diff --git a/tasks/certbot.yml b/tasks/certbot.yml
new file mode 100644
index 0000000..9d42334
--- /dev/null
+++ b/tasks/certbot.yml
@@ -0,0 +1,55 @@
+---
+- name: install certbot
+ package:
+ name:
+ - certbot
+ - "{{ apache_ssl_packages }}"
+
+ state: present
+
+- name: install apache config file without ssl
+ vars:
+ apache_use_ssl: false
+ template:
+ src: vhost.conf.jj
+ dest: "{{ apache_config_dir }}/{{ apache_server_name }}.conf"
+ mode: 0644
+ notify: restart apache
+ register: result
+
+# cant use meta / flush handlers in conditionnals
+- name: if needed, we restart apache
+ service:
+ name: "{{ apache_service_name}}"
+ state: restarted
+ when: result.changed
+
+- name: generate certificates for domaine and subdomains
+ vars:
+ subdomains: "-d {{ apache_server_alias | join( ' -d ' ) }}"
+ command: certbot certonly --agree-tos --non-interactive -m {{ apache_ssl_root_email }} --webroot --webroot-path {{ apache_document_root }} -d {{ apache_server_name }} {{ subdomains }}
+ args:
+ creates: "{{ apache_ssl_chain }}"
+ when: apache_server_alias is defined
+
+- name: generate certificates
+ command: certbot certonly --agree-tos --non-interactive -m {{ apache_ssl_root_email }} --webroot --webroot-path {{ apache_document_root }} -d {{ apache_server_name }}
+ args:
+ creates: "{{ apache_ssl_chain }}"
+ when: apache_server_alias is not defined
+
+- name: deploy ssl config file
+ template:
+ src: ssl.conf
+ dest: "{{ apache_config_dir }}"
+ notify: restart apache
+
+- name: create cronjob for renewal
+ cron:
+ name: certbot
+ cron_file: certbot
+ user: root
+ hour: "01"
+ minute: "00"
+ weekday: "6"
+ job: "/usr/bin/certbot renew"
diff --git a/tasks/main.yml b/tasks/main.yml
index 34b5291..6dd0d7c 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
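Review bot: The conditional restart task reads `{{ apache_service_name}}`, but the vars files added in this same commit (vars/Debian.yml, vars/RedHat.yml) define `apache_service`, not `apache_service_name`, so unless a default outside this diff supplies it the task fails on an undefined variable; `name: "{{ apache_service }}"` matches what the commit actually defines. `mode: 0644` is an unquoted octal literal that YAML 1.1 parsers read as the integer 420 and ansible-lint flags as risky; write `mode: "0644"`. The renewal cron runs `/usr/bin/certbot renew` with no deploy hook, so a renewed certificate is not loaded by Apache until something else restarts it and the old one is served until it expires; `job: "/usr/bin/certbot renew --deploy-hook 'systemctl reload {{ apache_service }}'"` keeps the served certificate current. The `creates: "{{ apache_ssl_chain }}"` guard on both certonly tasks is what makes the role idempotent, so a comment such as `# skipped once the chain file exists; renewal is handled by the cron task below` would help the next reader.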
@@ -1,8 +1,12 @@ --- # tasks file for apache_vhost +<<<<<<< HEAD - include_vars: "{{ ansible_os_family|lower }}.yml" tags: always +======= +- include_vars: "{{ ansible_os_family }}.yml" +>>>>>>> certbot - name: create dedicated user user:
@@ -43,6 +47,17 @@ include_tasks: dns.yml when: apache_use_dns +- name: remove default site + ansible.builtin.file: + path: /etc/apache2/sites-enabled/000-default.conf + state: absent + notify: restart apache + when: ansible_os_family| lower == 'debian' + +- name: create certificate + include_tasks: certbot.yml + when: apache_use_ssl + - name: vhost config file template: src: vhost.conf.jj
diff --git a/templates/ssl.conf b/templates/ssl.conf
index 7eec1bb..d47bcbd 100644
--- a/templates/ssl.conf
+++ b/templates/ssl.conf
@@ -1,4 +1,6 @@
+{% if ansible_os_family | lower =='redhat' %}
 Listen 443 https
+{% endif %}
 SSLSessionCache shmcb:/run/httpd/sslcache(512000)
 SSLSessionCacheTimeout 300
 SSLCryptoDevice builtin
diff --git a/vars/Debian.yml b/vars/Debian.yml
new file mode 100644
index 0000000..e4e00a2
--- /dev/null
+++ b/vars/Debian.yml
@@ -0,0 +1,7 @@
+#/home/tom/Documents/Opendoor/Technique/Ansible/roles/tconstans.apache/vars/Debian.yml
+apache_config_dir: /etc/apache2/sites-enabled/
+apache_packages:
+- apache2
+apache_ssl_packages: openssl
+apache_service: apache2
+apache_group: www-data
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
new file mode 100644
index 0000000..93a7abb
--- /dev/null
+++ b/vars/RedHat.yml
@@ -0,0 +1,8 @@
+
+#/home/tom/Documents/Opendoor/Technique/Ansible/roles/tconstans.apache/vars/Debian.yml
+apache_config_dir: /etc/httpd/conf.d/
+apache_packages:
+- httpd
+apache_service: httpd
+apache_ssl_packages: mod_ssl
+apache_group: apache
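Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> certbot`) are committed into tasks/main.yml, so the role no longer parses and every play that includes it fails before the first task. When resolving, note that the vars files added in this commit are named `Debian.yml` and `RedHat.yml` with capitals, so only the certbot-side `- include_vars: "{{ ansible_os_family }}.yml"` finds them, whereas the HEAD side's `|lower` would look for `debian.yml`; the `tags: always` from the HEAD side should survive on whichever form is kept, otherwise a tag-limited run loses the per-family variables.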
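Review bot: `path: /etc/apache2/sites-enabled/000-default.conf` hard-codes the directory that vars/Debian.yml already exposes as `apache_config_dir`; `path: "{{ apache_config_dir }}/000-default.conf"` keeps one source of truth for that location. The condition `ansible_os_family| lower == 'debian'` lower-cases the fact while the include_vars lookup in the first hunk of this file compares it as-is, so a reader has to check both conventions to know which files and tasks apply to a given family; pick one and use it throughout. The blank-line placement inside this hunk cannot be recovered from the collapsed text, so the context count here is inferred from the header.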
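Review bot: Only the `Listen 443 https` line is made conditional on RedHat, but the context line `SSLSessionCache shmcb:/run/httpd/sslcache(512000)` still hard-codes the RedHat runtime directory, and with vars/Debian.yml deploying this template into `/etc/apache2/sites-enabled/` the Debian rendering now points the session cache at a directory that normally does not exist there. Either make the cache path a role variable or wrap the RedHat-specific directives in the same `{% if %}` block. Debian's stock `mods-enabled/ssl.conf` likely sets `SSLSessionCache` already, in which case the duplicate would be rejected at reload; verify on a Debian host before merging. Minor: `=='redhat'` wants a space after `==`, matching the spacing around `| lower` on the same line.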
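Review bot: The header `#/home/tom/Documents/Opendoor/Technique/Ansible/roles/tconstans.apache/vars/Debian.yml` is a leftover editor path that leaks a local username and directory layout into a distributed role and carries no information; drop it here and in vars/RedHat.yml, where the same comment even names the wrong file. `apache_config_dir: /etc/apache2/sites-enabled/` ends with a slash while tasks/certbot.yml joins it as `{{ apache_config_dir }}/{{ apache_server_name }}.conf`, producing a `//` in the rendered path — harmless, but dropping the trailing slash avoids it. `apache_ssl_packages: openssl` installs the library only; if nothing outside this diff enables `mod_ssl` (e.g. `a2enmod ssl`), the SSL directives deployed from `ssl.conf` would likely make Apache refuse to reload on Debian, so it is worth confirming where the module gets enabled.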
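Review bot: The file opens with an empty line followed by a comment naming `vars/Debian.yml`, a copy-paste leftover that misidentifies the file; remove both lines. The keys are listed in a different order from vars/Debian.yml (`apache_service` before `apache_ssl_packages` here, the reverse there); keeping the two per-family files in the same key order makes their differences visible at a glance in a side-by-side diff.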