diff --git a/submodules/letsencrypt/drush/Provision/Service/Certificate/LetsEncrypt.php b/submodules/letsencrypt/drush/Provision/Service/Certificate/LetsEncrypt.php
index 10cadaf..a9b305a 100644
--- a/submodules/letsencrypt/drush/Provision/Service/Certificate/LetsEncrypt.php
+++ b/submodules/letsencrypt/drush/Provision/Service/Certificate/LetsEncrypt.php
@@ -108,6 +108,8 @@ class Provision_Service_Certificate_LetsEncrypt extends Provision_Service_Certif
     $config_file = $this->getConfigFile(d()->server->letsencrypt_ca);
     $script_path = d()->server->letsencrypt_script_path;
     $config_path = d()->server->letsencrypt_config_path;
+    $drush_alias = escapeshellarg('@' . d()->uri);
+
     $domain_list = $this->getDomainsString(d());
     $on_remote_server = !provision_is_local_host(d()->platform->web_server->remote_host);
     $le_hook = $script_path . '/dehydrated-hooks.sh';
@@ -117,7 +119,7 @@ class Provision_Service_Certificate_LetsEncrypt extends Provision_Service_Certif
     }
 
     drush_log(dt("Generating Let's Encrypt certificates."));
-    $cmd = "{$script_path}/script $le_options --config {$script_path}/{$config_file} --out {$config_path} {$domain_list}";
+    $cmd = "AEGIR_DRUSH_ALIAS={$drush_alias} {$script_path}/script $le_options --config {$script_path}/{$config_file} --out {$config_path} {$domain_list}";
     drush_log("Running: " . $cmd, 'notice');
     $result = drush_shell_exec($cmd);
     foreach (drush_shell_exec_output() as $line) {
diff --git a/submodules/letsencrypt/drush/bin/dehydrated-hooks.sh b/submodules/letsencrypt/drush/bin/dehydrated-hooks.sh
index e9f11ff..e5aff21 100755
--- a/submodules/letsencrypt/drush/bin/dehydrated-hooks.sh
+++ b/submodules/letsencrypt/drush/bin/dehydrated-hooks.sh
@@ -22,7 +22,13 @@ function deploy_challenge {
     #   TXT record. For HTTP validation it is the value that is expected
     #   be found in the $TOKEN_FILENAME file.
 
-    drush php-eval "d('@$DOMAIN')->service('http')->sync(d('@server_master')->aegir_root . '/config/letsencrypt.d/well-known/acme-challenge');"
+    # Since dehydrated does not always call us with the main domain name,
+    # use a drush alias passed in from the original invocation via the
+    # environment variable AEGIR_DRUSH_ALIAS to ensure we find
+    # the correct context.
+    local MAIN_DOMAIN="${AEGIR_DRUSH_ALIAS:-@$DOMAIN}"
+
+    drush php-eval "d('$MAIN_DOMAIN')->service('http')->sync(d('@server_master')->aegir_root . '/config/letsencrypt.d/well-known/acme-challenge');"
 }
 
 HANDLER="$1"; shift