diff --git a/inventory/groups.yaml b/inventory/groups.yaml
index 55c289ab21..cdb16240ad 100644
--- a/inventory/groups.yaml
+++ b/inventory/groups.yaml
@@ -65,6 +65,7 @@ groups:
     - opendev-k8s*.opendev.org
   letsencrypt:
     - graphite01.opendev.org
+    - insecure-ci-registry[0-9]*.opendev.org
     - mirror[0-9]*.opendev.org
     - files[0-9]*.open*.org
     - static.openstack.org
diff --git a/playbooks/host_vars/insecure-ci-registry01.opendev.org.yaml b/playbooks/host_vars/insecure-ci-registry01.opendev.org.yaml
index 71b79291b7..5000fdd4f3 100644
--- a/playbooks/host_vars/insecure-ci-registry01.opendev.org.yaml
+++ b/playbooks/host_vars/insecure-ci-registry01.opendev.org.yaml
@@ -1 +1,5 @@
 ansible_python_interpreter: python3
+letsencrypt_certs:
+  insecure-ci-registry01-main:
+    - insecure-ci-registry01.opendev.org
+    - insecure-ci-registry.opendev.org
diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
index 87b831aae9..a6809d053f 100644
--- a/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/main.yaml
@@ -31,6 +31,9 @@
 - name: letsencrypt updated logs-main
   include_tasks: roles/letsencrypt-create-certs/handlers/restart_apache.yaml
 
+- name: letsencrypt updated insecure-ci-registry01-main
+  include_tasks: roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml
+
 # Mirrors
 - name: letsencrypt updated mirror01-dfw-rax-main
diff --git a/playbooks/roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml b/playbooks/roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml
new file mode 100644
index 0000000000..b76c29e730
--- /dev/null
+++ b/playbooks/roles/letsencrypt-create-certs/handlers/restart_zuul_registry.yaml
@@ -0,0 +1,39 @@
+- name: Ensure registry cert directy exists
+  file:
+    state: directory
+    path: "/var/registry/certs"
+    owner: root
+    group: root
+
+- name: Put key in place
+  copy:
+    remote_src: yes
+    src: /etc/letsencrypt-certs/{{ inventory_hostname }}/{{ inventory_hostname }}.key
+    dest: /var/registry/certs/domain.key
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Put cert in place
+  copy:
+    remote_src: yes
+    # Zuul-registry doesn't seem to accept separate ca chain and cert files.
+    # I believe it wants a single combined file as per fullchain.cer.
+    src: /etc/letsencrypt-certs/{{ inventory_hostname }}/fullchain.cer
+    dest: /var/registry/certs/domain.crt
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Check for running registry
+  command: pgrep -f zuul-registry
+  ignore_errors: yes
+  register: registry_pids
+
+- name: Restart registry if running
+  when: registry_pids.rc == 0
+  block:
+    - name: Restart registry
+      shell:
+        cmd: docker-compose restart registry
+        chdir: /etc/registry-docker/
diff --git a/playbooks/roles/registry/tasks/main.yaml b/playbooks/roles/registry/tasks/main.yaml
index 10e80b5fc4..a8d43399ce 100644
--- a/playbooks/roles/registry/tasks/main.yaml
+++ b/playbooks/roles/registry/tasks/main.yaml
@@ -10,14 +10,6 @@
     - certs
     - conf
     - etc
-- name: Write TLS private key
-  copy:
-    content: "{{ registry_tls_key }}"
-    dest: /var/registry/certs/domain.key
-- name: Write TLS certificate
-  copy:
-    content: "{{ registry_tls_cert }}{{ registry_tls_chain | default('') }}"
-    dest: /var/registry/certs/domain.crt
 - name: Write clouds.yaml
   template:
     src: clouds.yaml.j2
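Review bot: The private key is installed world-readable: `mode: '0644'` on the "Put key in place" task leaves `/var/registry/certs/domain.key` readable by every local account, and that file is what the registry's TLS identity rests on. Unless the registry container is known to read it as an unprivileged user, `mode: '0600'` is the safe default; if a non-root reader is required, grant it via `group` plus `mode: '0640'` rather than the world bit, while the public `domain.crt` can stay at 0644. Two smaller points in the same file: `remote_src: yes` and `ignore_errors: yes` are YAML 1.1 truthy scalars (write `true`), and `ignore_errors` on the `pgrep` probe still marks the task failed in play output, so `failed_when: false` together with `changed_when: false` states the probe intent better. Also `directy` in the first task name is a typo for `directory`.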