diff --git a/dev/vars/webserver.yml b/dev/vars/webserver.yml
index 1f830b6..1ebb7b5 100644
--- a/dev/vars/webserver.yml
+++ b/dev/vars/webserver.yml
@@ -25,11 +25,15 @@ webserver:
 ### Traefik ###
 ###############
 #TRAEFIK_VERSION: latest
+ #TRAEFIK_ROOT_DOMAIN: local.freeitathens.org
 #TRAEFIK_DOMAIN: traefik.local.freeitathens.org
 #TRAEFIK_DASHBOARD: true
 #TRAEFIK_EXPOSED_DEFAULT: false
- #TRAEFIK_TRAEFIK_ENABLE: true
+ #TRAEFIK_WEB_ENABLED: true
 TRAEFIK_DEBUG: true
+ TRAEFIK_ACME_PROVIDER: dreamhost
+ TRAEFIK_ACME_CASERVER: https://acme-v02.api.letsencrypt.org/directory
+ TRAEFIK_ACME_EMAIL: frita@example.org
 #################
 ### WordPress ###
@@ -39,5 +43,4 @@ webserver:
 #WORDPRESS_DB_HOST: host.docker.internal
 #WORDPRESS_DB_NAME: wordpress
 #WORDPRESS_DB_USER: wordpress
- #WORDPRESS_WEB_ENABLED: true
 WORDPRESS_DB_PASSWORD: "{{ secret.WORDPRESS_DB_PASSWORD }}"
diff --git a/roles/webserver/files/docker-compose.yml b/roles/webserver/files/docker-compose.yml
index 6754beb..f1b5e2f 100644
--- a/roles/webserver/files/docker-compose.yml
+++ b/roles/webserver/files/docker-compose.yml
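Review bot: In dev/vars/webserver.yml the added `TRAEFIK_ACME_CASERVER` points the dev environment at the production Let's Encrypt directory, overriding the staging default that the compose file supplies through `${TRAEFIK_ACME_CASERVER:-https://acme-staging-v02.api.letsencrypt.org/directory}`. A dev host that is rebuilt often can exhaust production rate limits, and every name it requests is published in Certificate Transparency logs; I would drop the line from the dev vars (or set it to the staging URL) and keep the production URL for non-dev inventories only. The `dreamhost` DNS-challenge provider also needs an API credential that this hunk does not define; if it is not supplied elsewhere, it should come from the vault the same way as the database password, e.g. `DREAMHOST_API_KEY: "{{ secret.DREAMHOST_API_KEY }}"` (secret name constructed for illustration).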
@@ -17,11 +17,16 @@ services:
 - --providers.docker=true
 - --providers.docker.exposedbydefault=${TRAEFIK_EXPOSED_DEFAULT:-false}
 - --entrypoints.web.address=:80
+ - --entrypoints.websecure.address=:443
+ - --entrypoints.local.address=:8443
 - --entrypoints.web.http.redirections.entrypoint.to=websecure
 - --entrypoints.web.http.redirections.entrypoint.scheme=https
 - --entrypoints.web.http.redirections.entrypoint.permanent=true
- - --entrypoints.websecure.address=:443
- - --entrypoints.local.address=:8443
+ - --certificatesresolvers.letsencrypt.acme.email=${TRAEFIK_ACME_EMAIL}
+ - --certificatesresolvers.letsencrypt.acme.storage=acme.json
+ - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=${TRAEFIK_ACME_PROVIDER}
+ - --certificatesresolvers.letsencrypt.acme.dnschallenge.delaybeforecheck=0
+ - --certificatesresolvers.letsencrypt.acme.caserver=${TRAEFIK_ACME_CASERVER:-https://acme-staging-v02.api.letsencrypt.org/directory}
 ports:
 - 80:80
 - 443:443
@@ -33,6 +38,8 @@ services:
 traefik.http.routers.api.entrypoints: local
 traefik.http.routers.api.service: api@internal
 traefik.http.routers.api.tls: true
+ traefik.http.routers.api.tls.domains[0].main: ${TRAEFIK_ROOT_DOMAIN:-local.freeitathens.org}
+ traefik.http.routers.api.tls.domains[0].sans: "*.${TRAEFIK_ROOT_DOMAIN:-local.freeitathens.org}"
 traefik.enable: ${TRAEFIK_WEB_ENABLED:-true}
 networks:
 - traefik
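Review bot: `--certificatesresolvers.letsencrypt.acme.storage=acme.json` is a relative path inside the container, and no volume backing it is visible in this hunk (the service definition continues outside it). If the file is not persisted, the ACME account key and issued certificates are lost whenever the container is recreated and have to be requested again; the file also holds private keys, so it belongs on a dedicated mount with mode 600, which Traefik enforces on Linux. I would use an absolute path on a named volume, e.g. `--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json` (path constructed for illustration). Separately, `${TRAEFIK_ACME_EMAIL}` and `${TRAEFIK_ACME_PROVIDER}` expand to empty strings when unset; `${TRAEFIK_ACME_EMAIL:?TRAEFIK_ACME_EMAIL must be set}` makes Compose fail early instead of starting Traefik with a broken resolver.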
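Review bot: The added `tls.domains[0]` labels only have an effect when the router is bound to a certificate resolver, and no `traefik.http.routers.api.tls.certresolver` label appears among the visible lines. Without one, Traefik would keep serving its default certificate on the `local` entrypoint and never ask the `letsencrypt` resolver for the wildcard; add `traefik.http.routers.api.tls.certresolver: letsencrypt` unless a resolver is already configured on the entrypoint outside this hunk. The labels block starts above the hunk, so it is also worth confirming that the `api@internal` router has an authentication middleware attached, since `traefik.enable` defaults to `true` here.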