diff --git a/roles/nginx/README.md b/roles/nginx/README.md
new file mode 100644
index 0000000..6392617
--- /dev/null
+++ b/roles/nginx/README.md
@@ -0,0 +1,3 @@
+Install nginx, set up generic HTTPS redirects and the .well-known directory.
+
+Acquire Let’s Encrypt certificates for the primary IP `dns_name` and any domains listed in the `tls_domains` context property.
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 2fb8a50..e9e0f65 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -26,7 +26,7 @@
 - name: Get LE certificate
 command:
- cmd: certbot certonly --non-interactive --agree-tos --register-unsafely-without-email --webroot --webroot-path /srv/http -d {{ dns_name }}
+ cmd: certbot certonly --non-interactive --agree-tos --register-unsafely-without-email --webroot --webroot-path /srv/http -d {{ ([dns_name] + tls_domains|default([])) | join(',') }}
 creates: '/etc/letsencrypt/renewal/{{ dns_name }}.conf'
 - name: Install certificate renewal deployment hook
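Review bot: The `creates: '/etc/letsencrypt/renewal/{{ dns_name }}.conf'` guard on the Get LE certificate task is keyed on `dns_name` only, so on a host that already holds a certificate the task is skipped and a later addition to `tls_domains` never reaches certbot; those names would then be served with a certificate that does not cover them. Pinning the lineage and letting certbot decide whether to reissue would fix that, e.g. appending `--cert-name {{ dns_name }} --expand --keep-until-expiring` to the command and dropping `creates` (a `changed_when` on certbot's output would then be needed to keep the task's change reporting accurate). Separately, the joined list is interpolated into a single `cmd` string that the command module splits on whitespace, so a `tls_domains` entry containing a space would become additional certbot arguments; passing the arguments as an `argv:` list avoids that.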