diff --git a/inventories/z9/host_vars/wiki.yml b/inventories/z9/host_vars/wiki.yml
index 81dc42f..ea1bce3 100644
--- a/inventories/z9/host_vars/wiki.yml
+++ b/inventories/z9/host_vars/wiki.yml
@@ -5,3 +5,9 @@ nginx__configurations:
 content: "{{ lookup('ansible.builtin.file', 'configs/wiki/nginx/http_handler.conf') }}"
 - name: wiki.ccchh.net
 content: "{{ lookup('ansible.builtin.file', 'configs/wiki/nginx/wiki.ccchh.net.conf') }}"
+
+cert__acme_account_email: j+letsencrypt-ccchh@jsts.xyz
+cert__domains:
+ - "wiki.ccchh.net"
+cert__bind_9_host: authoritative-dns
+cert__bind_9_zone: ccchh.net
diff --git a/playbooks/deploy_dokuwiki.yml b/playbooks/deploy_dokuwiki.yml
index 9dc3d23..55c9f6a 100644
--- a/playbooks/deploy_dokuwiki.yml
+++ b/playbooks/deploy_dokuwiki.yml
@@ -4,6 +4,7 @@
 hosts: wiki
 roles:
 - nginx
+ - cert
 tasks:
 # TODO: make this a role
 - name: Install php-fpm
diff --git a/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf b/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf
index 856db70..c875c71 100644
--- a/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf
+++ b/playbooks/files/configs/wiki/nginx/wiki.ccchh.net.conf
@@ -14,10 +14,10 @@ server {
 server_name wiki.ccchh.net;
- ssl_certificate /etc/letsencrypt/live/wiki.ccchh.net/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/wiki.ccchh.net/privkey.pem;
+ ssl_certificate /etc/ansible_certs/certs/wiki.ccchh.net/fullchain.pem;
+ ssl_certificate_key /etc/ansible_certs/certs/wiki.ccchh.net/privkey.pem;
 # verify chain of trust of OCSP response using Root CA and Intermediate certs
- ssl_trusted_certificate /etc/letsencrypt/live/wiki.ccchh.net/chain.pem;
+ ssl_trusted_certificate /etc/ansible_certs/certs/wiki.ccchh.net/chain.pem;
 # HSTS (ngx_http_headers_module is required) (63072000 seconds)
 add_header Strict-Transport-Security "max-age=63072000" always;
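Review bot: In `inventories/z9/host_vars/wiki.yml`, `cert__acme_account_email` is set to what looks like one person's plus-addressed mailbox, so the ACME account for this host and any notices the CA sends about it depend on a single individual. A shared role address defined once in group vars would outlive that person's involvement and avoid repeating the value per host. The two `cert__bind_9_*` values suggest the role validates through DNS updates on the `ccchh.net` zone (the role itself is not part of this diff); if so, a comment such as `# DNS-01 via authoritative-dns; the update key should only cover the _acme-challenge TXT records` would record the intended scope. The new plain scalars are unquoted while the `cert__domains` entry is quoted; one style throughout would read better.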
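Review bot: In `playbooks/deploy_dokuwiki.yml` the `cert` role is listed after `nginx`, while the `wiki.ccchh.net.conf` hunk in this same commit makes nginx load its certificate and key from `/etc/ansible_certs/certs/wiki.ccchh.net/`. On a host where that directory does not exist yet, the nginx role would deploy a configuration pointing at missing files; whether that fails depends on whether the role validates or restarts nginx before the play's handlers run, which is not visible here. Listing the roles as `- cert` then `- nginx` removes the dependency on handler timing. The play continues outside the hunk.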
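Review bot: The three directives in `wiki.ccchh.net.conf` now read from `/etc/ansible_certs/certs/wiki.ccchh.net/`, but nothing in this diff retires the previous `/etc/letsencrypt/live/wiki.ccchh.net/` lineage, so the old private key and whatever job renewed it presumably stay on the host. A follow-up task that removes the old lineage and disables its renewal job would leave a single source of key material to audit. It is also worth confirming that the cert role writes `privkey.pem` readable only by root, and adding a comment above the directives such as `# issued and renewed by the cert role; see cert__domains in host_vars/wiki.yml`. The `server` block starts and ends outside the hunk.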