use public_hostname because letsencrypt knows it by that name

roles/taskotron/ssl-taskotron/templates/ssl.conf.j2

@@ -101,14 +101,14 @@ SSLCipherSuite {{ ssl_ciphers }}
 # the certificate is encrypted, then you will be prompted for a
 # pass phrase.  Note that a kill -HUP will prompt again.  A new
 # certificate can be generated using the genkey(1) command.
-SSLCertificateFile /etc/pki/tls/certs/{{ inventory_hostname }}.crt
+SSLCertificateFile /etc/pki/tls/certs/{{ public_hostname }}.crt
 
 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
 #   directive to point at the key file.  Keep in mind that if
 #   you've both a RSA and a DSA private key you can configure
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/pki/tls/private/{{ inventory_hostname }}.key
+SSLCertificateKeyFile /etc/pki/tls/private/{{ public_hostname }}.key
 
 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the