diff --git a/files/get_cert.sh b/files/get_cert.sh
index 7ff86ad..b290c8f 100755
--- a/files/get_cert.sh
+++ b/files/get_cert.sh
@@ -5,13 +5,6 @@ IFS=$'\n\t'
 eval "$(jq -r '@sh "PUBKEY=\(.pubkey) HOST=\(.host) CAHOST=\(.cahost)"')"
 # TODO: Can this be done more eye-pleasingly?
-set +e
 CERT=$(ssh -o ConnectTimeout=3 -o ConnectionAttempts=1 root@$CAHOST '/root/ca.sh host "'"$PUBKEY"'" "'"$HOST"'".dmz')
-retval=$?
-set -e
-
-if [ retval -neq 0 ]; then
- CERT="error"
-fi
 jq -n --arg cert "$CERT" '{"cert":$cert}'
diff --git a/main.tf b/main.tf
index 25f9f57..3df7c0a 100644
--- a/main.tf
+++ b/main.tf
@@ -50,6 +50,11 @@ resource "null_resource" "cert" {
 ignore_changes = [
 triggers
 ]
+
+ postcondition {
+ condition = self.triggers["cert"] != "" || !var.use_host_cert
+ error_message = "Error retrieving host certificate."
+ }
 }
 }
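Review bot: The ssh line splices `$PUBKEY` and `$HOST` into the remote command string inside double quotes, so the shell on the CA host re-parses them as root, and a value carrying a quote, `$(` or a backtick changes the command that runs there. Both values come straight from the JSON on stdin through the `eval "$(jq … @sh …)"` line, which only protects the local shell. Validate them before use, e.g. `[[ $HOST =~ ^[A-Za-z0-9.-]+$ ]] || exit 1`, and build the remote command with `printf -v remote_cmd '/root/ca.sh host %q %q' "$PUBKEY" "$HOST.dmz"` (assuming the remote login shell is bash), then pass `"root@$CAHOST" "$remote_cmd"` to ssh. The top of the script is outside the hunk, so whether errexit is active, which now decides what happens when ssh fails, should be confirmed there.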
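Review bot: The postcondition accepts any non-empty `cert`, so an error string or other stray output from the CA call passes as a certificate. If `/root/ca.sh` prints an OpenSSH host certificate (not visible here), check its shape instead, e.g. `condition = !var.use_host_cert || can(regex("-cert-v01@openssh\\.com ", self.triggers["cert"]))`. Because the same `lifecycle` block ignores changes to `triggers`, it is also worth confirming that the check sees the freshly retrieved value rather than the one already in state. The `lifecycle` block opens outside the hunk.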