Getting "Your connection is not private"

My domain is:
I ran this command: certbot (ran successfully and Let's Debug passes)
My web server is (include version): nginx Version: 1.18.0-0ubuntu1
The operating system my web server runs on is (include version): Linux Mint 20.1 (Ulyssa)
My hosting provider, if applicable, is: None - self hosting
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

My nginx config file in sites-available reads as follows:

server {

    # Adjust this to the FQDN you chose!
    server_name       ;

    access_log                  /var/log/nginx/foundry/access.log;
    error_log                   /var/log/nginx/foundry/error.log;

    location ^~ /.well-known/acme-challenge {
        allow all;
        root /var/www/letsencrypt;
        auth_basic off;
    }

    location / {
        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        # Adjust the port number you chose!
        proxy_pass    ;

        proxy_http_version      1.1;
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection "Upgrade";
        proxy_read_timeout      90;

        # Again, adjust both your FQDN and your port number here!
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name       ;
    return 404; # managed by Certbot
}

Looks fine to me!

Can you take a screenshot of the error message?


Thank you for your help @_az. I can't get a screenshot of the error message in Chrome, but here is the text:

Your connection is not private
Attackers might be trying to steal your information from (for example, passwords, messages, or credit cards). Learn more

To get Chrome’s highest level of security, turn on enhanced protection

normally uses encryption to protect your information. When Google Chrome tried to connect to this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

Are you connecting to at the default port? Or perhaps on a different port than 443? Because your regular HTTPS port 443 is fine.


Are you connecting to the same IP that we are connecting to?:


When you ping, what IP is shown?


I believe I'm connecting on the standard port (I'm not specifying any alternative port, I'm just using

When I ping, I get as the IP address.


I wonder if the problem is that you don't have hairpin NAT on your modem/router.

If you skip past the NET::ERR_CERT_AUTHORITY_INVALID security warning, what do you see? Your website, or your router's admin page?
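The hairpin-NAT theory above can be checked without a browser. The following script is an added example written for this thread, not code from any poster; it opens a TLS connection to a given IP with the site's hostname as SNI and verifies the certificate the way Chrome does, once towards the public IP and once towards the LAN IP, and turns the outcome into a diagnosis. A trusted, matching certificate means nginx answered; an untrusted (typically self-signed) certificate on the public path but not on the LAN path is what a router admin page answering on 443 looks like. The hostname and IP addresses are placeholders you supply on the command line.

```python
import socket
import ssl
import sys

# Human-readable diagnoses produced by classify().
OK = "ok: trusted certificate that matches the hostname (nginx answered)"
UNTRUSTED = ("untrusted certificate: some other device (e.g. a router admin "
             "page) is answering on 443; hairpin NAT / port forwarding issue")
MISMATCH = "trusted certificate, but issued for a different hostname"
TIMEOUT = "no answer on 443 (timed out): traffic is not reaching the server"
REFUSED = "connection refused: nothing is listening on 443 at that address"


def classify(outcome: str, detail: str = "") -> str:
    """Map a probe outcome plus the TLS error text to a diagnosis."""
    if outcome == "verified":
        return OK
    if outcome == "ssl_error":
        if "hostname mismatch" in detail.lower():
            return MISMATCH
        # self-signed, unknown issuer, expired, ... : not the Let's Encrypt cert
        return UNTRUSTED
    if outcome == "timeout":
        return TIMEOUT
    if outcome == "refused":
        return REFUSED
    return f"unexpected outcome: {outcome} {detail}".strip()


def probe(hostname: str, ip: str, port: int = 443, timeout: float = 5.0):
    """Connect to ip:port, send `hostname` as SNI and verify the certificate
    against the system trust store and the hostname (as a browser would).
    Returns (outcome, detail)."""
    ctx = ssl.create_default_context()  # verification + hostname check on
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return "verified", "SAN=" + ",".join(sans)
    except ssl.SSLCertVerificationError as e:
        return "ssl_error", e.verify_message or str(e)
    except ssl.SSLError as e:
        return "ssl_error", str(e)
    except socket.timeout:
        return "timeout", ""
    except ConnectionRefusedError:
        return "refused", ""
    except OSError as e:  # no route to host, network unreachable, ...
        return "unreachable", str(e)


def compare_paths(hostname: str, public_ip: str, lan_ip: str) -> dict:
    """Probe the public and the LAN path and return label -> diagnosis."""
    results = {}
    for label, ip in (("public", public_ip), ("lan", lan_ip)):
        outcome, detail = probe(hostname, ip)
        results[label] = classify(outcome, detail)
    return results


if __name__ == "__main__":
    # usage: python probe_tls.py <hostname> <public_ip> <lan_ip>  (placeholders)
    if len(sys.argv) != 4:
        sys.exit("usage: probe_tls.py HOSTNAME PUBLIC_IP LAN_IP")
    for label, diagnosis in compare_paths(*sys.argv[1:]).items():
        print(f"{label:7s} {diagnosis}")
```

If the LAN path reports OK while the public path reports an untrusted certificate, the certificate and nginx are fine and the problem is that connections from inside the LAN to the public address never reach the VM; if the public path also reports OK from a host outside the LAN, only the hairpin case remains.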


It's strange because usually when there is a certificate error, you can click advanced and ignore the warning and go forward anyway, but this error message is different and doesn't give me that option. Here is a picture of the screen I'm getting (sorry, my screen capture extension isn't working for this page either...)


Ah yes, because your domain is also configured with HSTS.

You can get past the warning by typing this, with the page open:


Wait, there is a complicating factor I've been forgetting. The server is running as a virtual machine on a proxmox server. This is my first time using proxmox and I am realizing I haven't looked into network routing for that. If any of you happen to know what is needed there, I'd appreciate a pointer, but otherwise, I'll do some digging in that direction and get back.


Ooh, that is helpful @_az, and when I type that, I get my Comcast router.


OK, I think the NAT theory is probably correct then!

If you can, try re-assigning the web admin port on your Comcast router from port 443 to something else. If this is possible, it should be somewhere in the settings.

I don't know how locked-down Comcast routers are so I can't tell you whether it's possible, but I hope it is.


My network is set up with a Comcast cable modem/router hooked to only one device, which is my Nest/Google Wifi router.

I was getting tired of doing port configuration in both the Comcast router and in the Nest router, so I tried setting the Comcast to use a DMZ which points to the Nest/Google router, and then I do all the port forwarding only on the Nest router (in this case, 443 and 80 to my internal server). Is that a broken setup?


Can you add an entry into the client hosts file?
[for Windows: c:\windows\system32\drivers\etc\hosts]
[for Linux: /etc/hosts]
If so, try adding something like:

[replacing "" with the actual internal IP of the foundry server]


@rg305 do you mean to add that /etc/hosts entry to the computer I'm trying to attach with, or to the computer which serves


Add that to the client - not the server.
[the server already knows where he is]


I tried adding that /etc/hosts entry and now when I try to go to, it hangs at "connecting" and ultimately times out.


Are you able to access that IP directly?
Like are you on the same network with it?
Or do you have to cross a router/firewall?
[pardon my lack of understanding (your setup)]

Some simple tests:
ping IP.IP.IP.IP
traceroute IP.IP.IP.IP
[replace IP.IP.IP.IP with actual local IP of server]


Thanks @rg305 here is my setup:

  1. My LAN (I have full access)
    1a. PC on LAN running Proxmox (a linux distro that runs VMs) (at
    1a1. A VM running the foundry server I'm trying to reach (VM is given IP of on local LAN)
    1b. A laptop from which I'll run the commands you gave me (using the local LAN IP of 1a1)


> traceroute
traceroute to (, 64 hops max
  1  9.072ms  7.142ms  8.325ms 
> ping
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=64 time=6.50 ms
64 bytes from icmp_seq=2 ttl=64 time=6.48 ms
--- ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 6.478/6.487/6.496/0.009 ms

http://IP.IP.IP.IP/ gets me a 404 error
https://IP.IP.IP.IP/ gets me an error page ("Your connection not private") from Chrome, but unlike when I try to do this from outside the LAN, it lets me override and connect to the site instead of making me type "thisisunsafe". I then get my server app successfully.

When I do https://publicIPaddress, I get a "Your connection not private", but because the .page domain is HSTS, it doesn't include an (obvious) option for overriding and connecting anyway. If I type "thisisunsafe", I get my router config screen instead of the server.


I should mention that I have both ports 80 and 443 forwarded on both my Comcast router (which faces the internet and has only one internal connection to my Google router) and my Google router (which provides my local LAN with the systems above and assigns fixed IP addresses for the systems on my LAN).