diff --git a/pillar/role/pagure.sls b/pillar/role/pagure.sls
index 905293e..b0bf64d 100644
--- a/pillar/role/pagure.sls
+++ b/pillar/role/pagure.sls
@@ -41,6 +41,14 @@ nginx:
                 - listen:
                     - '[::]:80'
                     - default_server
+                - listen:
+                    - 443
+                    - ssl
+                - listen:
+                    - '[::]:443'
+                    - ssl
+                - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt
+                - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key
                 - location @pagure:
                     - client_max_body_size: 0
                     - proxy_set_header: Host $http_host
@@ -63,6 +71,14 @@ nginx:
                 - listen:
                     - '[::]:80'
                     - default_server
+                - listen:
+                    - 443
+                    - ssl
+                - listen:
+                    - '[::]:443'
+                    - ssl
+                - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt
+                - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key
                 - location /:
                     - alias: /srv/www/pagure-releases/
                     - autoindex: 'on'
@@ -76,6 +92,14 @@ nginx:
                 - listen:
                     - '[::]:80'
                     - default_server
+                - listen:
+                    - 443
+                    - ssl
+                - listen:
+                    - '[::]:443'
+                    - ssl
+                - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt
+                - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key
                 - location @pagure_ev:
                     - proxy_set_header: Host $http_host
                     - proxy_set_header: X-Real-IP $remote_addr
@@ -94,6 +118,14 @@ nginx:
                 - listen:
                     - '[::]:80'
                     - default_server
+                - listen:
+                    - 443
+                    - ssl
+                - listen:
+                    - '[::]:443'
+                    - ssl
+                - ssl_certificate: /etc/dehydrated/certs/code.opensuse.org/fullchain.crt
+                - ssl_certificate_key: /etc/dehydrated/certs/code.opensuse.org/privkey.key
                 - location @pagure_docs:
                     - proxy_set_header: Host $http_host
                     - proxy_set_header: X-Real-IP $remote_addr
diff --git a/salt/profile/crtmgr/dehydrated.sls b/salt/profile/crtmgr/dehydrated.sls
index 7bfdc80..b69115a 100644
--- a/salt/profile/crtmgr/dehydrated.sls
+++ b/salt/profile/crtmgr/dehydrated.sls
@@ -2,3 +2,15 @@ dehydrated:
   pkg.installed:
     - pkgs:
       - dehydrated
+
+/etc/dehydrated/postrun-hooks.d/reloadhttpd.sh:
+  file.managed:
+    - mode: 755
+    - contents: |
+        #!/bin/sh
+        if [ -e /usr/lib/systemd/system/apache2.service ] ; then
+          systemctl reload apache2
+        fi
+        if [ -e /usr/lib/systemd/system/nginx.service ] ; then
+          systemctl reload nginx
+        fi
diff --git a/salt/profile/pagure/init.sls b/salt/profile/pagure/init.sls
index 90f2789..e23945c 100644
--- a/salt/profile/pagure/init.sls
+++ b/salt/profile/pagure/init.sls
@@ -1,4 +1,5 @@
 include:
+  - profile.crtmgr
   - profile.pagure.redis
 
 pagure_pgks: