diff --git a/nyacme/__main__.py b/nyacme/__main__.py
index 540cffb..fb646d5 100644
--- a/nyacme/__main__.py
+++ b/nyacme/__main__.py
@@ -4,6 +4,7 @@ import subprocess
 import logging
 import shutil
 from datetime import datetime
+from pathlib import Path
 from .config import read_config
@@ -21,6 +22,7 @@ def main() -> None:
 args = parser.parse_args()
 config = read_config(args.config)
+ output_dir = Path(args.output)
 acquired = False
@@ -31,8 +33,8 @@ def main() -> None:
 uacme_domains = [ domain[2:], domain ]
 domain = domain[2:]
- cert_path = f'{args.output}/{domain}/cert.pem'
- if os.path.exists(cert_path):
+ cert_path = output_dir / domain / 'cert.pem'
+ if cert_path.is_file():
 out = subprocess.run([ 'openssl', 'x509', '-enddate', '-noout', '-in', cert_path ], stdout=subprocess.PIPE, check=True).stdout.decode('utf-8').strip()
 date = datetime.strptime(out, 'notAfter=%b %d %H:%M:%S %Y %Z')
 # if more than 1 month, skip
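Review bot: `output_dir / domain / 'cert.pem'` is not equivalent to the f-string it replaces when `domain` starts with `/`: pathlib discards `output_dir` for an absolute right-hand operand, so this path, and the key and link paths built the same way later in `main()`, would resolve outside the output directory (a `..` component escapes in both the old and the new form). `domain` appears to come from the config file, so it is presumably operator-controlled, but a guard before the join such as `if '/' in domain or domain in ('', '.', '..'): raise ValueError(f'invalid domain: {domain!r}')` would stop a malformed entry from reaching the unlink/chown/chmod calls. `main()` starts and ends outside this hunk.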
@@ -62,23 +64,23 @@ def main() -> None:
 if res.returncode == 0:
 acquired = True
- private_key = os.path.join(args.output, f'private/{domain}/key.pem')
- domain_key = os.path.join(args.output, f'{domain}/cert.pem.key')
- domain_pem = os.path.join(args.output, f'{domain}/cert.pem')
+ private_key = output_dir / 'private' / domain / 'key.pem'
+ domain_key = output_dir / domain / 'cert.pem.key'
+ domain_pem = output_dir / domain / 'cert.pem'
- os.unlink(domain_key)
- os.link(private_key, domain_key)
+ domain_key.unlink(missing_ok=True)
+ private_key.hardlink_to(domain_key)
 # TODO: add user/group to config
 shutil.chown(domain_key, 'acme', 'acme')
- os.chmod(domain_key, 0o440)
+ domain_key.chmod(0o440)
- all_pem = os.path.join(args.output, f'all/{domain}.pem')
- all_key = os.path.join(args.output, f'all/{domain}.pem.key')
+ all_pem = output_dir / 'all' / f'{domain}.pem'
+ all_key = output_dir / 'all' / f'{domain}.pem.key'
- os.unlink(all_pem)
- os.link(domain_pem, all_pem)
- os.unlink(all_key)
- os.link(domain_key, all_key)
+ all_pem.unlink(missing_ok=True)
+ domain_pem.hardlink_to(all_pem)
+ all_key.unlink(missing_ok=True)
+ domain_key.hardlink_to(all_key)
 if acquired:
 for cmd in config.post_acquire:
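Review bot: The three `hardlink_to` calls have receiver and argument swapped relative to the `os.link(src, dst)` calls they replace, because `Path.hardlink_to(target)` creates the path it is called on as a link to `target`. As written, `private_key.hardlink_to(domain_key)` runs right after `domain_key` was unlinked, so it raises on the missing target and a successful issuance ends with `cert.pem.key` deleted and the `post_acquire` commands never run. The calls should read `domain_key.hardlink_to(private_key)`, `all_pem.hardlink_to(domain_pem)` and `all_key.hardlink_to(domain_key)`. Separately, a hard link shares its inode with the source, so the `chown` to `acme` and `chmod(0o440)` on `domain_key` also change the owner and mode of `private/<domain>/key.pem`; a comment such as `# hard link: this also re-owns the key under private/` would make that explicit. `main()` starts and ends outside this hunk.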