diff --git a/inventory/group_vars/jenkins-cloud b/inventory/group_vars/jenkins-cloud
index 3f0b42b789..bbefeaf0a9 100644
--- a/inventory/group_vars/jenkins-cloud
+++ b/inventory/group_vars/jenkins-cloud
@@ -1 +1,10 @@
 postfix_group: jenkins-cloud
+
+# These are consumed by a task in roles/fedmsg/base/main.yml
+fedmsg_certs:
+- service: shell
+  owner: root
+  group: root
+- service: jenkins
+  owner: root
+  group: jenkins
diff --git a/playbooks/groups/jenkins-cloud.yml b/playbooks/groups/jenkins-cloud.yml
index 5cdb6e44d7..ebd6b7d0ac 100644
--- a/playbooks/groups/jenkins-cloud.yml
+++ b/playbooks/groups/jenkins-cloud.yml
@@ -29,6 +29,7 @@
 
   roles:
    - base
+   - fedmsg/base
 
   tasks:
   - include: "{{ tasks }}/cloud_setup_basic.yml"
@@ -224,6 +225,24 @@
   handlers:
   - include: "{{ handlers }}/restart_services.yml"
 
+- name: setup fedmsg for the master (after jenkins has been installed)
+  hosts: 209.132.184.153
+  user: root
+  gather_facts: True
+  tags:
+   - jenkins_master
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "{{ private }}/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  roles:
+   - fedmsg/base
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
 ###################################################
 # jenkins slaves
 
diff --git a/roles/fedmsg/base/templates/relay.py.j2 b/roles/fedmsg/base/templates/relay.py.j2
index b70cbf4c3b..f1bd9fc2d6 100644
--- a/roles/fedmsg/base/templates/relay.py.j2
+++ b/roles/fedmsg/base/templates/relay.py.j2
@@ -24,7 +24,7 @@ config = dict(
     # It is also used by the mediawiki php plugin which, due to the oddities of
     # php, can't maintain a single passive-bind endpoint of it's own.
     relay_inbound=[
-        {% if 'persistent-cloud' in group_names %}
+        {% if 'persistent-cloud' in group_names or 'jenkins-cloud' in group_names %}
 
         # Stuff from the cloud has to go through our external proxy first..
         #"tcp://hub.fedoraproject.org:9941",
diff --git a/roles/fedmsg/base/templates/ssl.py.j2 b/roles/fedmsg/base/templates/ssl.py.j2
index e37d6c93ca..d9f0e4eba6 100644
--- a/roles/fedmsg/base/templates/ssl.py.j2
+++ b/roles/fedmsg/base/templates/ssl.py.j2
@@ -178,6 +178,10 @@ config = dict(
         ("copr.dhcp-client03", "copr-copr-be.cloud.fedoraproject.org"),
         ("copr.copr-be-i-00000407", "copr-copr-be.cloud.fedoraproject.org"),
         ("copr.copr-be", "copr-copr-be.cloud.fedoraproject.org"),
+
+        # Jenkins, also being a cloud node, is weird.  Like copr.
+        ("shell.jenkins-master-unknown", "shell-jenkins.cloud.fedoraproject.org"),
+        ("jenkins.jenkins-master-unknown", "jenkins-jenkins.cloud.fedoraproject.org"),
     ]),
 )