diff --git a/config/service/letsencrypt/Containerfile b/config/service/letsencrypt/Containerfile
index 705222f..6f24a11 100644
--- a/config/service/letsencrypt/Containerfile
+++ b/config/service/letsencrypt/Containerfile
@@ -1 +1,9 @@
 FROM docker.io/goacme/lego:v4.4.0
+
+RUN addgroup --system --gid 10000 letsencrypt
+RUN adduser --system --uid 10000 --ingroup letsencrypt --home /var/lib/letsencrypt letsencrypt
+
+RUN apk --no-cache --no-progress add gosu
+COPY container/run-lego /run-lego
+
+ENTRYPOINT ["/run-lego"]
diff --git a/config/service/letsencrypt/container/run-lego b/config/service/letsencrypt/container/run-lego
new file mode 100755
index 0000000..5dfc875
--- /dev/null
+++ b/config/service/letsencrypt/container/run-lego
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Correct permissions where needed.
+chown -R letsencrypt:letsencrypt /var/lib/letsencrypt
+
+# Run ACME verification with parameters given.
+gosu letsencrypt /usr/bin/lego "$@"
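Review bot: The Containerfile has no `USER` line and its new entrypoint runs as root, which run-lego needs for the chown and for gosu, but nothing in the file says this is deliberate. A comment above `ENTRYPOINT` would record it, for example `# Starts as root on purpose: run-lego fixes volume ownership, then drops to letsencrypt (uid 10000) via gosu.` It also means the container presumably cannot be started with `--user` or with the CHOWN/SETUID/SETGID capabilities dropped, which is worth stating for whoever writes the service definition. The two account-creation `RUN` lines and the `apk add` could share one layer, though that is cosmetic.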
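Review bot: The last line of run-lego starts lego as a child of the shell instead of replacing it, so `/bin/sh` stays PID 1 and a stop signal sent to the container is not passed on to lego; `exec gosu letsencrypt /usr/bin/lego "$@"` avoids that. Separately, `chown -R` runs as root on every start over a tree the unprivileged user can write to. Without `-h`, a symlink left in that tree may get its target re-owned instead of the link itself (how the image's chown treats links is inferred, not shown here), so `chown -hR letsencrypt:letsencrypt /var/lib/letsencrypt` is the safer form. The script also has no `set -e`, so a failed chown is ignored and lego still runs.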