diff --git a/files/httpd/fpaste.org.conf b/files/httpd/fpaste.org.conf
new file mode 100644
index 0000000000..b38b68995a
--- /dev/null
+++ b/files/httpd/fpaste.org.conf
@@ -0,0 +1,2 @@
+RewriteEngine on
+RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
diff --git a/playbooks/groups/proxies.yml b/playbooks/groups/proxies.yml
index f5fb7ee24e..d2747821d7 100644
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
@@ -23,9 +23,14 @@
       when: env == "staging" or "'mirrorlist-proxy' in group_names" }
   - { role: openvpn/client,
       when: env != "staging" }
+  - { role: certbot,
+      when: inventory_hostname == 'proxy01.phx2.fedoraproject.org' }
   - apache
 
   tasks:
+  - name: install special fpaste.conf with letsencrypt info
+    copy: src={{ files }}/files/httpd/fpaste.conf dest=/etc/httpd/conf.d/fpaste.org/fpaste.org.conf
+    when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'
   - include: "{{ tasks }}/yumrepos.yml"
   - include: "{{ tasks }}/2fa_client.yml"
   - include: "{{ tasks }}/motd.yml"
diff --git a/playbooks/include/proxies-websites.yml b/playbooks/include/proxies-websites.yml
index 370eddba2b..3946d6a9c4 100644
--- a/playbooks/include/proxies-websites.yml
+++ b/playbooks/include/proxies-websites.yml
@@ -463,11 +463,19 @@
 #
 # Make a website here so we can redirect it to paste.fedoraproject.org
 #
+  - role: httpd/website
+    name: fpaste.org
+    server_aliases:
+    - www.fpaste.org
+    cert_name: fpaste.org
+    when: inventory_hostname == 'proxy01.phx2.fedoraproject.org'
+
   - role: httpd/website
     name: fpaste.org
     server_aliases:
     - www.fpaste.org
     cert_name: "{{wildcard_cert_name}}"
+    when: inventory_hostname != 'proxy01.phx2.fedoraproject.org'
 
   - role: httpd/website
     name: koji.fedoraproject.org