Ubuntu Nginx: HTTPS not accessible from internet or other machine on same LAN, even thought port 443 is open and listening

Nginx 1.22.0 Certbot 1.32.2

I can't access HTTPS or port 443 on my webpage from the internet or even another machine on my LAN, even though port 443 is open and listening on Ubuntu and I can even access the webpage at localhost. Port 80/HTTP works fine from anywhere. Nothing is wrong when I run "sudo service nginx status." Nothing else is using 443 when I use netstat. Any ideas?

The output of this command would be a good start to understanding why nginx isn't listening on HTTPS:

sudo nginx -T

Netstat says it's listening, but there's probably something I'm missing. Here's the output:

nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;

http {

        # Basic Settings

        sendfile on;
        tcp_nopush on;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        # SSL Settings

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POOD                                                                                                                                                                             LE
        ssl_prefer_server_ciphers on;

        # Logging Settings

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        # Gzip Settings

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript                                                                                                                                                                              text/xml application/xml application/xml+rss text/javascript;

        # Virtual Host Configs

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }

# configuration file /etc/nginx/modules-enabled/50-mod-http-geoip2.conf:
load_module modules/ngx_http_geoip2_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-image-filter.conf:
load_module modules/ngx_http_image_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-http-xslt-filter.conf:
load_module modules/ngx_http_xslt_filter_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-mail.conf:
load_module modules/ngx_mail_module.so;

# configuration file /etc/nginx/modules-enabled/50-mod-stream.conf:
load_module modules/ngx_stream_module.so;

# configuration file /etc/nginx/modules-enabled/70-mod-stream-geoip2.conf:
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/avif                            avif;
    image/png                             png;
    image/svg+xml                         svg svgz;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/webp                            webp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;

    font/woff                             woff;
    font/woff2                            woff2;

    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.oasis.opendocument.graphics        odg;
    application/vnd.oasis.opendocument.presentation    odp;
    application/vnd.oasis.opendocument.spreadsheet     ods;
    application/vnd.oasis.opendocument.text            odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation                                                                                                                                                                                 pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet    xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document    d                                                                                                                                                                             ocx;
    application/vnd.wap.wmlc              wmlc;
    application/wasm                      wasm;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;

# configuration file /etc/nginx/sites-enabled/default:
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.

# Default server configuration
server {

        # SSL configuration
        #listen 443 ssl default_server;
        #listen [::]:443 ssl default_server;
        # Note: You should disable gzip for SSL traffic.
        # See: https://bugs.debian.org/773332
        # Read up on ssl_ciphers to ensure a secure configuration.
        # See: https://bugs.debian.org/765782
        # Self signed certs generated by the ssl-cert package
        # Don't use them in a production server!
        # include snippets/snakeoil.conf;

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name duckroll.epicgamer.org;

        location / {
                root   /var/www/html;
                index  index.html index.htm;
                ssi on;
                if ($request_uri ~ ^/(.*)\.html(\?|$)) {
                        return 302 /$1;
                try_files $uri $uri.html $uri/ =404;
                location /autosaul {
                        alias /var/www/html/autosaul;
                        try_files $uri $uri/ @autosaul;

location @autosaul {
                rewrite /autosaul/(.*)$ /autosaul/info.html?/$1 last;

        error_page  404              /404.html;
        location = /404.html {
            root   /var/www/html;

        error_page  403              /403.html;
        location = /403.html {
            root   /var/www/html;

        error_page  500 502 503 504  /50x.html;
        location = /50x.html {
            root   /var/www/html;

        # pass PHP scripts to FastCGI server
        #location ~ \.php$ {
        #       include snippets/fastcgi-php.conf;
        #       # With php-fpm (or other unix sockets):
        #       fastcgi_pass unix:/run/php/php7.4-fpm.sock;
        #       # With php-cgi (or other tcp sockets):
        #       fastcgi_pass;

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #location ~ /\.ht {
        #       deny all;

    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/duckroll.epicgamer.org/fullchain.pem;                                                                                                                                                                              # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/duckroll.epicgamer.org/privkey.pem                                                                                                                                                                             ; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


# Virtual Host configuration for example.com
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#server {
#       listen 80;
#       listen [::]:80;
#       server_name example.com;
#       root /var/www/example.com;
#       index index.html;
#       location / {
#               try_files $uri $uri/ =404;
#       }

server {
    if ($host = duckroll.epicgamer.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

        listen 80 default_server;
        listen [::]:80 default_server;

        server_name duckroll.epicgamer.org;
    return 404; # managed by Certbot


# configuration file /etc/letsencrypt/options-ssl-nginx.conf:
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file. Contents are based on https://ssl-config.mozilla.org

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECD                                                                                                                                                                             SA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:E                                                                                                                                                                             CDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

# configuration file /etc/nginx/sites-enabled/duckroll:
server {
       listen 80;
       listen [::]:80;

       server_name example.ubuntu.com;

       root /var/www/duckroll/;
       index index.html;

       location / {
              autoindex on;
              autoindex_exact_size on;
              try_files $uri $uri/ =404;

I guess it'd be a firewall: nftables?


Yeah, looks like a firewall issue to me.

If you run something locally like:

curl -I --resolve duckroll.epicgamer.org:443: https://duckroll.epicgamer.org

I bet it will work.


that didn't work, it returned curl: (49) Couldn't parse CURLOPT_RESOLVE entry 'duckroll.epicgamer.org:' What is the command supposed to do?

Sorry, that was before I edited the command to fix a mistake. Try what it says now.


Thanks, it worked now

Server: nginx/1.22.0 (Ubuntu)
Date: Thu, 12 Jan 2023 02:30:25 GMT
Content-Type: text/html
Connection: keep-alive
1 Like

Right. So it means that nginx is listening on port 443, and you can access it locally.

So I'd look at:

  • Your router/modem to see whether a port forwarding rule has been set up for port 443 TCP.
  • ufw status
  • Whether Charter are blocking port 443 on your service.

I can't even access HTTPS from a machine on the same LAN, so I don't think it's a router issue, but there is a rule set up for 443.
UFW has a rule for Nginx HTTP and Nginx HTTPS both allowed, and Nginx is actively listening when running netstat.
If charter is something you install separately like from apt, then I haven't installed it. If it is built into Ubuntu, what can I do to check if it is blocking 443?



Mmm, sometimes routers suck at loopback NAT and fail to create the connection when you try to connect to the WAN IP address from inside the LAN.

I think one more thing worth checking is whether you can try the curl --resolve trick from another machine on your LAN, substituting for the LAN IP address of your nginx server.

Edit: if you tried LAN IP already and it's not working, then it really seems that the blame is on a local firewall like ufw.


Lan IP

did it ever work?
If so, when did this problem start?


Sorry, I should have specified that I was accessing it from the Lan IP.

1 Like

Never worked. I'm trying to set up my website, but I ran into this roadblock and have been trying to fix it myself. I don't know too much about Nginx, so I wasn't able to on my own, so I came here.

Please show:
netstat -pant | grep 443 | grep -i listen


Maybe the full output of

sudo iptables-save

would help as well. To see whether ufw is colliding with some other rules that might be blocking port 443.

tcp        0      0   *               LISTEN      4767/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      4767/nginx: master
1 Like

Curl was unable to connect from my Windows machine. I'll try this (on the Ubuntu machine)