system-config/playbooks/roles/static/files/50-zuul-ci.org.conf

<VirtualHost *:80>
    ServerName zuul-ci.org
    ServerAlias www.zuul-ci.org
    ServerAlias zuulci.org
    ServerAlias www.zuulci.org

    RewriteEngine on
    RewriteRule ^/(.*) https://zuul-ci.org/$1 [last,redirect=permanent]

    ErrorLog /var/log/apache2/zuul-ci.org_error.log
    LogLevel warn
    CustomLog /var/log/apache2/zuul-ci.org_access.log combined
    ServerSignature Off
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName zuul-ci.org
    ServerAlias www.zuul-ci.org
    ServerAlias zuulci.org
    ServerAlias www.zuulci.org

    RewriteEngine on

    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    # Once the machine is using something to terminate TLS that supports ECDHE
    # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
    # only is guarenteed.
    SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
    SSLHonorCipherOrder on
    SSLCertificateFile /etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.cer
    SSLCertificateKeyFile /etc/letsencrypt-certs/zuul-ci.org/zuul-ci.org.key
    SSLCertificateChainFile /etc/letsencrypt-certs/zuul-ci.org/ca.cer

    DocumentRoot /afs/openstack.org/project/zuul-ci.org/www
    <Directory /afs/openstack.org/project/zuul-ci.org/www>
        Options Indexes FollowSymLinks MultiViews
        Require all granted
        AllowOverride None
        # Allow mod_rewrite rules
        AllowOverrideList Redirect RedirectMatch
        ErrorDocument 404 /errorpage.html
    </Directory>

    ErrorLog /var/log/apache2/zuul-ci.org_error.log
    LogLevel warn
    CustomLog /var/log/apache2/zuul-ci.org_access.log combined
    ServerSignature Off
</VirtualHost>
</IfModule>