diff --git a/cmd/certs.go b/cmd/certs.go
index c9bdacb..4adf076 100644
--- a/cmd/certs.go
+++ b/cmd/certs.go
@@ -85,11 +85,11 @@ func migrateCerts(ctx *cli.Context) error {
 }
 
 func listCerts(ctx *cli.Context) error {
-	certDB, close, err := openCertDB(ctx)
+	certDB, closeFn, err := openCertDB(ctx)
 	if err != nil {
 		return err
 	}
-	defer close()
+	defer closeFn()
 
 	items, err := certDB.Items(0, 0)
 	if err != nil {
@@ -115,11 +115,11 @@ func removeCert(ctx *cli.Context) error {
 
 	domains := ctx.Args().Slice()
 
-	certDB, close, err := openCertDB(ctx)
+	certDB, closeFn, err := openCertDB(ctx)
 	if err != nil {
 		return err
 	}
-	defer close()
+	defer closeFn()
 
 	for _, domain := range domains {
 		fmt.Printf("Removing domain %s from the database...\n", domain)
diff --git a/cmd/main.go b/cmd/main.go
index ff5cfe2..eb22d10 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -74,11 +74,11 @@ func Serve(ctx *cli.Context) error {
 	}
 
 	// Init ssl cert database
-	certDB, close, err := openCertDB(ctx)
+	certDB, closeFn, err := openCertDB(ctx)
 	if err != nil {
 		return err
 	}
-	defer close()
+	defer closeFn()
 
 	keyCache := cache.NewKeyValueCache()
 	challengeCache := cache.NewKeyValueCache()
diff --git a/cmd/setup.go b/cmd/setup.go
index 01cd71c..3d1d6ee 100644
--- a/cmd/setup.go
+++ b/cmd/setup.go
@@ -9,7 +9,7 @@ import (
 	"codeberg.org/codeberg/pages/server/database"
 )
 
-func openCertDB(ctx *cli.Context) (certDB database.CertDB, close func(), err error) {
+func openCertDB(ctx *cli.Context) (certDB database.CertDB, closeFn func(), err error) {
 	if ctx.String("db-type") != "" {
 		log.Trace().Msg("use xorm mode")
 		certDB, err = database.NewXormDB(ctx.String("db-type"), ctx.String("db-conn"))
@@ -35,11 +35,11 @@ The simplest way is, to use './pages certs migrate' and set environment var DB_T
 		}
 	}
 
-	close = func() {
+	closeFn = func() {
 		if err := certDB.Close(); err != nil {
 			log.Error().Err(err)
 		}
 	}
 
-	return certDB, close, nil
+	return certDB, closeFn, nil
 }
diff --git a/server/certificates/certificates.go b/server/certificates/certificates.go
index 62b2e64..98ffe11 100644
--- a/server/certificates/certificates.go
+++ b/server/certificates/certificates.go
@@ -208,7 +208,7 @@ func retrieveCertFromDB(sni, mainDomainSuffix, dnsProvider string, acmeUseRateLi
 
 	tlsCertificate, err := tls.X509KeyPair(res.Certificate, res.PrivateKey)
 	if err != nil {
-		panic(err)
+		log.Error().Err(err).Msgf("could not create tlsCert from key pair: %v", res)
 	}
 
 	// TODO: document & put into own function
@@ -423,7 +423,7 @@ func SetupCertificates(mainDomainSuffix, dnsProvider string, acmeConfig *lego.Co
 	// getting main cert before ACME account so that we can fail here without hitting rate limits
 	mainCertBytes, err := certDB.Get(mainDomainSuffix)
 	if err != nil {
-		return fmt.Errorf("cert database is not working")
+		return fmt.Errorf("cert database is not working: %w", err)
 	}
 
 	acmeClient, err = lego.NewClient(acmeConfig)
@@ -477,7 +477,7 @@ func SetupCertificates(mainDomainSuffix, dnsProvider string, acmeConfig *lego.Co
 func MaintainCertDB(ctx context.Context, interval time.Duration, mainDomainSuffix, dnsProvider string, acmeUseRateLimits bool, certDB database.CertDB) {
 	for {
 		// delete expired certs that will be invalid until next clean up
-		threshold := time.Now().Add(-interval)
+		threshold := time.Now().Add(interval)
 		expiredCertCount := 0
 
 		certs, err := certDB.Items(0, 0)
@@ -515,15 +515,18 @@ func MaintainCertDB(ctx context.Context, interval time.Duration, mainDomainSuffi
 			log.Error().Msgf("Couldn't renew certificate for main domain %q expected main domain cert to exist, but it's missing - seems like the database is corrupted", mainDomainSuffix)
 		} else {
 			tlsCertificates, err := certcrypto.ParsePEMBundle(res.Certificate)
-
-			// renew main certificate 30 days before it expires
-			if tlsCertificates[0].NotAfter.Before(time.Now().Add(30 * 24 * time.Hour)) {
-				go (func() {
-					_, err = obtainCert(mainDomainAcmeClient, []string{"*" + mainDomainSuffix, mainDomainSuffix[1:]}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits, certDB)
-					if err != nil {
-						log.Error().Err(err).Msg("Couldn't renew certificate for main domain")
-					}
-				})()
+			if err != nil {
+				log.Error().Err(fmt.Errorf("could not parse cert for mainDomainSuffix: %w", err))
+			} else {
+				// renew main certificate 30 days before it expires
+				if tlsCertificates[0].NotAfter.Before(time.Now().Add(30 * 24 * time.Hour)) {
+					go (func() {
+						_, err = obtainCert(mainDomainAcmeClient, []string{"*" + mainDomainSuffix, mainDomainSuffix[1:]}, res, "", dnsProvider, mainDomainSuffix, acmeUseRateLimits, certDB)
+						if err != nil {
+							log.Error().Err(err).Msg("Couldn't renew certificate for main domain")
+						}
+					})()
+				}
 			}
 		}
 
diff --git a/server/database/xorm.go b/server/database/xorm.go
index 398df0e..68ff18c 100644
--- a/server/database/xorm.go
+++ b/server/database/xorm.go
@@ -67,10 +67,9 @@ func (x xDB) Get(domain string) (*certificate.Resource, error) {
 
 	cert := new(Cert)
 	log.Trace().Str("domain", domain).Msg("get cert from db")
-	if _, err := x.engine.ID(domain).Get(&cert); err != nil {
+	if found, err := x.engine.ID(domain).Get(cert); err != nil {
 		return nil, err
-	}
-	if cert == nil {
+	} else if !found {
 		return nil, fmt.Errorf("%w: name='%s'", ErrNotFound, domain)
 	}
 	return cert.Raw(), nil