diff --git a/roles/libravatar/templates/httpd/libravatar.conf b/roles/libravatar/templates/httpd/libravatar.conf
index f8b97e211e..d05ce30af4 100644
--- a/roles/libravatar/templates/httpd/libravatar.conf
+++ b/roles/libravatar/templates/httpd/libravatar.conf
@@ -17,6 +17,19 @@ RewriteEngine on
     RewriteRule "^/?(.*)" "https://%{HTTP_HOST}/$1" [L,R=301,NE]
 </VirtualHost>
 
+<VirtualHost *:443>
+    ServerName cdn.libravatar.org
+
+    SSLCertificateFile    /etc/letsencrypt/live/cdn.libravatar.org/cert.pem
+    SSLCertificateKeyFile  /etc/letsencrypt/live/cdn.libravatar.org/privkey.pem
+    SSLCertificateChainFile /etc/letsencrypt/live/cdn.libravatar.org/fullchain.pem
+    Header always add Strict-Transport-Security "max-age=31536000; preload; includeSubDomains"
+
+    RewriteRule ^/\.well-known/(.*) /var/www/html/.well-known/$1 [L]
+
+    Include /etc/httpd/conf.d/libravatar-app.include
+</VirtualHost>
+
 <VirtualHost *:443>
     ServerName {{ server_seccdn_name }}