diff --git a/dehydrated.changes b/dehydrated.changes
index 28a7bb8..532aab0 100644
--- a/dehydrated.changes
+++ b/dehydrated.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Fri Oct 20 10:55:26 UTC 2017 - mrueckert@suse.de
+
+- actually try to find the real path to bash and don't hardcode
+  /usr/bin/bash
+
 -------------------------------------------------------------------
 Thu Oct 19 08:11:20 UTC 2017 - daniel.molkentin@suse.com
 
diff --git a/dehydrated.service.in b/dehydrated.service.in
index 6038ab0..bf4121f 100644
--- a/dehydrated.service.in
+++ b/dehydrated.service.in
@@ -7,7 +7,8 @@ Wants=acmeresponder.socket
 [Service]
 Type=oneshot
 ExecStartPost=-/usr/bin/find -L @POSTRUNHOOKS_DIR@ -maxdepth 1 -executable -type f -exec {} \;
-ExecStart=/usr/bin/dehydrated --cron
+EnvironmentFile=/etc/dehydrated/config
+ExecStart=/usr/bin/su -s /bin/bash -c "/usr/bin/dehydrated --cron" -g $DEHYDRATED_GROUP $DEHYDRATED_USER
 
 # dehydrated --cron will drop permissions and run critical code as dehydrated user.
 User=root
diff --git a/dehydrated.spec b/dehydrated.spec
index a1c32c3..3552df1 100644
--- a/dehydrated.spec
+++ b/dehydrated.spec
@@ -207,7 +207,7 @@ mkdir -p %{buildroot}%{_postrunhooks}
 cat %{SOURCE8} | gzip > %{buildroot}%{_mandir}/man1/dehydrated.1.gz
 
 # Silence E: env-script-interpreter
-find \( -name \*.sh -o -name dehydrated \) -exec sed -i 's,#!/usr/bin/env bash,#!/usr/bin/bash,g' {} \;
+find \( -name \*.sh -o -name dehydrated \) -exec sed -i "s,#!/usr/bin/env bash,#!$(command -v bash),g" {} \;
 
 sed -i "s,#WELLKNOWN=.*,WELLKNOWN=%{_challengedir},g" docs/examples/config
 install -m 0644 docs/examples/* %{buildroot}%{_home}