Nginx Configuration Issues - Certificate Obtained but not used by NGINX


Took a while to get letsencrypt working on my nginx server (I’m trying it to learn more…having a hard time with it though). Once I got it, and I was redirecting traffic going to port 80 up to port 443 with a 301, suddenly the default welcome nginx page is there, not my page that was being served at http. I can’t find where this default is being called, or where to find it. Forgive my noobedness, but can anyone with nginx exp help me out? I’ll paste my sites-available conf file if you think it’s in there.



# Default server configuration

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 301 https://$server_name$request_uri;

    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    location ~ /.well-known {
        allow all;
    }

    # pass the PHP scripts to FastCGI server listening on
    #
    #location ~ .php$ {
    #    include snippets/fastcgi-php.conf;
    #
    #    # With php7.0-cgi alone:
    #    # With php7.0-fpm:
    #    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /.ht {
    #    deny all;
    #}
}

server {
    # SSL Configuration

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/;
    include snippets/ssl-params.conf;
}



What’s in those?      


Hi @74rku5,

Are you using certbot?

Have a look at this site for some good config examples.

Generally it’s a good idea to stick to well-known configurations or, if you are using a custom configuration, to explain it first so people can assist.



ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

cat ssl-params.conf



ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver valid=300s;
resolver_timeout 5s;

# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;


I can’t find any server_name in your “SSL Configuration” server {} block.

Oh and root /var/www/html;… Like… All the things that would make up a usable server {} block are missing from the SSL server block…

No wonder nginx can’t load your HTTPS site: it isn’t configured at all. You’ve all the things correct for your site on port 80, but you left out everything important at the port 443 piece. You just added the SSL things. But by leaving all the important stuff out, like root and server_name, nginx doesn’t do anything with the ssl server block. It is never used.

You should make a “copy” of the port 80 server block and modify it for TLS by changing the listen directive and adding the SSL stuff… Not only implementing the SSL stuff, no, add the SSL stuff to all the regular directives.
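
The layout described in the reply above, written out as an added example (not a config posted by anyone in the thread): the port 443 block repeats the site directives from the port 80 block and adds the TLS settings. `example.com` and the certificate file paths are placeholders; substitute the directory certbot created under `/etc/letsencrypt/live/`.

```nginx
# Added example. example.com and the certificate paths are placeholders;
# snippets/ssl-params.conf is the file quoted earlier in the thread.

# Port 80: nothing but the redirect to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # $server_name expands to the first name listed here, so it must be set
    # for the redirect target to be a valid URL.
    server_name example.com;
    return 301 https://$server_name$request_uri;
}

# Port 443: the complete site definition plus the TLS settings.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name example.com;

    # Certificate and key issued by Let's Encrypt (placeholder paths).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    include snippets/ssl-params.conf;

    # The same content directives the port 80 block used to carry.
    root /var/www/html;
    index index.php index.html index.htm;

    location ~ /.well-known {
        allow all;
    }
}
```

Running `nginx -t` before reloading checks that the edited file parses and that the certificate files can be read.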


Osiris takes the prize.

The noob learned something today.

Thank you, Osiris!

