diff --git a/.gitignore b/.gitignore
index 49db277..9ca22fa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 secret.yaml
-tls-cert.yaml
\ No newline at end of file
+tls-cert.yaml
+cloudflare-certbot.ini
+*.pem
\ No newline at end of file
diff --git a/scripts/get-ssl-certs.sh b/scripts/get-ssl-certs.sh
new file mode 100644
index 0000000..722538a
--- /dev/null
+++ b/scripts/get-ssl-certs.sh
@@ -0,0 +1,39 @@
+#!/bin/bash
+set -x
+set -e
+
+if [ "$EUID" -ne 0 ] then echo "Please run as root" exit fi
+
+if [ ! -f ./cloudflare-certbot.ini ]; then echo "Please create cloudflare-certbot.ini" exit fi
+
+# check if certbot is installed
+if ! [ -x "$(command -v certbot)" ]; then echo "Certbot is not installed. Installing..." sudo apt install snapd -y sudo snap install core; sudo snap refresh core sudo snap install --classic certbot sudo ln -s /snap/bin/certbot /usr/bin/certbot sudo snap set certbot trust-plugin-with-root=ok sudo snap install certbot-dns-cloudflare fi
+
+cat < ./cloudflare-certbot.ini
+# Cloudflare API credentials used by Certbot
+dns_cloudflare_api_token = abcxyz
+EOF
+
+sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials \ ./cloudflare-certbot.ini -d '*.efiss.tech' -d 'efiss.tech'
+
+mkdir -p certs/
+sudo cp -L /etc/letsencrypt/live/efiss.tech/fullchain.pem certs/
+sudo cp -L /etc/letsencrypt/live/efiss.tech/privkey.pem certs/
+
+sudo chown -R $USER:$USER certs
+sudo chmod -R 755 certs
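Review bot: `sudo chmod -R 755 certs` on the last line of the get-ssl-certs.sh hunk makes the copied `certs/privkey.pem` readable by every local user, so the wildcard key for efiss.tech is no longer owner-only; keep the directory and key private, e.g. `chmod 700 certs` followed by `chmod 600 certs/privkey.pem` (fullchain.pem alone can stay 644). The `cat … EOF` block, which looks like a heredoc redirected into `./cloudflare-certbot.ini` whose `<<EOF >` was lost in rendering, runs after the script has already required that file to exist, so as written it would overwrite the operator's real token with the placeholder `abcxyz` and create the file under the default umask rather than mode 600, which certbot warns about for DNS credentials; either drop the block or move it under the existence check and `chmod 600` the result. Both early-exit branches use bare `exit`, which returns 0, so a run as non-root or without the credentials file reports success to any caller — `exit 1` there. `$USER` in the final `chown` is unquoted and, when the script is launched via sudo, resolves to root rather than the invoking user; `${SUDO_USER:-$USER}` is probably what was intended, and the `sudo` prefixes are redundant once the EUID check has passed.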