diff --git a/npm_install.py b/npm_install.py
index c6c7d90..102b01b 100644
--- a/npm_install.py
+++ b/npm_install.py
@@ -247,6 +247,23 @@ def setup_certbot_venv(venv_dir: Path = Path("/opt/certbot")):
         pip_ver = run_out([str(pip_path), "--version"], check=False) or ""
         print(f"Certbot: {cb_ver.strip()} | Pip: {pip_ver.strip()}")
 
+def configure_letsencrypt():
+    with step("configure letsencrypt"):
+        run(["chown", "-R", "npm:npm", "/opt/certbot"], check=False)
+        Path("/etc/letsencrypt").mkdir(parents=True, exist_ok=True)
+        run(["chown", "-R", "npm:npm", "/etc/letsencrypt"], check=False)
+        run(["apt-get", "install", "-y", "--no-install-recommends", "certbot"], check=False)
+        ini = """text = True
+non-interactive = True
+webroot-path = /data/letsencrypt-acme-challenge
+key-type = ecdsa
+elliptic-curve = secp384r1
+preferred-chain = ISRG Root X1
+"""
+        write_file(Path("/etc/letsencrypt.ini"), ini, 0o644)
+        run(["chown", "-R", "npm:npm", "/etc/letsencrypt"], check=False)
+
+
 def ensure_nginx_symlink():
     from pathlib import Path
     target = Path("/etc/angie")
@@ -1176,6 +1193,7 @@ def main():
     ensure_user_and_dirs()
     create_sudoers_for_npm()
     setup_certbot_venv()
+    configure_letsencrypt()
 
     npm_app_version = deploy_npm_app(args.npm_version)