diff --git a/roles/haproxy/tasks/acme.yml b/roles/haproxy/tasks/acme.yml
index f89e8c0f3..901b1e13c 100644
--- a/roles/haproxy/tasks/acme.yml
+++ b/roles/haproxy/tasks/acme.yml
@@ -3,6 +3,8 @@
   ansible.builtin.user:
     name: acme
     state: present
+    groups: lbops,haproxy
+    append: yes
 
 - name: Install acl package so ansible can run as an unprivilegd user
   ansible.builtin.package:
@@ -17,7 +19,8 @@
 
 - name: Install the acme.sh script
   ansible.builtin.shell:
-    cmd: /opt/acmesh/acme.sh --install
+    cmd: sh /opt/acmesh/acme.sh --install
+    chdir: /opt/acmesh
     creates: /home/acme/.acme.sh/acme.sh
   become: true
   become_user: acme
@@ -25,6 +28,6 @@
 - name: Create the acme account
   ansible.builtin.shell:
     cmd: /home/acme/.acme.sh/acme.sh --register-account --eab-kid {{ haproxy_acme_eab_kid }} --eab-hmac-key {{ haproxy_acme_eab_hmac_key }} --server https://acme.sectigo.com/v2/GEANTOV
-    creates: /home/acme/.acme.sh/account.conf
+    creates: /home/acme/.acme.sh/ca/acme.sectigo.com/v2/GEANTOV/account.key
   become: true
   become_user: acme
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index b316bb1bd..7390ec7cf 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
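Review bot: `groups: lbops,haproxy` makes creation of the acme user depend on both groups already existing, yet the `@@ -1,22 +1,36 @@` hunk of roles/haproxy/tasks/main.yml now runs the acme include before the `Create lbops group` task, so on a fresh host `ansible.builtin.user` will presumably fail with a missing-group error unless lbops is created earlier by another role; moving the group task back above the include (it does not depend on the apt install) restores the order. `append: yes` should be the canonical boolean `append: true`. Membership in the haproxy group widens what this otherwise unprivileged user can read and write, so a one-line comment naming the haproxy-owned path that requires it, e.g. `# haproxy group: needed for <path acme.sh writes into — TODO confirm>`, would document the grant. The `Create acme user` task that owns these keys starts above the hunk.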
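Review bot: `cmd: sh /opt/acmesh/acme.sh --install` runs through `ansible.builtin.shell` although the command uses no pipes, redirects or globbing, so `ansible.builtin.command` with the same `cmd:`, `chdir:` and `creates:` keys would run without a shell and satisfy ansible-lint's command-instead-of-shell rule. Nothing in this file shows where /opt/acmesh is fetched from, so a comment such as `# expects the acme.sh checkout at /opt/acmesh (fetched elsewhere — TODO name the task)` would save the next reader a search. The `Install the acme.sh script` task is wholly inside the hunk.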
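Review bot: The `cmd:` line on the new side passes `{{ haproxy_acme_eab_hmac_key }}` through a shell and onto the acme.sh command line, so the EAB HMAC key shows up in Ansible task output and in the host's process list, and a value containing shell metacharacters would be interpreted rather than passed through. Add `no_log: true` to the task and switch to `ansible.builtin.command` with an `argv:` list so each variable is handed over as a single argument. The new `creates:` path hard-codes the CA host and path `acme.sectigo.com/v2/GEANTOV`; a comment tying it to the `--server` argument (`# acme.sh keeps the account key under ca/<server host/path>/ — keep in sync with --server`) makes the coupling explicit.
```yaml
- name: Create the acme account
  ansible.builtin.command:
    argv:
      - /home/acme/.acme.sh/acme.sh
      - --register-account
      - --eab-kid
      - "{{ haproxy_acme_eab_kid }}"
      - --eab-hmac-key
      - "{{ haproxy_acme_eab_hmac_key }}"
      - --server
      - https://acme.sectigo.com/v2/GEANTOV
    # acme.sh keeps the account key under ca/<server host/path>/ — keep in sync with --server
    creates: /home/acme/.acme.sh/ca/acme.sectigo.com/v2/GEANTOV/account.key
  no_log: true
  # … unchanged: become / become_user …
```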
@@ -1,22 +1,36 @@
 ---
-- name: Include acme installation
-  ansible.builtin.include_tasks: acme.yml
-  when: haproxy_acme | bool
+- name: Download HAProxy GPG key
+  ansible.builtin.get_url:
+    url: https://haproxy.debian.net/bernat.debian.org.gpg
+    dest: /etc/apt/trusted.gpg.d/haproxy.asc
+    mode: '0644'
 
-- name: Create lbops group
-  ansible.builtin.group:
-    name: lbops
-    state: present
+- name: Add HAProxy repository to sources list
+  ansible.builtin.copy:
+    dest: /etc/apt/sources.list.d/haproxy.list
+    content: |
+      deb http://haproxy.debian.net bookworm-backports-3.0 main
+    mode: '0644'
 
 - name: Install haproxy and socat
   ansible.builtin.apt:
     name:
-      - haproxy
+      - haproxy=3.0.*
       - socat
+      - git
     state: present
   register: haproxy_package_installed
   until: haproxy_package_installed is succeeded
 
+- name: Include acme installation
+  ansible.builtin.include_tasks: acme.yml
+  when: haproxy_acme | bool
+
+- name: Create lbops group
+  ansible.builtin.group:
+    name: lbops
+    state: present
+
 - name: Copy haproxy sysconfig file
   ansible.builtin.copy:
     src: sysconfig_haproxy
@@ -125,9 +139,6 @@
   notify:
     - "reload haproxy"
 
-- name: include get_acme_certs
-  include_tasks: get_acme_certs.yml
-  when: haproxy_acme | bool and vhost_acls.changed
 
 - name: Copy haproxy maps
   ansible.builtin.template:
@@ -155,6 +166,10 @@
   notify:
     - "reload haproxy"
 
+- name: include get_acme_certs
+  include_tasks: get_acme_certs.yml
+  when: haproxy_acme | bool and vhost_acls.changed
+
 - name: Start and enable haproxy
   ansible.builtin.service:
     name: haproxy
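Review bot: `dest: /etc/apt/trusted.gpg.d/haproxy.asc` makes the HAProxy key a trusted signer for every configured apt source, not only haproxy.debian.net; store it under /etc/apt/keyrings and bind it to the one repository with `deb [signed-by=/etc/apt/keyrings/haproxy.asc] http://haproxy.debian.net bookworm-backports-3.0 main`. The `get_url` task carries no `checksum:`, so the key is accepted on the strength of the download alone; pinning the expected digest (placeholder `checksum: sha256:<KEY_SHA256>`) turns a swapped key into a loud failure instead of a silently trusted one. The task name `Install haproxy and socat` no longer describes its package list now that `git` is added.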
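Review bot: `include_tasks: get_acme_certs.yml` is the one task in this hunk without the `ansible.builtin.` prefix while the rest of the file uses FQCNs; `ansible.builtin.include_tasks: get_acme_certs.yml` keeps it consistent. `vhost_acls.changed` reads a register set outside this hunk; the test form `haproxy_acme | bool and vhost_acls is changed` is the documented idiom for that check. The commit moves the include below the map tasks without saying why, so a comment such as `# must run after the map tasks — presumably get_acme_certs reads the rendered maps; TODO confirm` would record the intent.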