My domain is:
I just ran certbot --nginx
and the keys were generated, but I get an ERR_SSL_PROTOCOL_ERROR when trying to access the domain. However, the IP addresses work ( and )
SSLabs ( ) tells me that there are no secure protocols supported with the site.
I will post my nginx.conf below. If it helps, I’m running a Node Express stack with a React frontend which is being served statically via Express. Everything was working fine without https, so I don’t think the client / server is at fault.
My web server is (include version): Nginx 1.18.0
The operating system my web server runs on is (include version): Amazon Linux 2
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.5.0
Here is my nginx conf:
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        location / {
            proxy_pass http://localhost:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }

    server {
        if ($host = {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        if ($host = {
            return 301 https://$host$request_uri;
        } # managed by Certbot

        listen 80;
        listen [::]:80;
        return 404; # managed by Certbot
    }
}
July 7, 2020, 1:18am
Something else is bound to port 443, not nginx.
sudo ss -tlpn | grep -E ":443"
I am guessing it’s your Node/Express program. You need to free up the port so that nginx can bind to it.
Seems to me that no node / express program is running on 443?
July 7, 2020, 3:34am
Hmm. I don’t see how that’s possible. nginx would send a Server header if it was the server responding on :443, but it’s not there:
$ curl -X GET -I
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Accept-Ranges: bytes
Cache-Control: public, max-age=0
Last-Modified: Mon, 06 Jul 2020 10:41:50 GMT
ETag: W/"ae4-17323b7bb6d"
Content-Type: text/html; charset=UTF-8
Content-Length: 2788
Set-Cookie: connect.sid=s%3Ac20Dbgx29l7KcXBsy3zUqPFUy8_fsMnc.vul%2Bk6CQpjXXOJI5zKo3TLso6e57ogfrFrm%2FMShEm9M; Path=/; HttpOnly
Date: Tue, 07 Jul 2020 03:33:45 GMT
Connection: keep-alive
Are you sure you’re not doing any funky iptables port redirection stuff on port 443?
That was it thank you so much! We had a previous PREROUTING rule in the iptables so I just reset everything to the defaults.
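An added diagnostic, not from anyone in this thread, that turns the two checks used above (who owns :443 according to ss -tlpn, and whether a nat PREROUTING rule rewrites port 443 before nginx ever sees it) into shell functions. The ss and iptables output embedded below is constructed to mirror this thread, and the function names are my own.

```shell
#!/bin/sh
# Added diagnostic example. Both parsers read captured command output on stdin,
# so they can be exercised offline; run them against the live host as root.

# Print the process name owning a TCP listener on port $1, or "none".
# Input: output of `ss -tlpn` (field 4 is Local Address:Port).
listener_on_port() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":")                         # port sits after the last colon
            if (a[n] == port && match($0, /users:\(\("[^"]+"/)) {
                print substr($0, RSTART + 9, RLENGTH - 10) # name inside users:(("...")
                found = 1; exit
            }
        }
        END { if (!found) print "none" }'
}

# Print nat PREROUTING rules that REDIRECT or DNAT traffic arriving on port $1.
# Input: output of `iptables -t nat -S PREROUTING`. Prints nothing if clean.
nat_rules_for_port() {
    grep -E -- "--dport $1( |\$)" | grep -E -- '-j (REDIRECT|DNAT)' || true
}

# Verdict for :443. $1 = ss output, $2 = nat PREROUTING output.
# A redirect wins over the listener: the kernel rewrites the packet before
# the listener, which is exactly how Express answered instead of nginx here.
diagnose_443() {
    owner=$(printf '%s\n' "$1" | listener_on_port 443)
    redirect=$(printf '%s\n' "$2" | nat_rules_for_port 443)
    if [ -n "$redirect" ]; then
        echo "nat-redirect: $redirect"
    elif [ "$owner" = "nginx" ]; then
        echo "nginx"
    else
        echo "other-listener: $owner"
    fi
}

# Constructed sample: nginx holds :443, node holds :3000, but a leftover
# PREROUTING rule sends :443 to :3000 (the situation resolved in this thread).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1234,fd=6),("nginx",pid=1233,fd=6))
LISTEN 0      511    [::]:443          [::]:*        users:(("nginx",pid=1234,fd=7))
LISTEN 0      511    *:3000            *:*           users:(("node",pid=2222,fd=18))'
SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3000'

echo "offline sample: $(diagnose_443 "$SAMPLE_SS" "$SAMPLE_NAT")"
# live host: diagnose_443 "$(sudo ss -tlpn)" "$(sudo iptables -t nat -S PREROUTING)"
```

A verdict of `nat-redirect` means fixing nginx.conf will not help; the offending rule has to be deleted (or the nat table reset) before nginx can actually serve TLS on 443.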