diff --git a/src/cert_store.rs b/src/cert_store.rs
index eca39b9..a2f67ec 100644
--- a/src/cert_store.rs
+++ b/src/cert_store.rs
@@ -87,6 +87,9 @@ impl CertStore {
 		info!("Renewing certificate for {}", domain);
 
 		// ---- Acquire lock ----
+		// the lock is acquired for fifteen minutes,
+		// so that in case of an error we won't retry before
+		// that delay expires
 
 		let lock_path = format!("renew_lock/{}", domain);
 		let lock_name = format!("tricot/renew:{}@{}", domain, self.consul.local_node.clone());
@@ -94,12 +97,14 @@ impl CertStore {
 			.consul
 			.create_session(&ConsulSessionRequest {
 				name: lock_name.clone(),
-				node: Some(self.consul.local_node.clone()),
-				lock_delay: Some("30s".into()),
-				ttl: Some("1m".into()),
+				node: None,
+				lock_delay: Some("15m".into()),
+				ttl: Some("30m".into()),
 				behavior: Some("delete".into()),
 			})
 			.await?;
+		debug!("Lock session: {}", session);
+
 		if !self
 			.consul
 			.acquire(&lock_path, lock_name.clone().into(), &session)
@@ -141,7 +146,7 @@ impl CertStore {
 			let chall = auths[0].http_challenge().unwrap();
 			let chall_key = format!("challenge/{}", chall.http_token());
 			self.consul
-				.kv_put(&chall_key, chall.http_proof()?.into())
+				.acquire(&chall_key, chall.http_proof()?.into(), &session)
 				.await?;
 
 			info!("Validating challenge");