diff --git a/roles/letsencrypt/files/cli.ini b/roles/letsencrypt/files/cli.ini
new file mode 100644
index 0000000000..104092bc1f
--- /dev/null
+++ b/roles/letsencrypt/files/cli.ini
@@ -0,0 +1,2 @@
+#key-type = ecdsa
+#elliptic-curve = secp384r1
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
index a25597aa94..14da3aed7c 100644
--- a/roles/letsencrypt/tasks/main.yml
+++ b/roles/letsencrypt/tasks/main.yml
@@ -1,3 +1,13 @@
+- name: setup defaults file
+ copy: >
+ dest=/etc/letsencrypt/cli.ini
+ src=cli.ini
+ owner=root
+ group=root
+ mode=0644
+ tags:
+ - letsencrypt
+
 - name: Generate (or renew) the certificate
 delegate_to: "certgetter01.iad2.fedoraproject.org"
 command: certbot certonly --expand --keep -n --webroot --webroot-path /var/www/html/ -d {{','.join([site_name] + server_aliases)}}
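Review bot: Both settings in the new cli.ini are commented out, so the deployed file leaves certbot's key type at its default. Nothing in the file says why. A reader cannot tell whether the ECDSA/secp384r1 switch is planned, was tried and reverted, or is waiting on something. A header comment would record that, for example `# Managed by ansible (roles/letsencrypt/files/cli.ini); ECDSA settings disabled until <reason - to be filled in by the author>`.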
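Review bot: The new `setup defaults file` task has no `delegate_to`, while the certbot task directly below it runs on certgetter01.iad2.fedoraproject.org. As written, /etc/letsencrypt/cli.ini is copied to the play's target host rather than to the machine where certbot runs. Unless this role is also applied to certgetter01 itself (not visible here), the defaults will never be read. Adding `delegate_to: "certgetter01.iad2.fedoraproject.org"` to the copy task would put the file where it is used. The `Generate (or renew) the certificate` task may continue past the end of the hunk.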