diff --git a/roles/certbot/files/cli.ini b/roles/certbot/files/cli.ini
new file mode 100644
index 0000000..969e786
--- /dev/null
+++ b/roles/certbot/files/cli.ini
@@ -0,0 +1,14 @@
+# Use 4096 bit RSA keys
+rsa-key-size = 4096
+
+# Use text interface instead of ncurses/dialog
+text = True
+
+# Custom work and log directory
+config-dir = /srv/letsencrypt
+work-dir = /srv/letsencrypt
+logs-dir = /srv/letsencrypt/log
+
+# Use webroot for authenticator
+authenticator = webroot
+webroot-path = /srv/web/certbot.home.foo.sh
diff --git a/roles/certbot/meta/main.yml b/roles/certbot/meta/main.yml
index 1a57416..b95ceec 100644
--- a/roles/certbot/meta/main.yml
+++ b/roles/certbot/meta/main.yml
@@ -1,3 +1,3 @@
 ---
 dependencies:
-  - { role: nginx/server }
+  - {role: nginx/server}
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index 87a52fa..3d82e1c 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -56,3 +56,12 @@
     owner: root
     group: "{{ ansible_wheel }}"
     state: link
+    follow: false
+
+- name: create certbot config
+  copy:
+    dest: /etc/letsencrypt/cli.ini
+    src: cli.ini
+    mode: 0644
+    owner: root
+    group: "{{ ansible_wheel }}"