diff --git a/inventories/z9/host_vars/esphome.yaml b/inventories/z9/host_vars/esphome.yaml
index c410ce8..5ceee92 100644
--- a/inventories/z9/host_vars/esphome.yaml
+++ b/inventories/z9/host_vars/esphome.yaml
@@ -1,4 +1,11 @@
 esphome__version: "2023.3.2"
+cert__acme_account_email: jannes+letsencrypt-ccchh@grzb.de
+cert__domains:
+  - "esphome.ccchh.net"
+cert__bind_9_host: authoritative-dns
+cert__bind_9_zone: ccchh.net
+cert__handlers:
+  - Restart `nginx.service`
 nginx__version_spec: ""
 nginx__configurations:
   - name: esphome
diff --git a/playbooks/deploy_esphome.yaml b/playbooks/deploy_esphome.yaml
index c99c3ba..92a579b 100644
--- a/playbooks/deploy_esphome.yaml
+++ b/playbooks/deploy_esphome.yaml
@@ -4,4 +4,5 @@
   hosts: esphome
   roles:
     - esphome
+    - cert
     - nginx
diff --git a/playbooks/files/configs/esphome/nginx/esphome.conf b/playbooks/files/configs/esphome/nginx/esphome.conf
index ef33d32..f819334 100644
--- a/playbooks/files/configs/esphome/nginx/esphome.conf
+++ b/playbooks/files/configs/esphome/nginx/esphome.conf
@@ -7,10 +7,14 @@ server {
     listen 443 ssl http2;
     listen [::]:443 ssl http2;
-    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
-    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
+    server_name esphome.ccchh.net;
-    server_name esphome.z9;
+    ssl_certificate /etc/ansible_certs/certs/esphome.ccchh.net/fullchain.pem;
+    ssl_certificate_key /etc/ansible_certs/certs/esphome.ccchh.net/privkey.pem;
+    # verify chain of trust of OCSP response using Root CA and Intermediate certs
+    ssl_trusted_certificate /etc/ansible_certs/certs/esphome.ccchh.net/chain.pem;
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
     location / {
         proxy_set_header Host $host;
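Review bot: `cert__handlers` requests `Restart `nginx.service`` on every certificate renewal, which drops in-flight connections to the esphome proxy; a reload is sufficient to pick up a rotated certificate and key if the nginx role exposes such a handler (the handler names it accepts are not visible in this diff). If it does, `  - Reload `nginx.service`` is the safer entry. The DNS-01 flow implied by `cert__bind_9_host` / `cert__bind_9_zone` gives this host update rights on `ccchh.net`; it is worth confirming that the TSIG or update key the cert role provisions is restricted to the `_acme-challenge` name rather than the whole zone, since a compromised esphome host would otherwise be able to rewrite arbitrary records — that scoping is not shown here.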
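Review bot: `ssl_trusted_certificate` with the comment about verifying the OCSP response only has an effect together with `ssl_stapling on;` and `ssl_stapling_verify on;`, and neither directive appears in this hunk; unless they live in the rest of the `server` block or in the nginx role's global configuration, the directive is inert and the comment misleads. If stapling is intended, add `ssl_stapling on;` and `ssl_stapling_verify on;` next to it (nginx also needs a `resolver` to fetch OCSP responses). Note that the `chain.pem` most ACME clients write holds the intermediate(s) but not the root CA, so `ssl_stapling_verify` may require a bundle that also includes the root — confirm against what the cert role actually deposits under `/etc/ansible_certs`. The `server` block continues past the end of the hunk, so protocol and cipher settings could not be checked here.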