diff --git a/.zuul.yaml b/.zuul.yaml
index 3d531ac967..c32cceb8fb 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -958,6 +958,7 @@
 label: ubuntu-bionic
 vars:
 run_playbooks:
+ - playbooks/service-letsencrypt.yaml
 - playbooks/service-gitea-lb.yaml
 - playbooks/remote_puppet_git.yaml
 run_test_playbook: playbooks/test-gitea.yaml
@@ -979,6 +980,7 @@
 - playbooks/roles/gitea/
 - playbooks/roles/gitea-git-repos/
 - playbooks/roles/haproxy/
+ - playbooks/roles/letsencrypt-create-certs/handlers/restart_gitea.yaml
 - testinfra/test_gitea.py
 - testinfra/test_gitea_lb.py
 # From gitea_files -- If we rebuild the image, we want to run
diff --git a/inventory/groups.yaml b/inventory/groups.yaml
index 89b0e9c4a3..92d02a26ab 100644
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -68,6 +68,8 @@ groups:
 - mirror[0-9]*.opendev.org
 - files[0-9]*.open*.org
 - static.openstack.org
+ - gitea01.opendev.org
+ - gitea99.opendev.org
 logstash:
 - logstash[0-9]*.open*.org
 logstash-worker:
diff --git a/playbooks/host_vars/gitea01.opendev.org.yaml b/playbooks/host_vars/gitea01.opendev.org.yaml
new file mode 100644
index 0000000000..08cf199982
--- /dev/null
+++ b/playbooks/host_vars/gitea01.opendev.org.yaml
@@ -0,0 +1,4 @@
+letsencrypt_certs:
+ gitea01-main:
+ - gitea01.opendev.org
+ - opendev.org
diff --git a/playbooks/roles/gitea/tasks/main.yaml b/playbooks/roles/gitea/tasks/main.yaml
index 3947119f20..46c5d300da 100644
--- a/playbooks/roles/gitea/tasks/main.yaml
+++ b/playbooks/roles/gitea/tasks/main.yaml
@@ -20,14 +20,6 @@
 - logs
 - certs
 - db
-- name: Write TLS private key
- copy:
- content: "{{ gitea_tls_key }}"
- dest: /var/gitea/certs/key.pem
-- name: Write TLS certificate
- copy:
- content: "{{ gitea_tls_cert }}"
- dest: /var/gitea/certs/cert.pem
 - name: Write app.ini
 template:
 src: app.ini.j2
diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
index cba3e15114..56fafe0278 100644
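Review bot: The job's `files:` trigger list gains only the new `restart_gitea.yaml` handler, while the other gitea-related files this commit touches — `playbooks/roles/letsencrypt-create-certs/handlers/main.yaml`, `playbooks/host_vars/gitea01.opendev.org.yaml` and the gitea99 host_vars template — are not added in this hunk. Unless a broader pattern above the hunk already covers them, a later edit to the gitea handler entries in `handlers/main.yaml` would not run the gitea test job. Consider adding `- playbooks/roles/letsencrypt-create-certs/handlers/main.yaml` next to the new entry, or a role-wide `- playbooks/roles/letsencrypt-create-certs/` pattern if the extra job runs are acceptable.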
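Review bot: The two hosts are added as exact names whereas the neighbouring entries use globs (`mirror[0-9]*.opendev.org`); the group name itself is above the hunk. If this is deliberate — each gitea host gets an individually named `letsencrypt_certs` entry and its own handler, so a `gitea[0-9]*` glob would silently enrol hosts that have no handler — a one-line comment would keep the next person from "fixing" it: `# gitea hosts are listed individually; each needs its own letsencrypt handler`. gitea99 appears to be the CI test host; any other production gitea backends that exist are not enrolled by this change.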
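Review bot: With the two `copy` tasks removed, nothing in this role places `/var/gitea/certs/key.pem` and `cert.pem` before `app.ini` is written; they now arrive only through the `letsencrypt updated <name>` handler in `letsencrypt-create-certs`. If that handler is notified only when a certificate is issued or renewed (the notify is outside this hunk), a gitea host rebuilt while its certificate is still valid, or a run in which the handler previously failed, would start gitea without a key and cert. Consider keeping an idempotent copy from `/etc/letsencrypt-certs/{{ inventory_hostname }}/` here, guarded by a `stat` on the source, or at least documenting the dependency with a comment such as `# TLS key/cert are installed by the letsencrypt-create-certs restart_gitea handler`. The `certs` item in the list above appears to still create the directory, so that part is unaffected.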
--- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
@@ -58,3 +58,11 @@
 - name: letsencrypt updated mirror01-openafs-provider-opendev-org-main
 include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
+
+- name: letsencrypt updated gitea99-main
+ include_tasks: roles/letsencrypt-create-certs/handlers/restart_gitea.yaml
+
+# We split out handlers for each gitea host as handlers should be run in order
+# This allows us to do a rolling restart of the gitea backends.
+- name: letsencrypt updated gitea01-main
+ include_tasks: roles/letsencrypt-create-certs/handlers/restart_gitea.yaml
diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/restart_gitea.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/restart_gitea.yaml
new file mode 100644
index 0000000000..9fc58eda53
--- /dev/null
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/restart_gitea.yaml
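Review bot: The explanatory comment about per-host handlers sits above the `gitea01-main` entry but after the `gitea99-main` one, so a reader meets the test-host handler first with no explanation; move the comment above the first gitea handler and state the convention it implies, e.g. `# Every gitea host needs a handler named "letsencrypt updated <cert name>" here; a host whose cert name has no handler is an error at notify time, not a silent skip`. The "error at notify time" part is what Ansible does for a missing handler as far as I know, but the notify itself is outside this hunk, so confirm before committing to that wording. Both entries include the same file, so the per-host split carries no extra logic — only ordering, which is what the rolling restart relies on.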
@@ -0,0 +1,49 @@
+- name: Ensure gitea cert directy exists
+ file:
+ state: directory
+ path: "/var/gitea/certs"
+ owner: 1000
+ group: 1000
+
+- name: Put key in place
+ copy:
+ remote_src: yes
+ src: /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
+ dest: /var/gitea/certs/key.pem
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Put cert in place
+ copy:
+ remote_src: yes
+ # Gitea doesn't seem to accept separate ca chain and cert files.
+ # I believe it wants a single combined file as per fullchain.cer.
+ src: /etc/letsencrypt-certs/{{ inventory_hostname }}/fullchain.cer
+ dest: /var/gitea/certs/cert.pem
+ owner: root
+ group: root
+ mode: '0644'
+
+- name: Check for running gitea
+ command: pgrep -f gitea
+ ignore_errors: yes
+ register: gitea_pids
+
+- name: Restart gitea if running
+ when: gitea_pids.rc == 0
+ block:
+ - name: Restart gitea web
+ shell:
+ cmd: docker-compose restart gitea-web
+ chdir: /etc/gitea-docker/
+
+ - name: Wait for service to start and have valid users
+ uri:
+ url: "https://localhost:3000/api/v1/users/root"
+ validate_certs: false
+ status_code: 200, 404
+ register: root_user_check
+ delay: 1
+ retries: 300
+ until: root_user_check and root_user_check.status in (200, 404)
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index 661e687cb9..fe42556df8 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -85,6 +85,7 @@
 - host_vars/bridge.openstack.org.yaml
 - host_vars/letsencrypt01.opendev.org.yaml
 - host_vars/letsencrypt02.opendev.org.yaml
+ - host_vars/gitea99.opendev.org.yaml
 - host_vars/mirror01.openafs.provider.opendev.org.yaml
 - host_vars/mirror-update01.opendev.org.yaml
 - host_vars/backup-test01.opendev.org.yaml
diff --git a/playbooks/zuul/templates/group_vars/gitea.yaml.j2 b/playbooks/zuul/templates/group_vars/gitea.yaml.j2
index b793353ddb..d0dfb8a845 100644
--- a/playbooks/zuul/templates/group_vars/gitea.yaml.j2
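Review bot: `Put key in place` installs the private key as `root:root` with `mode: '0644'`, which leaves `/var/gitea/certs/key.pem` readable by every local account on the host; the directory is created as `1000:1000`, which suggests the container process runs as uid 1000, so restrict the key to that owner instead — `owner: 1000`, `group: 1000`, `mode: '0600'` (or `root:1000` with `'0640'`) — while `cert.pem` can stay `0644`. Two smaller points: the first task name has a typo (`directy` → `directory`), and the file mixes `yes` and `false` for booleans — use `true`/`false` throughout (`remote_src: true`, `ignore_errors: true`), and `failed_when: false` expresses the intent of the `pgrep` probe better than `ignore_errors`. `pgrep -f gitea` matches any process whose command line contains `gitea`, so `gitea_pids.rc == 0` is a coarse liveness heuristic rather than a check on the compose service; a comment saying so would stop someone from tightening `when:` on the wrong assumption.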
+++ b/playbooks/zuul/templates/group_vars/gitea.yaml.j2 
@@ -7,54 +7,3 @@ gitea_db_password: 5bfuOBKtltff0XZX gitea_root_password: BUbBcpToMwR05ZCB gitea_no_log: false gitea_gerrit_password: yVpMWIUIvT7f6NwA -gitea_tls_cert: | - -----BEGIN CERTIFICATE----- - MIIDXTCCAkWgAwIBAgIJANOV6XqCusL0MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV - BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX - aWRnaXRzIFB0eSBMdGQwHhcNMTkwMjE1MjIwNjI0WhcNMTkwMzE3MjIwNjI0WjBF - MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 - ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB - CgKCAQEAvXpjO7ViMSG5IuSi7Y76wGUML2WpVyjGKeJur2BQkQQwy+5daUAwM0sr - sSa31IDya9hlDetQpLFE1QPFrwkNe2MT9+V/vIJJDoRbt2Tgrzj1ZL/DSws1FikF - L7vI8Je0Hb4Ylhd66xeuoz3jQW6ky9huJi8ZEkc4DNa1ehkyZd2nUXsu5DizQEU6 - b+I5LneikWPrMSNOMSw3BrC9P6j9X8/j2Txpmkww3sC+TegsQKQSNTBvz8HUM6m6 - OlT/yezjkNCDd/HHR49veMiOgvwJK6ZVGXl7Pg/tb+piXlI4lrXD0tjzEY+4jPJW - 6m55r3l+yFvVoomStAjc7mDDnYul+wIDAQABo1AwTjAdBgNVHQ4EFgQUbVQz03pc - RO167fYlsXNtSFPP7oYwHwYDVR0jBBgwFoAUbVQz03pcRO167fYlsXNtSFPP7oYw - DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAQV+91n6+Wb4kj3byEJL9 - X75geYQ7oz2HgWyJ8EB/cfxhZDxe4AqaTOnTsz2hf+QLh46wnc1Kkwn6REtq2izn - uLRYQJ1RklhGFMNEanweMwwVOcqsclFzX/u5dDl6jGaVaz2G/chvhPScmqoZGc9u - 4K0DE5kQTHwYwyBSuOmZ0K+zlEzTaXt5Uadc8OpQ8Axx8sR9yhb5mDq2To6jBjU3 - aT8Nwcpc2QchAA/dlJFfqm9YHCjcqtPdBuNrsRHP3FABr8OlmNTx3hm6ox7Zhijx - ROGRUmwjV78T87Z1gF5cpBEUj5BgiyMyoaK5HjWg9HJfPolul20PN88o+n17hkK8 - lw== - -----END CERTIFICATE----- -gitea_tls_key: | - -----BEGIN PRIVATE KEY----- - MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC9emM7tWIxIbki - 5KLtjvrAZQwvZalXKMYp4m6vYFCRBDDL7l1pQDAzSyuxJrfUgPJr2GUN61CksUTV - A8WvCQ17YxP35X+8gkkOhFu3ZOCvOPVkv8NLCzUWKQUvu8jwl7QdvhiWF3rrF66j - PeNBbqTL2G4mLxkSRzgM1rV6GTJl3adRey7kOLNARTpv4jkud6KRY+sxI04xLDcG - sL0/qP1fz+PZPGmaTDDewL5N6CxApBI1MG/PwdQzqbo6VP/J7OOQ0IN38cdHj294 - yI6C/AkrplUZeXs+D+1v6mJeUjiWtcPS2PMRj7iM8lbqbnmveX7IW9WiiZK0CNzu - YMOdi6X7AgMBAAECggEBAJcQLnF6KTD2q/3vvx4a8jvV1CMtsBb3QRY/mvNjnJgh - 
eS39eqfhLwyWD92K+uEHdT8aJWc1hvPnCPOzsDXex8rpsQ/g/zgxv0E9sUnDuYa5 - qJuMb40zAD4Msj/ePVPj/wv/dOalDbDFDszDGJ4gMm76vMbgoeJ6uWsy+zi/QfkH - oI36pUnk165oGQtLVljKhclVpFcdno+E1LhrGpTgkHHNgx7P3J0mpsmjhIuQy9qk - Ugp9sPdvevgiduLW3qAWurn0lbQ1xcXt+BrGsqEU9m5wY6r4RLdqvHqfwgRCNOAC - blfXLacvh48Hpic4/LzXZmif83F6ntK4gierOp7aq+ECgYEA7ieBsvG5Dz2IasSu - n/1cNv7OtGn0cRuaW4zChraR4gKwOt93TL8jB0vjFr2Dp7SQsLdKfzuWMgnuI5wG - GZzx6nKM9hboCnh8p7jTF08HdAcXp5Bmfq8e9TUz2OUuU88PPcZDFwBL7Pk/lSn+ - L7U3zLnjzqkbcqiyH4khWef22JkCgYEAy60g/Nnc+AWFhJToKEbd1JRwDDyYa6Ub - 7zmcR0C1e3sUXfZf67qBEeXVNPV7mOwQ94ff/A7InzckAIAeWPT95idZ2MTdC097 - NWC81IAvJODK/Y69AuPcyz69QYnRLKUfPwE4iTl77iev8tIwXDbkdhiW6dq4O93z - 843PGEnkq7MCgYEAkr9XRSt7q+9votKlA8K70st6FWOAkz2+BJGcwCO5irm7W9ud - CHZyoClbugR3Hpy915Zp2jKeXyENU3XtsFSsIJoLUAxXWTRbI4JY2HEDF7TTF5Z8 - Aa3o9pGc7BZ0UIIzUw5bAs5U+qWvTzu7/Cu/QXB99jbvydw3PgVivqKX0WkCgYAn - jZSFZe2igLgAGkbHY5O6r6Tey3myFdtJ5r8xmyBjPXCkGq9gANUF28M+yJlbBiT5 - XPqjYV+Wg8fLDRZXoiQYaPXqwbhHdQTxRbsF7Wq6V6kz+l88S3HaSnHIY3IqoFpk - CuGmzHIDutNRbX4Uulg9kuLjwSTcA2tXledsyRTOPwKBgHHRUWkzf2GHHOcla9td - TEUmEM3gpXQmtjec976VjSnD7N8aitTfknLUtyq7f3VfPA/Oj/eug2lNX9+cCKMG - 0nN3kZLVaUvxJ5YPiaQ9EzGqRoDOMto+CRksuSnBUGDcvpBX6Z+09qZgzqP3En1K - eZ6Mi1Y0bWwKXCyd8tbbqi9p - -----END PRIVATE KEY----- diff --git a/playbooks/zuul/templates/host_vars/gitea99.opendev.org.yaml.j2 b/playbooks/zuul/templates/host_vars/gitea99.opendev.org.yaml.j2 new file mode 100644 index 0000000000..5f975777af --- /dev/null +++ b/playbooks/zuul/templates/host_vars/gitea99.opendev.org.yaml.j2 @@ -0,0 +1,4 @@ +letsencrypt_certs: + gitea99-main: + - gitea99.opendev.org + - opendev.org