diff --git a/servarr-system/servarr.yaml b/servarr-system/servarr.yaml
index eee17e5..e5e1aef 100644
--- a/servarr-system/servarr.yaml
+++ b/servarr-system/servarr.yaml
@@ -340,6 +340,18 @@ spec:
   selector:
     app: qbittorrent
 ---
+# Authentik outpost service reference
+apiVersion: v1
+kind: Service
+metadata:
+  name: ak-outpost-arr-outpost
+  namespace: servarr-system
+spec:
+  type: ExternalName
+  externalName: ak-outpost-arr-outpost.auth-system.svc.cluster.local
+  ports:
+  - port: 9000
+---
 # Ingresses with Authentik proxy auth
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -351,6 +363,9 @@ metadata:
     nginx.ingress.kubernetes.io/auth-signin: https://prowlarr.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
     nginx.ingress.kubernetes.io/auth-snippet: |
       proxy_set_header X-Forwarded-Host $http_host;
+      if ($request_uri ~ "^/.well-known/acme-challenge/") {
+        return 200;
+      }
     nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-arr-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
     nginx.ingress.kubernetes.io/proxy-body-size: "0"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -394,6 +409,9 @@ metadata:
     nginx.ingress.kubernetes.io/auth-signin: https://radarr.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
     nginx.ingress.kubernetes.io/auth-snippet: |
       proxy_set_header X-Forwarded-Host $http_host;
+      if ($request_uri ~ "^/.well-known/acme-challenge/") {
+        return 200;
+      }
     nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-arr-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
     nginx.ingress.kubernetes.io/proxy-body-size: "0"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -437,6 +455,9 @@ metadata:
     nginx.ingress.kubernetes.io/auth-signin: https://sonarr.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
     nginx.ingress.kubernetes.io/auth-snippet: |
       proxy_set_header X-Forwarded-Host $http_host;
+      if ($request_uri ~ "^/.well-known/acme-challenge/") {
+        return 200;
+      }
     nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-arr-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
     nginx.ingress.kubernetes.io/proxy-body-size: "0"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -480,6 +501,9 @@ metadata:
     nginx.ingress.kubernetes.io/auth-signin: https://qbittorrent.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
     nginx.ingress.kubernetes.io/auth-snippet: |
       proxy_set_header X-Forwarded-Host $http_host;
+      if ($request_uri ~ "^/.well-known/acme-challenge/") {
+        return 200;
+      }
     nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-arr-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
     nginx.ingress.kubernetes.io/proxy-body-size: "0"
     nginx.ingress.kubernetes.io/ssl-redirect: "true"
@@ -589,16 +613,3 @@ spec:
     requests:
       storage: 1Gi
   storageClassName: longhorn
----
-# Authentik outpost service reference
-apiVersion: v1
-kind: Service
-metadata:
-  name: ak-outpost-arr-outpost
-  namespace: servarr-system
-spec:
-  type: ExternalName
-  externalName: ak-outpost-arr-outpost.auth-system.svc.cluster.local
-  ports:
-  - port: 9000
----