diff --git a/certbot/files/cron_jessie b/certbot/files/cron_jessie
new file mode 100644
index 00000000..0ed929fc
--- /dev/null
+++ b/certbot/files/cron_jessie
@@ -0,0 +1,11 @@
+# /etc/cron.d/certbot: crontab entries for the certbot package
+#
+# Upstream recommends attempting renewal twice a day
+#
+# Eventually, this will be an opportunity to validate certificates
+# haven't been revoked, etc. Renewal will only occur if expiration
+# is within 30 days.
+SHELL=/bin/sh
+PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
+
+0 */12 * * * root test -x /usr/local/bin/certbot && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot --no-self-update -q renew
diff --git a/certbot/handlers/main.yml b/certbot/handlers/main.yml
index 903fe696..7c7c3d8c 100644
--- a/certbot/handlers/main.yml
+++ b/certbot/handlers/main.yml
@@ -14,3 +14,7 @@
 service:
 name: haproxy
 state: reloaded
+
+- name: systemd daemon-reload
+ systemd:
+ daemon_reload: yes
diff --git a/certbot/tasks/install-package.yml b/certbot/tasks/install-package.yml
new file mode 100644
index 00000000..06247db4
--- /dev/null
+++ b/certbot/tasks/install-package.yml
@@ -0,0 +1,6 @@
+---
+
+- name: certbot package is installed
+ apt:
+ name: certbot
+ state: latest
diff --git a/certbot/tasks/install-sources.yml b/certbot/tasks/install-sources.yml
new file mode 100644
index 00000000..6c24cc48
--- /dev/null
+++ b/certbot/tasks/install-sources.yml
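Review bot: In certbot/files/cron_jessie the header still says "crontab entries for the certbot package", but this job runs the script that install-sources.yml downloads to /usr/local/bin/certbot, as root and with `--no-self-update`. Together with `force: no` on the download task, the script stays at whatever version was first fetched, so any update has to be rolled out through the role. I would state that in the header, e.g. `# /etc/cron.d/certbot: renewal job for the certbot-auto script installed by the certbot role` and `# --no-self-update: the script is only replaced by the role, never by itself`.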
@@ -0,0 +1,34 @@
+---
+
+- name: certbot package is removed
+ apt:
+ name: certbot
+ state: absent
+
+- include_role:
+ name: evolix/remount-usr
+
+- name: Certbot script is downloaded
+ get_url:
+ url: https://dl.eff.org/certbot-auto
+ dest: /usr/local/bin/certbot
+ mode: '0755'
+ owner: root
+ group: root
+ force: no
+
+- name: systemd artefacts are absent
+ file:
+ dest: "{{ item }}"
+ state: absent
+ loop:
+ - /etc/systemd/system/certbot.service
+ - /etc/systemd/system/certbot.service.d
+ - /etc/systemd/system/certbot.timer
+ notify: systemd daemon-reload
+
+- name: custom crontab is present
+ copy:
+ src: cron_jessie
+ dest: /etc/cron.d/certbot
+ force: yes
diff --git a/certbot/tasks/main.yml b/certbot/tasks/main.yml
index 14983504..ed8e8b85 100644
--- a/certbot/tasks/main.yml
+++ b/certbot/tasks/main.yml
@@ -4,13 +4,20 @@ assert: that: - ansible_distribution == "Debian" - - ansible_distribution_major_version is version('9', '>=') + - ansible_distribution_major_version is version('8', '>=') msg: only compatible with Debian 9+ -- name: certbot package is installed - apt: - name: certbot - state: latest +- name: Install from sources on Debian 8 + include: install-sources.yml + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version is version('8', '=') + +- name: Install package on Debian 9+ + include: install-package.yml + when: + - ansible_distribution == "Debian" + - ansible_distribution_major_version is version('9', '>=') - include: acme-challenge.yml
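Review bot: The `get_url` task in certbot/tasks/install-sources.yml installs a root-owned executable, which the new cron job later runs as root, without verifying what was downloaded; HTTPS authenticates the server but does not pin the content. Adding `checksum: "sha256:<digest of the reviewed certbot-auto release>"` makes the task fail on a mismatch and records which version the role deploys. Separately, the `copy` task for /etc/cron.d/certbot sets no `owner`, `group` or `mode`, so the resulting permissions depend on the umask of the run. As far as I know Debian's cron ignores cron.d files that are not root-owned or are group- or world-writable, so I would state `owner: root`, `group: root` and `mode: '0644'` explicitly.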
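Review bot: The assert in certbot/tasks/main.yml now accepts major version 8, but its `msg` still reads `only compatible with Debian 9+`, so a host that fails the check is told the wrong minimum; it should become `msg: only compatible with Debian 8+`. The `ansible_distribution == "Debian"` condition on both new `include` tasks repeats what the assert already enforces and could be dropped. The assert task starts above this hunk, so its name line is not visible here.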