diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index c09fb36a..f7aaf205 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -41,8 +41,8 @@ jobs:
           -etcd-endpoints http://localhost:2379 \
           -advertise-url http://localhost:10080 \
           -advertise-url-https https://localhost:10443 \
-          -server-cert ./e2e/certs/server.crt \
-          -server-key ./e2e/certs/server.key.insecure &
+          -server-cert ./mtest/certs/server.crt \
+          -server-key ./mtest/certs/server.key.insecure &
 
       - name: Run test
         run: make test
diff --git a/docs/api.md b/docs/api.md
index 56177957..aebd2b79 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -1010,7 +1010,7 @@ Register disk encryption key. The request body is raw binary format of the key.
 **Example**
 
 ```console
-$ head -c256 /dev/urandom | curl -s -i -X PUT -d - 'localhost:10443/api/v1/crypts/1/pci-0000:00:17.0-ata-1'
+$ head -c256 /dev/urandom | curl -s -i -X PUT -d - 'https://localhost:10443/api/v1/crypts/1/pci-0000:00:17.0-ata-1'
 HTTP/1.1 201 Created
 Content-Type: application/json
 Date: Tue, 10 Apr 2018 09:12:12 GMT
@@ -1038,7 +1038,7 @@ Get an encryption key of the particular disk.
 **Example**
 
 ```console
-$ curl -s -i 'localhost:10080/api/v1/crypts/1/pci-0000:00:17.0-ata-1'
+$ curl -s -i 'https://localhost:10443/api/v1/crypts/1/pci-0000:00:17.0-ata-1'
 HTTP/1.1 200 OK
 Content-Type: application/octet-stream
 Date: Tue, 10 Apr 2018 09:15:59 GMT
@@ -1060,7 +1060,7 @@ Delete all disk encryption keys of the specified machine. This request does not
 **Example**
 
 ```console
-$ curl -s -X DELETE 'localhost:10080/api/v1/crypts/1'
+$ curl -s -X DELETE 'https://localhost:10443/api/v1/crypts/1'
 ["abdef", "aaaaa"]
 ```
 
diff --git a/web/crypts_test.go b/web/crypts_test.go
index 2a625a09..46b26c04 100644
--- a/web/crypts_test.go
+++ b/web/crypts_test.go
@@ -15,6 +15,37 @@ import (
 	"github.com/cybozu-go/sabakan/v2/models/mock"
 )
 
+func testCryptsHTTP(t *testing.T) {
+	// test sabakan HTTP Server returns 404 for crypts API
+	ctx := context.Background()
+	m := mock.NewModel()
+	handler := Server{Model: m, TLSServer: false}
+	err := m.Machine.Register(ctx, []*sabakan.Machine{
+		sabakan.NewMachine(sabakan.MachineSpec{Serial: "1"}),
+	})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	serial := "1"
+	diskPath := "exists-path"
+	key := "aaa"
+
+	err = m.Storage.PutEncryptionKey(ctx, serial, diskPath, []byte(key))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	expectedStatusCode := 404
+	w := httptest.NewRecorder()
+	r := httptest.NewRequest("GET", path.Join("/api/v1/crypts", serial, diskPath), nil)
+	handler.ServeHTTP(w, r)
+	resp := w.Result()
+	if resp.StatusCode != expectedStatusCode {
+		t.Error("wrong status code, expects:", expectedStatusCode, ", actual:", resp.StatusCode)
+	}
+}
+
 func testCryptsGet(t *testing.T) {
 	ctx := context.Background()
 	m := mock.NewModel()
@@ -252,6 +283,7 @@ func testCryptsDelete(t *testing.T) {
 }
 
 func TestCrypts(t *testing.T) {
+	t.Run("HTTP", testCryptsHTTP)
 	t.Run("Get", testCryptsGet)
 	t.Run("Put", testCryptsPut)
 	t.Run("Delete", testCryptsDelete)