diff --git a/host_vars/nabia.binary.kitchen b/host_vars/nabia.binary.kitchen
new file mode 100644
index 0000000..ed636ad
--- /dev/null
+++ b/host_vars/nabia.binary.kitchen
@@ -0,0 +1,4 @@
+---
+acme_san_domains:
+- "librenms.binary.kitchen"
+- "racktables.binary.kitchen"
diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml
new file mode 100644
index 0000000..daf80dd
--- /dev/null
+++ b/roles/acme/defaults/main.yml
@@ -0,0 +1,16 @@
+---
+acme_home: "/opt/acme"
+acme_staging: False
+
+acme_nsupdate_key: "/opt/acme/nsupdate.key"
+acme_nsupdate_keyalgo: "hmac-sha512"
+acme_nsupdate_server: "neon.binary-kitchen.net"
+
+acme_sh_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh"
+acme_dns_nsupdate_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/master/dnsapi/dns_nsupdate.sh"
+
+acme_reloadcmd: "/etc/ssl/private/reload.sh"
+acme_key: "/etc/ssl/private/host.key"
+acme_cert: "/etc/ssl/private/host.cert"
+acme_ca: "/etc/ssl/private/host.ca"
+acme_fullchain: "/etc/ssl/private/host.fullchain"
diff --git a/roles/acme/files/reload.sh b/roles/acme/files/reload.sh
new file mode 100755
index 0000000..dd0b836
--- /dev/null
+++ b/roles/acme/files/reload.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+[ -d '/etc/reload.d' ] && for x in "/etc/reload.d/"*; do
+ [ -e "$x" ] && "$x"
+done
+exit 0
diff --git a/roles/acme/tasks/main.yml b/roles/acme/tasks/main.yml
new file mode 100644
index 0000000..d52a5c8
--- /dev/null
+++ b/roles/acme/tasks/main.yml
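Review bot: `acme_staging: False` uses the capitalised boolean form, which yamllint's `truthy` rule flags and which differs from the lowercase style used for every other scalar in this role; write `acme_staging: false`. The two download URLs point at the `master` branch of acme.sh, so each run can fetch different code; pinning them to a tagged release path (`.../acme.sh/<RELEASE-TAG>/acme.sh`, tag as placeholder) keeps the installed tool stable and lets the fetch task verify a checksum. The remaining values are quoted strings, which is the right choice for paths and a hostname.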
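Review bot: The loop executes every existing entry of `/etc/reload.d/`, not only executable ones, and the unconditional `exit 0` reports success to acme.sh's `--reloadcmd` even when a hook fails, so a broken service reload after renewal goes unnoticed. Test the executable bit and propagate failures: `[ -x "$x" ] || continue`, `"$x" || rc=1`, and `exit "${rc:-0}"` in place of `exit 0`. A one-line header comment stating that every executable file in the directory is run in glob order would also help whoever drops hooks there.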
@@ -0,0 +1,86 @@
+---
+- name: Create acme home directory
+ file:
+ path: "{{ acme_home }}"
+ state: "directory"
+
+- name: Get nsupdate.key
+ shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_nsupdate_keyalgo }}'"
+ register: "pdns_nsupdate_key"
+ failed_when: "False"
+ changed_when: "False"
+ delegate_to: "{{ acme_nsupdate_server }}"
+
+- name: Update updatepolicy.aliases
+ lineinfile:
+ path: "/etc/powerdns/updatepolicy.aliases"
+ regexp: '^alias\["{{ inventory_hostname}}\."\]'
+ line: 'alias["{{ inventory_hostname }}."] = {"{{ ''.","''.join(acme_san_domains) }}."} '
+ delegate_to: "{{ acme_nsupdate_server }}"
+
+- name: Generate nsupdate.key
+ shell: "pdnsutil generate-tsig-key 'acme-{{ inventory_hostname }}.' '{{ acme_nsupdate_keyalgo }}'"
+ register: "pdns_nsupdate_genkey"
+ when: "pdns_nsupdate_key is defined and pdns_nsupdate_key.rc != 0"
+ delegate_to: "{{ acme_nsupdate_server }}"
+
+- name: Get nsupdate.key again
+ shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_nsupdate_keyalgo }}'"
+ register: "pdns_nsupdate_key"
+ when: "pdns_nsupdate_genkey is defined"
+ changed_when: "False"
+ delegate_to: "{{ acme_nsupdate_server }}"
+
+- name: Write nsupdate.key to file
+ template:
+ src: "nsupdate.key.j2"
+ dest: "{{ acme_nsupdate_key }}"
+ when: "pdns_nsupdate_key is defined"
+
+- name: Check acme.sh exists
+ stat:
+ path: "{{ acme_home }}/acme.sh"
+ register: "stat_acme_sh"
+
+- name: Fetch acme.sh
+ get_url:
+ url: "{{ acme_sh_url }}"
+ dest: "/tmp/acme.sh"
+ mode: "0755"
+ register: "fetch_acme_sh"
+ when: "not stat_acme_sh.stat.exists"
+
+- name: Install acme.sh
+ shell: "./acme.sh --home '{{ acme_home }}' --install"
+ args:
+ chdir: "/tmp"
+ creates: "{{ acme_home }}/acme.sh"
+ when: "fetch_acme_sh is defined"
+
+- name: Create acme dnsapi directory
+ file:
+ path: "{{ acme_home }}/dnsapi"
+ state: "directory"
+
+- name: Fetch acme.sh dns_nsupdate
+ get_url:
+ url: "{{ acme_dns_nsupdate_url }}"
+ dest: "{{ acme_home }}/dnsapi/"
+ mode: "0755"
+
+- name: Create acme certificate directory
+ file:
+ path: "{{ acme_home }}/{{ inventory_hostname }}"
+ state: "directory"
+
+- name: Copy reload.sh
+ copy:
+ src: "reload.sh"
+ dest: "{{ acme_reloadcmd }}"
+ mode: "0755"
+
+- name: Issue certificate
+ shell: "{{ lookup('template','acme.sh.request.j2').replace('\n',' ') }}"
+ args:
+ chdir: "{{ acme_home }}"
+ creates: "{{ acme_cert }}"
diff --git a/roles/acme/templates/acme.sh.request.j2 b/roles/acme/templates/acme.sh.request.j2
new file mode 100644
index 0000000..ff05d11
--- /dev/null
+++ b/roles/acme/templates/acme.sh.request.j2
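Review bot: The `Write nsupdate.key to file` task renders the TSIG secret with no `mode:`, so the file is created under the target's default umask, which on most systems leaves it world-readable even though anyone who can read it can push dynamic DNS updates for this host's names; add `mode: "0600"` to that `template` task. The `Fetch acme.sh` task downloads an unpinned `master` build into world-writable `/tmp` and the following task executes it with no `checksum:`; fetch into `{{ acme_home }}` instead and pin the download with `checksum: "sha256:<DIGEST-OF-PINNED-RELEASE>"` (placeholder). The `Update updatepolicy.aliases` task joins `acme_san_domains` unconditionally while acme.sh.request.j2 guards the same variable with `is defined`, so a host that does not set it fails at that task; guard it with `when: acme_san_domains is defined` or give the role a default. Finally, `when: "fetch_acme_sh is defined"` and `when: "pdns_nsupdate_genkey is defined"` are always true because `register` stores a result for skipped tasks as well; the `creates:` argument is what actually prevents a reinstall, so those guards can be dropped or written as `fetch_acme_sh is not skipped`.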
@@ -0,0 +1,22 @@
+NSUPDATE_KEY="{{ acme_nsupdate_key }}"
+NSUPDATE_SERVER="{{ acme_nsupdate_server }}"
+"{{ acme_home }}/acme.sh"
+--home "{{ acme_home }}"
+--log
+--issue
+-k 4096
+-d "{{ inventory_hostname }}"
+--dns dns_nsupdate
+{% if acme_san_domains is defined %}
+{% for domain in acme_san_domains %}
+-d "{{ domain }}"
+{% endfor %}
+{% endif %}
+{% if acme_staging is defined and acme_staging %}
+--staging
+{% endif %}
+--cert-file "{{ acme_cert }}"
+--key-file "{{ acme_key }}"
+--ca-file "{{ acme_ca }}"
+--fullchain-file "{{ acme_fullchain }}"
+--reloadcmd "{{ acme_reloadcmd }}"
diff --git a/roles/acme/templates/nsupdate.key.j2 b/roles/acme/templates/nsupdate.key.j2
new file mode 100644
index 0000000..b1aad71
--- /dev/null
+++ b/roles/acme/templates/nsupdate.key.j2
@@ -0,0 +1,4 @@
+key acme-{{ inventory_hostname }}. {
+ algorithm {{ acme_nsupdate_keyalgo }};
+ secret "{{ pdns_nsupdate_key.stdout.split(' ')[2] }}";
+};
diff --git a/simulatepb.sh b/simulatepb.sh
old mode 100755
new mode 100644
index f0fbc93..98c5582
--- a/simulatepb.sh
+++ b/simulatepb.sh
@@ -2,3 +2,4 @@
 export ANSIBLE_NOCOWS=1
 test -e ./ansible.log && rm ./ansible.log
 ansible-playbook site.yml --check --diff
+
diff --git a/site.yml b/site.yml
index ea05559..3e8f145 100644
--- a/site.yml
+++ b/site.yml
@@ -27,6 +27,7 @@ - librenms - racktables - uau + - acme + - name: Install Check_MK Agent hosts: [bacon.binary.kitchen,forseti.binary.kitchen]
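Review bot: Nothing in this template says that it is only ever consumed by the `Issue certificate` task, which flattens it with `.replace('\n',' ')` into a single shell command line, so a reader editing it cannot see that every line has to be one complete argument or environment assignment and that a value containing a space or quote would change the command. Add a leading comment such as `{# Rendered by tasks/main.yml "Issue certificate" and joined into one shell line; one argument or env assignment per line #}`. The `-d` loop guards `acme_san_domains` with `is defined` and the `--staging` block guards `acme_staging`, so the template itself tolerates both variables being absent.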
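Review bot: `pdns_nsupdate_key.stdout.split(' ')[2]` assumes `pdnsutil list-tsig-keys` returned exactly one matching line with single-space separation; a second matching line ends up inside the third token together with the newline, and any run of extra whitespace shifts the index, both of which silently produce an unusable key file. Taking the first line and splitting on any whitespace is more robust: `secret "{{ pdns_nsupdate_key.stdout_lines[0].split()[2] }}";`. Because this file holds the secret that authorises dynamic DNS updates, the task that renders it should also set a restrictive file mode; that change belongs in tasks/main.yml.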
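Review bot: The `old mode 100755` / `new mode 100644` lines remove the executable bit from simulatepb.sh while the only content change is a trailing blank line, which looks accidental for a script meant to be run directly. If it should remain invocable as `./simulatepb.sh`, restore the bit with `chmod +x simulatepb.sh` before merging; the added blank line is harmless either way.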