diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index c45a9658e9..deb7511be3 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -904,6 +904,7 @@
 ssl: true
 sslonly: true
 certbot: true
+ certbot_addhost: pkgs02.fedoraproject.org
 tags:
 - pkgs.fedoraproject.org
 when: env == "production" and "phx2" in inventory_hostname
diff --git a/roles/distgit/tasks/main.yml b/roles/distgit/tasks/main.yml
index 5db8548987..1247adaf04 100644
--- a/roles/distgit/tasks/main.yml
+++ b/roles/distgit/tasks/main.yml
@@ -347,20 +347,6 @@
 notify:
 - reload httpd
-# Get the letsencrypt ssl cert for pkgs.fedoraproject.org from proxy01
-# It's stored there because the role that requests/updates it is called
-# via the proxy playbooks.
-
-- name: copy pkgs.fedoraproject.org ssl cert to pkgs machine
- synchronize:
- src: "{{ item }}"
- dest: "{{ item }}"
- with_items:
- - /etc/pki/tls/certs/pkgs.fedoraproject.org.cert
- - /etc/pki/tls/certs/pkgs.fedoraproject.org.intermediate.cert
- - /etc/pki/tls/private/pkgs.fedoraproject.org.key
- delegate_to: proxy01.phx2.fedoraproject.org
-
 # -- Lookaside Cache -------------------------------------
 # This is the annex to Dist Git, where we host source tarballs.
 - name: install the Lookaside Cache httpd configs
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
index 20b121c60b..d4cdffb959 100644
--- a/roles/letsencrypt/tasks/main.yml
+++ b/roles/letsencrypt/tasks/main.yml
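Review bot: The new `certbot_addhost: pkgs02.fedoraproject.org` line carries no explanation on the site entry, and the role that consumes the variable lives in a different file, so a reader here cannot tell that the proxy playbook will now install this site's certificate, chain and private key on that host (the job the synchronize task removed from roles/distgit in this same commit used to do from the pkgs side). Suggest a comment directly above the new line: `# certbot_addhost: the letsencrypt role also installs this site's cert/chain/key on this host`. The replaced distgit task named its peer as `proxy01.phx2.fedoraproject.org`, while the new value is the bare `pkgs02.fedoraproject.org`; whether that is the inventory name `delegate_to` will resolve cannot be checked from this hunk, so it is worth confirming before the play runs in production. The enclosing site entry starts before the hunk.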
@@ -68,3 +68,45 @@
 - reload proxyhttpd
 tags:
 - letsencrypt
+
+- name: Install the certificate (additional host)
+ copy: >
+ dest=/etc/pki/tls/certs/{{site_name}}.cert
+ content="{{certbot_certificate.stdout}}"
+ owner=root
+ group=root
+ mode=0644
+ notify:
+ - reload proxyhttpd
+ tags:
+ - letsencrypt
+ delegate_to: "{{ certbot_addhost }}"
+ when: certbot_addhost is defined
+
+- name: Install the intermediate/chain certificate (additional host)
+ copy: >
+ dest=/etc/pki/tls/certs/{{site_name}}.intermediate.cert
+ content="{{certbot_chain.stdout}}"
+ owner=root
+ group=root
+ mode=0644
+ notify:
+ - reload proxyhttpd
+ tags:
+ - letsencrypt
+ delegate_to: "{{ certbot_addhost }}"
+ when: certbot_addhost is defined
+
+- name: Install the key (additional host)
+ copy: >
+ dest=/etc/pki/tls/private/{{site_name}}.key
+ content="{{certbot_key.stdout}}"
+ owner=root
+ group=root
+ mode=0600
+ notify:
+ - reload proxyhttpd
+ tags:
+ - letsencrypt
+ delegate_to: "{{ certbot_addhost }}"
+ when: certbot_addhost is defined
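Review bot: The third task, "Install the key (additional host)", passes the private key as `content="{{certbot_key.stdout}}"` without `no_log: true`, so the key material can end up in verbose, `--diff` or check-mode output of every proxy run; add `no_log: true` to that task (the two certificate tasks carry public data, so they can stay visible for debugging). All three tasks keep `notify: - reload proxyhttpd` from the proxy-side tasks above, but a handler notified by a delegated task presumably runs in the play host's context unless the handler itself delegates, which would leave httpd on `{{ certbot_addhost }}` unreloaded after the files change — confirm against the handler definition and, if so, add a delegated reload for the additional host. On style, module arguments are given as a folded `key=value` string (`copy: >`) rather than block YAML; if converted, `mode` must be quoted (`mode: "0600"`) so it is not read as an octal integer. The repeated `when: certbot_addhost is defined` on each task could also be hoisted into one `block:`, and since the variable holds a single hostname a second additional host would need a second variable. The task whose `notify`/`tags` form the leading context lines starts outside the hunk.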