diff --git a/roles/nginx/README.md b/roles/nginx/README.md
new file mode 100644
index 0000000..a5696ee
--- /dev/null
+++ b/roles/nginx/README.md
@@ -0,0 +1,3 @@
+Install nginx, set up generic HTTPS redirects and the .well-known directory.
+
+Also acquire Let’s Encrypt certificates for domains listed in the `tls_domains` context property (or just for the primary IP `dns_domain` if `tls_domains` is not set).
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 2fb8a50..b3caf31 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -26,8 +26,8 @@
 - name: Get LE certificate
 command:
- cmd: certbot certonly --non-interactive --agree-tos --register-unsafely-without-email --webroot --webroot-path /srv/http -d {{ dns_name }}
- creates: '/etc/letsencrypt/renewal/{{ dns_name }}.conf'
+ cmd: certbot certonly --non-interactive --agree-tos --register-unsafely-without-email --webroot --webroot-path /srv/http -d {{ tls_domains|default([dns_name])|join(',') }}
+ creates: '/etc/letsencrypt/renewal/{{ tls_domains|default([dns_name])|first }}.conf'
 - name: Install certificate renewal deployment hook
 copy:
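Review bot: The `creates:` guard on the `Get LE certificate` task only looks at the renewal file of the first list entry, so once that file exists certbot is skipped and a domain added to `tls_domains` later never gets onto the certificate; that hostname would then be served with a certificate that does not name it. One way to close this is to drop `creates:`, pin the lineage with `--cert-name {{ tls_domains|default([dns_name], true)|first }}`, add `--expand --keep-until-expiring`, and derive `changed_when` from certbot's output. The `true` argument to `default` matters as well: as written, a defined-but-empty `tls_domains` skips the fallback and produces an empty `-d` value. Because `cmd:` is split into arguments on whitespace, a list entry containing a space would be read as extra certbot options, so the `argv:` form is the safer way to pass the joined list. The README added in the same commit names the fallback variable `dns_domain`, while this task uses `dns_name`.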