diff --git a/roles/lego/README.md b/roles/lego/README.md
index 97026a0..3627a5b 100644
--- a/roles/lego/README.md
+++ b/roles/lego/README.md
@@ -40,3 +40,7 @@ By default, the lego distribution for `linux` on `amd64` is downloaded. If your
 ### User management
 
 The role will attempt to create user+group for each seperate lego instance for data isolation (i.e. to avoid leaking a TSIG key from one lego instance to other services). The user and group are of the form `acme-{{ lego_instance }}`. Beware that changing this in `lego_cert_{user,group}` also requires `lego_systemd_{user,group}` to be adjusted!
+
+### Binding to ports < 1024 (HTTP-01 challenge)
+
+Set `lego_binary_allow_net_bind_service: true` to allow the lego binary to bind to ports in the 'privileged' (< 1024) port range.
diff --git a/roles/lego/defaults/main.yml b/roles/lego/defaults/main.yml
index 4c02459..1363714 100644
--- a/roles/lego/defaults/main.yml
+++ b/roles/lego/defaults/main.yml
@@ -58,6 +58,7 @@ lego_systemd_timer_calendar: "*-*-* *:00/15:00"
 
 lego_architecture: "amd64"
 lego_os: "linux"
+lego_binary_allow_net_bind_service: false
 
 lego_release_archive_server: "https://github.com"
 lego_release_archive_filename: >-
diff --git a/roles/lego/tasks/main.yml b/roles/lego/tasks/main.yml
index 368e841..4e2e678 100644
--- a/roles/lego/tasks/main.yml
+++ b/roles/lego/tasks/main.yml
@@ -63,6 +63,13 @@
         remote_src: true
       when: lego_binary_info.rc != 0
 
+    - name: Ensure lego is allowed to bind to ports < 1024
+      community.general.capabilities:
+        path: "/usr/local/bin/lego"
+        capability: "cap_net_bind_service+ep"
+        state: present
+      when: lego_binary_allow_net_bind_service
+
     - name: Ensure intermediate data is gone
       ansible.builtin.file:
         path: "{{ item }}"
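Review bot: The `when: lego_binary_allow_net_bind_service` guard on the new capabilities task means that setting the variable back to `false` never revokes the capability — the file keeps `cap_net_bind_service+ep` until someone runs `setcap -r` by hand, so the role is not convergent for the off state. Drop the `when:` and drive the module's state from the flag instead: `state: "{{ 'present' if lego_binary_allow_net_bind_service else 'absent' }}"`. The binary path is hard-coded here as `"/usr/local/bin/lego"`; if the download/extract task above uses a variable for that location, reuse it so the two cannot drift. Because a file capability applies to every execution of the binary by any user rather than only to the systemd service this role configures, consider documenting in the README that `AmbientCapabilities=CAP_NET_BIND_SERVICE` in the unit is the narrower alternative, and that `community.general` plus the target's `setcap`/`getcap` tools are required when the flag is enabled. The enclosing block that holds these tasks starts before the hunk.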