To fulfil the certbot HTTP-01 challenge for receiving a Let’s Encrypt certificate you need to have a document root that is reachable from the internet. This can become a problem with applications such as GitLab, SonarQube and even WordPress where you might not have such direct control over the file structure.

This becomes more challenging when your server is located behind a reverse proxy, where the challenge token is not necessarily on the same server. But it can also become a lot more easier.

By adding a new location in the site’s configuration you can redirect the verification by Let’s Encrypt to a document controlled by the reverse proxy, thus having a server and location reachable from the Internet.

NGINX configuration

server {
    listen                  80;
    listen                  [::]:80;
    server_name             <DOMAIN>;

    ... server configuration ...

    location /.well-known/acme-challenge/ {
        root                /var/www/html/;

    error_log               /var/log/nginx/<DOMAIN>-error.log;
    access_log              /var/log/nginx/<DOMAIN>-access.log;

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.