# You can add any Apache2 config to the VHost config
additional_config: |
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
```
To tell the certbot role which certificates to issue, create another hostvars file such as `host_vas/web01.example.org/certbot.yml`:
```yaml
certbot_certificates:
foo.example.org:
webroot_map:
foo.example.org: /var/www/foo.example.org/html
bar.example.org:
webroot_map:
bar.example.org: /var/www/bar.example.org/html
baz.example.org: /var/www/bar.example.org/html
```
### Bootstrap
The bootstrap mechanism works in two steps:
- When the configured certificate files do not exist yet, the apache2 role instead uses Debian's default "snakeoil" certificate, resulting in a valid configuration, but using self-signed certificates.
- After the ACME challenge has been completed - which can be done with invalid certs - and the Apache2 role is applied a second time, it now configures the certificates issued by Let's Encrypt.
This can either be achieved by running the playbook from the previous example twice, or by invoking the Apache2 role twice in the same playbook (but in a second play):