diff --git a/feeds/tip/cloud_discovery/files/usr/bin/est_client b/feeds/tip/cloud_discovery/files/usr/bin/est_client
index a250ebac0..72ef2b8f8 100755
--- a/feeds/tip/cloud_discovery/files/usr/bin/est_client
+++ b/feeds/tip/cloud_discovery/files/usr/bin/est_client
@@ -3,7 +3,6 @@
 'use strict';
 import { ulog_open, ulog, ULOG_SYSLOG, ULOG_STDIO, LOG_DAEMON, LOG_INFO } from 'log';
-import { query } from 'resolv';
 import * as fs from 'fs';
 import * as libuci from 'uci';
@@ -13,22 +12,26 @@ let est_server = 'est.certificates.open-lan.org';
 let cert_prefix = 'operational';
 function cert_prefix_determine() {
+	let cloud_config = fs.readfile('/tmp/cloud.json');
+	if (cloud_config) {
+		let cloud = json(cloud_config);
+		if (cloud?.dhcp_server) {
+			let fqdn = split(cloud.dhcp_server, ':')[0];
+			ulog(LOG_INFO, `Using controller-specific cert prefix from cloud.json: ${fqdn}\n`);
+			return fqdn;
+		}
+	}
+
 	let discovery_method = trim(fs.readfile('/tmp/discovery.method') || 'OpenLAN');
+	ulog(LOG_INFO, `Discovery method from file: ${discovery_method}\n`);
 	if (discovery_method == 'OpenLAN') {
+		ulog(LOG_INFO, 'Using operational cert prefix\n');
 		return 'operational';
 	}
-	let cloud_config = fs.readfile('/tmp/cloud.json');
-	if (!cloud_config)
-		return 'operational';
-
-	let cloud = json(cloud_config);
-	if (!cloud || !cloud.dhcp_server)
-		return 'operational';
-
-	let fqdn = split(cloud.dhcp_server, ':')[0];
-	return fqdn;
+	ulog(LOG_INFO, 'Using operational cert prefix as fallback\n');
+	return 'operational';
 }
 function discover_est_server_via_caa() {
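Review bot: The `fqdn` taken from cloud.json's `dhcp_server` is returned unvalidated as `cert_prefix`, which the rest of this file splices into file paths (`'/etc/ucentral/' + cert_prefix + '.pem'`, `'/tmp/' + cert_prefix + '.ca.nohdr.p7'`) and into `system()` command strings, so a value containing `/`, `..`, whitespace or shell metacharacters escapes those paths. The value presumably originates from the network (a DHCP-provided controller address; confirm against whatever writes /tmp/cloud.json), so the new branch should only accept a plain hostname, e.g. replace `if (cloud?.dhcp_server) {` with `let fqdn = cloud?.dhcp_server ? split(cloud.dhcp_server, ':')[0] : null;` followed by `if (fqdn && match(fqdn, /^[A-Za-z0-9.-]+$/)) {`, and let anything else fall through to the discovery-method path with a log line. This reorder also makes cloud.json take precedence over an `OpenLAN` discovery method, which the old code did not; a one-line comment stating that intent would help the next reader. `split(cloud.dhcp_server, ':')[0]` truncates an IPv6 literal, which is pre-existing but now reached first.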
@@ -47,19 +50,17 @@ function discover_est_server_via_caa() {
 	ulog(LOG_INFO, `Attempting CAA lookup for controller FQDN: ${controller_fqdn}\n`);
-	let result = query([controller_fqdn], { type: ['CAA'] });
+	let pipe = fs.popen(`dig @localhost ${controller_fqdn} CAA +short | cut -d'"' -f2`);
+	let est_server = pipe.read('all');
+	pipe.close();
-	if (!result || !result[controller_fqdn] || !result[controller_fqdn].CAA)
+	if (!est_server)
 		return null;
-	let caa_records = result[controller_fqdn].CAA;
-
-	for (let record in caa_records) {
-		if (record.tag == 'issue') {
-			let est_server = trim(record.value, '" ');
-			ulog(LOG_INFO, `Found EST server via CAA: ${est_server}\n`);
-			return est_server;
-		}
+	est_server = trim(est_server);
+	if (est_server) {
+		ulog(LOG_INFO, `Found EST server via CAA: ${est_server}\n`);
+		return est_server;
 	}
 	return null;
@@ -156,11 +157,13 @@ function call_est_server(path, cert, target) {
 	if (generate_csr(cert))
 		return 1;
-	set_est_server();
+	set_est_server();
-	let ret = system('curl -m 10 -X POST https://' + est_server + '/.well-known/est/' + path + ' -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert ' + cert + ' --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7');
+	let curl_cmd = 'curl -m 10 -X POST https://' + est_server + '/.well-known/est/' + path + ' -d @/tmp/csr.nohdr.p10 -H "Content-Type: application/pkcs10" --cert ' + cert + ' --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/operational.nohdr.p7';
+	ulog(LOG_INFO, `Executing: ${curl_cmd}\n`);
+	let ret = system(curl_cmd);
 	if (ret) {
-		ulog(LOG_INFO, 'Failed to request operational certificate\n');
+		ulog(LOG_INFO, `Failed to request operational certificate (exit code: ${ret})\n`);
 		return 1;
 	}
 	ulog(LOG_INFO, 'EST succeeded\n');
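Review bot: `controller_fqdn` is interpolated directly into the `fs.popen()` shell command, so any value that is not a plain hostname is interpreted by the shell rather than passed to `dig` as data, which the old `query()` call did not allow; `controller_fqdn` is assigned outside this hunk and appears to come from cloud.json's `dhcp_server` via `cert_prefix_determine()`, so it should be rejected before the popen unless it matches a hostname pattern. The `cut -d'"' -f2` pipeline also drops the old `record.tag == 'issue'` filter and takes the first quoted value of whatever CAA record `dig` prints first (`issuewild` or `iodef` included), and when several records come back `pipe.read('all')` yields multiple lines that `trim()` does not separate, so a newline can remain inside `est_server`. Reading the raw `+short` output and selecting `issue` lines in ucode keeps the original semantics and confines the shell command to a validated value:
```ucode
	// Only a syntactically valid hostname may be interpolated into the shell command below.
	if (!match(controller_fqdn, /^[A-Za-z0-9.-]+$/)) {
		ulog(LOG_INFO, 'Refusing CAA lookup for malformed controller FQDN\n');
		return null;
	}

	let pipe = fs.popen(`dig @localhost ${controller_fqdn} CAA +short`);
	let output = pipe.read('all');
	pipe.close();

	// Keep the old tag filter: only "issue" records name the EST server.
	for (let line in split(output || '', '\n')) {
		let m = match(line, /^[0-9]+[ \t]+issue[ \t]+"([^"]*)"/);
		if (m && m[1]) {
			ulog(LOG_INFO, `Found EST server via CAA: ${m[1]}\n`);
			return m[1];
		}
	}

	return null;
```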
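Review bot: `est_server` is still concatenated into `curl_cmd` and handed to `system()`, and with this commit its value comes from the `dig | cut` pipeline output rather than a typed resolver record, so a CAA value carrying a quote, `;` or backtick becomes shell syntax in the curl invocation; `set_est_server()` (outside this hunk) is the natural place to reject anything that does not look like a hostname, e.g. `if (!match(est_server, /^[A-Za-z0-9.-]+$/)) { ulog(LOG_INFO, 'Invalid EST server name\n'); return 1; }` before the command string is built. The same applies to the `curl_cmd` in the load_operational_ca hunk below. The `(exit code: ${ret})` suffix assumes `system()` returns the child's exit status; confirm what it returns for a signal-terminated curl so the log line stays meaningful. call_est_server's body continues outside this hunk.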
@@ -171,12 +174,14 @@ function call_est_server(path, cert, target) {
 function simpleenroll() {
 	cert_prefix = cert_prefix_determine();
+	ulog(LOG_INFO, `Checking for certificate: /etc/ucentral/${cert_prefix}.pem\n`);
 	if (fs.stat('/etc/ucentral/' + cert_prefix + '.pem')) {
 		ulog(LOG_INFO, 'Operational certificate is present\n');
 		return 0;
 	}
+	ulog(LOG_INFO, 'Operational certificate not found, enrolling...\n');
 	if (call_est_server('simpleenroll', '/etc/ucentral/cert.pem', '/etc/ucentral/' + cert_prefix + '.pem'))
 		return 1;
@@ -214,11 +219,13 @@ function load_operational_ca() {
 	set_est_server();
-	let ret = system('curl -m 10 -X GET https://' + est_server + '/.well-known/est/cacerts --cert /etc/ucentral/' + cert_prefix + '.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/' + cert_prefix + '.ca.nohdr.p7');
+	let curl_cmd = 'curl -m 10 -X GET https://' + est_server + '/.well-known/est/cacerts --cert /etc/ucentral/' + cert_prefix + '.pem --key /etc/ucentral/key.pem --cacert /etc/ucentral/insta.pem -o /tmp/' + cert_prefix + '.ca.nohdr.p7';
+	ulog(LOG_INFO, `Executing: ${curl_cmd}\n`);
+	let ret = system(curl_cmd);
 	if (!ret)
 		ret = p7_too_pem('/tmp/' + cert_prefix + '.ca.nohdr.p7', '/etc/ucentral/' + cert_prefix + '.ca');
 	if (ret) {
-		ulog(LOG_INFO, 'Failed to load CA\n');
+		ulog(LOG_INFO, `Failed to load CA (exit code: ${ret})\n`);
 		return 1;
 	}
 	system('cat /etc/ucentral/openlan.pem >> /etc/ucentral/' + cert_prefix + '.ca');