diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 6df50e4..8e3bebc 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
-- name: Install HAProxy
+- name: Install HAProxy, acme.sh and snooze
   package:
-    name: haproxy
+    name: haproxy acme.sh
     state: present
   notify:
     - Restart HAProxy
@@ -114,8 +114,8 @@
     path: /usr/local/etc/haproxy
     state: directory
     owner: root
-    group: wheel
-    mode: 0755
+    group: acme
+    mode: 0770
 
 - name: Configure HAProxy
   template:
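Review bot: `name: haproxy acme.sh` hands both packages to the `package` module as one space-separated scalar; Ansible only splits list-typed options on commas, so whether this installs two packages or fails on a package literally named "haproxy acme.sh" depends on the pkg backend. Write it as a proper list, `name:` / `  - haproxy` / `  - acme.sh`, which every backend accepts. The new task title also says "and snooze", but no snooze package appears in the list; either add it or drop it from the title so the task name does not claim something it does not do.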
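Review bot: Making the whole /usr/local/etc/haproxy directory `group: acme` with `mode: 0770` gives the acme user — which runs a network-reachable standalone listener and is the process most likely to be compromised — write access to the directory, and directory write permission is enough to rename or delete haproxy.cfg and http.map regardless of their own ownership; together with the sudo reload rule added in this commit, that turns an acme.sh compromise into control of the proxy configuration. Keep this directory `root:wheel 0755` and give acme a dedicated subdirectory instead, e.g. `path: /usr/local/etc/haproxy/certs` with `group: acme` and `mode: '0770'`, and point DEPLOY_HAPROXY_PEM_PATH (and the `ssl crt` lines) at it. Independently, quote the mode: an unquoted `0770` is parsed by YAML as the octal integer 504, which Ansible happens to accept but warns about. The task's header (its `name:` and module line) lies before the hunk.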
@@ -204,3 +204,55 @@
 
 - name: Flush handlers (again)
   meta: flush_handlers
+
+- name: "Register Let's Encrypt account"
+  command: env sudo -u acme acme.sh --register-account --home /var/db/acme
+  args:
+    creates: /var/db/acme/ca/acme-v02.api.letsencrypt.org/account.json
+
+- name: Use the example deploy hooks
+  file:
+    dest: /var/db/acme/deploy
+    src: /usr/local/share/examples/acme.sh/deploy
+    state: link
+    owner: acme
+    group: acme
+
+- name: Tell acme.sh where to find HAProxy on FreeBSD
+  lineinfile:
+    path: /var/db/acme/account.conf
+    create: yes
+    owner: acme
+    group: acme
+    regex: '^DEPLOY_HAPROXY_PEM_PATH='
+    state: present
+    line: 'DEPLOY_HAPROXY_PEM_PATH="/usr/local/etc/haproxy"'
+
+- name: Tell acme.sh how to reload HAProxy on FreeBSD
+  lineinfile:
+    path: /var/db/acme/account.conf
+    regex: '^DEPLOY_HAPROXY_RELOAD='
+    state: present
+    line: 'DEPLOY_HAPROXY_RELOAD="sudo s6-svc -h /run/service/haproxy"'
+
+- name: Allow acme user to reload haproxy
+  template:
+    dest: /usr/local/etc/sudoers.d/acme
+    src: acme.j2
+    owner: root
+    group: wheel
+    mode: '0444'
+
+- name: Request X.509 certificates
+  command: 'env sudo -u acme acme.sh --home /var/db/acme --standalone --httpport 8080 --issue --domain {{ item }}'
+  args:
+    creates: '/var/db/acme/{{ item }}/fullchain.cer'
+  with_items:
+    - '{{ ansible_fqdn }}'
+
+- name: Deploy X.509 certificates to HAProxy
+  command: 'env sudo -Hu acme acme.sh --debug --home /var/db/acme --deploy --domain {{ item }} --deploy-hook haproxy'
+  args:
+    creates: '/usr/local/etc/haproxy/{{ item }}.pem'
+  with_items:
+    - '{{ ansible_fqdn }}'
diff --git a/roles/haproxy/templates/acme.j2 b/roles/haproxy/templates/acme.j2
new file mode 100644
index 0000000..9c91c4a
--- /dev/null
+++ b/roles/haproxy/templates/acme.j2
@@ -0,0 +1 @@
+acme ALL=NOPASSWD:/usr/local/bin/s6-svc -h /run/service/haproxy
diff --git a/roles/haproxy/templates/http.cfg.j2 b/roles/haproxy/templates/http.cfg.j2
index 7032bad..0cdcd37 100644
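Review bot: `mode: '0444'` in "Allow acme user to reload haproxy" is wider than sudo's default sudoers_mode of 0440, and sudo skips drop-in files whose mode has bits beyond that ("is mode 0444, should be 0440"), so the `sudo s6-svc -h` in DEPLOY_HAPROXY_RELOAD will fall back to a password prompt and the deploy hook will fail; use `mode: '0440'`. Both `command` tasks are guarded by `creates:` and therefore run once, and nothing in this hunk sets up renewal — the package install does not run `acme.sh --install`, which is what normally registers the renewal cron — so unless renewal is handled elsewhere the certificate silently expires after 90 days. Drop `--debug` from the deploy command once it works, since it dumps the hook's environment and every command it runs into the Ansible output. Minor: `create: yes` should be `create: true`, and `regex:` is only an alias for lineinfile's `regexp:`.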
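Review bot: This rule lets acme send only SIGHUP to the supervised haproxy, which is a reload solely when HAProxy runs in master-worker mode (`-W` or `master-worker` in the global section); outside that mode HAProxy treats SIGHUP as "dump proxy state to the log" and the freshly deployed PEM is never picked up. The s6 run script is not in this diff, so please confirm the master-worker flag is set, and consider making the runas explicit for readers: `acme ALL=(root) NOPASSWD: /usr/local/bin/s6-svc -h /run/service/haproxy`. The exact argument list in the rule matches what DEPLOY_HAPROXY_RELOAD invokes, which is the right way to scope it.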
--- a/roles/haproxy/templates/http.cfg.j2
+++ b/roles/haproxy/templates/http.cfg.j2
@@ -4,5 +4,10 @@ frontend http
     bind ${BIND_V6}:80
     http-request set-src src,ipmask(16,56)
+    acl acme_acl path_beg /.well-known/acme-challenge/ AND req.hdr(host) -m str /{{ ansible_fqdn }}/
+    use_backend acme if acme_acl
+    use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/http.map)]
+backend acme
+    server localhost 127.0.0.1:8080
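Review bot: The `acl acme_acl` line cannot express what it intends: an `acl` statement takes one sample fetch followed by flags and patterns, so `AND`, `req.hdr(host)` and `/{{ ansible_fqdn }}/` are read as additional patterns while `-m str` turns the path match from prefix into exact, meaning `/.well-known/acme-challenge/<token>` never matches and every challenge falls through to the map lookup — if HAProxy accepts the line at all. Define two ACLs and combine them in the condition, where a space is an implicit AND: `acl acme_path path_beg /.well-known/acme-challenge/`, `acl acme_host hdr(host) -i {{ ansible_fqdn }}`, `use_backend acme if acme_path acme_host`. The slashes around the fqdn look like a regex delimiter left over from another syntax; with `-m str` they would be matched literally. The `frontend http` section starts before the hunk.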