diff --git a/tools/ansible/provision.yml b/tools/ansible/provision.yml
index 92e5283..26c5eb7 100644
--- a/tools/ansible/provision.yml
+++ b/tools/ansible/provision.yml
@@ -8,6 +8,7 @@
   roles:
     - name: geerlingguy.firewall
     - name: geerlingguy.security
+    - name: geerlingguy.certbot
     - name: geerlingguy.mysql
     - name: geerlingguy.nginx
     - name: geerlingguy.php-versions
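Review bot: The diff opens no firewall port for the new HTTPS listener, although `geerlingguy.firewall` runs before the added `geerlingguy.certbot` entry and the vars hunk adds a `listen: 443 ssl` vhost. If `firewall_allowed_tcp_ports` is set in a part of provision_vars.yml not shown here, confirm it contains both `"80"` (needed by the standalone challenge and the redirect) and `"443"`; as far as I recall, the role's default list does not include 443. Placing certbot ahead of `geerlingguy.nginx` looks deliberate, since the vhost references certificate files that must exist before nginx starts, and a comment such as `# must run before nginx: the 443 vhost needs the issued certificate` would keep that ordering from being changed later. The roles list continues outside the hunk.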
diff --git a/tools/ansible/requirements.yml b/tools/ansible/requirements.yml
index 880c990..cd876e9 100644
--- a/tools/ansible/requirements.yml
+++ b/tools/ansible/requirements.yml
@@ -3,6 +3,8 @@
   version: 3.4.0
 - name: ansistrano.rollback
   version: 3.0.0
+- name: geerlingguy.certbot
+  version: 3.0.3
 - name: geerlingguy.composer
   version: 1.7.3
 - name: geerlingguy.firewall
diff --git a/tools/ansible/vars/provision_vars.yml b/tools/ansible/vars/provision_vars.yml
index 6bbd352..f932cbe 100644
--- a/tools/ansible/vars/provision_vars.yml
+++ b/tools/ansible/vars/provision_vars.yml
@@ -30,10 +30,18 @@ nginx_remove_default_vhost: true
 nginx_server_tokens: 'off'
 nginx_vhosts:
   - listen: 80
+    server_name: d8.oliverdavies.uk
+    return: 301 https://d8.oliverdavies.uk$request_uri
+    filename: d8.oliverdavies.uk.80.conf
+
+  - listen: 443 ssl
     server_name: d8.oliverdavies.uk
     root: '{{ project_root_path }}/{{ ansistrano_current_dir }}/{{ project_web_dir }}'
     index: index.php
     extra_parameters: |
+      ssl_certificate     /etc/letsencrypt/live/d8.oliverdavies.uk/fullchain.pem;
+      ssl_certificate_key /etc/letsencrypt/live/d8.oliverdavies.uk/privkey.pem;
+ 
       location = /favicon.ico {
           log_not_found off;
           access_log off;
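Review bot: The new `listen: 443 ssl` vhost sets only the certificate paths, so protocol versions and HSTS depend on whatever nginx defaults or http-level options apply, which this hunk does not show. If they are not set elsewhere, add `ssl_protocols TLSv1.2 TLSv1.3;` and `add_header Strict-Transport-Security "max-age=31536000" always;` next to the certificate lines in `extra_parameters`. The added separator line after `ssl_certificate_key` contains a single space, which yamllint flags as trailing whitespace; make it an empty line. The `extra_parameters` block continues outside the hunk.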
@@ -122,3 +130,9 @@ nginx_vhosts:
       if ($request_uri ~* "^(.*/)index\.php(.*)") {
           return 307 $1$2;
       }
+
+certbot_create_if_missing: true
+certbot_create_method: standalone
+certbot_admin_email: oliver+certbot@oliverdavies.uk
+certbot_certs:
+  - domains: [d8.oliverdavies.uk]
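Review bot: `certbot_create_method: standalone` needs port 80 free, but after the first run nginx owns that port, and nothing in this hunk shows how later renewals get it. Issuance is covered as long as the role stops the services listed in `certbot_create_standalone_stop_services`, but whether the pinned 3.0.3 release also wraps the renewal cron job is not visible here. Verify on the host with `certbot renew --dry-run` while nginx is running, and record the outcome in a comment above these variables, e.g. `# standalone: renewal requires nginx to be stopped; checked with certbot renew --dry-run`. The domain is also repeated here and in the vhost entries; a single variable would keep the certificate name and the `ssl_certificate` paths from drifting apart.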