Expect to be using certbot by default
diff --git a/gerrit/Dockerfile b/gerrit/Dockerfile
index 161f286..7ff4958 100644
--- a/gerrit/Dockerfile
+++ b/gerrit/Dockerfile
@@ -1,22 +1,35 @@
-FROM gerritcodereview/gerrit:3.8.0
+ARG SSL_VARIANT=letsencrypt
+ARG GERRIT_TAG=3.8.0
 
-COPY --from=sourcearcade-nginx /etc/ssl/certs/sa-selfsigned.crt /var/gerrit/etc/
-RUN \
+
+FROM gerritcodereview/gerrit:${GERRIT_TAG} as gerrit_letsencrypt
+
+# Nothing to do
+
+
+FROM gerritcodereview/gerrit:${GERRIT_TAG} as gerrit_selfsigned
+
+ONBUILD COPY --from=sourcearcade-nginx /etc/ssl/certs/sa-selfsigned.crt /var/gerrit/etc/
+ONBUILD RUN \
 	keytool -importcert -alias sa-selfsigned -file /var/gerrit/etc/sa-selfsigned.crt \
 		-keystore /var/gerrit/truststore -storepass uiaeuiae -noprompt && \
 	rm /var/gerrit/etc/sa-selfsigned.crt
-RUN \
+ONBUILD RUN \
 	echo | keytool -importkeystore \
 		-srckeystore /usr/lib/jvm/java-*/lib/security/cacerts \
 		-destkeystore /var/gerrit/truststore \
 		-deststorepass uiaeuiae -noprompt
 
-USER root
-RUN \
+ONBUILD USER root
+ONBUILD RUN \
 	printf 'JAVA_OPTIONS="%s %s"\n' \
 		-Djavax.net.ssl.trustStore=/var/gerrit/truststore \
 		-Djavax.net.ssl.trustStorePassword=uiaeuiae >>/etc/default/gerritcodereview
 
+
+FROM gerrit_${SSL_VARIANT}
+
+USER root
 COPY gerrit/Dockerfile.entrypoint /privileged.sh
 RUN chmod 544 /privileged.sh
 COPY gerrit/Dockerfile.entrypoint-unprivileged /unprivileged.sh