Nginx: [emerg] a duplicate listen 0.0.0.0:443

I'm having the same problem. On macOS, I installed nginx and certbot (2.2.0) using Homebrew.

Configured three servers like this:

    server {
        listen 443;
        server_name example.com;
        location / {
            proxy_pass http://192.168.1.2:9000;
        }
    }

    server {
        listen 443;
        server_name a.example.com;

        location / {
            proxy_pass http://192.168.1.2:9001;
        }
    }

    server {
        listen 443;
        server_name b.example.com;
        location / {
            proxy_pass http://192.168.1.2:9002;
        }
    }

When I run:

    sudo certbot --nginx -d example.com -d a.example.com -d b.example.com

I get successful deployment for all three servers, but then a warning:

    nginx restart failed:
    nginx: [emerg] a duplicate listen 0.0.0.0:443 in /usr/local/etc/nginx/nginx.conf:41

I'm not sure what to do next. I don't see where the duplicate entries are. I'm listening for three different domains on the same port and they redirect to three different servers. Both ports 80 and 443 are open.

Thanks for your help.

1 Like

Hi @Altostratus, and welcome to the LE community forum.

I've moved your post to a separate topic because ... that's just how we do things here.
There can only be one "solution" response to any topic and your problem [albeit very similar] might have a different solution.

I'm not versed in Mac.
Can you show what service is using ports 80 and 443?

2 Likes

Hello @Altostratus, welcome to the Let's Encrypt community.

If you had originally started a new Help Topic you would have been presented with the following.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

1 Like

This doesn't look right. This means "listen with normal HTTP on port 443".

nginx can't listen on port 443 for both HTTP and HTTPS. The reason you are encountering the duplicate listen is because Certbot will then try to add:

    listen 443 ssl;

in a duplicate server block for the same server_name, which is not something that is possible.

You probably just want to start with listen 80; in that beginning configuration, and then let Certbot add the listen 443 ssl; servers for you.

5 Likes
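A preflight check for the situation described in the answer above, as an added example that is not part of the original thread or of Certbot: it reports `server` blocks that listen on port 443 without the `ssl` parameter, so they can be changed to `listen 80;` before running `certbot --nginx`. The function names and sample configs are constructed for illustration; `include`d files and the legacy `ssl on;` directive are not considered.

```python
import re

# Constructed sample: the starting configuration from the thread (plain "listen 443;").
SAMPLE_BEFORE = """
server {
    listen 443;
    server_name example.com;
    location / { proxy_pass http://192.168.1.2:9000; }
}
server {
    listen 443;
    server_name a.example.com;
    location / { proxy_pass http://192.168.1.2:9001; }
}
"""

# Constructed sample: the same site started on port 80, with a TLS listener beside it.
SAMPLE_AFTER = """
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;
    location / { proxy_pass http://192.168.1.2:9000; }
}
"""

DIRECTIVE = re.compile(r"(?<![\w$])(listen|server_name)\s+([^;{}]+);")

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def plaintext_443_listeners(conf):
    """Return [(server_name, listen_args)] for port-443 listeners lacking `ssl`."""
    conf = re.sub(r"#[^\n]*", "", conf)          # drop comments first
    findings = []
    for body in server_blocks(conf):
        directives = [(k, v.split()) for k, v in DIRECTIVE.findall(body) if v.strip()]
        name = next((" ".join(v) for k, v in directives if k == "server_name"), "(unnamed)")
        for key, args in directives:
            port = args[0].rsplit(":", 1)[-1]    # "443", "0.0.0.0:443", "[::]:443"
            if key == "listen" and port == "443" and "ssl" not in args[1:]:
                findings.append((name, " ".join(args)))
    return findings
```

An empty result from `plaintext_443_listeners()` means no block in the given text is set to serve plain HTTP on port 443.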

Thank you all very much for the post guidelines and help. I've followed the advice by @_az and changed the listening port to 80. This has indeed worked, and added the listen 443 directive as well as the certificate paths to all three domains. However, when I now do sudo nginx -t && nginx -s reload, I get this:

    nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
    nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/example.com/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/example.com/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
    nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

The file is there, because I can view it with:

    sudo cat /etc/letsencrypt/live/example.com/fullchain.pem

The file contains three certificates one after the other.

What am I still missing here?

Thanks again.

EDIT: fixed missing slash in path to pem file.

1 Like

A slash (/) in the path between example.com and fullchain.pem.

3 Likes

I'm sorry, the slash is there of course, in the error message, reflecting the line added by Certbot. I mistakenly took it out when changing my domain name to example.com above.

1 Like

You might need to add another sudo after the &&. (Not sure though.)

3 Likes

That's it!

    sudo nginx -t && sudo nginx -s reload

This loads the server with no errors.

Thank you very much for your time and help.

3 Likes
