.well-known path serving custom files behind proxy?


I’ve been following this guide to self-host gitea on nearlyfreespeech behind their proxy. I’m using “1.16.8 built with GNU Make 4.3, go1.18.2 : bindata, sqlite, sqlite_unlock_notify”. Things have been going smoothly, I got the site up and serving fine, but I’ve hit a roadblock trying to run the script provided by nearlyfreespeech to set up TLS using Let’s Encrypt.

The problem seems to be that the well-known http-01 type verification that the dehydrate tool uses expects a hard-coded path to something like http://example.org/.well-known/acme-challenge/m4g1c-t0k3n. This is how Let’s Encrypt then verifies that you have control over the domain: it gives a magic token to the requester and then expects to be able to fetch it from that hard-coded URL.

I’ve got everything set up to create the .well-known directory in my {$CUSTOM_PATH}/public directory for serving. The problem is that gitea then attaches an assets subdirectory to the URL for serving files out of that custom path. Let’s Encrypt, however, cannot be configured to ask for the token at http://example.org/assets/.well-known/acme-challenge/m4g1c-t0k3n.

Is there some way to configure gitea to serve the .well-known path without appending assets to the URL? I’d like to allow a cron job to periodically automatically renew my certs, so this would need to be a setup I can leave in place. It seems a little excessive to set up a separate static content web server to serve only certificate challenges, which would mean less than 1 query per month.
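
A pre-flight check for the mismatch described in the post, as an added example that is not part of the original post or of Gitea: `probe` drops a throwaway file into the webroot and fetches it from the fixed http-01 path, so a renewal cron job can confirm the path is served before requesting a certificate. The function names and the small `/assets`-prefixed test server are constructed stand-ins, not Gitea's behaviour in detail.

```python
import functools, http.server, os, secrets, threading, urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # fixed by the http-01 challenge type

def probe(base_url, webroot, prefix=""):
    """Drop a throwaway token file under webroot and fetch it over HTTP.

    With prefix="" this requests the same path an http-01 validator would.
    Returns True only if the exact file body comes back with status 200.
    """
    name, body = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write(body)
    # Ignore proxy environment variables so the request goes straight to base_url.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        url = f"{base_url}{prefix}/{CHALLENGE_DIR}/{name}"
        with opener.open(url, timeout=5) as resp:
            return resp.status == 200 and resp.read().decode() == body
    except (urllib.error.URLError, OSError):
        return False  # 404, connection refused, timeout: validation would fail
    finally:
        os.remove(path)  # never leave probe files in the webroot

def start_static_server(webroot, prefix="/assets"):
    """Constructed stand-in (not Gitea): serves webroot only below `prefix`."""
    class Handler(http.server.SimpleHTTPRequestHandler):
        def do_GET(self):
            if not self.path.startswith(prefix + "/"):
                return self.send_error(404)
            self.path = self.path[len(prefix):]
            super().do_GET()
        def log_message(self, *args):
            pass  # keep the demo quiet
    srv = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), functools.partial(Handler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}"

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:
        srv, base = start_static_server(root)
        print("validator path reachable:", probe(base, root))
        print("reachable under /assets:", probe(base, root, "/assets"))
        srv.shutdown()
```

Against a real site, call `probe("http://example.org", "/path/to/public")` with the webroot the ACME client writes into; a `False` result means the challenge file is not reachable at the path the validator will request.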