diff --git a/roles/httpd/website/defaults/main.yml b/roles/httpd/website/defaults/main.yml
index cebeb4246e..3fed4bdc4a 100644
--- a/roles/httpd/website/defaults/main.yml
+++ b/roles/httpd/website/defaults/main.yml
@@ -11,3 +11,6 @@ sslonly: false
 SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
 gzip: false
 stssubdomains: true
+# set to true to enable the proxy to redirect the http01 challenge
+# to certgetter, set to false to disable (for migration)
+enable_certgetter: true
diff --git a/roles/httpd/website/templates/website.conf b/roles/httpd/website/templates/website.conf
index 931655e6a6..d759139128 100644
--- a/roles/httpd/website/templates/website.conf
+++ b/roles/httpd/website/templates/website.conf
@@ -12,7 +12,9 @@
 SetOutputFilter DEFLATE
 {% endif %}
 
+{% if enable_certgetter %}
 ProxyPass "/.well-known/acme-challenge" "http://certgetter01/.well-known/acme-challenge"
+{% endif %}
 
 {% if site_name == "fedoraproject.org" %}
 Include "conf.d/fedoraproject.org/expires.conf"
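Review bot: The comment above `enable_certgetter` explains what `true` does but not what serves `/.well-known/acme-challenge` once the value is `false`; in the template hunk of this commit the ProxyPass is simply dropped and nothing replaces it. That path decides who can complete HTTP-01 validation for the site, so I would add a line such as `# when false the challenge path is not proxied and is served by the vhost itself; confirm what answers it before disabling`. The rest of the vhost is outside this diff, so what actually handles the path in that state is an assumption to confirm.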
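Review bot: The new guard `{% if enable_certgetter %}` tests plain Jinja truthiness, so a value that arrives as a string (for example `enable_certgetter=false` passed as key=value extra-vars or set in an INI inventory) is non-empty and leaves the ProxyPass in place. Writing it as `{% if enable_certgetter | bool %}` makes the toggle behave the same however the variable is set. This matters because the switch decides which host answers HTTP-01 validation for the site, and an operator who believes the proxy is off during migration would otherwise still be forwarding challenges to certgetter01.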