diff --git a/linux/k3s/certmanager/defaults/main.yml b/linux/k3s/certmanager/defaults/main.yml
new file mode 100644
index 0000000..f2b94c8
--- /dev/null
+++ b/linux/k3s/certmanager/defaults/main.yml
@@ -0,0 +1,2 @@
+certmanager_version: 1.10.0
+certmanager_letsencrypt_email: admin@example.org
diff --git a/linux/k3s/certmanager/files/traefik-https-redirect-middleware.yml b/linux/k3s/certmanager/files/traefik-https-redirect-middleware.yml
new file mode 100644
index 0000000..a84b60b
--- /dev/null
+++ b/linux/k3s/certmanager/files/traefik-https-redirect-middleware.yml
@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: redirect-https
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
diff --git a/linux/k3s/certmanager/tasks/main.yml b/linux/k3s/certmanager/tasks/main.yml
new file mode 100644
index 0000000..7fb4182
--- /dev/null
+++ b/linux/k3s/certmanager/tasks/main.yml
@@ -0,0 +1,24 @@
+- name: download cert-manager manifest
+ get_url:
+ url: "https://github.com/jetstack/cert-manager/releases/download/v{{ certmanager_version }}/cert-manager.yaml"
+ dest: "{{ certmanager_manifest_path }}"
+ mode: '0664'
+
+- name: apply cert-manager manifest
+ kubernetes.core.k8s:
+ apply: yes
+ src: "{{ certmanager_manifest_path }}"
+ wait: yes
+ wait_sleep: 10
+ wait_timeout: 300
+ wait_condition:
+ type: Complete
+ status: "True"
+
+- name: apply letsencrypt production ClusterIssuer
+ apply: yes
+ definition: "{{ lookup('file', 'letsencrypt-prod.yml') | from_yaml }}"
+
+- name: apply traefik https redirect middleware
+ apply: yes
+ template: 'traefik-https-redirect-middleware.yml'
diff --git a/linux/k3s/certmanager/templates/letsencrypt-prod.yml b/linux/k3s/certmanager/templates/letsencrypt-prod.yml
new file mode 100644
index 0000000..bb4d1a1
--- /dev/null
+++ b/linux/k3s/certmanager/templates/letsencrypt-prod.yml
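Review bot: The default `certmanager_letsencrypt_email: admin@example.org` is not a safe fallback: Let's Encrypt's CA is reported to refuse ACME account registration for contact addresses on the reserved example.* domains, so the ClusterIssuer this role creates would fail for any caller who does not override the variable — better to leave it empty and fail early with an `assert` task, or document it as mandatory in the role README. Separately, `certmanager_version: 1.10.0` only survives as a string because it has two dots; a value like `1.10` would be read as the float `1.1` and silently break the release URL built from it, so quote it: `certmanager_version: "1.10.0"`.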
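Review bot: The `get_url` task fetches a manifest that is then applied with cluster-wide effect (cert-manager's CRDs, ClusterRoles and webhooks) with no integrity check on the download; pin a `checksum:` for the release's sha256 next to the version so a substituted or tampered artifact is refused instead of applied, and drop the group-write bit with `mode: '0644'`. The last two tasks are malformed as written — `apply:`, `definition:` and `template:` sit at task level rather than under `kubernetes.core.k8s:`, so Ansible will reject them as tasks with no module — and the file/template handling looks swapped: `letsencrypt-prod.yml` lives in `templates/` and contains Jinja, which `lookup('file', …)` will neither locate in `files/` nor render, while the middleware file in `files/` has no Jinja but is passed as a `template`. Nothing here creates `{{ certmanager_working_dir }}` and `get_url` does not create parent directories, so the first task needs a preceding `file: state: directory` task. The `wait_condition` of `type: Complete` is a Job condition; Deployments in the cert-manager manifest presumably never report it, which would make the 300 s wait time out rather than confirm readiness — worth confirming against the kubernetes.core.k8s docs before relying on it.

```yaml
- name: create cert-manager working directory
  file:
    path: "{{ certmanager_working_dir }}"
    state: directory
    mode: '0750'

- name: download cert-manager manifest
  get_url:
    url: "https://github.com/jetstack/cert-manager/releases/download/v{{ certmanager_version }}/cert-manager.yaml"
    dest: "{{ certmanager_manifest_path }}"
    # new variable: record the release digest next to certmanager_version in defaults/main.yml
    checksum: "sha256:{{ certmanager_manifest_sha256 }}"
    mode: '0644'

# … unchanged: apply cert-manager manifest …

- name: apply letsencrypt production ClusterIssuer
  kubernetes.core.k8s:
    apply: true
    definition: "{{ lookup('template', 'letsencrypt-prod.yml') | from_yaml }}"

- name: apply traefik https redirect middleware
  kubernetes.core.k8s:
    apply: true
    definition: "{{ lookup('file', 'traefik-https-redirect-middleware.yml') | from_yaml }}"
```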
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ email: "{{ certmanager_letsencrypt_email }}"
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - http01:
+ ingress:
+ class: traefik
diff --git a/linux/k3s/certmanager/vars/main.yml b/linux/k3s/certmanager/vars/main.yml
new file mode 100644
index 0000000..3c762dd
--- /dev/null
+++ b/linux/k3s/certmanager/vars/main.yml
@@ -0,0 +1,2 @@
+certmanager_working_dir: ~/.ansible/k3s/certmanager
+certmanager_manifest_path: "{{ certmanager_working_dir }}/certmanager.yml"
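Review bot: Only the production ACME endpoint is defined, so every trial run of this role registers and requests against `https://acme-v02.api.letsencrypt.org/directory` and counts toward Let's Encrypt's per-domain issuance and failed-validation rate limits; a sibling `letsencrypt-staging` ClusterIssuer pointing at `https://acme-staging-v02.api.letsencrypt.org/directory` with its own `privateKeySecretRef` (e.g. `name: letsencrypt-staging`) lets the HTTP-01 path be exercised without burning production quota. The secret named by `privateKeySecretRef` holds the ACME account private key that authorises future issuance and revocation for this account, which deserves a comment on that line so it is not treated as a disposable artifact, e.g. `# ACME account key — cert-manager creates it on first use; back it up, do not delete casually`. Since this file contains Jinja (`{{ certmanager_letsencrypt_email }}`), it must be rendered through the template lookup/module rather than read verbatim from disk.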
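Review bot: Placing these paths in `vars/main.yml` gives them higher precedence than inventory and play variables, so a caller cannot relocate the working directory without `-e`; if that is not deliberate, move both keys to `defaults/main.yml` next to the other tunables and leave `vars/` for values that really are fixed. The leading `~` in `certmanager_working_dir` is presumably expanded by the path-typed `dest` of `get_url`, but it resolves against the home of the connecting (or `become`) user on the managed host, which is easy to get wrong when the role runs with privilege escalation — a short comment stating which user's home is intended, such as `# expanded on the target host relative to the Ansible user's home`, would avoid surprises.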