diff --git a/site-cookbooks/kosmos-ipfs/metadata.rb b/site-cookbooks/kosmos-ipfs/metadata.rb
index 18bbdd2..1eb2e3e 100644
--- a/site-cookbooks/kosmos-ipfs/metadata.rb
+++ b/site-cookbooks/kosmos-ipfs/metadata.rb
@@ -7,3 +7,4 @@ long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
 version '0.1.0'
 depends 'ipfs'
+depends 'kosmos-base'
diff --git a/site-cookbooks/kosmos-ipfs/recipes/default.rb b/site-cookbooks/kosmos-ipfs/recipes/default.rb
index 3d0a4f2..25fdefa 100644
--- a/site-cookbooks/kosmos-ipfs/recipes/default.rb
+++ b/site-cookbooks/kosmos-ipfs/recipes/default.rb
@@ -26,3 +26,5 @@ execute "ipfs config --json API.HTTPHeaders.Access-Control-Allow-Origin '[\"kred
 not_if "ipfs config API.HTTPHeaders.Access-Control-Allow-Origin | grep kredits.kosmos.org"
 notifies :restart, "service[ipfs]", :delayed
 end
+
+include_recipe "kosmos-ipfs::letsencrypt"
diff --git a/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb b/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
new file mode 100644
index 0000000..51c7e47
--- /dev/null
+++ b/site-cookbooks/kosmos-ipfs/recipes/letsencrypt.rb
@@ -0,0 +1,47 @@
+#
+# Cookbook Name:: kosmos-ipfs
+# Recipe:: letsencrypt
+#
+# Copyright 2017, Kosmos
+#
+# All rights reserved - Do Not Redistribute
+#
+# nginx config to generate a Let's Encrypt cert
+
+include_recipe "kosmos-base::letsencrypt"
+
+root_directory = "/var/www/ipfs.kosmos.org"
+
+directory "#{root_directory}/.well-known" do
+ owner node["nginx"]["user"]
+ group node["nginx"]["group"]
+ action :create
+ recursive true
+end
+
+template "#{node['nginx']['dir']}/sites-available/ipfs.kosmos.org" do
+ source 'nginx_conf_ipfs.kosmos.org.erb'
+ owner 'www-data'
+ mode 0640
+ variables server_name: 'ipfs.kosmos.org',
+ root_directory: root_directory,
+ ssl_cert: "/etc/letsencrypt/live/ipfs.kosmos.org/fullchain.pem",
+ ssl_key: "/etc/letsencrypt/live/ipfs.kosmos.org/privkey.pem"
+ notifies :reload, 'service[nginx]', :delayed
+end
+
+nginx_site 'ipfs.kosmos.org' do
+ enable true
+end
+
+# Generate a Let's Encrypt cert (only if the nginx vhost exists and no cert
+# has been generated before. The renew cron will take care of renewing
+execute "letsencrypt cert for ipfs.kosmos.org" do
+ command "./certbot-auto certonly --webroot --agree-tos --email ops@5apps.com --webroot-path #{root_directory} -d ipfs.kosmos.org -n"
+ cwd "/usr/local/certbot"
+ only_if do
+ File.exist?("#{node['nginx']['dir']}/sites-enabled/ipfs.kosmos.org") &&
+ ! File.exist?("/etc/letsencrypt/live/ipfs.kosmos.org/fullchain.pem")
+ end
+ notifies :create, "template[#{node['nginx']['dir']}/sites-available/ipfs.kosmos.org]", :delayed
+end
diff --git a/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
new file mode 100644
index 0000000..db0cfa5
--- /dev/null
+++ b/site-cookbooks/kosmos-ipfs/templates/default/nginx_conf_ipfs.kosmos.org.erb
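Review bot: The vhost template resource is written with `owner 'www-data'` and `mode 0640`, which gives the unprivileged nginx worker account ownership of a configuration file that the root-running nginx master parses, so anything executing as that user could rewrite the server block; the `directory` resource just above already uses `node["nginx"]["user"]`/`node["nginx"]["group"]`, and for the config file the safer, consistent combination is `owner 'root'`, `group node['nginx']['group']`, `mode 0640`. Separately, the certbot `execute` is gated only on the `sites-enabled/ipfs.kosmos.org` symlink existing, while the nginx reload that would actually serve `/.well-known` from `root_directory` is notified `:delayed`; on a fresh node the webroot challenge is therefore likely answered by whatever vhost nginx currently has loaded, and the first run would fail until the next converge, so confirm whether `nginx_site` reloads immediately or move the `execute` after the reload. The trailing comment also has an unclosed parenthesis (`(only if the nginx vhost exists and no cert` … `before.`), which is worth tidying while in here.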
@@ -0,0 +1,23 @@
+server {
+ listen 80; # For Let's Encrypt
+ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+ listen 443 ssl spdy;
+ <% end -%>
+
+ server_name <%= @server_name %>;
+
+ # Used by Let's Encrypt (certbot in webroot mode)
+ location /.well-known {
+ root "<%= @root_directory %>";
+ }
+
+ location / {
+ return 200 'Nothing to see here';
+ add_header Content-Type text/plain;
+ }
+
+ <% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>
+ ssl_certificate <%= @ssl_cert %>;
+ ssl_certificate_key <%= @ssl_key %>;
+ <% end -%>
+}
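Review bot: The second `listen` directive, `listen 443 ssl spdy;`, enables the SPDY module, which nginx removed in 1.9.5 in favour of HTTP/2; on a current nginx the rendered config fails `nginx -t` and the `:reload` notified by the recipe is refused, so the replacement is `listen 443 ssl http2;` if the target nginx supports it, otherwise plain `listen 443 ssl;`. The TLS block only names the certificate and key, leaving protocol and cipher selection to nginx's compiled-in defaults, which on older releases still include TLSv1.0/1.1; adding `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` beside `ssl_certificate_key` pins that explicitly. As a point of style, `File.exist?(@ssl_cert) && File.exist?(@ssl_key)` is evaluated twice; assigning it once at the top of the template (`<% ssl_ready = File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%>`) keeps the two guarded blocks from drifting apart.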