pem" ]; then
   docker-compose -f docker-compose-tunnels.yml run --rm cloudflared login