diff --git a/meta/main.yml b/meta/main.yml
index 4eb972f570107ee6013b1b0bf7c276f91aa5479b..128229f43f646813dd32287c9dee034e443501eb 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -2,3 +2,4 @@
 
 dependencies:
   - { role: common }
+  - { role: letsencrypt }
diff --git a/tasks/configure.yml b/tasks/configure.yml
index bee426ba2edb563fadd0792165fc972dddc79613..41c31c424e643e4bc6997de61df7aadd8920203f 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
@@ -5,6 +5,7 @@
   copy: src={{inventory_dir}}/files/ssl/{{item.file}}
         dest=/etc/haproxy/certs
   with_items: '{{ proxy_certificates }}'
+  when: not item.letsencrypt|default(false)
   notify: 'Proxy | Restart HAProxy'
 
 - name: "Proxy | Create host lists"
diff --git a/tasks/letsencrypt.yml b/tasks/letsencrypt.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5d9594bfa415ddd46a4895e500b0bb99d3cc32da
--- /dev/null
+++ b/tasks/letsencrypt.yml
@@ -0,0 +1,16 @@
+---
+# file: roles/haproxy/tasks/letsencrypt.yml
+
+- set_fact: filename='/etc/letsencrypt/live/{{ item.domain }}/cert.pem'
+
+- name: "Check LetsEncrypt Requirement"
+  shell: ls {{ filename }}
+  register: cert_available
+  failed_when: false
+
+#- name: "Stop HAProxy"
+#  service: name=haproxy state=stopped
+
+- name: "Install New Cert"
+  shell: /opt/letsencrypt/letsencrypt-auto certonly -d {{ item.domain }} --standalone --text --email {{ apache_server_admin|default('admin@paragon-es.de') }} --agree-tos --redirect
+  when: cert_available is defined and cert_available.stdout != filename
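Review bot: `item.domain` and the admin e-mail are interpolated unquoted into `shell:` lines in both tasks of this new file, so any shell metacharacter in an inventory value is interpreted by the shell. The existence check also depends on comparing `ls` output with the path, and it reports "changed" on every run. A `stat` lookup plus the `command` module keeps the same flow without a shell, as sketched below. Separately, `--standalone` makes the client bind the HTTP/TLS port itself, which presumably conflicts with a running HAProxy now that the "Stop HAProxy" task is commented out. Confirm this on a host that already serves traffic.

```yaml
# … unchanged: file header comment …
- name: "Check LetsEncrypt Requirement"
  stat:
    path: "/etc/letsencrypt/live/{{ item.domain }}/cert.pem"
  register: cert_available

# … unchanged: commented-out "Stop HAProxy" task …

- name: "Install New Cert"
  command: >-
    /opt/letsencrypt/letsencrypt-auto certonly
    -d {{ item.domain }}
    --standalone --text
    --email {{ apache_server_admin|default('admin@paragon-es.de') }}
    --agree-tos --redirect
  when: not cert_available.stat.exists
```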
diff --git a/tasks/main.yml b/tasks/main.yml
index 8a9ad40f47ad49e06be925c53111be56d6f5fb66..de7bb6bfbec4b1a03b6f65dffc06a2cdbb094e8c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,6 +1,22 @@
 ---
 # file: roles/haproxy/tasks/main.yml
 
+- block:
+  - name: "LetsEncrypt Certificates"
+    include: letsencrypt.yml
+    with_items: '{{ proxy_certificates_letsencrypt }}'
+
+    # Renewing certificates is only possible generelly, not individually.
+  - name: "Renew Existing Cert"
+    shell: /opt/letsencrypt/letsencrypt-auto renew
+    ignore_errors: true
+
+  - name: "Create PEM file for HaProxy"
+    shell: cat /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem /etc/letsencrypt/live/{{ item.domain }}/privkey.pem > /etc/haproxy/certs/{{ item.domain }}.pem
+    with_items: '{{ proxy_certificates_letsencrypt }}'
+
+  when: '"letsencrypt" not in excluded_roles'
+
 - block:
   - include: install.yml
   - include: configure.yml
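Review bot: The "Create PEM file for HaProxy" task writes the private key into `/etc/haproxy/certs/{{ item.domain }}.pem` through a shell redirect, so the file gets whatever the default umask allows, which is commonly world-readable. I would follow it with a task such as `file: path=/etc/haproxy/certs/{{ item.domain }}.pem owner=root group=root mode=0600`. Adding `notify: 'Proxy | Restart HAProxy'` would also make sure a renewed certificate is actually loaded. `ignore_errors: true` on the renew task hides failed renewals until a certificate expires. Registering the result and reporting a non-zero `rc` would make that visible.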
diff --git a/templates/haproxy_cfg b/templates/haproxy_cfg
index 0be6aac3749fbc2e9a2739e1092808ccc757489f..05741d81111d4ec11c9a2b0b24a604da3a19e609 100644
--- a/templates/haproxy_cfg
+++ b/templates/haproxy_cfg
@@ -53,8 +53,8 @@ frontend http_in
   acl blockedip src  -i -f /etc/haproxy/blacklist
   http-request deny if blockedip
 {% if kibana_users is defined %}
-  acl kibana_present hdr_dom(host) -i '{{ inventory_hostname }}'
-  use_backend backend_kibana if kibana_present
+  acl kibana_present hdr_dom(host) -i '{{ kibana_domain|default(inventory_hostname) }}'
+  use_backend backend_redirect_ssl
 {% endif %}
 {% if varnish_host|default(false) %}
   acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
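Review bot: In `http_in` the new `use_backend backend_redirect_ssl` has no condition, so whenever `kibana_users` is defined every plain-HTTP request takes that backend. The `kibana_present` ACL on the line above is then never used, and the varnish rules that follow in this frontend look unreachable. If the intent is to send only Kibana traffic to TLS, the line should read `use_backend backend_redirect_ssl if kibana_present`. `backend_redirect_ssl` is not defined in the visible hunks, so confirm it exists in the template. The frontend continues outside the hunk.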
@@ -81,6 +81,10 @@ frontend https_in_{{ cert.ip }}
   bind {{ cert.ip }}:443 ssl crt /etc/haproxy/certs/{{ cert.file }} no-sslv3
   acl blockedip src  -i -f /etc/haproxy/blacklist
   http-request deny if blockedip
+{% if kibana_users is defined %}
+  acl kibana_present hdr_dom(host) -i '{{ kibana_domain|default(inventory_hostname) }}'
+  use_backend backend_kibana if kibana_present
+{% endif %}
 {% if varnish_host|default(false) %}
   acl static_content path_end .jpg .jpeg .gif .png .ico .swf .css .js .htm .html
   use_backend backend_varnish if static_content
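Review bot: `hdr_dom(host)` in the new `kibana_present` ACL matches any Host header that contains the configured name as a dot-delimited part, so hosts other than the Kibana name can be routed to `backend_kibana`. Since this ACL now decides which requests reach Kibana, an exact match such as `acl kibana_present hdr(host) -i {{ kibana_domain|default(inventory_hostname) }}` is the tighter choice. The single quotes around the pattern are only understood by HAProxy releases that support quoting in the configuration. On older releases they would presumably become part of the pattern, so check against the deployed version. The same ACL line is added to `http_in` in the previous hunk.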