diff --git a/cmd/acmetool/main.go b/cmd/acmetool/main.go
index 3c55eae..c5ebb96 100644
--- a/cmd/acmetool/main.go
+++ b/cmd/acmetool/main.go
@@ -10,7 +10,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	//"github.com/hlandau/acme/acmeapi"
+	"github.com/hlandau/acme/acmeapi"
 	"github.com/hlandau/acme/hooks"
 	"github.com/hlandau/acme/interaction"
 	"github.com/hlandau/acme/redirector"
@@ -99,6 +99,7 @@ func main() {
 	adaptflag.Adapt()
 	cmd := kingpin.Parse()
 	hooks.DefaultPath = *hooksFlag
+	acmeapi.UserAgent = "acmetool"
 	xlogconfig.Init()
 
 	if *batchFlag {
diff --git a/storage/types.go b/storage/types.go
index 76ea9fa..2e6e765 100644
--- a/storage/types.go
+++ b/storage/types.go
@@ -5,6 +5,7 @@ import (
 	"encoding/base32"
 	"fmt"
 	"github.com/hlandau/acme/acmeapi"
+	"github.com/jmhodges/clock"
 	"github.com/satori/go.uuid"
 	"strings"
 	"time"
@@ -56,8 +57,8 @@ type Authorization struct {
 }
 
 // Returns true iff the authorization is unexpired.
-func (a *Authorization) IsValid() bool {
-	return time.Now().Before(a.Expires)
+func (a *Authorization) IsValid(clock clock.Clock) bool {
+	return clock.Now().Before(a.Expires)
 }
 
 // Represents the "satisfy" section of a target file.
diff --git a/storageops/reconcile.go b/storageops/reconcile.go
index c532117..59954fb 100644
--- a/storageops/reconcile.go
+++ b/storageops/reconcile.go
@@ -14,13 +14,16 @@ import (
 	"github.com/hlandau/acme/solver"
 	"github.com/hlandau/acme/storage"
 	"github.com/hlandau/xlog"
+	"github.com/jmhodges/clock"
 	"golang.org/x/net/context"
 	"sort"
-	"time"
 )
 
 var log, Log = xlog.New("acme.reconcilator")
 
+// Internal use only. Used for testing purposes. Do not change.
+var InternalClock = clock.Default()
+
 type reconcile struct {
 	store storage.Store
 }
@@ -87,9 +90,6 @@ func (r *reconcile) Relink() error {
 		log.Tracef("relink: best certificate satisfying %v is %v", tgt, c)
 
 		cprev, err := r.store.PreferredCertificateForHostname(name)
-		if err != nil {
-			log.Errore(err, "get preferred certificate for hostname")
-		}
 
 		if c != cprev || err != nil {
 			log.Debugf("relinking: %v -> %v (was %v)", name, c, cprev)
@@ -370,7 +370,7 @@ func (r *reconcile) determineNecessaryAuthorizations(names []string, a *storage.
 	}
 
 	for _, auth := range a.Authorizations {
-		if auth.IsValid() {
+		if auth.IsValid(InternalClock) {
 			delete(needed, auth.Name)
 		}
 	}
@@ -465,7 +465,7 @@ func (r *reconcile) getAccountByDirectoryURL(directoryURL string) (*storage.Acco
 }
 
 func (r *reconcile) createNewAccount(directoryURL string) (*storage.Account, error) {
-	pk, err := generateKey(&storage.TargetRequestKey{}) // TODO
+	pk, err := generateKey(&r.store.DefaultTarget().Request.Key)
 	if err != nil {
 		return nil, err
 	}
@@ -705,8 +705,8 @@ func CertificateNeedsRenewing(c *storage.Certificate) bool {
 		return false
 	}
 
-	renewSpan := renewTime(cc.NotBefore, cc.NotAfter)
-	needsRenewing := !time.Now().Before(renewSpan)
+	renewTime := renewTime(cc.NotBefore, cc.NotAfter)
+	needsRenewing := !InternalClock.Now().Before(renewTime)
 
 	log.Debugf("%v needsRenewing=%v notAfter=%v", c, needsRenewing, cc.NotAfter)
 	return needsRenewing