diff --git a/le.sh b/le.sh
index ef3b0388..4a53af1e 100755
--- a/le.sh
+++ b/le.sh
@@ -384,29 +384,44 @@ _clearup () {
 _restoreApache
 }
-# webroot removelevel tokenfile
+# webroot removelevel tokenfile
+_tokenlevel() {
+ __path="$1/.well-known"
+ if [ "$2" != '1' ]; then
+ __path="$__path/acme-challenge"
+ if [ "$2" == '3' ]; then
+ __path="$__path/$3"
+ elif [ "$2" != '2' ]; then
+ _err "removelevel invalid: $2"
+ return 1
+ fi
+ fi
+ echo "$__path"
+}
+
+# webroot removelevel tokenfile
+_fixtokenperms() {
+ __path=$(_tokenlevel "$@")
+ _debug "Setting world-readable permissions on $__path"
+ chmod -R og=u-w "$__path"
+ if [ "$EUID" == '0' ]; then
+ webroot_owner=$(stat -c '%U:%G' "$1")
+ _debug "Changing owner/group of $__path to $webroot_owner"
+ chown -R "$webroot_owner" "$__path"
+ fi
+}
+
+# webroot removelevel tokenfile
 _clearupwebbroot() {
 __webroot="$1"
 if [ -z "$__webroot" ] ; then
 _debug "no webroot specified, skip"
 return 0
 fi
-
- if [ "$2" == '1' ] ; then
- _debug "remove $__webroot/.well-known"
- rm -rf "$__webroot/.well-known"
- elif [ "$2" == '2' ] ; then
- _debug "remove $__webroot/.well-known/acme-challenge"
- rm -rf "$__webroot/.well-known/acme-challenge"
- elif [ "$2" == '3' ] ; then
- _debug "remove $__webroot/.well-known/acme-challenge/$3"
- rm -rf "$__webroot/.well-known/acme-challenge/$3"
- else
- _info "skip for removelevel:$2"
- fi
-
- return 0
+ __path=$(_tokenlevel "$@")
+ _debug "remove $__path"
+ rm -rf "$__path"
 }
 issue() {
@@ -652,11 +667,8 @@ issue() {
 mkdir -p "$wellknown_path"
 echo -n "$keyauthorization" > "$wellknown_path/$token"
+ _fixtokenperms "$Le_Webroot" "$removelevel" "$token"
- webroot_owner=$(stat -c '%U:%G' $Le_Webroot)
- _debug "Changing owner/group of .well-known to $webroot_owner"
- chown -R $webroot_owner "$Le_Webroot/.well-known"
- fi
 fi
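Review bot: `_tokenlevel` splices `$3` straight into a path that `_clearupwebbroot` then hands to `rm -rf`, and nothing in the hunk restricts it to the base64url alphabet an ACME challenge token is supposed to have, so a value containing `/` or `..` would delete outside `acme-challenge`; where `$3` originates is not visible here (the second hunk passes `$token`), so this is hedged on it being CA-supplied data, which is exactly the case where it must be filtered. The exit status of `_tokenlevel` is also dropped in both callers: on an invalid level it prints nothing after `_err`, `__path` ends up empty, and `chmod -R`/`chown -R`/`rm -rf` run against `""` and fail noisily instead of the function returning early. A `case` filter in the level-3 branch plus `|| return 1` at the two `$(_tokenlevel "$@")` sites closes both gaps without changing the interface.
```shell
_tokenlevel() {
  __path="$1/.well-known"
  if [ "$2" != '1' ]; then
    __path="$__path/acme-challenge"
    if [ "$2" == '3' ]; then
      # An ACME token is base64url; anything outside [A-Za-z0-9_-] (notably
      # '/' or '..') must never become part of a path later given to rm -rf.
      case "$3" in
        ''|*[!A-Za-z0-9_-]*) _err "token invalid: $3"; return 1 ;;
      esac
      __path="$__path/$3"
    # … unchanged: level-2 / invalid-level branch, closing fi's and echo …

_fixtokenperms() {
  __path=$(_tokenlevel "$@") || return 1
  # … unchanged: chmod, EUID check, chown …

_clearupwebbroot() {
  # … unchanged: empty-webroot early return …
  __path=$(_tokenlevel "$@") || return 1
  _debug "remove $__path"
  rm -rf "$__path"
}
```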
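Review bot: The new `_fixtokenperms "$Le_Webroot" "$removelevel" "$token"` call in `issue()` discards its exit status, so if `$removelevel` is rejected by `_tokenlevel` the chmod/chown are skipped with only an `_err` line and issuance carries on with a token file that may not be readable by the web server, which the "Setting world-readable permissions" debug message shows is the whole point of the call; `_fixtokenperms "$Le_Webroot" "$removelevel" "$token" || return 1` propagates the failure. Separately, the recursive `chmod -R og=u-w` is applied to whatever directory `$removelevel` selects, and with level 1 that is the entire `.well-known` tree, which can hold files unrelated to ACME; a non-recursive `o+rx` on the two parent directories plus the token file itself would be the narrower fix, though whether other content lives there depends on the deployment. `issue()` starts and ends outside this hunk, so where `$removelevel` and `$token` are set cannot be checked from here.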