diff --git a/defaults/main.yml b/defaults/main.yml
index 4263b7d..b41313b 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -8,6 +8,8 @@ certificate_fullchain_file: "{{ certificate_directory }}/certs/{{ certificate_na
 certificate_private_key_file: "{{ certificate_directory }}/private/{{ certificate_name }}.key.pem"
 certificate_private_key_size: 4096
 
+certificate_letsencrypt_account_key_file: "{{ certificate_directory }}/private/letsencrypt.account-key.pem"
+
 certificate_signing_request_file: "{{ certificate_directory }}/csr/{{ certificate_name }}.csr.pem"
 certificate_signing_request_config_file: "{{ certificate_directory }}/cnf/{{ certificate_name }}.csr.cnf"
 
diff --git a/tasks/provider-letsencrypt.yml b/tasks/provider-letsencrypt.yml
index ed97d53..5f8ec2c 100644
--- a/tasks/provider-letsencrypt.yml
+++ b/tasks/provider-letsencrypt.yml
@@ -1 +1,77 @@
 ---
+
+- name: private key
+  command: openssl genrsa
+    -out "{{certificate_letsencrypt_account_key_file}}"
+    4096
+  args:
+    creates: "{{ certificate_letsencrypt_account_key_file }}"
+
+- include_tasks: key.yml
+- include_tasks: csr.yml
+
+- name: letsencrypt request
+  letsencrypt:
+    account_key: "{{certificate_letsencrypt_account_key_file}}"
+    csr: "{{certificate_signing_request_file}}"
+    dest: "{{certificate_file}}"
+    challenge: http-01
+    acme_directory: https://acme-v01.api.letsencrypt.org/directory
+    agreement: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
+  register: _letsencrypt_request
+
+# - debug:
+#     msg:
+#       _letsencrypt_request: "{{_letsencrypt_request}}"
+
+- block:
+    - name: acme http directory
+      file:
+        path: /var/www/default/.well-known/acme-challenge
+        state: directory
+
+    - name: copy acme challenge resource
+      copy:
+        dest: /var/www/default/{{ item.resource }}
+        content: "{{ item.resource_value }}"
+      with_items: "{{ _letsencrypt_request | json_query('challenge_data.*.\"http-01\"') }}"
+
+    - letsencrypt:
+        account_key: "{{certificate_letsencrypt_account_key_file}}"
+        csr: "{{certificate_signing_request_file}}"
+        dest: "{{certificate_file}}"
+        challenge: http-01
+        acme_directory: https://acme-v01.api.letsencrypt.org/directory
+        agreement: https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf
+        data: "{{ _letsencrypt_request }}"
+      register: _letsencrypt
+
+    # - debug:
+    #     msg:
+    #       _letsencrypt: "{{_letsencrypt}}"
+  when: _letsencrypt_request.changed
+
+- name: download letsencrypt certificate
+  get_url:
+    url: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt
+    dest: "{{certificate_chain_file}}"
+    checksum: sha512:0fa893f751f0880c7d89c398cae9708f5ff04d466832fb6160a824395032259ac52e02a44da531d0f8bf7e310298b0067b1e8257f816d3223034f391ecba491d
+
+- name: fetch certificate
+  fetch:
+    src: "{{ certificate_file }}"
+    dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.cert.pem
+    flat: yes
+    fail_on_missing: yes
+
+- name: fetch certificate chain
+  fetch:
+    src: "{{ certificate_chain_file }}"
+    dest: host_files/{{inventory_hostname}}/certificate/{{certificate_name}}.chain.pem
+    flat: yes
+    fail_on_missing: yes
+
+- name: create full certificate chain
+  template:
+    src: fullchain.pam.j2
+    dest: "{{ certificate_fullchain_file }}"
diff --git a/tasks/setup_Debian.yml b/tasks/setup_Debian.yml
index a1cee46..9836ff8 100644
--- a/tasks/setup_Debian.yml
+++ b/tasks/setup_Debian.yml
@@ -1,5 +1,8 @@
 ---
 
-- name: install openssl
+- name: install packages
   apt:
-    pkg: openssl
+    pkg: "{{item}}"
+  with_items:
+    - openssl
+    - certbot