diff --git a/roles/graphite/grafana/files/grafana.conf b/roles/graphite/grafana/files/grafana.conf
deleted file mode 100644
index 4c25da333f..0000000000
--- a/roles/graphite/grafana/files/grafana.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-<VirtualHost *:80>
-  ServerName grafana.cloud.fedoraproject.org
-  ErrorLog /var/log/httpd/grafana-error.log
-  CustomLog /var/log/httpd/grafana-access.log common
-  ProxyPass / http://localhost:3000/
-  ProxyPassReverse / http://localhost:3000/
-</VirtualHost>
diff --git a/roles/graphite/grafana/tasks/main.yml b/roles/graphite/grafana/tasks/main.yml
index faa56212ba..119c55fd8a 100644
--- a/roles/graphite/grafana/tasks/main.yml
+++ b/roles/graphite/grafana/tasks/main.yml
@@ -36,7 +36,7 @@
   - grafana
 
 - name: grafana apache proxy config file
-  copy: src=grafana.conf dest=/etc/httpd/conf.d/grafana.conf owner=root group=root mode=644
+  template: src=grafana.conf dest=/etc/httpd/conf.d/grafana.conf owner=root group=root mode=644
   notify:
   - restart apache
   tags:
diff --git a/roles/graphite/grafana/templates/grafana.conf b/roles/graphite/grafana/templates/grafana.conf
new file mode 100644
index 0000000000..a6ecc8123a
--- /dev/null
+++ b/roles/graphite/grafana/templates/grafana.conf
@@ -0,0 +1,28 @@
+<VirtualHost *:80>
+  ServerName grafana.cloud.fedoraproject.org
+  ServerAlias grafana.fedorainfracloud.org
+  ErrorLog /var/log/httpd/grafana-error.log
+  CustomLog /var/log/httpd/grafana-access.log common
+  ProxyPass / http://localhost:3000/
+  ProxyPassReverse / http://localhost:3000/
+
+  RewriteEngine on
+  RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
+</VirtualHost>
+
+<VirtualHost {{public_ip}}:443 _default_:443>
+  ServerName grafana.cloud.fedoraproject.org
+  ServerAlias grafana.fedorainfracloud.org
+
+  SSLEngine on
+  SSLCertificateFile    /etc/letsencrypt/live/grafana.cloud.fedoraproject.org/cert.pem
+  SSLCertificateKeyFile /etc/letsencrypt/live/grafana.cloud.fedoraproject.org/privkey.pem
+  SSLCertificateChainFile /etc/letsencrypt/live/grafana.cloud.fedoraproject.org/fullchain.pem
+  SSLHonorCipherOrder On
+  SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
+  SSLProtocol ALL -SSLv2
+
+  ProxyPass / http://localhost:3000/
+  ProxyPassReverse / http://localhost:3000/
+</VirtualHost>
+