diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml
index 4fdec0b..dfd6b71 100644
--- a/ansible/playbooks/site.yml
+++ b/ansible/playbooks/site.yml
@@ -4,5 +4,5 @@
 - import_playbook: vault-server.yml
 - import_playbook: consul-client.yml
 - import_playbook: nomad.yml
- #- import_playbook: docker-registry.yml
+- import_playbook: docker-registry.yml
 ...
diff --git a/ansible/roles/consul_server/templates/consul.hcl.j2 b/ansible/roles/consul_server/templates/consul.hcl.j2
index f232a57..8439789 100644
--- a/ansible/roles/consul_server/templates/consul.hcl.j2
+++ b/ansible/roles/consul_server/templates/consul.hcl.j2
@@ -28,6 +28,7 @@ raft_protocol = 3
 addresses {
   http = "0.0.0.0"
+  dns = "0.0.0.0"
 }
 performance {
diff --git a/ansible/roles/docker_registry/tasks/main.yml b/ansible/roles/docker_registry/tasks/main.yml
index d9b67c9..866a4b8 100644
--- a/ansible/roles/docker_registry/tasks/main.yml
+++ b/ansible/roles/docker_registry/tasks/main.yml
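Review bot: The added `dns = "0.0.0.0"` in the `addresses` block binds Consul's DNS listener to every interface of the server, next to the HTTP API that is already bound the same way; Consul's default for this address is `127.0.0.1`. Unless other hosts need to resolve `.consul` names through this node, keep the default, or bind it to the address those clients actually use and confirm host firewall rules cover the DNS port. If the wide bind is intentional, a one-line comment above it stating which clients depend on it would save the next reader from tightening it by mistake.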
@@ -1,28 +1,96 @@
 ---
-- name: debug
-  debug:
-    msg: "{{ lookup('hashi_vault', 'secret=pki_int/masked.name') }}"
+- name: check if server cert is expiring in the next 5 days
+  shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/docker_registry.crt"
+  args:
+    executable: /bin/bash
+  failed_when: False
+  check_mode: False
+  changed_when: False
+  register: exp
-- name: ensure docker registry dir
-  file:
-    path: "{{ docker_registry_mnt }}"
-    state: directory
+- name: get cert
+  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=docker.service.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+  args:
+    executable: /bin/bash
+  environment:
+    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+    VAULT_FORMAT: json
+  register: cert_data
+  when: exp.rc != 0
+
+- name: write cert data to server
+  copy:
+    content: "{{ item.content }}"
+    dest: "/etc/pki/{{ item.path }}"
+    mode: '{{ item.mode }}'
     owner: root
     group: root
-    mode: 0755
-
+  when: cert_data.changed
+  loop:
+    - {
+      content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+      path: "certs/docker_registry.crt",
+      mode: "0755"
+    }
+    - {
+      content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+      path: "keys/docker_registry.key",
+      mode: "0600"
+    }
 - name: ensure python-docker is installed
   apt:
     name: python3-docker
     state: present
+- name: ensure docker registry ssl dir
+  file:
+    path: /etc/docker_registry/
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: ensure docker registry cert
+  file:
+    state: hard
+    src: /etc/pki/certs/docker_registry.crt
+    dest: /etc/docker_registry/docker_registry.crt
+    owner: root
+    group: root
+    mode: 0644
+
+- name: ensure docker registry private key
+  file:
+    state: hard
+    src: /etc/pki/keys/docker_registry.key
+    dest: /etc/docker_registry/docker_registry.key
+    owner: root
+    group: root
+    mode: 0644
+
+- name: ensure docker registry key and cert are available
+  file:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    state: hard
+  loop:
+    - { src: /etc/pki/certs/docker_registry.crt, dest: /etc/docker_registry/docker_registry.crt }
+    - { src: /etc/pki/keys/docker_registry.key, dest: /etc/docker_registry/docker_registry.key }
+
 - name: run docker registry
   docker_container:
     name: registry
     image: registry:2
+    env:
+      REGISTRY_HTTP_ADDR: 0.0.0.0:443
+      REGISTRY_HTTP_TLS_CERTIFICATE: /certs/docker_registry.crt
+      REGISTRY_HTTP_TLS_KEY: /certs/docker_registry.key
+      REGISTRY_HTTP_SECRET: "{{ lookup('hashi_vault', 'secret=kv/data/docker:data')['REGISTRY_HTTP_SECRET'] }}"
     ports:
-      - "5000:5000"
+      - "5000:443"
     volumes:
       - "{{ docker_registry_mnt }}:/var/lib/registry"
+      - "/etc/docker_registry:/certs"
     restart_policy: always
 ...
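Review bot: The `ensure docker registry private key` task sets `mode: 0644` on a hard link to `/etc/pki/keys/docker_registry.key`; a hard link is the same inode, so this chmod replaces the `"0600"` the copy task just applied and leaves the private key readable by every local user, while the certificate item above is written with `mode: "0755"` where `"0644"` is enough. Change the key task to `mode: "0600"`, and note that the following `ensure docker registry key and cert are available` task re-creates the same two hard links and can be dropped. Both `get cert` (the registered `cert_data` holds the private key in `stdout`) and `write cert data to server` (each loop item carries `item.content`) will echo the key into play output and callback logs unless they carry `no_log: true`. `VAULT_ADDR: http://ivyking.minhas.io:8200` sends the controller's token read from `~/.vault-token` to the managed node's environment and then to Vault in clear; if that listener offers TLS use `https://`, and consider taking the address from a variable rather than a literal.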