diff --git a/data/hooks/conf_regen/16-letsencrypt b/data/hooks/conf_regen/16-letsencrypt
new file mode 100644
index 000000000..838e35d9f
--- /dev/null
+++ b/data/hooks/conf_regen/16-letsencrypt
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -e
+
+force=$1
+
+function safe_copy () {
+ if [ $force ]; then
+ sudo yunohost service safecopy \
+ -s letsencrypt \
+ $1 $2 \
+ --force
+ else
+ sudo yunohost service safecopy \
+ -s letsencrypt \
+ $1 $2
+ fi
+}
+
+# Install let's encrypt if not present
+if [ ! -d /etc/letsencrypt ]; then
+ cd /root
+ git clone https://github.com/letsencrypt/letsencrypt /root
+ mkdir -p /etc/letsencrypt/webrootauth
+fi
+
+domain_list=$(sudo yunohost domain list --plain)
+for domain in $domain_list; do
+ if [ ! -d /etc/letsencrypt/live/$domain ]; then
+ yunohost domain letsencrypt -c $domain
+ fi
+done
\ No newline at end of file
diff --git a/locales/en.json b/locales/en.json
index 02ddc02a2..0d3edebbb 100644
--- a/locales/en.json
+++ b/locales/en.json
@@ -57,6 +57,13 @@
 "domain_deleted" : "Domain successfully deleted",
 "no_internet_connection": "Server not connected to the Internet",
 "no_ipv6_connectivity": "IPv6 connectivity is not available",
+ "domain_letsencrypt_created" : "Let's encrypt certificate successfully created.",
+ "domain_letsencrypt_create_failed" : "Unable to create Let's encrypt certificate.",
+ "domain_letsencrypt_renewed" : "Let's encrypt certificate successfully renewed.",
+ "domain_letsencrypt_renew_failed" : "Unable to renew Let's encrypt certificate.",
+ "domain_letsencrypt_revoked" : "Let's encrypt certificate successfully revoked.",
+ "domain_letsencrypt_revoke_failed" : "Unable to revoke Let's encrypt certificate.",
+ "domain_letsencrypt_badarg" : "Bad argument, choose between create, renew or revoke.",
 "dyndns_key_generating" : "DNS key is being generated, it may take a while...",
 "dyndns_unavailable" : "Unavailable DynDNS subdomain",
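Review bot: In `16-letsencrypt`, the install step clones the upstream repository's default branch with no tag, commit pin or signature check, and `domain.py` then runs `/root/letsencrypt/letsencrypt-auto` from that checkout under `sudo`, so whatever is on the branch at install time runs as root. The clone target is also `/root` rather than `/root/letsencrypt`: `git clone` refuses an existing non-empty directory, which under `set -e` aborts the hook, and the path `domain.py` calls would not exist. Consider `git clone --branch <PINNED_TAG> --depth 1 https://github.com/letsencrypt/letsencrypt /root/letsencrypt`, guarded by `[ ! -x /root/letsencrypt/letsencrypt-auto ]` instead of the `/etc/letsencrypt` test, where `<PINNED_TAG>` is a placeholder for a release the project has reviewed. `$force` and `$domain` are expanded unquoted, and `safe_copy` is defined but never called in this file.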
diff --git a/src/yunohost/domain.py b/src/yunohost/domain.py
index 97449cfbe..6b288ab83 100644
--- a/src/yunohost/domain.py
+++ b/src/yunohost/domain.py
@@ -258,14 +258,14 @@ def domain_letsencrypt(auth, domain, create=False, renew=False, revoke=False):
 # backup self signed certificate if exist
 if os.path.exists('/etc/yunohost/certs/%s/cert.pem' % domain):
 os.system('mkdir -p /etc/yunohost/certs/%s/yunohost_self_signed' % domain)
- os.system('mv /etc/yunohost/certs/%s/*.pem /etc/yunohost/certs/%s/*.cnf /etc/yunohost/certs/%s/yunohost_self_signed/' % domain)
- os.system('rm -f /etc/yunohost/certs/%s/*.pem /etc/yunohost/certs/%s/*.cnf' % domain)
+ os.system('sudo mv /etc/yunohost/certs/%s/*.pem /etc/yunohost/certs/%s/*.cnf /etc/yunohost/certs/%s/yunohost_self_signed/' % domain)
+ os.system('sudo rm -f /etc/yunohost/certs/%s/*.pem /etc/yunohost/certs/%s/*.cnf' % domain)
 # create certificate
 try:
- os.system('/root/letsencrypt/letsencrypt-auto -a webroot --renew-by-default --agree-dev-preview --agree-tos --webroot-path /etc/letsencrypt/webrootauth -m root@%s -d %s auth' % domain)
+ os.system('sudo /root/letsencrypt/letsencrypt-auto -a webroot --renew-by-default --agree-dev-preview --agree-tos --webroot-path /etc/letsencrypt/webrootauth -m root@%s -d %s auth' % domain)
 # restore right for metronome
- os.system('chown root:metronome /etc/letsencrypt/archive/%s/*' % domain)
+ os.system('sudo chown root:metronome /etc/letsencrypt/archive/%s/*' % domain)
 # create cron
 os.system('echo "@monthly root yunohost domain letsencrypt -r %s" > /etc/cron.d/letsencrypt-%s' % domain)
 # symbolic link for cert and key
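Review bot: The command strings in this hunk have more `%s` placeholders than arguments: the `sudo mv` line has three and the `sudo rm`, `letsencrypt-auto` and cron lines have two, each formatted with the single value `domain`, so if `domain` is a string the `%` operator raises TypeError before `os.system` is called; the `letsencrypt-auto` lines in the renew/revoke hunk have the same problem. `domain` is also spliced into a shell string that now runs under `sudo`, so unless the part of the function above the hunk validates it against the configured domains, shell metacharacters in the argument would be interpreted with root privileges. Passing an argument list to `subprocess.check_call` removes the shell, makes the placeholder count moot and raises on a non-zero exit; the certificate request is shown that way below, and it needs `subprocess` imported at the top of the file. The `mv`, `rm` and `chown` lines rely on shell globbing and would need explicit paths to get the same treatment, or at minimum `% (domain, domain, domain)` and a validated `domain`. The function starts and ends outside the hunk.

```python
# … unchanged: self-signed backup (mkdir, mv, rm) …
# create certificate
try:
    subprocess.check_call([
        'sudo', '/root/letsencrypt/letsencrypt-auto',
        '-a', 'webroot', '--renew-by-default',
        '--agree-dev-preview', '--agree-tos',
        '--webroot-path', '/etc/letsencrypt/webrootauth',
        '-m', 'root@%s' % domain, '-d', domain, 'auth',
    ])
    # … unchanged: chown, cron file, symbolic links …
```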
@@ -277,17 +277,17 @@ def domain_letsencrypt(auth, domain, create=False, renew=False, revoke=False):
 elif renew and not create and not revoke:
 try:
- os.system('/root/letsencrypt/letsencrypt-auto -a webroot --renew-by-default --agree-dev-preview --agree-tos --webroot-path /etc/letsencrypt/webrootauth -m root@%s -d %s auth' % domain)
+ os.system('sudo /root/letsencrypt/letsencrypt-auto -a webroot --renew-by-default --agree-dev-preview --agree-tos --webroot-path /etc/letsencrypt/webrootauth -m root@%s -d %s auth' % domain)
 # restore right for metronome
- os.system('chown root:metronome /etc/letsencrypt/archive/%s/*' % domain)
+ os.system('sudo chown root:metronome /etc/letsencrypt/archive/%s/*' % domain)
 msignals.display(m18n.n('domain_letsencrypt_renewed'), 'success')
 except:
 raise MoulinetteError(errno.EIO, m18n.n('domain_letsencrypt_renew_failed'))
 elif revoke and not create and not renew:
 try:
- os.system('/root/letsencrypt/letsencrypt-auto -a webroot --renew-by-default --agree-dev-preview --agree-tos --webroot-path /etc/letsencrypt/webrootauth -m root@%s -d %s auth' % domain)
+ os.system('sudo /root/letsencrypt/letsencrypt-auto -a webroot --renew-by-default --agree-dev-preview --agree-tos --webroot-path /etc/letsencrypt/webrootauth -m root@%s -d %s auth' % domain)
 msignals.display(m18n.n('domain_letsencrypt_revoked'), 'success')
 except:
 raise MoulinetteError(errno.EIO, m18n.n('domain_letsencrypt_revoke_failed'))
 else:
- raise MoulinetteError(errno.EIO, m18n.n('domain_letsencrypt_revoke_unknown'))
+ raise MoulinetteError(errno.EIO, m18n.n('domain_letsencrypt_badarg'))
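Review bot: The `revoke` branch runs the same `letsencrypt-auto ... auth` command as the create and renew branches, so it requests a certificate instead of revoking one and then reports `domain_letsencrypt_revoked`; it should call the client's revocation subcommand for the installed version. A failed run of the command itself is never detected in either branch, because `os.system` returns the exit status rather than raising, so the bare `except:` only catches Python errors such as a formatting TypeError. Checking the status, e.g. `if os.system(cmd) != 0: raise MoulinetteError(errno.EIO, m18n.n('domain_letsencrypt_renew_failed'))`, and replacing the bare `except:` with the specific exception expected would make the failure messages reachable for real failures. The function starts outside the hunk.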