How do I make my QualityBox site secure (HTTPS)?

QualityBox is configured to run over HTTPS by default. We use HAProxy as the front-end load-balancer (you can run with an unmanaged load-balancer if desired). The certificates are provisioned by the EFF’s Let’s Encrypt project.

What certs do I have?
sudo certbot certificates

How do I expand a cert to include some sub-domains? (wildcard certs are not supported)
Assuming you have a certificate for ‘’ and want to expand it to include a few sub-domains.
sudo certbot certonly --cert-name --expand -d -d -d
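
Added example (not part of the QualityBox documentation): when --cert-name is combined with -d, certbot reissues the certificate for exactly the names listed, so the existing names have to be repeated alongside the new sub-domains. This sketch builds that -d list from the output of "certbot certificates"; the sample output, the example.org names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `sudo certbot certificates` output (placeholder names).
sample_output() {
cat <<'EOF'
Found the following certs:
  Certificate Name: example.org
    Serial Number: 0123456789abcdef
    Domains: example.org www.example.org
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.org/privkey.pem
  Certificate Name: test.example.org
    Serial Number: fedcba9876543210
    Domains: test.example.org
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/test.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/test.example.org/privkey.pem
EOF
}

# current_domains CERT_NAME
# Reads `certbot certificates` output on stdin and prints the names on the
# "Domains:" line of the certificate called CERT_NAME, one per line.
current_domains() {
  awk -v name="$1" '
    $1 == "Certificate" && $2 == "Name:" { in_cert = ($3 == name) }
    in_cert && $1 == "Domains:"          { for (i = 2; i <= NF; i++) print $i }
  '
}

# expand_args CERT_NAME NEW_NAME...
# Prints the full "-d ..." list for an --expand run: the names already on the
# certificate first, then each new name that is not already covered.
expand_args() {
  cert=$1; shift
  { current_domains "$cert"; printf '%s\n' "$@"; } |
    awk 'NF && !seen[$0]++ { printf "%s-d %s", sep, $0; sep = " " } END { print "" }'
}

# Demo on the constructed sample; on a real host, pipe in
# `sudo certbot certificates` instead of sample_output.
sample_output | expand_args example.org www.example.org wiki.example.org
```

Review the printed list before passing it to certbot; a name left off the list is dropped from the reissued certificate.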

How do I clean up my old/test certificates?
sudo certbot revoke --cert-path /etc/letsencrypt/live/$DOMAIN/cert.pem
sudo certbot delete --cert-name $DOMAIN

How do I obtain a new certificate?
Either run certbot on the host:
certbot certonly -d --dry-run
certbot certonly -d

Or run the ansible-certbot role on a control host:
ansible-playbook -i hosts letsencrypt.yml