.well-known path serving custom files behind proxy?


I’ve been following this guide to self-host gitea on nearlyfreespeech behind their proxy. I’m using “1.16.8 built with GNU Make 4.3, go1.18.2 : bindata, sqlite, sqlite_unlock_notify”. Things have been going smoothly, I got the site up and serving fine, but I’ve hit a roadblock trying to run the script provided by nearlyfreespeech to set up TLS using Let’s Encrypt.

The problem seems to be that the well-known http-01 type verification that the dehydrate tool uses expects a hard-coded path to something like http://example.org/.well-known/acme-challenge/m4g1c-t0k3n. This is how Let’s Encrypt then verifies that you have control over the domain, it gives a magic token to the requester and then expects it to be able to fetch from that hard-coded URL.

I’ve got everything set up to create the .well-known directory in my {$CUSTOM_PATH}/public directory for serving. The problem is that gitea then attaches a assets subdirectory to the URL for serving files out of that custom path. Let’s Encrypt, however, cannot be configured to ask for the token at http://example.org/assets/.well-known/acme-challenge/m4g1c-t0k3n.

Is there some way to configure gitea to serve the .well-known path as without appending assets to the URL? I’d like to allow a cron job to periodically automatically renew my certs, so this would need to be a setup I can leave in place. It seems a little excessive to set up a separate static content web server to serve only certificate challenges, which would mean less than 1 query per month.


You can add a proxy in the site panel. I’ve configured a proxy as follows:

  • Protocol: http
  • Base URI: /.well-known/
  • Document Root: /assets/.well-known/
  • Port: (same port as Gitea listens on, 3000 by default)

After this, the certificate challenge will succeed.

The “public” / “assets” directory wasn’t well-designed.

I have a better idea for this case: Add static HTTP file server for /.well-known/ endpoint by alex19srv · Pull Request #25892 · go-gitea/gitea · GitHub

Done in Serve pre-defined files in "public", add "security.txt", add CORS header for ".well-known" by wxiaoguang · Pull Request #25974 · go-gitea/gitea · GitHub

Serve pre-defined files in “public”, add “security.txt”, add CORS header for “.well-known” #25974