diff --git a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
index 82ea1249b..95527c4ab 100755
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
@@ -22,6 +22,7 @@ function set_worker_processes() {
 set_worker_processes
+# ensure the directory for ACME challenges exists
 mkdir -p /etc/letsencrypt/www
 # Create self signed certs if needed
diff --git a/docker/main/rootfs/usr/local/nginx/conf/tls.conf b/docker/main/rootfs/usr/local/nginx/conf/tls.conf
index 9180caf00..fe2673f53 100644
--- a/docker/main/rootfs/usr/local/nginx/conf/tls.conf
+++ b/docker/main/rootfs/usr/local/nginx/conf/tls.conf
@@ -15,4 +15,10 @@ ssl_protocols TLSv1.3;
 ssl_prefer_server_ciphers off;
 # HSTS (ngx_http_headers_module is required) (63072000 seconds)
-add_header Strict-Transport-Security "max-age=63072000" always;
\ No newline at end of file
+add_header Strict-Transport-Security "max-age=63072000" always;
+
+# ACME challenge location
+location /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /etc/letsencrypt/www;
+}
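Review bot: The new `location /.well-known/acme-challenge/` block in tls.conf makes the file valid only when it is included inside a `server` block, and the challenge files are served only by the listeners that include it. HTTP-01 validation starts with a plain-HTTP request on port 80, so if tls.conf is included only by the TLS server (the including config is not part of this diff), issuance depends on port 80 redirecting to HTTPS; a comment such as `# must be included in a server block; port 80 has to serve or redirect this path for HTTP-01` would record that. The webroot sits under /etc/letsencrypt, where certificate material is normally kept, and this block itself adds no access restriction, so I would add `try_files $uri =404;` inside the location and keep `root` pinned to the `www` subdirectory as it is now.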