{
    use strict;
    use warnings;
    use esmith::ConfigDB;
    
    # $domain : current domain name
    # $DomainName : primary domain name
    # $domainname :  domain name related to current host

    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");
    my $domainsDB = esmith::ConfigDB->open_ro('domains')
        or die("can't connect to domains database");
    my $hostsDB = esmith::ConfigDB->open_ro('hosts')
        or die("can't connect to hosts database");
    
    my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' )
        || 'disabled';
    
    return "# letsencrypt is disabled\n" if ( $letsencryptStatus eq 'disabled' ) ;
   
    # if disabled will only ask certs for host pointing to self. 
    # if set otherwise, will try to get one even if host set as remote or local.
    my $hostOverride = $configDB->get_prop( 'letsencrypt', 'hostOverride' )
                        || 'disabled';
 
    my @domains = $domainsDB->keys;
    my @hosts   = $hostsDB->keys;
    
    # Need to check here if we want ALL set if not explicitly disabled
    # all, domains, hosts, both, none
    my $letsencryptConfig = $configDB->get_prop( 'letsencrypt', 'configure' ) || 'none';
    
    # Put Primary domain at top : needs to be the main cert domain.
    my $DomainName = $configDB->get('DomainName')->value;
    my $mainDomainStatus = $domainsDB->get_prop( "$DomainName", 'letsencryptSSLcert' )
        || 'disabled';
    $OUT = "$DomainName " unless $mainDomainStatus eq 'disabled';
    
    foreach my $domain (@domains) {
        
        # If default set to all or domains then do all except if explicitly disabled
        if ( $letsencryptConfig eq 'all' || $letsencryptConfig eq 'domains' ) {
            my $domainEnabled = $domainsDB->get_prop( "$domain", 'letsencryptSSLcert' )
                || 'enabled';
            $OUT .= "$domain " unless ( $domainEnabled eq 'disabled' || $DomainName eq $domain) ;
        }
        # otherwise only do if explicitly enabled
        else {
            my $domainEnabled = $domainsDB->get_prop( "$domain", 'letsencryptSSLcert' )
                || 'disabled';
            if ( $domainEnabled eq 'enabled' ) {
                $OUT .= "$domain " unless $DomainName eq $domain;
            }
        }
        
        # Now check for this domain hosts
        foreach my $fqdn (@hosts) {
            
            # exclude host identical to primary domain, already done
            next if $DomainName eq $fqdn;
            # exclude host identical to current domain, already done
            next if $domain eq $fqdn;

            # overide hostOverride : default disabled do not ask if host is not self
            my $type = $hostsDB->get_prop( "$fqdn", 'HostType' ) || "Self";
            next unless ( $type eq "Self" || $hostOverride eq "yes");

            # check if host related to current domain
            # Lets get the hostname
            my $hostname = $fqdn;
            $hostname =~ s/\..*//;
            # Lets get the domain name
            my $domainname = $fqdn;
            $domainname =~ s/.*?\.//;
            next unless ($domainname eq $domain);
            
            # If we are set to all or hosts just do it
            if ( $letsencryptConfig eq 'all' || $letsencryptConfig eq 'hosts' ) {
                my $hostEnabled = $hostsDB->get_prop( "$fqdn", 'letsencryptSSLcert' )
                    || 'enabled';
                $OUT .= "$fqdn " unless $hostEnabled eq 'disabled';
            }
            else {
                # the same as that in the domains file ?
                my $hostEnabled = $hostsDB->get_prop( "$fqdn", 'letsencryptSSLcert' )
                    || 'disabled';
                $OUT .= "$fqdn " unless $hostEnabled eq 'disabled';
                    
            }
        }
    }
}
