diff --git a/README.md b/README.md
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..f121ed39365de25212df5d505499cc69704be130 100644
--- a/README.md
+++ b/README.md
@@ -0,0 +1,35 @@
+# Class: geant_acme::server
+
+## server side
+
+the server configuration is defined in hiera as following:
+
+```yaml
+certificates_hash:
+  cert_1.geant.org:
+    ensure: 'present'
+    clients:
+      - 'test-nas01.geant.org'
+      - 'test-jump01.geant.org'
+    verbose: 'yes'
+  cert_2.geant.org:
+    ensure: 'present'
+    multi_domain:
+      - cert_3.geant.org
+      - cert_4.geant.org
+    clients:
+      - 'test-nas01.geant.org'
+      - 'test-jump01.geant.org'
+```
+
+## client side
+
+the client runs a resource as following:
+
+```puppet
+  geant_acme::client { 'postgres.geant.org':
+    cert_owner => 'postgres',
+    cert_group => 'postgres',
+    notify     => Service['postgresql-9.6'];
+  }
+```
diff --git a/files/geant_acme.py b/files/geant_acme.py
index 5b9142bd7e7d09fe1515cebc313ec016dbd03e20..23ff5f35e660c20114b09b89fb1796d8e3c443a8 100755
--- a/files/geant_acme.py
+++ b/files/geant_acme.py
@@ -21,7 +21,7 @@ import requests
 from requests.packages.urllib3.exceptions import InsecureRequestWarning #pylint: disable=E0401
 
 
-BASE_URL = 'https://infoblox.geant.org/wapi/v2.6.1'
+API_URL = 'https://infoblox.geant.org/wapi/v2.6.1'
 SEP = '+' + 72*'-' + '+'
 
 
@@ -44,7 +44,7 @@ def get_reference(iblox_domain, iblox_user, iblox_pw):
     requests.packages.urllib3.disable_warnings(InsecureRequestWarning) #pylint: disable=E1101
     ref_obj = requests.get(
         '{}/record:txt?name=_acme-challenge.{}&_return_as_object=1'.format(
-            BASE_URL, iblox_domain),
+            API_URL, iblox_domain),
         auth=(iblox_user, iblox_pw),
         verify=False
     )
@@ -69,7 +69,7 @@ def delete_challenge(object_reference, iblox_user, iblox_pw):
     """ delete txt record """
     requests.packages.urllib3.disable_warnings(InsecureRequestWarning) #pylint: disable=E1101
     del_req = requests.delete(
-        '{}/{}'.format(BASE_URL, object_reference),
+        '{}/{}'.format(API_URL, object_reference),
         auth=(iblox_user, iblox_pw),
         verify=False
     )
@@ -83,7 +83,7 @@ def create_challenge(iblox_domain, acme_token, iblox_user, iblox_pw):
     print('{}\ncreating challenge _acme-challenge.{}'.format(SEP, iblox_domain))
     requests.packages.urllib3.disable_warnings(InsecureRequestWarning) #pylint: disable=E1101
     post_req = requests.post(
-        '{}/record:txt'.format(BASE_URL),
+        '{}/record:txt'.format(API_URL),
         auth=(iblox_user, iblox_pw),
         data={
             'name': '_acme-challenge.{}'.format(iblox_domain),
diff --git a/manifests/client.pp b/manifests/client.pp
index 96a3361a3e44d64f7ace1ac56252bf095e5e7385..30579f244e5e18430b4dd4543988f9439a3ce669 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -53,7 +53,7 @@ define geant_acme::client (
   exec { 'fix_keydir_permissions':
     path    => '/usr/bin:/usr/sbin:/bin',
     command => "chown ${cert_owner}:${cert_group} ${cert_dir}/private",
-    unless  => "stat -c \"%U%G\" ${cert_dir}/private|grep \"${cert_owner}${cert_group}\"",
+    unless  => "stat -c \"%U%G\" ${cert_dir}/private | grep \"${cert_owner}${cert_group}\"",
     returns => [0, 1],
     require => Package['ca-certificates'];
   }
diff --git a/manifests/files.pp b/manifests/files.pp
index b71651580662878e5c54bd88f6236f50ce33f2e8..595a1c41f245cc616446a9620d87da4550a724cb 100644
--- a/manifests/files.pp
+++ b/manifests/files.pp
@@ -1,22 +1,18 @@
 # == Class: geant_acme::files
 #
 class geant_acme::files (
-  $wrapped_vault_token,
-  $wrapped_puppet_token,
+  $vault_token,
+  $puppet_token,
   $wildcard_domain,
   $redis_host,
   $vault_host,
   $puppetdb_host,
   $puppetdb_port,
   $acme_server,
-  $wrapped_iblox_password,
+  $iblox_password,
   $iblox_user,
 ) {
 
-  $vault_token = unwrap($wrapped_vault_token)
-  $puppet_token = unwrap($wrapped_puppet_token)
-  $iblox_password = unwrap($wrapped_iblox_password)
-
   if $::environment == 'production' {
     file { '/etc/letsencrypt':
       ensure => link,
diff --git a/manifests/server.pp b/manifests/server.pp
index 592b25710bb2b2f9dbf72e15db815194f1ae29e2..0ce91145c56cd8266009ec719481431a49fe7fac 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -28,8 +28,9 @@ class geant_acme::server ($certificates_hash) {
 
     # if there is multi_domain join them as following: 'cert_2.geant.org -d cert_3.geant.org'
     if $certificates_hash[$certificate]['multi_domain'] {
-      $_cert_list = join($certificates_hash[$certificate]['multi_domain'], ' -d ')
-      $cert_list = "${certificate} -d ${_cert_list}"
+      $concat_cert_list = concat($certificates_hash[$certificate]['multi_domain'], $certificate)
+      $unique_cert_list = unique($concat_cert_list)
+      $cert_list = join($concat_cert_list, ' -d ')
     } else {
       $cert_list = $certificate
     }
diff --git a/templates/geant_acme.ini.epp b/templates/geant_acme.ini.epp
index 8b405912610cc312f558e62bc0a000a258c6f4fe..269a9e056f992502bb2584831da739a41535d87a 100644
--- a/templates/geant_acme.ini.epp
+++ b/templates/geant_acme.ini.epp
@@ -1,14 +1,14 @@
 [geant_acme]
 # Infoblox credentials
-iblox_pass = <%= $geant_acme::files::iblox_password %>
+iblox_pass = <%= $geant_acme::files::iblox_password.unwrap %>
 iblox_user = <%= $geant_acme::files::iblox_user %>
 
 # Redis parameters
-redis_token = <%= $geant_acme::files::puppet_token %>
+redis_token = <%= $geant_acme::files::puppet_token.unwrap %>
 redis_host = <%= $geant_acme::files::redis_host %>
 
 # Vault parameters
-vault_token = <%= $geant_acme::files::vault_token %>
+vault_token = <%= $geant_acme::files::vault_token.unwrap %>
 vault_host = <%= $geant_acme::files::vault_host %>
 
 # PuppetDB parameters