diff --git a/roles/configure-mirrors/README.rst b/roles/configure-mirrors/README.rst
index d7d6570d0..8152ce499 100644
--- a/roles/configure-mirrors/README.rst
+++ b/roles/configure-mirrors/README.rst
@@ -7,6 +7,13 @@ An ansible role to configure services to use mirrors.
 
    The base host for mirror servers.
 
+.. zuul:rolevar:: mirror_use_ssl
+   :default: False
+
+   Use ssl to communicate to mirror endpoints. Note if the platform
+   cannot use ssl (for example Ubuntu Xenial apt needs additional packages)
+   this will still use http instead of https when set for that platform.
+
 .. zuul:rolevar:: pypi_fqdn
    :default: {{ mirror_fqdn }}
 
diff --git a/roles/configure-mirrors/defaults/main.yaml b/roles/configure-mirrors/defaults/main.yaml
index 4a07e2c90..7cd665bb7 100644
--- a/roles/configure-mirrors/defaults/main.yaml
+++ b/roles/configure-mirrors/defaults/main.yaml
@@ -1,5 +1,12 @@
+set_apt_mirrors_trusted: False
 mirror_fqdn: "{{ zuul_site_mirror_fqdn|default(omit) }}"
 pypi_fqdn: "{{ mirror_fqdn }}"
-pypi_mirror: "http://{{ pypi_fqdn }}/pypi/simple"
-set_apt_mirrors_trusted: False
-wheel_mirror: "http://{{ mirror_fqdn }}/wheel/{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}"
+mirror_use_ssl: False
+http_or_https: >-
+  {%- if mirror_use_ssl and ansible_distribution_release not in ['xenial', 'stretch'] -%}
+  https
+  {%- else -%}
+  http
+  {%- endif -%}
+pypi_mirror: "{{ http_or_https }}://{{ pypi_fqdn }}/pypi/simple"
+wheel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/wheel/{{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}"
diff --git a/roles/configure-mirrors/vars/CentOS.yaml b/roles/configure-mirrors/vars/CentOS.yaml
index 79ea83ed0..7821347ea 100644
--- a/roles/configure-mirrors/vars/CentOS.yaml
+++ b/roles/configure-mirrors/vars/CentOS.yaml
@@ -1,2 +1,2 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
-epel_mirror: "http://{{ mirror_fqdn }}/epel"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+epel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/epel"
diff --git a/roles/configure-mirrors/vars/Debian.yaml b/roles/configure-mirrors/vars/Debian.yaml
index 37406c126..8b24e3331 100644
--- a/roles/configure-mirrors/vars/Debian.yaml
+++ b/roles/configure-mirrors/vars/Debian.yaml
@@ -1,2 +1,2 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
-security_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-security"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+security_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-security"
diff --git a/roles/configure-mirrors/vars/Fedora.yaml b/roles/configure-mirrors/vars/Fedora.yaml
index e4da29a79..a2b5d4c87 100644
--- a/roles/configure-mirrors/vars/Fedora.yaml
+++ b/roles/configure-mirrors/vars/Fedora.yaml
@@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
diff --git a/roles/configure-mirrors/vars/Suse.yaml b/roles/configure-mirrors/vars/Suse.yaml
index 5947d7121..52c4800f5 100644
--- a/roles/configure-mirrors/vars/Suse.yaml
+++ b/roles/configure-mirrors/vars/Suse.yaml
@@ -1,7 +1,7 @@
-package_mirror: "http://{{ mirror_fqdn }}/opensuse"
 wheels_slug: "{%- if ansible_distribution == 'openSUSE Tumbleweed' -%}
                  opensuse-tumbleweed-{{ ansible_architecture | lower }}
               {%- else -%}
                  {{ ansible_distribution | lower }}-{{ ansible_distribution_version }}-{{ ansible_architecture | lower }}
               {%- endif -%}"
-wheel_mirror: "http://{{ mirror_fqdn }}/wheel/{{ wheels_slug }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/opensuse"
+wheel_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/wheel/{{ wheels_slug }}"
diff --git a/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml b/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
index 047179039..cd9b03768 100644
--- a/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
+++ b/roles/configure-mirrors/vars/Ubuntu.aarch64.yaml
@@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-ports"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}-ports"
diff --git a/roles/configure-mirrors/vars/Ubuntu.yaml b/roles/configure-mirrors/vars/Ubuntu.yaml
index e4da29a79..a2b5d4c87 100644
--- a/roles/configure-mirrors/vars/Ubuntu.yaml
+++ b/roles/configure-mirrors/vars/Ubuntu.yaml
@@ -1 +1 @@
-package_mirror: "http://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
+package_mirror: "{{ http_or_https }}://{{ mirror_fqdn }}/{{ ansible_distribution | lower }}"
diff --git a/test-playbooks/base-roles/configure-mirrors.yaml b/test-playbooks/base-roles/configure-mirrors.yaml
index 1efedb8fe..114ad5a2d 100644
--- a/test-playbooks/base-roles/configure-mirrors.yaml
+++ b/test-playbooks/base-roles/configure-mirrors.yaml
@@ -1,4 +1,4 @@
-- name: Test the configure-mirrors role
+- name: Test the configure-mirrors role with http
   hosts: all
   roles:
     - role: configure-mirrors
@@ -9,7 +9,30 @@
       set_fact:
         emacs_package: app-editors/emacs
       when: ansible_distribution == 'Gentoo'
-    - name: Install a package to sanity check the mirror configuration
+    - name: Install a package to sanity check the http mirror configuration
+      package:
+        name: "{{ emacs_package | default('emacs') }}"
+        state: "present"
+      become: yes
+
+- name: Test the configure-mirrors role with https
+  hosts: all
+  roles:
+    - role: configure-mirrors
+      mirror_fqdn: "{{ zuul_site_mirror_fqdn }}"
+      mirror_use_ssl: True
+      set_apt_mirrors_trusted: True
+  post_tasks:
+    - name: Set emacs package fact for gentoo
+      set_fact:
+        emacs_package: app-editors/emacs
+      when: ansible_distribution == 'Gentoo'
+    - name: Remove existing emacs package install
+      package:
+        name: "{{ emacs_package | default('emacs') }}"
+        state: "absent"
+      become: yes
+    - name: Install a package to sanity check the https mirror configuration
       package:
         name: "{{ emacs_package | default('emacs') }}"
         state: "present"