diff --git a/files/compose/docker-compose.yaml b/files/compose/docker-compose.yaml
index 6b63f66..499cf40 100644
--- a/files/compose/docker-compose.yaml
+++ b/files/compose/docker-compose.yaml
@@ -50,10 +50,10 @@ services:
 source: "/etc/localtime"
 target: "/etc/localtime"
 read_only: true
- # For TLS certificate
- #- type: "bind"
- # source: ""
- # target: ""
+ # Traefik TLS volume
+ - type: "bind"
+ source: "${TRAEFIK_TLS_HOST_DIR}"
+ target: "${TRAEFIK_TLS_CONTAINER_DIR}"
 # -- Code flow --
 gitea:
 container_name: "code-flow"
diff --git a/files/gitea/dynamic_git.yaml b/files/gitea/dynamic_git.yaml
index f4f57a2..be25e9f 100644
--- a/files/gitea/dynamic_git.yaml
+++ b/files/gitea/dynamic_git.yaml
@@ -6,7 +6,8 @@ http:
 - "https"
 rule: "Host(`${GITEA_DOMAIN}`)"
 service: "git"
- tls: {}
+ tls:
+ certResolver: resolver
 services:
 git:
 loadBalancer:
diff --git a/files/scripts/bootstrap.sh b/files/scripts/bootstrap.sh
index 63ab171..6cc3791 100644
--- a/files/scripts/bootstrap.sh
+++ b/files/scripts/bootstrap.sh
@@ -98,6 +98,16 @@ while [[ $# -gt 0 ]]; do
 shift
 shift
 ;;
+ --traefik-acme-ca-server)
+ TRAEFIK_ACME_CA_SERVER=$2
+ shift
+ shift
+ ;;
+ --traefik-acme-email)
+ TRAEFIK_ACME_EMAIL=$2
+ shift
+ shift
+ ;;
 *) # unknown argument
 shift
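Review bot: The new TLS bind mount, unlike the `/etc/localtime` mount directly above it, carries no `read_only:` flag, and the comment does not say why. The omission is needed — the ACME resolver this commit adds in traefik.yaml writes `acme.json` under `${TRAEFIK_TLS_CONTAINER_DIR}` — so state it: `# Traefik TLS volume (writable: the ACME resolver stores acme.json here)`. The enclosing `volumes:` list starts outside the hunk.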
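Review bot: `certResolver: resolver` is the one unquoted scalar in this router block; the sibling `rule:` and `service:` values are quoted, so write `certResolver: "resolver"` for consistency. The same applies to the identical line added to files/traefik/dynamic_dashboard.yaml. The value must match the key under `certificatesResolvers:` in traefik.yaml, which this commit adds as `resolver`. The `routers:` entry this belongs to starts outside the hunk.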
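Review bot: Both new cases assign `$2` without checking that a value follows the flag; if `--traefik-acme-email` is the last argument the variable is set empty (so the `:-admin@localhost` default later in the script applies silently) and the second `shift` fails with a shift-count-out-of-range error. This mirrors the existing cases above, so it is a pre-existing pattern rather than a regression; tightening it would be `[[ -n "${2:-}" ]] || { echo "missing value for $1" >&2; exit 1; }` before each assignment. The `case` statement and the `while` loop continue outside the hunk.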
@@ -138,12 +148,22 @@ export TRAEFIK_LOG_LEVEL="${TRAEFIK_LOG_LEVEL:-info}"
 export TRAEFIK_SEND_ANONYMOUS_USAGE="${TRAEFIK_SEND_ANONYMOUS_USAGE:-false}"
 export TRAEFIK_VERSION="${TRAEFIK_VERSION:-v2.6.3}"
 export TRAEFIK_CONTAINER_IPV4_ADDRESS="${TRAEFIK_CONTAINER_IPV4_ADDRESS:-172.20.0.2}"
+export TRAEFIK_ACME_CA_SERVER="${TRAEFIK_ACME_CA_SERVER:-https://acme-v02.api.letsencrypt.org/directory}"
+export TRAEFIK_ACME_EMAIL="${TRAEFIK_ACME_EMAIL:-admin@localhost}"
 export TRAEFIK_SHARED_MOUNT_POINT="/flow/shared/traefik"
+export TRAEFIK_TLS_HOST_DIR="/mnt/flow/traefik/tls"
+export TRAEFIK_TLS_CONTAINER_DIR="/flow/traefik/tls"
 mkdir -p "${DOCKER_ROOT}"
 envsubst < "${ROOT_SETUP_DIRECTORY}/template/compose/docker-compose.yaml" > "${DOCKER_ROOT}/docker-compose.yaml"
 ## -- Traefik setup section --
+if ! [ -d ${TRAEFIK_TLS_HOST_DIR} ]; then
+ mkdir -p ${TRAEFIK_TLS_HOST_DIR}
+ chown root:root ${TRAEFIK_TLS_HOST_DIR}
+ chmod a-rwx,u+rwx ${TRAEFIK_TLS_HOST_DIR}
+fi
+
 mkdir -p "${TRAEFIK_DOCKER_DIR}"
 cp "${ROOT_SETUP_DIRECTORY}/template/traefik/Dockerfile" "${TRAEFIK_DOCKER_DIR}/Dockerfile"
diff --git a/files/traefik/dynamic_dashboard.yaml b/files/traefik/dynamic_dashboard.yaml
index 0e3009c..90afb4d 100644
--- a/files/traefik/dynamic_dashboard.yaml
+++ b/files/traefik/dynamic_dashboard.yaml
@@ -6,4 +6,5 @@ http:
 - "https"
 rule: "Host(`${ROOT_DOMAIN}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
 service: "api@internal"
- tls: {}
+ tls:
+ certResolver: resolver
diff --git a/files/traefik/traefik.yaml b/files/traefik/traefik.yaml
index 6faa5cf..a436b0a 100644
--- a/files/traefik/traefik.yaml
+++ b/files/traefik/traefik.yaml
@@ -23,5 +23,13 @@ providers:
 file:
 watch: true
 directory: "${TRAEFIK_SHARED_MOUNT_POINT}/dynamic"
+certificatesResolvers:
+ resolver:
+ acme:
+ caServer: "${TRAEFIK_ACME_CA_SERVER}"
+ email: "${TRAEFIK_ACME_EMAIL}"
+ storage: "${TRAEFIK_TLS_CONTAINER_DIR}/acme.json"
+ keyType: "RSA4096"
+ tlsChallenge: {}
 log:
 level: "${TRAEFIK_LOG_LEVEL}"
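Review bot: In the new TLS-directory block `${TRAEFIK_TLS_HOST_DIR}` is unquoted in all four commands while every other path in the hunk is quoted, and the `chown`/`chmod` run only when the directory is absent, so a directory that already exists with looser permissions is left as it is. Creating unconditionally and then tightening is simpler and idempotent: `mkdir -p "${TRAEFIK_TLS_HOST_DIR}"` / `chown root:root "${TRAEFIK_TLS_HOST_DIR}"` / `chmod 0700 "${TRAEFIK_TLS_HOST_DIR}"` (`0700` is what `a-rwx,u+rwx` yields on a directory). Two things to confirm: `acme.json` is written into this root-owned 0700 directory from inside the container, which only works if the Traefik process there runs as uid 0; and the fallback `admin@localhost` for `TRAEFIK_ACME_EMAIL` is a placeholder that a public ACME CA may refuse at account registration, so it is worth documenting as a value the operator must override via `--traefik-acme-email`.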
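Review bot: The new `certificatesResolvers` block leaves its two operational choices, `caServer` and `tlsChallenge`, undocumented. Suggest `# caServer comes from TRAEFIK_ACME_CA_SERVER (bootstrap.sh defaults it to Let's Encrypt production); point it at the CA's staging directory while testing so failed issuance does not consume production rate limits` above `caServer:`, and `# tlsChallenge (TLS-ALPN-01) requires the CA to reach this Traefik on TCP 443 for the requested hostname` above `tlsChallenge:`. The `storage` path resolves to the bind mount added in docker-compose.yaml, so the ACME account key and certificates persist only as long as that mount is present; a short comment noting that dependency would help whoever edits the compose file later. `providers:` opens outside the hunk.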