diff --git a/roles/ceph/files/restart-ceph-rgw.sh b/roles/ceph/files/restart-ceph-rgw.sh
new file mode 100644
index 0000000..6996a95
--- /dev/null
+++ b/roles/ceph/files/restart-ceph-rgw.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+systemctl restart "ceph-*@rgw.*.$(hostname -s).*.service"
diff --git a/roles/ceph/tasks/cert.yml b/roles/ceph/tasks/cert.yml
new file mode 100644
index 0000000..52cff0b
--- /dev/null
+++ b/roles/ceph/tasks/cert.yml
@@ -0,0 +1,34 @@
+- name: Get DNS names
+ set_fact:
+ domains: '{{ interfaces | selectattr("name", "==", "lo")
+ | map(attribute="ip_addresses") | flatten | map(attribute="dns_name")
+ | sort | unique }}'
+
+- name: Install certbot
+ package:
+ name: certbot
+
+- name: Get LE certificate
+ command:
+ cmd: ip vrf exec default certbot certonly --non-interactive --agree-tos --register-unsafely-without-email --standalone -d {{ domains | join(',') }}
+ creates: '/etc/letsencrypt/renewal/{{ domains | first }}.conf'
+
+- name: Create common directory for ceph nodes
+ file:
+ path: /etc/ceph
+ state: directory
+
+- name: Link key and certificate to common location
+ file:
+ dest: '/etc/ceph/{{ item }}'
+ src: '/etc/letsencrypt/live/{{ domains | first }}/{{ item }}'
+ state: link
+ loop:
+ - privkey.pem
+ - fullchain.pem
+
+- name: Install certificate deploy hook
+ copy:
+ dest: /etc/letsencrypt/renewal-hooks/deploy/
+ src: restart-ceph-rgw.sh
+ mode: 0755
diff --git a/roles/ceph/tasks/main.yml b/roles/ceph/tasks/main.yml
index 5542598..8f6bdbf 100644
--- a/roles/ceph/tasks/main.yml
+++ b/roles/ceph/tasks/main.yml
@@ -39,3 +39,5 @@
 mode: 0755
 
 - include_tasks: firewall.yml
+
+- include_tasks: cert.yml
diff --git a/roles/ceph/templates/nftables.conf.j2 b/roles/ceph/templates/nftables.conf.j2
index e50c6f6..a5d51e0 100644
--- a/roles/ceph/templates/nftables.conf.j2
+++ b/roles/ceph/templates/nftables.conf.j2
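Review bot: The hook carries no comment and restarts every matching RGW unit on the host whichever lineage certbot renewed; a header such as `# certbot deploy hook: restart the local RGW units so they pick up the renewed certificate` would record the intent for the next reader. systemctl applies a unit-name glob only to units that are currently loaded, and as far as I recall a pattern matching nothing exits 0 without output, so a host whose RGW is stopped gives no signal that the restart did nothing — confirm. With the single lineage that cert.yml creates this is harmless; if further certificates are issued on these hosts later, a check of certbot's `RENEWED_LINEAGE` environment variable would keep unrelated renewals from restarting RGW.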
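Review bot: The `ip vrf exec default` wrapper in `Get LE certificate` covers only the initial issuance; renewals run from the certbot package's own timer as a plain `certbot renew`, so if the wrapper is what makes the `--standalone` listener reachable, every renewal will fail, and because the account is registered with `--register-unsafely-without-email` nobody will be told until the certificate expires — confirm how renewal is meant to run and record it in the task, e.g. `# renewals: certbot.timer from the package, deploy hook below restarts RGW`. `/etc/ceph/privkey.pem` is a symlink, so the permissions of `/etc/letsencrypt/live` and `archive` still govern access when the RGW daemon opens the key; if RGW does not run as root the key is unreadable and nothing in this play checks that. `domains | first` makes the `creates:` render fail when the `lo` interface carries no `dns_name`, so an `assert: { that: domains | length > 0 }` before the certonly task would give a clear error. Note also that the port-80 rule in the nftables hunk is IPv6-only, so a name in `domains` that resolves to an IPv4 address of this host could not be validated over HTTP-01 — worth confirming the names are AAAA-only.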
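Review bot: The include order is load-bearing but undocumented: `cert.yml` runs `certbot --standalone`, which needs the tcp/80 rule that `firewall.yml` (presumably via the nftables template changed in this commit) applies, and it reads the `interfaces` fact set earlier in the role. A comment on the new line, `# after firewall.yml: certbot --standalone needs tcp/80 open`, would keep a later reordering from silently breaking issuance.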
@@ -54,6 +54,8 @@ table inet filter { ip saddr @allowed accept # TODO remove exceptions ip6 saddr @allowed/6 accept # TODO remove exceptions + meta nfproto ipv6 tcp dport 80 accept comment "for certificate renewal" + {% for service in cluster_services %} {% set prefixes = service | allowed_prefixes %} {% set ports = service.ports | compact_numlist %}