diff --git a/modules/openstack_project/manifests/static.pp b/modules/openstack_project/manifests/static.pp
index 041a76b9c7..21b31317e7 100644
--- a/modules/openstack_project/manifests/static.pp
+++ b/modules/openstack_project/manifests/static.pp
@@ -143,10 +143,17 @@ class openstack_project::static (
 # Tarballs
 ::httpd::vhost { 'tarballs.openstack.org':
- port => 80,
- priority => '50',
- docroot => '/srv/static/tarballs',
- require => File['/srv/static/tarballs'],
+ port => 443, # Is required despite not being used.
+ docroot => '/srv/static/tarballs',
+ priority => '50',
+ ssl => true,
+ template => 'openstack_project/static-http-and-https.vhost.erb',
+ vhost_name => 'tarballs.openstack.org',
+ require => [
+ File['/srv/static/tarballs'],
+ File[$cert_file],
+ File[$key_file],
+ ],
 }
 file { '/srv/static/tarballs':
diff --git a/modules/openstack_project/templates/static-http-and-https.vhost.erb b/modules/openstack_project/templates/static-http-and-https.vhost.erb
new file mode 100644
index 0000000000..360c627d7e
--- /dev/null
+++ b/modules/openstack_project/templates/static-http-and-https.vhost.erb
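Review bot: The new `require` array orders the vhost after `File[$cert_file]` and `File[$key_file]`, but not after the chain file, although the template this resource now renders emits `SSLCertificateChainFile` whenever `chain_file` is non-empty. If the chain file is managed as a `File` resource elsewhere in the class (not visible in this hunk), the vhost could be written before that file exists; building the array conditionally so that it also contains `File[$chain_file]` when `$chain_file != ''` would close the gap. The comment on `port` would help more if it said why the value is needed, for example `# httpd::vhost needs a port; the custom template declares its own listeners`, assuming that is the reason. The resource sits inside `class openstack_project::static`, whose parameters and the declarations of `$cert_file` and `$key_file` are outside the hunk.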
@@ -0,0 +1,49 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+
+ ServerName <%= @vhost_name %>
+ DocumentRoot <%= @docroot %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ Satisfy Any
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName <%= @vhost_name %>
+ DocumentRoot <%= @docroot %>
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile <%= scope['openstack_project::static::cert_file'] %>
+ SSLCertificateKeyFile <%= scope['openstack_project::static::key_file'] %>
+<% if scope['openstack_project::static::chain_file'] != '' %>
+ SSLCertificateChainFile <%= scope['openstack_project::static::chain_file'] %>
+<% end %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ Satisfy Any
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @vhost_name %>_error.log
+ CustomLog /var/log/apache2/<%= @vhost_name %>_access.log combined
+ ServerSignature Off
+
+
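Review bot: The `SSLCipherSuite` string lists `ECDH+AES256` and `DH+AES256` and then applies `!AES256`, which permanently removes every AES-256 suite, so those two entries can never match and the effective list is AES-128 only. Either drop the two entries or drop `!AES256`, and have the comment above the directive say which one is intended. Until `RSA+AESGCM:RSA+AES` is removed, as that comment plans, clients can still negotiate key exchange without forward secrecy. Separately, `SSLProtocol All -SSLv2 -SSLv3` leaves TLS 1.0 and 1.1 enabled; `SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` would restrict it to TLS 1.2 and later, provided the installed mod_ssl and OpenSSL support that, which is not visible here. The `chain_file` guard only tests `!= ''`, so an undefined value would render an empty `SSLCertificateChainFile` line; it may be worth also checking for nil, depending on the parameter default, which is outside this diff.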