diff --git a/bundles/letsencrypt/files/domains.txt b/bundles/letsencrypt/files/domains.txt
new file mode 100644
index 0000000..6895b83
--- /dev/null
+++ b/bundles/letsencrypt/files/domains.txt
@@ -0,0 +1,5 @@
+${node.hostname}
+
+% for domain, aliases in node.metadata.get('letsencrypt', {}).get('domains', {}).items():
+${domain} ${' '.join(aliases)}
+% endfor
diff --git a/bundles/letsencrypt/items.py b/bundles/letsencrypt/items.py
new file mode 100644
index 0000000..b8a5096
--- /dev/null
+++ b/bundles/letsencrypt/items.py
@@ -0,0 +1,24 @@
+assert node.has_bundle('nginx'), 'letsencrypt needs nginx'
+
+pkg_apt = {
+ 'dehydrated': {},
+}
+
+actions = {
+ 'letsencrypt_update_certificates': {
+ 'command': 'dehydrated --cron --accept-terms --ocsp --challenge http-01',
+ 'triggered': True,
+ 'needs': {
+ 'pkg_apt:dehydrated',
+ },
+ },
+}
+
+files = {
+ '/etc/dehydrated/domains.txt': {
+ 'content_type': 'mako',
+ 'triggers': {
+ 'action:letsencrypt_update_certificates',
+ },
+ },
+}
diff --git a/bundles/nginx/files/port80.conf b/bundles/nginx/files/port80.conf
index 72299e0..6f1e79a 100644
--- a/bundles/nginx/files/port80.conf
+++ b/bundles/nginx/files/port80.conf
@@ -2,12 +2,12 @@ server {
 listen 80 default_server;
 listen [::]:80 default_server;
 server_name _;
-
+
 location / {
 return 301 https://$host$request_uri;
 }
 location /.well-known/acme-challenge/ {
- alias /var/www/default/.well-known/acme-challenge/;
+ alias /var/lib/dehydrated/acme-challenges/;
 }
 }
diff --git a/groups/all.py b/groups/all.py
index 8242284..433fb6c 100644
--- a/groups/all.py
+++ b/groups/all.py
@@ -5,6 +5,7 @@ groups['all'] = {
 'bundles': {
 'apt',
 'hostname',
+ 'letsencrypt',
 'sudo',
 'systemd',
 'users',
diff --git a/nodes/htz-cloud/sewfile.py b/nodes/htz-cloud/sewfile.py
index 1a03c9e..9826d4a 100644
--- a/nodes/htz-cloud/sewfile.py
+++ b/nodes/htz-cloud/sewfile.py
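Review bot: In bundles/letsencrypt/files/domains.txt, `' '.join(aliases)` iterates a set (nodes/htz-cloud/sewfile.py passes `set()`), so with more than one alias the rendered order is not stable between runs. Each reordering changes the file and re-triggers `letsencrypt_update_certificates`, and it may make dehydrated treat the certificate's name list as changed and re-issue. Sorting removes the churn: `${domain} ${' '.join(sorted(aliases))}`.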
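Review bot: The `letsencrypt_update_certificates` action in bundles/letsencrypt/items.py is `'triggered': True` and its only trigger is `/etc/dehydrated/domains.txt`, so `dehydrated --cron` runs when the domain list changes and, as far as this diff shows, never again for renewal. Unless the package or another bundle schedules it, certificates will expire; add a cron or systemd timer item for the same command, or at least a comment such as `# renewal is scheduled by <ITEM>; this action only covers domain-list changes`. Separately, `--ocsp` requests a must-staple certificate, which only works if nginx staples OCSP responses and the CA still honours the extension. Neither is visible here, so confirm both before keeping the flag.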
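Review bot: The new `alias /var/lib/dehydrated/acme-challenges/;` in bundles/nginx/files/port80.conf ties the nginx bundle to dehydrated's challenge directory, but nothing in this commit pins `WELLKNOWN` on the dehydrated side or orders the certificate action after nginx has loaded this file. The action in bundles/letsencrypt/items.py only `needs` `pkg_apt:dehydrated`, so on a first apply the http-01 request can presumably run before port 80 serves that directory, and fail. I would add the nginx config/reload item to the action's `needs` and put `# must match dehydrated's WELLKNOWN directory` above the alias. The server block starts above the hunk.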
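Review bot: Adding `'letsencrypt'` to `groups['all']` in groups/all.py applies the bundle to every node, yet bundles/letsencrypt/items.py opens with `assert node.has_bundle('nginx')` and `'nginx'` is not among the bundles visible in this hunk. Any node in `all` without nginx will abort on that assertion, and every node that has it will request a certificate for `${node.hostname}` whether or not that name is publicly resolvable. Consider attaching `'letsencrypt'` to the group or nodes that already carry nginx rather than to `all`. The bundle set continues beyond the hunk, so nginx may be supplied outside the visible lines.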
@@ -7,6 +7,11 @@ nodes['htz-cloud.sewfile'] = {
 'seafile',
 ],
 'metadata': {
+ 'letsencrypt': {
+ 'domains': {
+ 'sewfile.franzi.business': set(),
+ },
+ },
 'os': 'debian',
 'os_release': 'buster',
 },