diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp
index 50a7ddb0f..e020eaf40 100644
--- a/manifests/profile/base/aodh/api.pp
+++ b/manifests/profile/base/aodh/api.pp
@@ -37,6 +37,7 @@ class tripleo::profile::base::aodh::api (
 
   if $step >= 3 {
     include ::aodh::api
+    include ::apache::mod::ssl
     include ::aodh::wsgi::apache
 
     #NOTE: Combination alarms are deprecated in newton and disabled by default.
diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp
index da94da2ad..d31382acb 100644
--- a/manifests/profile/base/ceilometer/api.pp
+++ b/manifests/profile/base/ceilometer/api.pp
@@ -30,6 +30,7 @@ class tripleo::profile::base::ceilometer::api (
 
   if $step >= 4 {
     include ::ceilometer::api
+    include ::apache::mod::ssl
     include ::ceilometer::wsgi::apache
   }
 }
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index 9a085515e..51b441799 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -50,6 +50,7 @@ class tripleo::profile::base::gnocchi::api (
 
   if $step >= 4 {
     include ::gnocchi::api
+    include ::apache::mod::ssl
     include ::gnocchi::wsgi::apache
 
     class { '::gnocchi::storage':
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index 7e8409566..eda6767b2 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -87,6 +87,7 @@ class tripleo::profile::base::keystone (
     }
 
     include ::keystone::config
+    include ::apache::mod::ssl
     include ::keystone::wsgi::apache
     include ::keystone::cors
 
diff --git a/releasenotes/notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml b/releasenotes/notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml
new file mode 100644
index 000000000..92f2360ac
--- /dev/null
+++ b/releasenotes/notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    With having package mod_ssl by default installed in images we introduced
+    issue with mod_ssl package update. In case of SSL not being used or
+    provided by HAproxy the puppet-apache module by default purges the
+    ssl.conf file. The package update then recreates the file with default
+    Listen 443 option. This causes conflict on 443 port during httpd restart.
+    If we include ::apache::mod::ssl the ssl.conf file will be configured and
+    the Listen option will be used only if there is vhost set to use SSL.