diff --git a/Makefile b/Makefile
index d12bac5..8810694 100644
--- a/Makefile
+++ b/Makefile
@@ -43,6 +43,50 @@ publish: htmldocs pages
 (cd pages; git push)
 rm -rf pages
 
+###########################################################################
+#
+# Makefile targets `letsencrypt-register` and `letsencrypt-renew`
+# request LIVE certificates.
+#
+# To get the first certificate,
+#
+# make letsencrypt-register DOMAIN=... ADMINEMAIL=...
+#
+# Add the following to `app`'s crontab to attempt renewal on the 2nd of
+# each month:
+#
+# 17 17 2 * * (cd /home/app/live/rmq; make letsencrypt-renew)
+#
+# Add the following to `root`'s crontab to restart `nginx` after
+# potential certificate renewal:
+#
+# 19 17 2 * * service nginx restart
+#
+
+letsencrypt-register: letsencrypt/etc/live/$(DOMAIN)
+letsencrypt/etc/live/$(DOMAIN):
+ [ -n "$$ADMINEMAIL" ]
+ [ -n "$$DOMAIN" ]
+ (certbot certonly \
+ --config-dir $(CURDIR)/letsencrypt/etc \
+ --work-dir $(CURDIR)/letsencrypt/tmp \
+ --logs-dir $(CURDIR)/letsencrypt/log \
+ --email $(ADMINEMAIL) \
+ --agree-tos \
+ --webroot \
+ -w $(CURDIR)/racketmq/htdocs \
+ -d $(DOMAIN) \
+ )
+
+letsencrypt-renew:
+ (certbot renew \
+ --config-dir $(CURDIR)/letsencrypt/etc \
+ --work-dir $(CURDIR)/letsencrypt/tmp \
+ --logs-dir $(CURDIR)/letsencrypt/log \
+ )
+
+###########################################################################
+
 post-receive-hook:
 ( cd ../syndicate/racket && git pull && \
 ( raco pkg update --auto --update-deps syndicate || true) )
diff --git a/nginx.conf b/nginx.conf
new file mode 100644
index 0000000..789df88
--- /dev/null
+++ b/nginx.conf
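Review bot: In the Makefile hunk's `letsencrypt/etc/live/$(DOMAIN)` recipe the two guards test the quoted shell variables `$$ADMINEMAIL` and `$$DOMAIN`, but the certbot command then uses the make expansions `$(ADMINEMAIL)` and `$(DOMAIN)`, which are pasted into the shell line unquoted, so a value containing whitespace or shell metacharacters is re-parsed by the shell instead of being passed as one argument. Using the same quoted shell variables keeps the check and the use consistent: `--email "$$ADMINEMAIL" \` and `-d "$$DOMAIN" \`. Separately, the documented crontab attempts renewal only once a month and restarts nginx a fixed two minutes later; certbot by default renews only certificates that are close to expiry, so one skipped or failed monthly run can let the certificate lapse, and a slow run would be followed by a restart that still loads the old certificate. A daily entry such as `17 17 * * * (cd /home/app/live/rmq; make letsencrypt-renew)` would give more than one attempt per renewal window.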
@@ -0,0 +1,34 @@
+# If you are running RacketMQ behind nginx, e.g. for letsencrypt
+# support, then "apt-get install nginx", remove the default symlink
+# from /etc/nginx/sites-enabled, and symlink this file into
+# /etc/nginx/sites-enabled. Then, restart nginx.
+
+server {
+ listen 80;
+ listen 443 default_server ssl;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log;
+ # error_log /var/log/nginx/error.log debug;
+
+ client_body_in_file_only clean;
+ client_body_buffer_size 32K;
+ client_max_body_size 30M;
+ sendfile on;
+ send_timeout 300s;
+
+ ssl_certificate /home/app/live/letsencrypt/etc/live/websub.reversehttp.net/fullchain.pem;
+ ssl_certificate_key /home/app/live/letsencrypt/etc/live/websub.reversehttp.net/privkey.pem;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+
+ error_page 500 502 503 504 /500.html;
+ location /500.html {
+ root /home/app/live/rmq/racketmq/htdocs;
+ }
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_pass http://127.0.0.1:7827/;
+ }
+}
diff --git a/racketmq/htdocs/500.html b/racketmq/htdocs/500.html
new file mode 100644
index 0000000..33f2c86
--- /dev/null
+++ b/racketmq/htdocs/500.html
@@ -0,0 +1,23 @@
+ + + + + + + Temporary Site Error + + +
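Review bot: In nginx.conf, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and should not be offered by a newly deployed endpoint; `ssl_protocols TLSv1.2 TLSv1.3;` is the usual setting where the installed nginx/OpenSSL build supports TLS 1.3, otherwise `TLSv1.2` alone. The same `server` block also has `listen 80;`, so everything under `location /` is proxied over cleartext HTTP as well; if port 80 is only needed for the webroot ACME challenge, consider a separate port-80 server that serves the challenge path and redirects the rest to HTTPS. A short comment above `ssl_certificate` noting that the `websub.reversehttp.net` paths must match the `DOMAIN` passed to `make letsencrypt-register` would help anyone reusing the file.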
+

Temporary Site Error

+

+ Unfortunately, the site is currently unavailable. It may be + undergoing maintenance, or there may be some technical problem. +

+

Please check back in a few minutes.

+

+ If you leave this page open, your browser will automatically + retry every 30 seconds. +

+
+ +