diff --git a/apps/fnux-playground/README.md b/apps/fnux-playground/README.md index 7c8d134..c8c71ef 100644 --- a/apps/fnux-playground/README.md +++ b/apps/fnux-playground/README.md @@ -5,10 +5,14 @@ Tests made by Timothée for ungleich. ## OpenLDAP Simple chart based on [Osixia's OpenLDAP -image](https://github.com/osixia/docker-openldap). +image](https://github.com/osixia/docker-openldap). A TLS certificate is +automatically generated via Let'sEncrypt, but renewal is not handled yet. + +TODO: handle TLS certificate renewal. ``` -helm install ldap1 ./openldap +kubectl create secret generic ldap1-openldap --from-literal=LDAP_ADMIN_PASSWORD=secretsecretsectet +helm install ldap1 ./openldap -f ldap1.fnux-playground.yaml ``` ## Matrix Synapse diff --git a/apps/fnux-playground/ldap1.fnux-playground.yaml b/apps/fnux-playground/ldap1.fnux-playground.yaml new file mode 100644 index 0000000..9026f01 --- /dev/null +++ b/apps/fnux-playground/ldap1.fnux-playground.yaml @@ -0,0 +1,6 @@ +clusterDomain: "c1.k8s.ooo" + +# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2; +ldapLogLevel: "256" +ldapOrganisation: "ungleich glarus ag" +ldapDomain: "ungleich.ch" diff --git a/apps/fnux-playground/openldap/templates/deployment.yaml b/apps/fnux-playground/openldap/templates/deployment.yaml index 9668566..7bd9e91 100644 --- a/apps/fnux-playground/openldap/templates/deployment.yaml +++ b/apps/fnux-playground/openldap/templates/deployment.yaml @@ -6,6 +6,10 @@ metadata: app: openldap spec: replicas: 1 + strategy: + # Delete old pod before starting the new one - slapd doesn't react well + # with two instances hitting the same database. + type: "Recreate" selector: matchLabels: app: "{{ tpl .Values.identifier . }}-openldap" 
@@ -14,10 +18,20 @@ spec: labels: app: "{{ tpl .Values.identifier . }}-openldap" spec: + initContainers: + - name: wait-for-cert + image: busybox + command: + - "sh" + - "-c" + - "until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done" + volumeMounts: + - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" + mountPath: /etc/letsencrypt containers: - name: "openldap" image: "osixia/openldap:{{ .Chart.AppVersion }}" - args: ["--loglevel", "info"] + args: ["--loglevel", "debug"] ports: - name: ldap containerPort: 389 @@ -47,8 +61,16 @@ spec: - name: LDAP_ADMIN_PASSWORD valueFrom: secretKeyRef: - name: "{{ tpl .Values.identifier . }}-openldap" - key: LDAP_ADMIN_PASSWORD + name: "{{ tpl .Values.ldapAdminPasswordSecretRef . }}" + key: "{{ tpl .Values.ldapAdminPasswordSecretKey . }}" + - name: LDAP_TLS_CRT_FILENAME + value: "live/{{ tpl .Values.fqdn . }}/cert.pem" + - name: LDAP_TLS_KEY_FILENAME + value: "live/{{ tpl .Values.fqdn . }}/privkey.pem" + - name: LDAP_TLS_CA_CRT_FILENAME + value: "live/{{ tpl .Values.fqdn . }}/fullchain.pem" + - name: LDAP_TLS_VERIFY_CLIENT + value: "try" volumeMounts: - name: "{{ tpl .Values.identifier . }}-openldap-data" mountPath: "/etc/ldap/slapd.d" 
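Review bot: The `wait-for-cert` init container added at the top of this hunk loops forever when no certificate ever appears — the certbot Job gives up after `backoffLimit: 3`, but the openldap pod then sits in Init indefinitely with nothing in its status beyond `ls` errors. Bounding the wait, e.g. `- "i=0; until [ -f /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem ]; do [ $i -ge 120 ] && exit 1; i=$((i+1)); sleep 5; done"`, turns a silent hang into a visible init failure. `image: busybox` is pulled without a tag or digest, so the step runs whatever `latest` resolves to at pull time; pin it (the `ungleich/ungleich-certbot` image in the Job later in this file has the same issue). The switch from `--loglevel info` to `debug` raises the osixia entrypoint's verbosity, and init-script debug output can echo configuration values, so check that `LDAP_ADMIN_PASSWORD` does not land in pod logs before this leaves the playground. The pod spec these lines belong to continues past the end of the hunk.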
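Review bot: `LDAP_TLS_CA_CRT_FILENAME` is pointed at `live/<fqdn>/fullchain.pem`, which, if I read osixia's env mapping correctly, becomes slapd's `TLSCACertificateFile`, and OpenLDAP uses that file as the trust anchor for client certificates as well as for the chain it presents. Combined with `LDAP_TLS_VERIFY_CLIENT: "try"` this means a client certificate chaining to the Let's Encrypt intermediate bundled in fullchain.pem would pass verification; that is harmless while no certificate-based identity mapping (SASL EXTERNAL) is configured, but it should be written down so a later `demand` or authz-regexp change does not inherit a public CA as its client trust root. A comment such as `# fullchain.pem also acts as the client-cert trust anchor; use a private CA before enabling SASL EXTERNAL` above the CA entry would capture this. Moving the admin-password reference to `ldapAdminPasswordSecretRef`/`ldapAdminPasswordSecretKey` keeps the credential out of the chart values, which is the right direction. The `env` list and the enclosing container spec continue on both sides of the hunk.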
@@ -56,10 +78,48 @@ spec: - name: "{{ tpl .Values.identifier . }}-openldap-data" mountPath: "/var/lib/ldap" subPath: database - - name: "{{ tpl .Values.identifier . }}-openldap-data" + - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" mountPath: /container/service/slapd/assets/certs - subPath: certs volumes: - name: "{{ tpl .Values.identifier . }}-openldap-data" persistentVolumeClaim: claimName: "{{ tpl .Values.identifier . }}-openldap-data" + - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" + persistentVolumeClaim: + claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ tpl .Values.identifier . }}-getcert +spec: + template: + metadata: + labels: + app: {{ tpl .Values.identifier . }}-openldap + spec: + restartPolicy: Never + containers: + - name: certbot + image: ungleich/ungleich-certbot + ports: + - containerPort: 80 + env: + - name: ONLYGETCERT + value: "yes" + - name: DOMAIN + value: "{{ tpl .Values.fqdn . }}" + - name: EMAIL + value: "{{ .Values.letsencryptEmail }}" + {{ if eq .Values.letsencryptStaging "no" }} + - name: STAGING + value: "no" + {{ end }} + volumeMounts: + - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" + mountPath: /etc/letsencrypt + volumes: + - name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" + persistentVolumeClaim: + claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs + backoffLimit: 3 diff --git a/apps/fnux-playground/openldap/templates/pvc.yaml b/apps/fnux-playground/openldap/templates/pvc.yaml index 66d55ad..360eb6f 100644 --- a/apps/fnux-playground/openldap/templates/pvc.yaml +++ b/apps/fnux-playground/openldap/templates/pvc.yaml 
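Review bot: The certbot Job's pod template carries `app: {{ tpl .Values.identifier . }}-openldap`, the exact label the Deployment's `matchLabels` (earlier in this file) and the new Service selector in service.yaml use, so the ldap Service sends 389/636 to the certbot pod while it is the only ready endpoint and sends port 80 to slapd once the openldap pod is up; Kubernetes documentation warns against controllers and services with overlapping selectors. Giving the Job its own label, `app: "{{ tpl .Values.identifier . }}-certbot"`, plus a small dedicated Service for port 80 selecting that label decouples the two, and the `# Required for TLS certificate generation via LetsEncrypt.` port can then move off the LDAP Service. The `claimName:`, `name:` and `app:` values that embed `{{ tpl .Values.identifier . }}` in this hunk are unquoted while every other templated scalar in the file is quoted; quote them for consistency and so a value starting with a YAML indicator cannot break rendering. The `{{ if eq .Values.letsencryptStaging "no" }}` / `{{ end }}` lines leave indented blank lines in the rendered manifest; `{{- if ... }}` / `{{- end }}` avoids that. Note also that the completed Job is left in place, so a later `helm upgrade` that changes its template will be rejected because a Job's template is immutable — worth a comment until renewal handling replaces this one-shot Job.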
@@ -4,8 +4,22 @@ metadata: name: "{{ tpl .Values.identifier . }}-openldap-data" spec: accessModes: - - ReadWriteMany + - ReadWriteOnce resources: requests: storage: 1Gi storageClassName: rook-cephfs +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: "{{ tpl .Values.identifier . }}-letsencrypt-certs" +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 50Mi + storageClassName: rook-cephfs + + diff --git a/apps/fnux-playground/openldap/templates/service.yaml b/apps/fnux-playground/openldap/templates/service.yaml index 8028395..43e86d2 100644 --- a/apps/fnux-playground/openldap/templates/service.yaml +++ b/apps/fnux-playground/openldap/templates/service.yaml @@ -1,13 +1,18 @@ apiVersion: v1 kind: Service metadata: - name: "{{ tpl .Values.identifier . }}" + name: "{{ .Release.Name }}" labels: app: openldap spec: type: ClusterIP + selector: + app: "{{ tpl .Values.identifier . }}-openldap" ports: - port: 389 name: ldap - port: 636 name: ldaps + # Required for TLS certificate generation via LetsEncrypt. + - port: 80 + name: http diff --git a/apps/fnux-playground/openldap/values.yaml b/apps/fnux-playground/openldap/values.yaml index 9ca7b47..f0c48f9 100644 --- a/apps/fnux-playground/openldap/values.yaml +++ b/apps/fnux-playground/openldap/values.yaml @@ -2,6 +2,13 @@ clusterDomain: "c1.k8s.ooo" fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}" identifier: "{{ .Release.Name }}" +# See https://www.openldap.org/doc/admin24/slapdconf2.html section 5.2.1.2; ldapLogLevel: "256" ldapOrganisation: "ungleich glarus ag" ldapDomain: "{{ tpl .Values.fqdn . }}" +ldapAdminPasswordSecretRef: "{{ tpl .Values.identifier . }}-openldap" +ldapAdminPasswordSecretKey: "LDAP_ADMIN_PASSWORD" + +# TLS certificate generation. +letsencryptEmail: "technik@ungleich.ch" +letsencryptStaging: "no"
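Review bot: `accessModes` on the existing `-openldap-data` claim changes from `ReadWriteMany` to `ReadWriteOnce`; a PVC's accessModes are immutable once created, so `helm upgrade` on any release already carrying the old claim will be rejected by the API server and the claim has to be recreated (and the data copied) by hand. If such releases exist, a short migration note in the README, or keeping the old value until the next fresh install, avoids a surprise. The mode change itself is sound given the Deployment now uses `strategy: Recreate`, and the new 50Mi `-letsencrypt-certs` claim correctly stays `ReadWriteMany` since the certbot Job and the slapd pod may land on different nodes. The two added blank lines at the end of the file should go.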
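Review bot: `letsencryptStaging: "no"` makes Let's Encrypt production the chart default, so every throwaway install of this playground chart requests a real certificate and counts against the duplicate-certificate and per-domain rate limits. Safer defaults would be `letsencryptStaging: "yes"` in the chart values with `"no"` set per environment in a file like `ldap1.fnux-playground.yaml`, which is exactly what the `-f` override added to the README is for. The yes/no string is checked with `eq .Values.letsencryptStaging "no"` in deployment.yaml, so any other spelling (`"No"`, `false`) silently selects staging; either document the accepted values in a comment above the key or switch to a real boolean and map it to the `STAGING` env var in the template. `letsencryptEmail: "technik@ungleich.ch"` as a chart default likewise belongs in the per-release values file if the chart is meant to be reused.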