diff --git a/roles/postgres/defaults/main.yml b/roles/postgres/defaults/main.yml
index b55554eed7b9646c3dfe1d5776bc8f60e59133b4..bb3e2d00dce6b47d4111c67d384a69cd3457932b 100644
--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@@ -4,9 +4,9 @@ postgres_max_connections: '100'
 
 postgres_ssl: 'off'
 postgres_ssl_prefer_server_ciphers: 'on'
-postgres_ssl_cert_file: '/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem'
-postgres_ssl_key_file: '/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem'
-postgres_ssl_ca_file: '/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem'
+postgres_ssl_cert_file: '/var/lib/postgres/data/fullchain.pem'
+postgres_ssl_key_file: '/var/lib/postgres/data/privkey.pem'
+postgres_ssl_ca_file: '/var/lib/postgres/data/chain.pem'
 
 postgres_shared_buffers: '128MB'
 
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index 976f69f702548cbba7a8946b72e2e9de4347e674..19e50976bce0e72df95a78eb3b2a2a6b78152f30 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -30,3 +30,22 @@
   become: yes
   become_user: postgres
   become_method: su
+
+- name: install postgres cert renewal hook
+  template: src=letsencrypt.hook.d.j2 dest=/etc/letsencrypt/hook.d/postgres owner=root group=root mode=0755
+  when: postgres_ssl == 'on'
+
+- name: install postgres certificate
+  copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem dest={{ postgres_ssl_cert_file }}
+        remote_src=true owner=postgres group=postgres mode=0400
+  when: postgres_ssl == 'on'
+
+- name: install postgres private key
+  copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem dest={{ postgres_ssl_key_file }}
+        remote_src=true owner=postgres group=postgres mode=0400
+  when: postgres_ssl == 'on'
+
+- name: install postgres ca
+  copy: src=/etc/letsencrypt/live/{{ inventory_hostname }}/chain.pem dest={{ postgres_ssl_ca_file }}
+        remote_src=true owner=postgres group=postgres mode=0400
+  when: postgres_ssl == 'on'
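Review bot: None of the three copy tasks (certificate, private key, ca) notifies a handler, so a server that is already running keeps presenting the previous certificate until something else reloads it. Adding `notify: <reload-postgres handler>` to each task would close that gap; the handler name is a placeholder, so use whatever the role's handlers file defines. A reload is enough on PostgreSQL 10 and later, which re-read the SSL files on reload, while older versions need a restart. The new tasks also carry no `become`, and reading `privkey.pem` under `/etc/letsencrypt/live` normally requires root, so confirm that the play escalates at a level not visible in this hunk. As a style point, native block arguments with a quoted `mode: '0400'` would read more clearly than the `key=value` strings continued across two lines.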
diff --git a/roles/postgres/templates/letsencrypt.hook.d.j2 b/roles/postgres/templates/letsencrypt.hook.d.j2
new file mode 100644
index 0000000000000000000000000000000000000000..5bd05178d08719c84b6027bbc59fd68f90a831b0
--- /dev/null
+++ b/roles/postgres/templates/letsencrypt.hook.d.j2
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+test "$1" = renew || exit 0
+
+postgres_domain="{{ inventory_hostname }}"
+
+for domain in $RENEWED_DOMAINS; do
+    case "$domain" in
+        $postgres_domain)
+            for pem in /etc/letsencrypt/live/$postgres_domain/{privkey,fullchain,chain}.pem; do
+                install -o postgres -g postgres -m 400 $pem /var/lib/postgres/data/$pem
+            done
+            ;;
+    esac
+done
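Review bot: The inner loop cannot work as written under `#!/bin/sh`, because `{privkey,fullchain,chain}.pem` is brace expansion, which POSIX sh (dash, for example) does not perform. Even in a shell that does expand it, `$pem` holds the full source path, so the destination becomes `/var/lib/postgres/data//etc/letsencrypt/live/...` and `install` fails, leaving the expired certificate in place with no error surfaced. Iterating over base names and quoting fixes both: `for name in privkey fullchain chain; do` followed by `install -o postgres -g postgres -m 400 "/etc/letsencrypt/live/$postgres_domain/$name.pem" "/var/lib/postgres/data/$name.pem"`. The destination is also hard-coded, while `postgres_ssl_cert_file`, `postgres_ssl_key_file` and `postgres_ssl_ca_file` are overridable defaults, so templating those variables into the hook would keep renewal writing to the files the server actually reads. The script also never signals PostgreSQL after installing, so a renewed certificate would not be picked up until the next reload.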