diff --git a/playbooks/roles/certbot/README.md b/playbooks/roles/certbot/README.md
new file mode 100644
index 0000000..6b15ecc
--- /dev/null
+++ b/playbooks/roles/certbot/README.md
@@ -0,0 +1,13 @@
+# Role `certbot`
+
+A role for deploying Certbot and setting up certificates using it.
+
+Note: This role doesn't take care of deleting certificates.
+
+## Required Arguments
+
+For the required arguments look at the [`argument_specs.yaml`](./meta/argument_specs.yaml).
+
+## `hosts`
+
+The `hosts` for this role need to be the machines on which you want to make sure Certbot is deployed and given certificates are set up.
diff --git a/playbooks/roles/certbot/meta/argument_specs.yaml b/playbooks/roles/certbot/meta/argument_specs.yaml
new file mode 100644
index 0000000..b604bcb
--- /dev/null
+++ b/playbooks/roles/certbot/meta/argument_specs.yaml
@@ -0,0 +1,21 @@
+argument_specs:
+  main:
+    options:
+      certbot__version_spec:
+        description: >-
+          The version specification to use for installing the `certbot` package.
+          The provided version specification will be used like the following:
+          `cerbot={{ certbot__version_spec }}*`. This makes it possible to e.g.
+          specify until a minor version (like `1.3.`) and then have patch
+          versions be installed automatically (like `1.3.1` and so on).
+        type: str
+        required: true
+      certbot__acme_account_email_address:
+        description: The E-Mail address to give to certbot for the ACME account.
+        type: str
+        required: true
+      certbot__certificate_domains:
+        description: The domains for which to obtain a certificate.
+        type: list
+        elements: str
+        required: true
diff --git a/playbooks/roles/certbot/meta/main.yaml b/playbooks/roles/certbot/meta/main.yaml
new file mode 100644
index 0000000..b4a1c6f
--- /dev/null
+++ b/playbooks/roles/certbot/meta/main.yaml
@@ -0,0 +1,9 @@
+---
+dependencies:
+  - role: distribution_check
+    vars:
+      distribution_check__distribution_support_spec:
+        - name: Debian
+          major_versions:
+            - 11
+            - 12
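Review bot: The description of `certbot__version_spec` misspells the package in its own example, `cerbot={{ certbot__version_spec }}*`, and does not say that the value is used as a prefix: because the role appends `*`, a spec of `1.3` also matches `1.30.x`, so the trailing dot in the `1.3.` example is load-bearing and a reader can easily drop it. I would correct the example to `certbot={{ certbot__version_spec }}*` and add a sentence to the description such as `The value is a prefix match, so end it with a dot (e.g. 1.3.) unless a broader match is intended.` The same prefix semantics apply to the `name: certbot={{ certbot__version_spec }}*` line in `tasks/main/install.yaml`.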
diff --git a/playbooks/roles/certbot/tasks/main.yaml b/playbooks/roles/certbot/tasks/main.yaml
new file mode 100644
index 0000000..21f4207
--- /dev/null
+++ b/playbooks/roles/certbot/tasks/main.yaml
@@ -0,0 +1,7 @@
+- name: ensure certbot installation
+  ansible.builtin.import_tasks:
+    file: main/install.yaml
+
+- name: ensure certificates
+  ansible.builtin.import_tasks:
+    file: main/certs.yaml
diff --git a/playbooks/roles/certbot/tasks/main/cert.yaml b/playbooks/roles/certbot/tasks/main/cert.yaml
new file mode 100644
index 0000000..cea35e6
--- /dev/null
+++ b/playbooks/roles/certbot/tasks/main/cert.yaml
@@ -0,0 +1,22 @@
+- name: get expiry date before
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  ignore_errors: true
+  become: true
+  changed_when: false
+  register: certbot__cert_expiry_before
+
+- name: obtain the certificate using certbot
+  ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --webroot --webroot-path /webroot-for-acme-challenge -d "{{ item }}"
+  become: true
+  changed_when: false
+
+- name: get expiry date after
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  become: true
+  changed_when: false
+  register: certbot__cert_expiry_after
+
+- name: potentially report changed
+  ansible.builtin.debug:
+    msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
+  changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout
diff --git a/playbooks/roles/certbot/tasks/main/certs.yaml b/playbooks/roles/certbot/tasks/main/certs.yaml
new file mode 100644
index 0000000..7c03b10
--- /dev/null
+++ b/playbooks/roles/certbot/tasks/main/certs.yaml
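Review bot: The three `ansible.builtin.command` tasks in `tasks/main/cert.yaml` interpolate `{{ item }}` and `certbot__acme_account_email_address` into a single command string that is then word-split, so a list entry containing whitespace or quotes is re-tokenised into extra arguments instead of being rejected; the values come from role arguments, so this is a robustness rather than an exploitability concern, but the `argv` form keeps each value one argument regardless of content. In the `get expiry date before` task, `ignore_errors: true` also suppresses every failure, not only the expected missing-certificate case on a first run, and prints "ignoring" in the play output; `failed_when: false` states the intent more precisely. Validating that each `item` looks like a hostname (it is also used as a path component under `/etc/letsencrypt/live/`) before calling certbot would close the remaining gap. The rewrite below converts the first two tasks; the `get expiry date after` task converts the same way.
```yaml
- name: get expiry date before
  ansible.builtin.command:
    argv:
      - /usr/bin/openssl
      - x509
      - -enddate
      - -noout
      - -in
      - "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  # A missing file on the first run is expected; do not mark the task failed.
  failed_when: false
  become: true
  changed_when: false
  register: certbot__cert_expiry_before

- name: obtain the certificate using certbot
  ansible.builtin.command:
    argv:
      - /usr/bin/certbot
      - certonly
      - --keep-until-expiring
      - --agree-tos
      - --non-interactive
      - --email
      - "{{ certbot__acme_account_email_address }}"
      - --no-eff-email
      - --webroot
      - --webroot-path
      - /webroot-for-acme-challenge
      - -d
      - "{{ item }}"
  become: true
  changed_when: false
# … unchanged: get expiry date after / potentially report changed tasks …
```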
@@ -0,0 +1,13 @@
+- name: ensure directory for the webroot exists
+  ansible.builtin.file:
+    path: /webroot-for-acme-challenge/
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  become: true
+
+- name: obtain certificates
+  loop: "{{ certbot__certificate_domains }}"
+  ansible.builtin.include_tasks:
+    file: main/cert.yaml
diff --git a/playbooks/roles/certbot/tasks/main/install.yaml b/playbooks/roles/certbot/tasks/main/install.yaml
new file mode 100644
index 0000000..895ef81
--- /dev/null
+++ b/playbooks/roles/certbot/tasks/main/install.yaml
@@ -0,0 +1,19 @@
+- name: make sure the `openssl` package is installed
+  ansible.builtin.apt:
+    name: openssl
+    state: present
+  become: true
+
+- name: make sure the `certbot` package is installed
+  ansible.builtin.apt:
+    name: certbot={{ certbot__version_spec }}*
+    state: present
+    allow_change_held_packages: true
+    update_cache: true
+  become: true
+
+- name: apt-mark hold `certbot`
+  ansible.builtin.dpkg_selections:
+    name: certbot
+    selection: hold
+  become: true
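Review bot: The `ensure directory for the webroot exists` task creates `/webroot-for-acme-challenge/`, but nothing in this role makes a web server serve it, and the webroot challenge only succeeds if `http://<domain>/.well-known/acme-challenge/` is answered from this directory over plain HTTP; neither this file nor the README states that prerequisite. Please add a comment above the task, e.g. `# The web server on this host must serve this directory as /.well-known/acme-challenge/ over plain HTTP; this role does not configure that.`, and mention the same in the README. The same path is repeated as `--webroot-path` in `tasks/main/cert.yaml`, so it would be safer as a single role default (for example a new `certbot__webroot_path` variable) than as two literals that can drift apart.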
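Review bot: The `apt-mark hold `certbot`` task pins certbot unconditionally, which also excludes it from unattended security upgrades, and the new code does not record that trade-off anywhere; security fixes then arrive only when `certbot__version_spec` is raised and the role re-run. A comment above the task would make that explicit, e.g. `# Held on purpose: certbot is updated only by changing certbot__version_spec and re-running this role, not by unattended-upgrades.`. Separately, `update_cache: true` is set only on the certbot install, so on a host whose package lists have never been fetched the preceding `openssl` task can fail first; adding `update_cache: true` to the first apt task as well removes that ordering dependency.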