diff --git a/host_vars/nabia.binary.kitchen b/host_vars/nabia.binary.kitchen
new file mode 100644
index 0000000..ed636ad
--- /dev/null
+++ b/host_vars/nabia.binary.kitchen
@@ -0,0 +1,4 @@
+---
+acme_san_domains:
+- "librenms.binary.kitchen"
+- "racktables.binary.kitchen"
diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml
new file mode 100644
index 0000000..dc7ceb0
--- /dev/null
+++ b/roles/acme/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+acme_home: "/opt/acme"
+acme_staging: False
+
+acme_nsupdate_key: "/opt/acme/nsupdate.key"
+acme_nsupdate_keyalgo: "hmac-sha512"
+acme_nsupdate_server: "neon.binary-kitchen.net"
+
+acme_sh_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh"
+acme_dns_nsupdate_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/master/dnsapi/dns_nsupdate.sh"
diff --git a/roles/acme/files/reload.sh b/roles/acme/files/reload.sh
new file mode 100755
index 0000000..e69de29
diff --git a/roles/acme/tasks/main.yml b/roles/acme/tasks/main.yml
new file mode 100644
index 0000000..21b567f
--- /dev/null
+++ b/roles/acme/tasks/main.yml
@@ -0,0 +1,79 @@
+---
+- name: Create acme home directory
+  file:
+    path: "{{ acme_home }}"
+    state: "directory"
+
+- name: Get nsupdate.key 
+  shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_nsupdate_keyalgo }}'"
+  register: "pdns_nsupdate_key"
+  failed_when: "False"
+  changed_when: "False"
+  delegate_to: "{{ acme_nsupdate_server }}"
+
+- name: Generate nsupdate.key
+  shell: "pdnsutil generate-tsig-key 'acme-{{ inventory_hostname }}.' '{{ acme_nsupdate_keyalgo }}'"
+  register: "pdns_nsupdate_genkey"
+  when: "pdns_nsupdate_key is defined and pdns_nsupdate_key.rc != 0"
+  delegate_to: "{{ acme_nsupdate_server }}"
+  
+- name: Get nsupdate.key again
+  shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_nsupdate_keyalgo }}'"
+  register: "pdns_nsupdate_key"
+  when: "pdns_nsupdate_genkey is defined"
+  changed_when: "False"
+  delegate_to: "{{ acme_nsupdate_server }}"
+
+- name: Write nsupdate.key to file
+  template:
+      src: "nsupdate.key.j2"
+      dest: "{{ acme_nsupdate_key }}"
+  when: "pdns_nsupdate_key is defined"
+
+- name: Check acme.sh exists
+  stat:
+    path: "{{ acme_home }}/acme.sh"
+  register: "stat_acme_sh"
+
+- name: Fetch acme.sh
+  get_url:
+    url: "{{ acme_sh_url }}"
+    dest: "/tmp/acme.sh"
+    mode: "0755"
+  register: "fetch_acme_sh"
+  when: "not stat_acme_sh.stat.exists"
+
+- name: Install acme.sh
+  shell: "./acme.sh --home '{{ acme_home }}' --install"
+  args:
+    chdir: "/tmp"
+    creates: "{{ acme_home }}/acme.sh"
+  when: "fetch_acme_sh is defined"
+
+- name: Create acme dnsapi directory
+  file:
+    path: "{{ acme_home }}/dnsapi"
+    state: "directory"
+
+- name: Fetch acme.sh dns_nsupdate
+  get_url:
+    url: "{{ acme_dns_nsupdate_url }}"
+    dest: "{{ acme_home }}/dnsapi/"
+    mode: "0755"
+
+- name: Create acme certificate directory
+  file:
+    path: "{{ acme_home }}/{{ inventory_hostname }}"
+    state: "directory"
+
+- name: Copy reload.sh
+  copy:
+    src: "reload.sh"
+    dest: "{{ acme_home }}/{{ inventory_hostname }}/reload.sh"
+    mode: "0755"
+
+- name: Issue certificate
+  shell: "{{ lookup('template','acme.sh.request.j2').replace('\n',' ') }}"
+  args:
+    chdir: "{{ acme_home }}"
+    creates: "{{ acme_home }}/{{ inventory_hostname }}/{{ inventory_hostname }}.key"
diff --git a/roles/acme/templates/acme.sh.request.j2 b/roles/acme/templates/acme.sh.request.j2
new file mode 100644
index 0000000..53358e3
--- /dev/null
+++ b/roles/acme/templates/acme.sh.request.j2
@@ -0,0 +1,19 @@
+NSUPDATE_KEY="{{ acme_nsupdate_key }}"
+NSUPDATE_SERVER="{{ acme_nsupdate_server }}"
+"{{ acme_home }}/acme.sh"
+--home "{{ acme_home }}"
+--reloadCmd "{{ acme_home }}/{{ inventory_hostname }}/reload.sh"
+--log
+--issue
+-k 4096
+-d "{{ inventory_hostname }}"
+--dns dns_nsupdate
+{% if acme_san_domains is defined %}
+{% for domain in acme_san_domains %}
+-d "{{ domain }}"
+{% endfor %}
+{% endif %}
+{% if acme_staging is defined and acme_staging %}
+--staging
+{% endif %}
+;
diff --git a/roles/acme/templates/nsupdate.key.j2 b/roles/acme/templates/nsupdate.key.j2
new file mode 100644
index 0000000..b1aad71
--- /dev/null
+++ b/roles/acme/templates/nsupdate.key.j2
@@ -0,0 +1,4 @@
+key acme-{{ inventory_hostname }}. {
+    algorithm {{ acme_nsupdate_keyalgo }};
+    secret "{{ pdns_nsupdate_key.stdout.split(' ')[2] }}";
+};
diff --git a/simulatepb.sh b/simulatepb.sh
old mode 100755
new mode 100644
index f0fbc93..e69de29
--- a/simulatepb.sh
+++ b/simulatepb.sh
@@ -1,4 +0,0 @@
-#!/bin/bash
-export ANSIBLE_NOCOWS=1
-test -e ./ansible.log && rm ./ansible.log
-ansible-playbook site.yml --check --diff
diff --git a/site.yml b/site.yml
index ea05559..3e8f145 100644
--- a/site.yml
+++ b/site.yml
@@ -27,6 +27,7 @@
   - librenms
   - racktables
   - uau
+  - acme
 
 - name: Install Check_MK Agent
   hosts: [bacon.binary.kitchen,forseti.binary.kitchen]