diff --git a/mariadb.yml b/mariadb.yml
index c31de20..a4e53cd 100644
--- a/mariadb.yml
+++ b/mariadb.yml
@@ -71,7 +71,8 @@
           do
             touch ssl/${ssl}.pem
             [ -d ssl/${ssl}.pem ] && rm -r ssl/${ssl}.pem
-
+            
+            # wait if no cert is available
             until [ -s "ssl/${ssl}.pem.new" ]
             do
               cat /home/docker/traefik/letsencrypt/acme.json  | jq -r ".letsencrypt.Certificates[] | select(.domain.main==\"mariadb.{{inventory_hostname}}\") | .${ssl}" | base64 -d >ssl/${ssl}.pem.new
@@ -88,11 +89,14 @@
             fi
           done
 
-          chmod 440 ssl/*.pem
-          chown 999:33 ssl/*.pem
+          # make it readable for mysql user in the container
+          chmod 40 ssl/*.pem
+          chown 999:0 ssl/*.pem
 
+          # restart if new cert ist available
           if [ -n "$new" ]
           then
+            # wait if mariadb is not finished while initializing
             until [ -s "db-data/mysql_upgrade_info" ]
             do
               sleep 5