diff --git a/files/httpd/wcidff.org.conf b/files/httpd/wcidff.org.conf
new file mode 100644
index 0000000000..b38b68995a
--- /dev/null
+++ b/files/httpd/wcidff.org.conf
@@ -0,0 +1,2 @@
+RewriteEngine on
+RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
diff --git a/playbooks/groups/proxies.yml b/playbooks/groups/proxies.yml
index da95bd15f1..fea8a786f2 100644
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
@@ -47,6 +47,24 @@
 state=link
 when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'

+ - name: install special wcidff.conf with letsencrypt info
+ copy: src={{ files }}/httpd/wcidff.org.conf dest=/etc/httpd/conf.d/whatcanidoforfedora.org/wcidff.conf
+ when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'
+
+ - name: setup link to letsencrypt certs on proxy01
+ file: >
+ path=/etc/pki/tls/certs/whatcanidoforfedora.intermediate.cert
+ src=/etc/letsencrypt/live/whatcanidoforfedora.org/fullchain.pem
+ state=link
+ when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'
+
+ - name: setup link to letsencrypt certs on proxy01
+ file: >
+ path=/etc/pki/tls/certs/whatcanidoforfedora.org.cert
+ src=/etc/letsencrypt/live/whatcanidoforfedora.org/cert.pem
+ state=link
+ when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'
+
 - include: "{{ tasks_path }}/yumrepos.yml"
 - include: "{{ tasks_path }}/2fa_client.yml"
 - include: "{{ tasks_path }}/motd.yml"
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 8251a8a51b..7588b706fb 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
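Review bot: In files/httpd/wcidff.org.conf the pattern `^/\.well-known/(.*)` maps every path under /.well-known/ onto the challenge directory, which is wider than the ACME HTTP-01 check needs. Restricting it to challenge tokens keeps anything else that ends up under /srv/web/acme-challenge from being served: `RewriteRule ^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$ /srv/web/acme-challenge/.well-known/acme-challenge/$1 [L]`. The substitution is a filesystem path, so it also relies on a `<Directory>` grant for /srv/web/acme-challenge that this diff does not show; confirm that grant is read-only with no handlers or directory indexes enabled.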
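Review bot: In playbooks/groups/proxies.yml the chain symlink is created as `/etc/pki/tls/certs/whatcanidoforfedora.intermediate.cert`, but the httpd/website entry added in playbooks/include/proxies-websites.yml sets `SSLCertificateChainFile: whatcanidoforfedora.org.intermediate.cert`; unless the role rewrites that name, the vhost will reference a file that does not exist. Using `path=/etc/pki/tls/certs/whatcanidoforfedora.org.intermediate.cert` would line the two up. The link also targets `fullchain.pem`, which carries the leaf certificate as well as the intermediates, whereas `chain.pem` in the same live directory is the intermediates-only file. Both link tasks share one name, so distinct names (`... chain on proxy01`, `... cert on proxy01`) would make run output unambiguous. No link for the private key appears in this hunk, and the task that begins above it is cut off, so confirm the key is handled there with restrictive permissions.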
@@ -398,12 +398,22 @@
 ssl: false
 cert_name: "{{wildcard_cert_name}}"

+ - role: httpd/website
+ name: whatcanidoforfedora.org
+ server_aliases:
+ - www.whatcanidoforfedora.org
+ ssl: true
+ cert_name: whatcanidoforfedora.org
+ SSLCertificateChainFile: whatcanidoforfedora.org.intermediate.cert
+ when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'
+
 - role: httpd/website
 name: whatcanidoforfedora.org
 server_aliases:
 - www.whatcanidoforfedora.org
 ssl: false
 cert_name: "{{wildcard_cert_name}}"
+ when: inventory_hostname != 'proxy01.phx2.fedoraproject.org'

 - role: httpd/website
 name: fedoramagazine.org
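Review bot: With the two role entries split on `inventory_hostname`, only proxy01 serves whatcanidoforfedora.org with `ssl: true`; every other proxy keeps `ssl: false`. If clients can reach the site through more than one proxy (not visible here), HTTPS will work or fail depending on which host answers, and an HTTP-to-HTTPS redirect or HSTS cannot be enabled safely. A comment above the first entry would record the reason, for example `# Let's Encrypt cert lives only on proxy01; other proxies stay HTTP-only until the cert is distributed`. The hostname literal is now repeated in both conditions here and in the tasks in playbooks/groups/proxies.yml, so a single variable would keep them from drifting apart.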