Doubt with nginx configuration

I have used certbot to get my SSL certificate and everything works perfect.

The problem is that I need to use port 443 for Heroku app and it is occupied by nginx according to the modifications made by certbot.

nano /etc/nginx/sites-available/

server {

        root /var/www/;
        index index.html index.htm index.nginx-debian.html;


        location / {
		try_files $uri $uri/ =404;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    location ~ \.php$ {
			include snippets/fastcgi-php.conf;
			fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;

		location ~ /\.ht {
        deny all;
server {
    if ($host = {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        listen 80;
        listen [::]:80;

    return 404; # managed by Certbot


Could you help me to modify the nginx file so that Heroku uses port 443 and does not lose my certificates created by certbot?

1 Like

@juanam Well, I know nothing about Heroku except what I just read on wiki. But, from that and what you said it looks like Heroku will do the listening on port 443 for the https inbound traffic. Heroku will need to have its own SSL certs for that. And, it seems to support automating that. Do these Heroku instructions help?

If Heroku will continue to talk to your nginx server, you need to resolve whether that will be with http or https. If https, you will need your existing LE certs to talk https between Heroku and nginx. Heroku will need its own certs to talk https to the client (browser or whatnot).

If Heroku talks with http to your nginx server, you can abandon your current certs and just use the Heroku cert automation at the page link I provided.

I hope this helps.


@MikeMcQ this solution it is not free.
I am using Heroku for free but from what I read in the shared link I have to pay dynos to include ACM for free:

All applications with paid dynos include ACM for free.

If your app is currently running on Free dynos, Heroku enables ACM automatically when you upgrade your app to use Hobby or Professional dynos

I use Free dynos.

Alternative solution:

I have read that a website can be served in SSL using any port (not just 443) for example port 8443.

I know that certbot will not accept to renew certificates automatically with that port, but that is not a problem I can use manual renewal using another challenge.

What I don't know is how to implement SSL using a non-standard port.

I have tried editing the nginx configuration that I shared before, changing the port 443 to 8443 but the web does not work.

Any suggestions for proposed solution?

That should work, but you'd need to enter the port number in the address bar too.

However, I'm curious: do you actually want to have your Heroku app directly accessible to the world wide web? It's quite common to have apps available behind a webserver such as nginx where nginx will be (partly) configured as a reverse proxy. You can read more about this here: NGINX Reverse Proxy | NGINX Plus

The idea is that only your nginx will be available to the world wide web on ports 80 (HTTP) and 443 (HTTPS) and that based on certain information (hostname, path, other info or a combination of those) will internally redirect requests to the Heroku app.

That said, I assumed Heroku was some kind of service running on your host, but after reading the Heroku Wikipedia page it seems Heroku is a bigger framework of some sorts. I have absolutely NO idea how that works or how that integrates with nginx. So the above advice might be useless.


Thanks to @MikeMcQ and @Osiris for helping.
I have already fixed it by making Heroku work on another port, I thought it was essential that it work on port 443 if my website was SSL, but I was not right. :blush:
BTW moderators can close this thread.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.