--- a/modules/website/manifests/https/redir.pp	Fri Nov 11 21:02:09 2016 +0000
+++ b/modules/website/manifests/https/redir.pp	Fri Nov 11 21:04:13 2016 +0000
@@ -34,15 +34,40 @@
     $siteroot = $docroot
   }
 
-  if $ssl_cert == undef {
+# These conditionals use an ugly cludge from
+# http://grokbase.com/t/gg/puppet-users/147by1key3/checking-a-variable-is-not-undef#20140713grem6zqsai7qjbgkmd2f4ia3qi
+# because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
+# It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
+# but that threw syntax errors.
+  if $ssl_cert == undef and !("" in [$ssl_cert]) and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
     $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
     $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
+  } elsif $ssl_cert == undef and !("" in [$ssl_cert]) {
+    $sslcert = "${website::certdir}/${shortdomain}.crt"
+    $sslkey = "${website::certdir}/${shortdomain}.key"
+    File {
+      mode => '0400',
+      owner => 'root',
+      group => 'root',
+    }
+    file { $sslcert:
+      source => "puppet:///private/pki/custom/${shortdomain}.crt",
+      before => Apache::Vhost[$name],
+      notify => Service['httpd'],
+      ensure => present;
+    }
+    file { $sslkey:
+      source => "puppet:///private/pki/custom/${shortdomain}.key",
+      before => Apache::Vhost[$name],
+      notify => Service['httpd'],
+      ensure => present;
+    }
   } else {
     $sslcert = $ssl_cert
     $sslkey = $ssl_key
   } 
 
-  if $ssl_ca_chain == undef {
+  if $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
     $ssl_chain = $website::ca_chain
   }
   elsif $ssl_ca_chain == '' {