Lightsail subdomain not encrypted

I encrypted subdomains following the

and checked the txt records using

but it is not showing as encrypted, i.e., it renders as not secured.

In the Nginx configuration, it is set as follows:

if ($host ~ ^[^.]+\.example\.com$) {
    return 301 https://$host$request_uri;
} # managed by Certbot

So, it should be working, but it is not. What’s missing here?


Hi @allison9y

Checked your main domain; there is a new wildcard certificate ( ):
expires in 86 days	
*, - 2 entries

But checking your subdomain no https is configured ( ):

Domainname Http-Status redirect Sec. G
200 0.260 H
-2 1.374 V
ConnectFailure - Unable to connect to the remote server No connection could be made because the target machine actively refused it
404 0.253 A
Not Found
Visible Content: 404 Not Found nginx/1.14.0 (Ubuntu)

So add a port 443 vHost that uses the wildcard certificate.

What does it mean that no https is configured? How can I configure this? Where?

In nginx.conf (or a file included in nginx.conf)
you should already have a ‘server’ directive, or else your http would not be served.
You have to add another one with something like

server {
    # HTTPS virtual server on port 443
    listen *:443 ssl http2;
    # certificate chain and private key to present on this port
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    # (…see nginx doc and tutorials…)
}

That’s what @JuergenAuer is referring to when he is writing about ‘vHost’ (that’s more an Apache term)
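An added example, not code from any participant in this thread: a small Python check that reads an nginx configuration and reports whether a hostname is actually served over HTTPS or is only redirected to a port where no server block listens, which is the state diagnosed above. Both configurations are constructed samples built from the snippets in the thread; `audit`, `server_blocks` and `name_matches` are hypothetical helper names, and the parser assumes no braces inside regexes or quoted strings.

```python
import re

# Constructed sample: the port-80 redirect from the question, with no 443 server block.
BROKEN = r"""
server {
    listen 80;
    server_name *.example.com;
    if ($host ~ ^[^.]+\.example\.com$) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
}
"""
# Constructed sample: the same config plus the 443 server block suggested in the reply.
FIXED = BROKEN + r"""
server {
    listen *:443 ssl http2;
    server_name *.example.com;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
}
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, tracking nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def name_matches(pattern, host):  # exact and "*.domain" server_name forms only
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else pattern == host

def audit(conf, host):
    """Classify host: HTTPS served, redirected to HTTPS with no listener, or no HTTPS."""
    conf = re.sub(r"#.*", "", conf)  # drop comments before matching braces
    redirects = tls = False
    for body in server_blocks(conf):
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        if not names or not any(name_matches(n, host) for n in names.group(1).split()):
            continue
        listens = [l.split() for l in re.findall(r"\blisten\s+([^;]+);", body)]
        on_443 = any(re.search(r"(^|:)443$", l[0]) and "ssl" in l for l in listens)
        certs = re.search(r"\bssl_certificate\s", body) and re.search(r"\bssl_certificate_key\s", body)
        tls = tls or bool(on_443 and certs)
        redirects = redirects or bool(re.search(r"\breturn\s+30[1278]\s+https://", body))
    return "https-configured" if tls else "redirect-without-443" if redirects else "no-https"

print(audit(BROKEN, "sub.example.com"), audit(FIXED, "sub.example.com"))
```

A `redirect-without-443` result corresponds to the connection-refused row in the check output above: the port-80 block sends visitors to https, but nothing accepts the connection.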


This uses a different IP address to the main Thus do I have to configure the 443 server in as

server {
listen *:443 ssl http2;


I gather that has to have an https directive but there are no certificates for the IP address. Does that mean that the IP has to be encrypted as well?

Yes, the server_name directive should match your server name (duh.)
And the rest should look similar to your http (port 80) server section, with the addition of ssl directives of course (I did not look precisely, but it’s certain that at least the ssl_certificate and ssl_certificate_key directives should be present and point at your certificates - other directives can be present, such as ssl_protocols, ssl_ciphers, and others, but I’m not sure these are mandatory).
Normally you don’t use certificates with IP addresses (you don’t use pure IP addresses at all on the modern Web).

I have no idea of what you could mean by that. No one is encrypting localhost.