diff --git a/playbooks/hosts/java-deptools.fedorainfracloud.org b/playbooks/hosts/java-deptools.fedorainfracloud.org index cd3506f00e..0a142a293b 100644 --- a/playbooks/hosts/java-deptools.fedorainfracloud.org +++ b/playbooks/hosts/java-deptools.fedorainfracloud.org @@ -30,4 +30,5 @@ roles: - basessh + - certbot - java-deptools diff --git a/roles/java-deptools/files/proxy.conf b/roles/java-deptools/files/proxy.conf index 407c754aab..f305c7af40 100644 --- a/roles/java-deptools/files/proxy.conf +++ b/roles/java-deptools/files/proxy.conf @@ -1,8 +1,24 @@ +ServerName java-deptools.fedorainfracloud.org + AddDefaultCharset off Order deny,allow Allow from all -ProxyPass / http://localhost:9000/ -ProxyPassReverse / http://localhost:9000/ + + SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/java-deptools.fedorainfracloud.org/cert.pem + SSLCertificateKeyFile /etc/letsencrypt/live/java-deptools.fedorainfracloud.org/privkey.pem + SSLCertificateChainFile /etc/letsencrypt/live/java-deptools.fedorainfracloud.org/fullchain.pem + SSLHonorCipherOrder On + SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL + SSLProtocol ALL -SSLv2 + + ProxyPass / http://localhost:9000/ + ProxyPassReverse / http://localhost:9000/ + + +RewriteEngine On +RewriteCond %{HTTPS} off +RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L] diff --git a/roles/java-deptools/tasks/main.yml b/roles/java-deptools/tasks/main.yml index 1677d2e58d..48ba5dccb6 100644 --- a/roles/java-deptools/tasks/main.yml +++ b/roles/java-deptools/tasks/main.yml @@ -7,6 +7,7 @@ package: name={{ item }} state=present with_items: - httpd + - mod_ssl - postgresql-server - postgresql - java-deptools 
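Review bot: The TLS settings added to proxy.conf leave weak protocol and cipher choices enabled: `SSLProtocol ALL -SSLv2` still permits SSLv3, and with `SSLHonorCipherOrder On` the suite list puts `RC4-SHA` first, so the server will prefer RC4 with any client that offers it. I would change these two lines to `SSLProtocol all -SSLv2 -SSLv3` and `SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES`, or reuse a shared TLS policy from the other httpd roles if one exists. Separately, `RewriteRule (.*) https://%{SERVER_NAME}/$1 [R,L]` looks like it sits in server context, where the matched path already begins with `/`, so the redirect target would contain a double slash; the pattern `^/?(.*)` avoids that. The container tags around the SSL directives are not visible in this hunk, so their exact scope is inferred.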
@@ -65,6 +66,13 @@ tags: - service +- name: Obtain letsencrypt certificate + shell: certbot certonly -n --standalone --agree-tos -m sysadmin-koschei-members@fedoraproject.org -d {{ inventory_hostname }} + args: + creates: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem + tags: + - config + - name: Install proxy config copy: src=proxy.conf dest=/etc/httpd/conf.d/java-deptools-proxy.conf