diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
index 29e44bf..0101471 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/mqtt.pp
@@ -3,8 +3,13 @@ class cdn::mqtt(
   String $dc = '',
   Array[String] $clients = [],
   Hash[String, Hash] $bridges = {},
+  Hash[String, String] $acme_url = {
+    test => 'https://internal-sto3-test-ca-1.cdn.sunet.se:9000/acme/acme/directory'
+  }
 ) {
 
+  include sunet::packages::certbot
+
   package {'mosquitto': ensure => installed }
 
   file { '/etc/mosquitto/aclfile':
@@ -23,9 +28,20 @@ class cdn::mqtt(
     content => template('cdn/mqtt/cdn.conf.erb'),
   }
 
-  sunet::nftables::allow { "allow-step-ca-acme":
+  sunet::nftables::allow { 'allow-step-ca-acme':
     from => 'any',
     port => 80,
     proto => 'tcp',
   }
+
+  # From https://wiki.sunet.se/display/sunetops/Platform+naming+standards
+  $my_fqdn = $facts['networking']['fqdn']
+  $dot_split = split($my_fqdn, '[.]')
+  $my_hostname = $dot_split[0]
+  $dash_split = split($my_hostname,'[-]')
+  $environment = $dash_split[2]
+
+  exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]}":
+    creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem"
+  }
 }
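Review bot: The new `$acme_url` parameter carries no documentation of what its keys are, and the default covers only `test`, so a reader cannot tell that the keys must match the environment field parsed out of the hostname later in this class. A comment above the parameter would make the contract explicit, e.g. `# ACME directory URL per environment, keyed by the environment field of the hostname` and `# (see the platform naming standard); every environment that runs this class needs an entry.` Hiera data for the non-test environments is presumably supplied elsewhere, which is worth confirming, since a missing key silently produces an empty `--server` value in the exec below. The class header and body continue outside this hunk.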
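Review bot: The exec builds `--server ${acme_url[$environment]}` without checking that `$environment` is a key of `$acme_url`; with the default hash only `test` resolves, so on any other host (or a hostname with fewer than three dash-separated fields, where `$dash_split[2]` is undef) the command is run with an empty `--server` and certbot would either fail or, if it falls back to its built-in default, enrol against the public CA instead of the internal one — and with `creates` unmet it retries on every run. The exec also has no `path` and no ordering on `sunet::packages::certbot` or on the `allow-step-ca-acme` rule that opens port 80 for `--standalone`, so unless a resource default for `Exec` sets `path` elsewhere in the module the command is not qualified, and certbot may be invoked before it is installed or reachable. Failing the catalog on an unknown environment and adding `path`/`require` addresses both; the hard-coded `--email patlu@sunet.se` would also be better as a class parameter, and `$environment` shadows Puppet's top-scope variable of the same name, so a local name such as `$host_env` would read less ambiguously.
```puppet
  # … unchanged: nftables allow rule and hostname parsing …
  $environment = $dash_split[2]

  # A host whose environment field has no configured ACME directory must not
  # silently fall through to certbot's default server.
  unless $environment in $acme_url {
    fail("cdn::mqtt: no ACME directory URL configured for environment '${environment}' on ${my_fqdn}")
  }

  exec { "certbot certonly -n --email patlu@sunet.se --no-eff-email --agree-tos --standalone -d ${my_fqdn} --server ${acme_url[$environment]}":
    creates => "/etc/letsencrypt/live/${my_fqdn}/fullchain.pem",
    path    => ['/usr/local/bin', '/usr/bin', '/bin'],
    require => [Class['sunet::packages::certbot'], Sunet::Nftables::Allow['allow-step-ca-acme']],
  }
```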