diff --git a/letsencrypt/config.sls b/letsencrypt/config.sls
index 4cdce14..c1cee5d 100644
--- a/letsencrypt/config.sls
+++ b/letsencrypt/config.sls
@@ -13,7 +13,10 @@ letsencrypt-config-directory:
 letsencrypt-config:
   file.managed:
     - name: {{ letsencrypt.config_dir.path }}/cli.ini
+    - template: jinja
+    - source: salt://letsencrypt/files/cli.ini.jinja
     - user: {{ letsencrypt.config_dir.user }}
     - group: {{ letsencrypt.config_dir.group }}
     - makedirs: true
-    - contents_pillar: letsencrypt:config
+    - context:
+        config: {{ letsencrypt.config | json }}
diff --git a/letsencrypt/defaults.yaml b/letsencrypt/defaults.yaml
index 477a396..aa9b661 100644
--- a/letsencrypt/defaults.yaml
+++ b/letsencrypt/defaults.yaml
@@ -4,7 +4,7 @@
 letsencrypt:
   use_package: true
   pkgs:
-    - python-certbot-apache
+    - python3-certbot-apache
   service: certbot.timer
   # Only used for the git install method (use_package: false)
   cli_install_dir: /opt/letsencrypt
@@ -17,6 +17,12 @@ letsencrypt:
     user: root
     group: root
     mode: 755
+  config:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    agree-tos: true
+    keep-until-expiring: true
+    expand: true
+    max-log-backups: 0
   # The post_renew cmds are executed via renew_letsencrypt_cert.sh after every
   # run. For more fine grain control, consider placing scripts in the pre,
   # post, and/or deploy directories within /etc/letsencrypt/renewal-hooks/. For
diff --git a/letsencrypt/files/cli.ini.jinja b/letsencrypt/files/cli.ini.jinja
new file mode 100644
index 0000000..c594421
--- /dev/null
+++ b/letsencrypt/files/cli.ini.jinja
@@ -0,0 +1,11 @@
+########################################################################
+# File managed by Salt at <{{ source }}>.
+# Your changes will be overwritten.
+########################################################################
+{%- if config is string %}
+{{ config }}
+{%- else %}
+  {%- for k, v in config.items() %}
+{{ k }} = {{ v }}
+  {%- endfor %}
+{%- endif %}
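Review bot: The new `- context:` passes `letsencrypt.config` through `| json` with no explanation, and nothing in the state says that `config` may be either a mapping or a legacy multi-line string — that contract only becomes visible inside cli.ini.jinja. A comment above `- context:` would carry it, e.g. `# config is a mapping (rendered as key = value) or a legacy string (written verbatim); | json keeps either shape intact inside the YAML state`. Since defaults.yaml now ships its own `config` mapping in this commit, pillar values are presumably merged over those defaults rather than replacing them, which is worth stating in the same comment if that is intended.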
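Review bot: `agree-tos: true` in the new `config` defaults accepts the Let's Encrypt subscriber agreement for every minion the formula touches without the operator stating it in pillar, whereas the removed `contents_pillar` flow only did so when the pillar string contained it. Consider leaving `agree-tos` out of defaults.yaml (pillar.example already sets it) or at least commenting the line: `# accepts the LE subscriber agreement on the operator's behalf; override from pillar if unwanted`. Defaulting `server` to the production v02 directory also means a minion with no pillar `config` at all now gets a working production cli.ini, where the old `contents_pillar: letsencrypt:config` would, I believe, have failed on the missing pillar — that behaviour change deserves a line in the comment too.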
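Review bot: `{{ k }} = {{ v }}` in the mapping branch renders whatever Python object the pillar value loads as, so a list value would come out as a Python repr like `['a', 'b']` and a YAML `true` comes out as `True`; certbot tolerates the latter (the old example used `agree-tos = True`) but not the former. If multi-valued options are meant to be supported, joining them is a one-liner, `{{ k }} = {{ v | join(', ') if v is not string and v is iterable else v }}` — certbot reads such options comma-separated, as far as I recall. Otherwise a comment on the `for` line stating that only scalar values are supported would make the limitation explicit.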
diff --git a/letsencrypt/map.jinja b/letsencrypt/map.jinja
index 3a88039..94bec05 100644
--- a/letsencrypt/map.jinja
+++ b/letsencrypt/map.jinja
@@ -4,13 +4,18 @@
 {#- Start with defaults from defaults.sls #}
 {% import_yaml 'letsencrypt/defaults.yaml' as defaults %}
 {% import_yaml 'letsencrypt/osfamilymap.yaml' as osfamilymap %}
+{% import_yaml 'letsencrypt/osmap.yaml' as osmap %}
 {% set letsencrypt = salt['grains.filter_by'](
     defaults,
     merge = salt['grains.filter_by'](
         osfamilymap,
         grain='os_family',
-        merge = salt['pillar.get']('letsencrypt', {}),
+        merge=salt['grains.filter_by'](
+            osmap,
+            grain='os',
+            merge = salt['pillar.get']('letsencrypt', {}),
+        ),
     ),
     base='letsencrypt') %}
diff --git a/letsencrypt/osfamilymap.yaml b/letsencrypt/osfamilymap.yaml
index 4016d69..11531bc 100644
--- a/letsencrypt/osfamilymap.yaml
+++ b/letsencrypt/osfamilymap.yaml
@@ -2,6 +2,4 @@
 # vim: ft=yaml
 ---
 RedHat:
-  pkgs:
-    - python2-certbot-apache
   service: certbot-renew.timer
diff --git a/letsencrypt/osmap.yaml b/letsencrypt/osmap.yaml
new file mode 100644
index 0000000..dedbc74
--- /dev/null
+++ b/letsencrypt/osmap.yaml
@@ -0,0 +1,16 @@
+# -*- coding: utf-8 -*-
+# vim: ft=yaml
+#
+# Setup variables using grains['os'] based logic.
+# You just need to add the key:values for an `os` that differ
+# from `defaults.yaml` + `osarch.yaml` + `os_family.yaml`.
+# Only add an `os` which is/will be supported by the formula.
+#
+# If you do not need to provide defaults via the `os` grain,
+# you will need to provide at least an empty dict in this file, e.g.
+# osmap: {}
+---
+# os_family: RedHat
+Amazon:
+  pkgs:
+    - python2-certbot-apache
diff --git a/pillar.example b/pillar.example
index 4c4c7e6..14609ad 100644
--- a/pillar.example
+++ b/pillar.example
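Review bot: The new `merge=salt['grains.filter_by'](` line drops the spaces around `=` that the outer `merge = salt['grains.filter_by'](` and the new inner `merge = salt['pillar.get']('letsencrypt', {}),` keep, so the three nested calls in one expression are now written in two keyword styles. Pick one — `merge=...` matches the adjacent `grain='os'` — and apply it to all three lines. The `{#- Start with defaults from defaults.sls #}` context line above still names a file that is not what is imported, so `{#- Start with defaults from defaults.yaml #}` would be worth fixing while this block is being touched.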
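Review bot: The header comment claims values here override `defaults.yaml` + `osarch.yaml` + `os_family.yaml`, but this commit's map.jinja imports only `defaults.yaml`, `osfamilymap.yaml` and `osmap.yaml`, so two of the named files do not exist under those names in this formula. Rewording to `# from defaults.yaml + osfamilymap.yaml.` keeps the comment truthful. The `osmap: {}` example does not match the document's actual shape either — map.jinja hands the whole document to `grains.filter_by` as the lookup table keyed by `os` values (`Amazon:`) — so the accurate empty-file example is `# {}` after the `---`.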
@@ -15,13 +15,27 @@ letsencrypt:
   # have specific version of certbot you can enable it. The version value
   # should match a certbot/certbot branch.
   version: 0.30.x
-  config: |
-    server = https://acme-v01.api.letsencrypt.org/directory
-    email = webmaster@example.com
-    authenticator = webroot
-    webroot-path = /var/lib/www
-    agree-tos = True
-    renew-by-default = True
+  # Any parameter from the cli can be specified in the config file
+  # check https://certbot.eff.org/docs/using.html#configuration-file
+  config:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: webmaster@example.com
+    authenticator: webroot
+    webroot-path: /var/lib/www
+    agree-tos: true
+    keep-until-expiring: true
+    expand: true
+  # For backward compatibility, config can be passed as a string
+  # (although it's discouraged, as this format might be dropped in a future
+  # release)
+  # config: |
+  #   server = https://acme-v01.api.letsencrypt.org/directory
+  #   email = webmaster@example.com
+  #   authenticator = webroot
+  #   webroot-path = /var/lib/www
+  #   agree-tos = True
+  #   keep-until-expiring = True
+  #   expand = True
   config_dir:
     path: /etc/letsencrypt
     user: root
diff --git a/test/integration/deb/controls/letsencrypt_spec.rb b/test/integration/deb/controls/letsencrypt_spec.rb
index 22f300e..d41d800 100644
--- a/test/integration/deb/controls/letsencrypt_spec.rb
+++ b/test/integration/deb/controls/letsencrypt_spec.rb
@@ -14,6 +14,7 @@
       should match 'server = https://acme-staging.api.letsencrypt.org/directory'
     end
     its('content') { should match 'authenticator = webroot' }
+    its('content') { should match 'File managed by Salt' }
   end
   describe file('/usr/bin/letsencrypt') do
diff --git a/test/integration/git/controls/letsencrypt_spec.rb b/test/integration/git/controls/letsencrypt_spec.rb
index aee0b47..ba619e6 100644
--- a/test/integration/git/controls/letsencrypt_spec.rb
+++ b/test/integration/git/controls/letsencrypt_spec.rb
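Review bot: The commented-out legacy example still points at `acme-v01.api.letsencrypt.org`, while the live example just above and defaults.yaml both moved to the v02 directory; anyone who uncomments the legacy block copies an endpoint Let's Encrypt has been retiring. Use the same URL in both, `#   server = https://acme-v02.api.letsencrypt.org/directory`, or add a line noting that the v01 endpoint is deprecated. The enclosing `letsencrypt:` mapping starts above the hunk.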
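Review bot: The added assertion only checks the banner, so nothing in this file — nor in the git and rpm specs, which add the identical line — verifies that the `config` keys introduced in defaults.yaml reach cli.ini through the new mapping branch of cli.ini.jinja; `authenticator = webroot` presumably comes from the test pillar, as it does in rpm.sls. One more `its('content') { should match 'max-log-backups = 0' }` would pin the defaults-plus-pillar merge, assuming the two mappings are merged rather than one replacing the other. The enclosing `describe` block starts above the hunk.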
@@ -18,4 +18,5 @@
       should match 'server = https://acme-staging.api.letsencrypt.org/directory'
     end
     its('content') { should match 'authenticator = standalone' }
+    its('content') { should match 'File managed by Salt' }
   end
diff --git a/test/integration/rpm/controls/letsencrypt_spec.rb b/test/integration/rpm/controls/letsencrypt_spec.rb
index e54af7c..6fe709b 100644
--- a/test/integration/rpm/controls/letsencrypt_spec.rb
+++ b/test/integration/rpm/controls/letsencrypt_spec.rb
@@ -15,6 +15,7 @@
       should match 'server = https://acme-staging.api.letsencrypt.org/directory'
     end
     its('content') { should match 'authenticator = webroot' }
+    its('content') { should match 'File managed by Salt' }
   end
   describe file('/usr/bin/letsencrypt') do
diff --git a/test/salt/pillar/rpm.sls b/test/salt/pillar/rpm.sls
index eeb2215..5865b85 100644
--- a/test/salt/pillar/rpm.sls
+++ b/test/salt/pillar/rpm.sls
@@ -3,13 +3,13 @@
 ---
 letsencrypt:
   use_package: true
-  config: |
-    server = https://acme-staging.api.letsencrypt.org/directory
-    email = saltstack-letsencrypt-formula@example.com
-    authenticator = webroot
-    webroot-path = /var/www/html
-    agree-tos = true
-    renew-by-default = true
+  config:
+    server: https://acme-staging.api.letsencrypt.org/directory
+    email: saltstack-letsencrypt-formula@example.com
+    authenticator: webroot
+    webroot-path: /var/www/html
+    agree-tos: true
+    renew-by-default: true
   domainsets:
     www:
       - letsencrypt-formula.example.com
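Review bot: `renew-by-default: true` in the test pillar is certbot's alias for forced renewal, and defaults.yaml in this commit adds `keep-until-expiring: true` to the same `config` mapping; if the two mappings are deep-merged (grains.filter_by's merge recurses, I believe), the rendered cli.ini carries both contradictory options, with the forced renewal likely winning. Outside a test that combination would make every timer run re-issue certificates and run into Let's Encrypt's rate limits, so it is worth either dropping `renew-by-default` here or commenting why the test wants it: `# renew-by-default forces re-issuance on every run; test-only, do not copy to production`. The `letsencrypt:` mapping may continue past the end of the hunk.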