diff --git a/.infra/Freyfile.hcl b/.infra/Freyfile.hcl
index a1cb1cf..0658e0e 100644
--- a/.infra/Freyfile.hcl
+++ b/.infra/Freyfile.hcl
@@ -180,6 +180,10 @@ setup {
       name           = "nginx | Add nginx PPA"
       apt_repository = "repo='ppa:nginx/stable'"
     }
+    tasks {
+      name = "nginx | Create public www directory"
+      file = "path=/mnt/nginx-www state=directory owner=www-data group=ubuntu mode=ug+rwX,o= recurse=yes"
+    }
   }
 }
 
diff --git a/.infra/files/nginx.conf b/.infra/files/nginx.conf
index c2e6e26..d9aaf7f 100644
--- a/.infra/files/nginx.conf
+++ b/.infra/files/nginx.conf
@@ -4,6 +4,13 @@ server {
 
     server_name master.tus.io;
 
+    # certbot will place the files required for the HTTP challenge in the
+    # webroot under the .well-known/acme-challenge directory. Therefore we must
+    # make this path publicly accessible.
+    location /.well-known {
+            root /mnt/nginx-www/;
+    }
+
     location / {
         # Forward incoming requests to local tusd instance
         proxy_pass http://localhost:8080;