diff --git a/cdist/conf/type/__letsencrypt_cert/explorer/exists b/cdist/conf/type/__letsencrypt_cert/explorer/exists
new file mode 100644
index 00000000..cb967663
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_cert/explorer/exists
@@ -0,0 +1,5 @@
+domain=$__object_id
+
+if [ -f "/etc/letsencrypt/live/$domain/fullchain.pem" ]; then
+   echo yes
+fi
diff --git a/cdist/conf/type/__letsencrypt_cert/gencode-remote b/cdist/conf/type/__letsencrypt_cert/gencode-remote
new file mode 100644
index 00000000..62ada241
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_cert/gencode-remote
@@ -0,0 +1,18 @@
+domain="$__object_id"
+
+exists=$(cat "$__object/explorer/exists")
+webroot="$(cat "$__object/parameter/webroot")"
+admin_email="$(cat "$__object/parameter/admin-email")"
+
+if [ -n "$exists" ]; then
+	exit 0
+fi
+
+cat <<EOF
+if [ ! -d "$webroot" ]; then
+	mkdir -p "$webroot"
+fi
+
+certbot certonly -n --agree-tos --email '$admin_email' --quiet --webroot \
+	-w '$webroot' -d '$domain'
+EOF
diff --git a/cdist/conf/type/__letsencrypt_cert/man.rst b/cdist/conf/type/__letsencrypt_cert/man.rst
new file mode 100644
index 00000000..81a65e66
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_cert/man.rst
@@ -0,0 +1,46 @@
+cdist-type__letsencrypt_cert(7)
+===============================
+
+NAME
+----
+cdist-type__letsencrypt_cert - Get an SSL certificate from Let's Encrypt
+
+
+DESCRIPTION
+-----------
+Automatically obtain a Let's Encrypt SSL certificate. Uses certbot's webroot
+method. You must set up your web server to work with webroot.
+
+
+REQUIRED PARAMETERS
+-------------------
+webroot
+   The path to your webroot, as set up in your webserver config.
+
+
+OPTIONAL PARAMETERS
+-------------------
+admin-email
+   Where to send Let's Encrypt emails like "certificate needs renewal". Defaults to root@localhost.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    __letsencrypt_cert example.com --webroot /data/letsencrypt/root
+
+
+AUTHORS
+-------
+Nico Schottelius <nico-cdist--@--schottelius.org>
+Kamila Součková <kamila--@--ksp.sk>
+
+
+COPYING
+-------
+Copyright \(C) 2017 Nico Schottelius, Kamila Součková. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
diff --git a/cdist/conf/type/__letsencrypt_cert/manifest b/cdist/conf/type/__letsencrypt_cert/manifest
new file mode 100644
index 00000000..0dbb281e
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_cert/manifest
@@ -0,0 +1,62 @@
+os=$(cat "$__global/explorer/os")
+os_version=$(cat "$__global/explorer/os_version")
+
+case "$os" in
+    debian)
+        case "$os_version" in
+            8*)
+                __apt_source jessie-backports \
+                             --uri http://http.debian.net/debian \
+                             --distribution jessie-backports \
+                             --component main
+
+                require="__apt_source/jessie-backports" __package_apt python-certbot --target-release jessie-backports
+                require="__apt_source/jessie-backports" __package_apt certbot --target-release jessie-backports
+                # Seems to be a missing dependency on debian 8
+                __package python-ndg-httpsclient
+                ;;
+            *)
+                echo "Unsupported OS version: $os_version" >&2
+                exit 1
+                ;;
+        esac
+
+        certbot_fullpath=/usr/bin/certbot
+        ;;
+    devuan)
+        case "$os_version" in
+            jessie)
+                __apt_source jessie-backports \
+                             --uri http://auto.mirror.devuan.org/merged \
+                             --distribution jessie-backports \
+                             --component main
+
+                require="__apt_source/jessie-backports" __package_apt python-certbot --target-release jessie-backports
+                require="__apt_source/jessie-backports" __package_apt certbot --target-release jessie-backports
+                # Seems to be a missing dependency on debian 8
+                __package python-ndg-httpsclient
+                ;;
+            *)
+                echo "Unsupported OS version: $os_version" >&2
+                exit 1
+                ;;
+        esac
+
+        certbot_fullpath=/usr/bin/certbot
+        ;;
+    freebsd)
+        __package py27-certbot
+
+        certbot_fullpath=/usr/local/bin/certbot
+        ;;
+    *)
+        echo "Unsupported os: $os" >&2
+        exit 1
+        ;;
+esac
+
+
+__cron letsencrypt-certbot  \
+    --user root \
+    --command "$certbot_fullpath renew -q" \
+    --hour 0
diff --git a/cdist/conf/type/__letsencrypt_cert/parameter/default/admin-email b/cdist/conf/type/__letsencrypt_cert/parameter/default/admin-email
new file mode 100644
index 00000000..8da2d115
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_cert/parameter/default/admin-email
@@ -0,0 +1 @@
+root@localhost
diff --git a/cdist/conf/type/__letsencrypt_cert/parameter/optional b/cdist/conf/type/__letsencrypt_cert/parameter/optional
new file mode 100644
index 00000000..bfe77226
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_cert/parameter/optional
@@ -0,0 +1 @@
+admin-email
diff --git a/cdist/conf/type/__letsencrypt_cert/parameter/required b/cdist/conf/type/__letsencrypt_cert/parameter/required
new file mode 100644
index 00000000..fc7c3e96
--- /dev/null
+++ b/cdist/conf/type/__letsencrypt_cert/parameter/required
@@ -0,0 +1 @@
+webroot