diff --git a/pillar/certificates/certificates.sls b/pillar/certificates/certificates.sls
new file mode 100644
--- /dev/null
+++ b/pillar/certificates/certificates.sls
@@ -0,0 +1,16 @@
+#   -------------------------------------------------------------
+#   Salt — Let's encrypt certificates
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Nasqueron
+#   Created:        2017-04-27
+#   License:        Trivial work, not eligible to copyright
+#   -------------------------------------------------------------
+
+#   -------------------------------------------------------------
+#   Certificates 
+#   -------------------------------------------------------------
+
+certificates_letsencrypt:
+  eglide:
+    - www.eglide.org
+    - robot.paysannerebelle.com
diff --git a/roles/core/letsencrypt-renew/files/letsencrypt.service b/roles/core/letsencrypt/files/letsencrypt-renew.service
rename from roles/core/letsencrypt-renew/files/letsencrypt.service
rename to roles/core/letsencrypt/files/letsencrypt-renew.service
--- a/roles/core/letsencrypt-renew/files/letsencrypt.service
+++ b/roles/core/letsencrypt/files/letsencrypt-renew.service
@@ -18,5 +18,5 @@
 Description=Renew Let's encrypt certificates.
 
 [Service]
-Type=simple
-ExecStart=letsencrypt-renewal
+Type=oneshot
+ExecStart=/usr/local/sbin/letsencrypt-renewal
diff --git a/roles/core/letsencrypt-renew/files/letsencrypt.timer b/roles/core/letsencrypt/files/letsencrypt-renew.timer
rename from roles/core/letsencrypt-renew/files/letsencrypt.timer
rename to roles/core/letsencrypt/files/letsencrypt-renew.timer
--- a/roles/core/letsencrypt-renew/files/letsencrypt.timer
+++ b/roles/core/letsencrypt/files/letsencrypt-renew.timer
@@ -20,4 +20,6 @@
 [Timer]
 OnCalendar=*-*-26 12:15:00
 Persistent=yes
-Unit=letsencrypt.service
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/core/letsencrypt-renew/files/letsencrypt-renewal.sh b/roles/core/letsencrypt/files/letsencrypt-renewal.sh
rename from roles/core/letsencrypt-renew/files/letsencrypt-renewal.sh
rename to roles/core/letsencrypt/files/letsencrypt-renewal.sh
--- a/roles/core/letsencrypt-renew/files/letsencrypt-renewal.sh
+++ b/roles/core/letsencrypt/files/letsencrypt-renewal.sh
@@ -28,4 +28,4 @@
 }
 
 
-letsencrypt renew && nginx_test && service nginx restart
+certbot renew && nginx_test && service nginx restart
diff --git a/roles/core/letsencrypt/init.sls b/roles/core/letsencrypt/init.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/letsencrypt/init.sls
@@ -0,0 +1,11 @@
+#   -------------------------------------------------------------
+#   Salt — Let's encrypt certificates
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Nasqueron
+#   Created:        2017-04-27
+#   License:        Trivial work, not eligible to copyright
+#   -------------------------------------------------------------
+
+include:
+  - .software
+  - .service
diff --git a/roles/core/letsencrypt/service.sls b/roles/core/letsencrypt/service.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/letsencrypt/service.sls
@@ -0,0 +1,44 @@
+#   -------------------------------------------------------------
+#   Salt — Let's encrypt certificates
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Nasqueron
+#   Created:        2017-04-27
+#   Description:    Provide a renewal service
+#   License:        Trivial work, not eligible to copyright
+#   -------------------------------------------------------------
+
+{% from "map.jinja" import services with context %}
+
+#   -------------------------------------------------------------
+#   Renew script
+#   -------------------------------------------------------------
+
+/usr/local/sbin/letsencrypt-renewal:
+  file.managed:
+    - source: salt://roles/core/letsencrypt/files/letsencrypt-renewal.sh
+    - mode: 0755
+
+#   -------------------------------------------------------------
+#   Unit configuration 
+#   -------------------------------------------------------------
+
+{% if services['manager'] == 'systemd' %}
+
+letsencrypt_renew_unit:
+  file.managed:
+    - name: /etc/systemd/system/letsencrypt-renew.service
+    - source: salt://roles/core/letsencrypt/files/letsencrypt-renew.service
+    - mode: 0644
+  module.run:
+    - name: service.force_reload
+    - m_name: letsencrypt-renew
+    - onchanges:
+       - file: letsencrypt_renew_unit
+
+letsencrypt_renew_enable:
+  service.enabled:
+    - name: letsencrypt-renew
+    - watch:
+      - module: letsencrypt_renew_unit
+
+{% endif %}
diff --git a/roles/core/letsencrypt/software.sls b/roles/core/letsencrypt/software.sls
new file mode 100644
--- /dev/null
+++ b/roles/core/letsencrypt/software.sls
@@ -0,0 +1,16 @@
+#   -------------------------------------------------------------
+#   Salt — Let's encrypt certificates
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Nasqueron
+#   Created:        2017-04-27
+#   Description:    Provide a renewal service
+#   License:        Trivial work, not eligible to copyright
+#   -------------------------------------------------------------
+
+letsencrypt_software:
+  pkg.installed:
+    {% if grains['os'] == 'FreeBSD' %}
+    - name: py27-certbot
+    {% else %}
+    - name: certbot
+    {% endif %}
diff --git a/top.sls b/top.sls
--- a/top.sls
+++ b/top.sls
@@ -14,6 +14,7 @@
     - roles/core/motd
     - roles/core/rsyslog
     - roles/core/sshd
+    - roles/core/letsencrypt
   'eglide':
     - roles/shellserver/users
     - roles/shellserver/userland-software