Expect to be using certbot by default
diff --git a/gerrit/Dockerfile b/gerrit/Dockerfile
index 161f286..7ff4958 100644
--- a/gerrit/Dockerfile
+++ b/gerrit/Dockerfile
@@ -1,22 +1,35 @@
-FROM gerritcodereview/gerrit:3.8.0
+ARG SSL_VARIANT=letsencrypt
+ARG GERRIT_TAG=3.8.0
-COPY --from=sourcearcade-nginx /etc/ssl/certs/sa-selfsigned.crt /var/gerrit/etc/
-RUN \
+
+FROM gerritcodereview/gerrit:${GERRIT_TAG} as gerrit_letsencrypt
+
+# Nothing to do
+
+
+FROM gerritcodereview/gerrit:${GERRIT_TAG} as gerrit_selfsigned
+
+ONBUILD COPY --from=sourcearcade-nginx /etc/ssl/certs/sa-selfsigned.crt /var/gerrit/etc/
+ONBUILD RUN \
keytool -importcert -alias sa-selfsigned -file /var/gerrit/etc/sa-selfsigned.crt \
-keystore /var/gerrit/truststore -storepass uiaeuiae -noprompt && \
rm /var/gerrit/etc/sa-selfsigned.crt
-RUN \
+ONBUILD RUN \
echo | keytool -importkeystore \
-srckeystore /usr/lib/jvm/java-*/lib/security/cacerts \
-destkeystore /var/gerrit/truststore \
-deststorepass uiaeuiae -noprompt
-USER root
-RUN \
+ONBUILD USER root
+ONBUILD RUN \
printf 'JAVA_OPTIONS="%s %s"\n' \
-Djavax.net.ssl.trustStore=/var/gerrit/truststore \
-Djavax.net.ssl.trustStorePassword=uiaeuiae >>/etc/default/gerritcodereview
+
+FROM gerrit_${SSL_VARIANT}
+
+USER root
COPY gerrit/Dockerfile.entrypoint /privileged.sh
RUN chmod 544 /privileged.sh
COPY gerrit/Dockerfile.entrypoint-unprivileged /unprivileged.sh