diff --git a/host_vars/mailman.adm.crans.org.yml b/host_vars/mailman.adm.crans.org.yml
index c6f8791bd46135e7d141c9466987a2ddfba81adf..84b3a34d7e38ed32584def1d8f6ddaeb73c81fc7 100644
--- a/host_vars/mailman.adm.crans.org.yml
+++ b/host_vars/mailman.adm.crans.org.yml
@@ -2,3 +2,6 @@
 interfaces:
   adm: eth0
   srv: eth1
+
+loc_certbot:
+  domains: "*.crans.org"
diff --git a/hosts b/hosts
index 80ff7ef9ea3b440e5367f07704e8b5cad217d5d0..782d8eeef32c1e56dee7188aaa1082c3a28d92b7 100644
--- a/hosts
+++ b/hosts
@@ -92,6 +92,9 @@ linx.adm.crans.org
 [mailman]
 redisdead.adm.crans.org
 
+[mailman]
+mailman.adm.crans.org
+
 [monitoring]
 monitoring.adm.crans.org
 
diff --git a/plays/mailman.yml b/plays/mailman.yml
index 4f05430a91e1fcfacbb64d6744ec179bf306c0d0..e64869f15ee163f5d6d9b9fdea047e32b765c28b 100755
--- a/plays/mailman.yml
+++ b/plays/mailman.yml
@@ -21,8 +21,9 @@
     - nginx
 
 # Deploy Mailman3
-- hosts: mailman.adm.crans.org
+- hosts: mailman
   vars:
+    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
     mailman3:
       site_owner: root@crans.org
       database_user: "mailman3"
@@ -36,5 +37,6 @@
       web_database_pass: "{{ vault_mailman3_web_database_pass }}"
       web_domain: "mailman.crans.org"
   roles:
+    - certbot
     - mailman3
     - postfix-mailman3
diff --git a/roles/mailman3/tasks/main.yml b/roles/mailman3/tasks/main.yml
index 6bc4b2d7f423de1f5e1fc7e5829466792e59cbd0..cd0412535af26e08999ec39c4861238d70706ebd 100644
--- a/roles/mailman3/tasks/main.yml
+++ b/roles/mailman3/tasks/main.yml
@@ -11,8 +11,6 @@
       - postgresql
       - python3-pip  # CAS
       - python3-lxml  # CAS
-      - certbot  # cert
-      - python3-certbot-nginx
     install_recommends: false
   register: apt_result
   retries: 3
@@ -68,19 +66,8 @@
     state: link
   notify: Restart nginx
 
-- name: Create /etc/letsencrypt/conf.d
-  file:
-    path: /etc/letsencrypt/conf.d
-    state: directory
-
-- name: Add Certbot configuration
-  template:
-    src: "letsencrypt/conf.d/mailman.ini.j2"
-    dest: "/etc/letsencrypt/conf.d/mailman.ini"
-    mode: 0644
-
 - name: Indicate role in motd
   template:
     src: update-motd.d/05-service.j2
-    dest: /etc/update-motd.d/05-mailman3
+    dest: /etc/update-motd.d/04-mailman3
     mode: 0755
diff --git a/roles/mailman3/templates/nginx/sites-available/mailman3.j2 b/roles/mailman3/templates/nginx/sites-available/mailman3.j2
index 47ae1ebe67dbd65bf9710b21c594ef7a018e1c4a..2d664910339290417c1e1bb5f86637ebb3c210c3 100644
--- a/roles/mailman3/templates/nginx/sites-available/mailman3.j2
+++ b/roles/mailman3/templates/nginx/sites-available/mailman3.j2
@@ -42,8 +42,8 @@ server {
     server_tokens off;
 
     # SSL common conf
-    ssl_certificate /etc/letsencrypt/live/mailman.crans.org/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/mailman.crans.org/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/crans.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/crans.org/privkey.pem;
     ssl_session_timeout 1d;
     ssl_session_cache shared:MozSSL:10m;
     ssl_session_tickets off;
@@ -55,7 +55,7 @@ server {
     # Enable OCSP Stapling, point to certificate chain
     ssl_stapling on;
     ssl_stapling_verify on;
-    ssl_trusted_certificate /etc/letsencrypt/live/mailman.crans.org/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/crans.org/chain.pem;
 
     location / {
         uwsgi_pass mailman3;