diff --git a/auth-hook.sh b/auth-hook.sh
new file mode 100755
index 0000000..1af3f95
--- /dev/null
+++ b/auth-hook.sh
@@ -0,0 +1,15 @@
+# ownDynDNS auth script for certbot dns-01 challenge
+
+# install curl
+$(apk --no-cache add curl)
+
+ACME_PREFIX="_acme-challenge"
+
+if [ -z "${DDNS_HOST}" ]; then DDNS_HOST=${ACME_PREFIX}; else DDNS_HOST=${ACME_PREFIX}.${DDNS_HOST}; fi
+
+PAYLOAD="force=true&user=${DDNS_USER}&password=${DDNS_PASS}&txt=${CERTBOT_VALIDATION}&domain=${DDNS_DOMAIN}&host=${DDNS_HOST}&create=true"
+
+# echo ${PAYLOAD}
+
+curl -sSL -X POST --data "${PAYLOAD}" ${DDNS_SCRIPT} \
+&& sleep 300
diff --git a/docker-compose.yml b/docker-compose.yml
index 39616f7..3d25462 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -3,11 +3,11 @@ services:
     container_name: dyndns
     image: niiwiicamo/owndyndns
     environment:
-      DDNS_USER: changeme
-      DDNS_PASS: changeme
-      NETCUP_APIKEY: 12345asdf
-      NETCUP_APIPASS: asdf12345
-      NETCUP_CUSTOMERID: 01234
+      DDNS_USER: ${DDNS_USER}
+      DDNS_PASS: ${DDNS_PASS}
+      NETCUP_APIKEY: ${NETCUP_APIKEY}
+      NETCUP_APIPASS: ${NETCUP_APIPASS}
+      NETCUP_CUSTOMERID: ${NETCUP_CUSTOMERID}
       DDNS_DEBUG: 0  # optional, default: 0
       DDNS_LOG: 0  # optional, default: 1
       # DDNS_LOGFILE: log.json  # optional, default: log.json
@@ -16,5 +16,26 @@ services:
       # DDNS_RESTRICTDOMAIN: 0  # optional, default: 0
       # DDNS_FORCEDDOMAIN: example.net  # optional, default empty
       # DDNS_FORCEDHOST: hostname  # optional, default empty
-    ports:
-      - 8080:8080
+    # ports:
+    #   - 8080:8080
+
+  certbot:
+    container_name: certbot
+    image: certbot/certbot
+    depends_on:
+      owndyndns:
+        condition: service_healthy
+    environment:
+      DDNS_USER: ${DDNS_USER}
+      DDNS_PASS: ${DDNS_PASS}
+      DDNS_HOST: ${DDNS_HOST}
+      DDNS_DOMAIN: ${DDNS_DOMAIN}
+      DDNS_SCRIPT: http://dyndns:8080/update.php
+      DDNS_EMAIL: ${DDNS_EMAIL} # the email used for LetsEncrypt registration
+    volumes:
+      - ./auth-hook.sh:/auth-hook.sh
+      - letsencrypt:/etc/letsencrypt
+    command: "certonly --manual --preferred-challenges=dns --agree-tos --email ${DDNS_EMAIL} --non-interactive --manual-auth-hook /auth-hook.sh -d ${DDNS_HOST}.${DDNS_DOMAIN}"
+
+volumes:
+  letsencrypt:
\ No newline at end of file