diff --git a/INSTALL.md b/INSTALL.md
index 21cc0e0..06e1dc8 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -2,19 +2,17 @@
 
 ## Install
 
-Start by installing Go and Git.  On Debian, run:
+You'll need Go version 1.19 or later.
+
+Fetch and build the program:
 
 ```
-apt install golang git
+go install tildegit.org/nervuri/client-hello-mirror@latest
 ```
 
-Then fetch and build the program:
+The same command can be used to update it.
 
-```
-go get tildegit.org/nervuri/client-hello-mirror
-```
-
-The resulting binary should now be at `~/go/bin/client-hello-mirror`.  You can make it available to all users on the system:
+The resulting binary should now be at `~/go/bin/client-hello-mirror`.  Put it somewhere in $PATH, if you wish:
 
 ```
 ln -s ~/go/bin/client-hello-mirror /usr/local/bin/
@@ -64,16 +62,12 @@ systemctl enable client-hello-mirror.service
 systemctl start client-hello-mirror.service
 ```
 
-## Drop root
+Remember, if you are using a program such as `certbot` to automatically renew the TLS certificate, then you'll also want to restart `client-hello-mirror` afterward, for it to use the new certificate.
 
-A standard web-facing setup involves using a CA-signed certificate and binding to privileged port 443.  For security reasons, the program will drop root privileges imediately after loading the certificate and binding to the specified port.  Use the `-u` option to select a user to switch to.  If you really want to run as root, set `-u root` (not recommended).
+## Drop root privileges
+
+A standard web-facing setup involves using a CA-signed certificate and binding to privileged port 443.  For security reasons, the program will drop root privileges immediately after loading the certificate and binding to the specified port.  Use the `-u` option to select a user to switch to.
 
 ## Redirect http:// to https://
 
 For this you'll need to use another web server, such as nginx.
-
-## Update
-
-```
-go get -u tildegit.org/nervuri/client-hello-mirror
-```