[{"data":1,"prerenderedAt":1433},["ShallowReactive",2],{"\u002Ffix-issues\u002Fflask-https-not-working-after-certbot":3},{"id":4,"title":5,"body":6,"description":1423,"extension":1424,"meta":1425,"navigation":411,"path":1429,"seo":1430,"stem":1431,"__hash__":1432},"content\u002Ffix-issues\u002Fflask-https-not-working-after-certbot.md","Flask HTTPS Not Working After Certbot",{"type":7,"value":8,"toc":1412},"minimark",[9,13,17,22,25,184,195,199,208,214,218,765,769,863,870,874,877,882,903,906,922,927,945,947,958,963,981,983,997,1002,1037,1040,1045,1064,1067,1085,1090,1111,1118,1123,1155,1158,1163,1182,1185,1199,1204,1207,1219,1222,1229,1233,1319,1326,1330,1348,1352,1363,1371,1379,1390,1398,1402,1408],[10,11,5],"h1",{"id":12},"flask-https-not-working-after-certbot",[14,15,16],"p",{},"If HTTPS stopped working after Certbot or your Flask site is still not serving securely, this guide shows you how to diagnose and fix the Nginx, certificate, and redirect setup step-by-step. The goal is to restore a valid TLS configuration and confirm that Flask is reachable over HTTPS.",[18,19,21],"h2",{"id":20},"quick-fix-quick-setup","Quick Fix \u002F Quick Setup",[14,23,24],{},"Run the core checks first:",[26,27,32],"pre",{"className":28,"code":29,"language":30,"meta":31,"style":31},"language-bash shiki shiki-themes github-light github-dark","sudo nginx -t && sudo systemctl reload nginx\nsudo certbot certificates\nsudo ls -l \u002Fetc\u002Fletsencrypt\u002Flive\u002Fyourdomain.com\u002F\nsudo grep -R \"ssl_certificate\\|server_name\\|listen 443\" \u002Fetc\u002Fnginx\u002Fsites-enabled \u002Fetc\u002Fnginx\u002Fconf.d\ncurl -I http:\u002F\u002Fyourdomain.com\ncurl -Ik https:\u002F\u002Fyourdomain.com\nopenssl s_client -connect yourdomain.com:443 -servername yourdomain.com \u003C\u002Fdev\u002Fnull | openssl x509 -noout -subject -issuer -dates\n","bash","",[33,34,35,67,78,92,112,124,135],"code",{"__ignoreMap":31},[36,37,40,44,48,52,56,58,61,64],"span",{"class":38,"line":39},"line",1,[36,41,43],{"class":42},"sScJk","sudo",[36,45,47],{"class":46},"sZZnC"," nginx",[36,49,51],{"class":50},"sj4cs"," -t",[36,53,55],{"class":54},"sVt8B"," && ",[36,57,43],{"class":42},[36,59,60],{"class":46}," systemctl",[36,62,63],{"class":46}," reload",[36,65,66],{"class":46}," nginx\n",[36,68,70,72,75],{"class":38,"line":69},2,[36,71,43],{"class":42},[36,73,74],{"class":46}," certbot",[36,76,77],{"class":46}," certificates\n",[36,79,81,83,86,89],{"class":38,"line":80},3,[36,82,43],{"class":42},[36,84,85],{"class":46}," ls",[36,87,88],{"class":50}," -l",[36,90,91],{"class":46}," \u002Fetc\u002Fletsencrypt\u002Flive\u002Fyourdomain.com\u002F\n",[36,93,95,97,100,103,106,109],{"class":38,"line":94},4,[36,96,43],{"class":42},[36,98,99],{"class":46}," grep",[36,101,102],{"class":50}," -R",[36,104,105],{"class":46}," \"ssl_certificate\\|server_name\\|listen 443\"",[36,107,108],{"class":46}," \u002Fetc\u002Fnginx\u002Fsites-enabled",[36,110,111],{"class":46}," \u002Fetc\u002Fnginx\u002Fconf.d\n",[36,113,115,118,121],{"class":38,"line":114},5,[36,116,117],{"class":42},"curl",[36,119,120],{"class":50}," -I",[36,122,123],{"class":46}," http:\u002F\u002Fyourdomain.com\n",[36,125,127,129,132],{"class":38,"line":126},6,[36,128,117],{"class":42},[36,130,131],{"class":50}," -Ik",[36,133,134],{"class":46}," https:\u002F\u002Fyourdomain.com\n",[36,136,138,141,144,147,150,153,156,160,163,166,169,172,175,178,181],{"class":38,"line":137},7,[36,139,140],{"class":42},"openssl",[36,142,143],{"class":46}," s_client",[36,145,146],{"class":50}," -connect",[36,148,149],{"class":46}," yourdomain.com:443",[36,151,152],{"class":50}," -servername",[36,154,155],{"class":46}," yourdomain.com",[36,157,159],{"class":158},"szBVR"," \u003C",[36,161,162],{"class":46},"\u002Fdev\u002Fnull",[36,164,165],{"class":158}," |",[36,167,168],{"class":42}," openssl",[36,170,171],{"class":46}," x509",[36,173,174],{"class":50}," -noout",[36,176,177],{"class":50}," -subject",[36,179,180],{"class":50}," -issuer",[36,182,183],{"class":50}," -dates\n",[14,185,186,187,190,191,194],{},"In most cases, HTTPS fails because Nginx is not loading the Certbot-managed server block, the wrong domain is configured in ",[33,188,189],{},"server_name",", port ",[33,192,193],{},"443"," is not active, or Nginx is pointing to an invalid certificate path.",[18,196,198],{"id":197},"whats-happening","What’s Happening",[14,200,201,202,204,205,207],{},"Certbot usually installs or updates Nginx TLS settings, but HTTPS still depends on a valid Nginx server block for port ",[33,203,193],{},", correct ",[33,206,189],{}," values, and certificate files that exist and match the requested domain.",[14,209,210,211,213],{},"If Nginx loads the wrong virtual host, uses stale certificate paths, or cannot bind to ",[33,212,193],{},", the browser will show certificate, redirect, or connection errors even if Certbot completed successfully.",[18,215,217],{"id":216},"step-by-step-guide","Step-by-Step Guide",[219,220,221,257,293,322,377,521,552,585,641,669,697,728],"ol",{},[222,223,224,228,253,256],"li",{},[225,226,227],"strong",{},"Confirm DNS points to the correct server.",[26,229,231],{"className":28,"code":230,"language":30,"meta":31,"style":31},"dig +short yourdomain.com\ndig +short www.yourdomain.com\n",[33,232,233,244],{"__ignoreMap":31},[36,234,235,238,241],{"class":38,"line":39},[36,236,237],{"class":42},"dig",[36,239,240],{"class":46}," +short",[36,242,243],{"class":46}," yourdomain.com\n",[36,245,246,248,250],{"class":38,"line":69},[36,247,237],{"class":42},[36,249,240],{"class":46},[36,251,252],{"class":46}," www.yourdomain.com\n",[254,255],"br",{},"Verify the returned IP matches your VPS or load balancer.",[222,258,259,262,290,292],{},[225,260,261],{},"Check that Nginx is valid and running.",[26,263,265],{"className":28,"code":264,"language":30,"meta":31,"style":31},"sudo nginx -t\nsudo systemctl status nginx --no-pager\n",[33,266,267,276],{"__ignoreMap":31},[36,268,269,271,273],{"class":38,"line":39},[36,270,43],{"class":42},[36,272,47],{"class":46},[36,274,275],{"class":50}," -t\n",[36,277,278,280,282,285,287],{"class":38,"line":69},[36,279,43],{"class":42},[36,281,60],{"class":46},[36,283,284],{"class":46}," status",[36,286,47],{"class":46},[36,288,289],{"class":50}," --no-pager\n",[254,291],{},"Fix syntax errors before continuing.",[222,294,295,298,311,313,314,317,318,321],{},[225,296,297],{},"Inspect installed certificates.",[26,299,301],{"className":28,"code":300,"language":30,"meta":31,"style":31},"sudo certbot certificates\n",[33,302,303],{"__ignoreMap":31},[36,304,305,307,309],{"class":38,"line":39},[36,306,43],{"class":42},[36,308,74],{"class":46},[36,310,77],{"class":46},[254,312],{},"Verify the domain names listed and note the certificate paths under ",[33,315,316],{},"\u002Fetc\u002Fletsencrypt\u002Flive\u002F...\u002Ffullchain.pem"," and ",[33,319,320],{},"privkey.pem",".",[222,323,324,327,347,349,350],{},[225,325,326],{},"Verify the Nginx HTTPS server block exists and matches the domain.",[26,328,330],{"className":28,"code":329,"language":30,"meta":31,"style":31},"sudo grep -R \"server_name\\|listen 443\\|ssl_certificate\\|ssl_certificate_key\" \u002Fetc\u002Fnginx\u002Fsites-enabled \u002Fetc\u002Fnginx\u002Fconf.d\n",[33,331,332],{"__ignoreMap":31},[36,333,334,336,338,340,343,345],{"class":38,"line":39},[36,335,43],{"class":42},[36,337,99],{"class":46},[36,339,102],{"class":50},[36,341,342],{"class":46}," \"server_name\\|listen 443\\|ssl_certificate\\|ssl_certificate_key\"",[36,344,108],{"class":46},[36,346,111],{"class":46},[254,348],{},"Ensure the correct server block includes:",[351,352,353,362,367],"ul",{},[222,354,355,358,359],{},[33,356,357],{},"listen 443 ssl;"," or ",[33,360,361],{},"listen 443 ssl http2;",[222,363,364,365],{},"the expected domain names in ",[33,366,189],{},[222,368,369,370,317,373,376],{},"valid ",[33,371,372],{},"ssl_certificate",[33,374,375],{},"ssl_certificate_key"," paths",[222,378,379,382,384,385,494,496,497],{},[225,380,381],{},"Open the Nginx site config and correct it if needed.",[254,383],{},"Example working configuration:",[26,386,390],{"className":387,"code":388,"language":389,"meta":31,"style":31},"language-nginx shiki shiki-themes github-light github-dark","server {\n    listen 80;\n    server_name yourdomain.com www.yourdomain.com;\n\n    return 301 https:\u002F\u002F$host$request_uri;\n}\n\nserver {\n    listen 443 ssl http2;\n    server_name yourdomain.com www.yourdomain.com;\n\n    ssl_certificate \u002Fetc\u002Fletsencrypt\u002Flive\u002Fyourdomain.com\u002Ffullchain.pem;\n    ssl_certificate_key \u002Fetc\u002Fletsencrypt\u002Flive\u002Fyourdomain.com\u002Fprivkey.pem;\n\n    location \u002F {\n        proxy_pass http:\u002F\u002F127.0.0.1:8000;\n        include proxy_params;\n    }\n}\n","nginx",[33,391,392,397,402,407,413,418,423,427,432,438,443,448,454,460,465,471,477,483,489],{"__ignoreMap":31},[36,393,394],{"class":38,"line":39},[36,395,396],{},"server {\n",[36,398,399],{"class":38,"line":69},[36,400,401],{},"    listen 80;\n",[36,403,404],{"class":38,"line":80},[36,405,406],{},"    server_name yourdomain.com www.yourdomain.com;\n",[36,408,409],{"class":38,"line":94},[36,410,412],{"emptyLinePlaceholder":411},true,"\n",[36,414,415],{"class":38,"line":114},[36,416,417],{},"    return 301 https:\u002F\u002F$host$request_uri;\n",[36,419,420],{"class":38,"line":126},[36,421,422],{},"}\n",[36,424,425],{"class":38,"line":137},[36,426,412],{"emptyLinePlaceholder":411},[36,428,430],{"class":38,"line":429},8,[36,431,396],{},[36,433,435],{"class":38,"line":434},9,[36,436,437],{},"    listen 443 ssl http2;\n",[36,439,441],{"class":38,"line":440},10,[36,442,406],{},[36,444,446],{"class":38,"line":445},11,[36,447,412],{"emptyLinePlaceholder":411},[36,449,451],{"class":38,"line":450},12,[36,452,453],{},"    ssl_certificate \u002Fetc\u002Fletsencrypt\u002Flive\u002Fyourdomain.com\u002Ffullchain.pem;\n",[36,455,457],{"class":38,"line":456},13,[36,458,459],{},"    ssl_certificate_key \u002Fetc\u002Fletsencrypt\u002Flive\u002Fyourdomain.com\u002Fprivkey.pem;\n",[36,461,463],{"class":38,"line":462},14,[36,464,412],{"emptyLinePlaceholder":411},[36,466,468],{"class":38,"line":467},15,[36,469,470],{},"    location \u002F {\n",[36,472,474],{"class":38,"line":473},16,[36,475,476],{},"        proxy_pass http:\u002F\u002F127.0.0.1:8000;\n",[36,478,480],{"class":38,"line":479},17,[36,481,482],{},"        include proxy_params;\n",[36,484,486],{"class":38,"line":485},18,[36,487,488],{},"    }\n",[36,490,492],{"class":38,"line":491},19,[36,493,422],{},[254,495],{},"If you are using a Unix socket, use:",[26,498,500],{"className":387,"code":499,"language":389,"meta":31,"style":31},"location \u002F {\n    include proxy_params;\n    proxy_pass http:\u002F\u002Funix:\u002Frun\u002Fgunicorn.sock;\n}\n",[33,501,502,507,512,517],{"__ignoreMap":31},[36,503,504],{"class":38,"line":39},[36,505,506],{},"location \u002F {\n",[36,508,509],{"class":38,"line":69},[36,510,511],{},"    include proxy_params;\n",[36,513,514],{"class":38,"line":80},[36,515,516],{},"    proxy_pass http:\u002F\u002Funix:\u002Frun\u002Fgunicorn.sock;\n",[36,518,519],{"class":38,"line":94},[36,520,422],{},[222,522,523,526,549,551],{},[225,524,525],{},"Test the config and reload Nginx.",[26,527,529],{"className":28,"code":528,"language":30,"meta":31,"style":31},"sudo nginx -t\nsudo systemctl reload nginx\n",[33,530,531,539],{"__ignoreMap":31},[36,532,533,535,537],{"class":38,"line":39},[36,534,43],{"class":42},[36,536,47],{"class":46},[36,538,275],{"class":50},[36,540,541,543,545,547],{"class":38,"line":69},[36,542,43],{"class":42},[36,544,60],{"class":46},[36,546,63],{"class":46},[36,548,66],{"class":46},[254,550],{},"If reload fails, fix the exact file and line shown in the error output.",[222,553,554,557,579,581,582,584],{},[225,555,556],{},"Verify port 443 is listening.",[26,558,560],{"className":28,"code":559,"language":30,"meta":31,"style":31},"sudo ss -ltnp | grep :443\n",[33,561,562],{"__ignoreMap":31},[36,563,564,566,569,572,574,576],{"class":38,"line":39},[36,565,43],{"class":42},[36,567,568],{"class":46}," ss",[36,570,571],{"class":50}," -ltnp",[36,573,165],{"class":158},[36,575,99],{"class":42},[36,577,578],{"class":46}," :443\n",[254,580],{},"If nothing is listening on ",[33,583,193],{},", Nginx is not binding successfully or another service is conflicting.",[222,586,587,590,627,629,630],{},[225,588,589],{},"Check the active certificate being served.",[26,591,593],{"className":28,"code":592,"language":30,"meta":31,"style":31},"openssl s_client -connect yourdomain.com:443 -servername yourdomain.com \u003C\u002Fdev\u002Fnull | openssl x509 -noout -subject -issuer -dates\n",[33,594,595],{"__ignoreMap":31},[36,596,597,599,601,603,605,607,609,611,613,615,617,619,621,623,625],{"class":38,"line":39},[36,598,140],{"class":42},[36,600,143],{"class":46},[36,602,146],{"class":50},[36,604,149],{"class":46},[36,606,152],{"class":50},[36,608,155],{"class":46},[36,610,159],{"class":158},[36,612,162],{"class":46},[36,614,165],{"class":158},[36,616,168],{"class":42},[36,618,171],{"class":46},[36,620,174],{"class":50},[36,622,177],{"class":50},[36,624,180],{"class":50},[36,626,183],{"class":50},[254,628],{},"Confirm:",[351,631,632,635,638],{},[222,633,634],{},"subject matches the expected domain",[222,636,637],{},"issuer is the expected CA",[222,639,640],{},"certificate is not expired",[222,642,643,646,659,661,662,358,665,668],{},[225,644,645],{},"Test HTTP to HTTPS redirection.",[26,647,649],{"className":28,"code":648,"language":30,"meta":31,"style":31},"curl -I http:\u002F\u002Fyourdomain.com\n",[33,650,651],{"__ignoreMap":31},[36,652,653,655,657],{"class":38,"line":39},[36,654,117],{"class":42},[36,656,120],{"class":50},[36,658,123],{"class":46},[254,660],{},"Expect ",[33,663,664],{},"301",[33,666,667],{},"308"," to the HTTPS URL.",[222,670,671,674,687,689,690,693,694,696],{},[225,672,673],{},"Test the HTTPS response directly.",[26,675,677],{"className":28,"code":676,"language":30,"meta":31,"style":31},"curl -Ik https:\u002F\u002Fyourdomain.com\n",[33,678,679],{"__ignoreMap":31},[36,680,681,683,685],{"class":38,"line":39},[36,682,117],{"class":42},[36,684,131],{"class":50},[36,686,134],{"class":46},[254,688],{},"Expect a valid HTTP response such as ",[33,691,692],{},"200",", ",[33,695,664],{},", or your application response. A TLS handshake failure indicates certificate, vhost, or listener problems.",[222,698,699,702,725,727],{},[225,700,701],{},"If Certbot changed files unexpectedly, re-run installation for Nginx.",[26,703,705],{"className":28,"code":704,"language":30,"meta":31,"style":31},"sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com\n",[33,706,707],{"__ignoreMap":31},[36,708,709,711,713,716,719,721,723],{"class":38,"line":39},[36,710,43],{"class":42},[36,712,74],{"class":46},[36,714,715],{"class":50}," --nginx",[36,717,718],{"class":50}," -d",[36,720,155],{"class":46},[36,722,718],{"class":50},[36,724,252],{"class":46},[254,726],{},"Review the proposed changes before accepting them.",[222,729,730,733,735,736,358,739,742,743,757,759,760,321],{},[225,731,732],{},"Validate Flask upstream after HTTPS is fixed.",[254,734],{},"If HTTPS loads but the app returns ",[33,737,738],{},"502",[33,740,741],{},"500",", test Gunicorn separately:",[26,744,746],{"className":28,"code":745,"language":30,"meta":31,"style":31},"curl -I http:\u002F\u002F127.0.0.1:8000\n",[33,747,748],{"__ignoreMap":31},[36,749,750,752,754],{"class":38,"line":39},[36,751,117],{"class":42},[36,753,120],{"class":50},[36,755,756],{"class":46}," http:\u002F\u002F127.0.0.1:8000\n",[254,758],{},"Or validate your socket-based upstream permissions and service state. If the proxy target is failing, continue with ",[761,762,764],"a",{"href":763},"\u002Ffix-issues\u002Ffix-nginx-not-connecting-to-gunicorn-connection-refused","Fix: Nginx Not Connecting to Gunicorn (Connection Refused)",[18,766,768],{"id":767},"common-causes","Common Causes",[351,770,771,780,795,807,813,819,829,837,847,857],{},[222,772,773,779],{},[225,774,775,776,778],{},"Wrong ",[33,777,189],{}," in Nginx"," -> Nginx serves another virtual host or default certificate -> set exact domain names and reload Nginx.",[222,781,782,785,786,789,790,317,792,794],{},[225,783,784],{},"Invalid certificate path"," -> Nginx points to a deleted, renamed, or wrong ",[33,787,788],{},"\u002Fetc\u002Fletsencrypt\u002Flive\u002F..."," directory -> update ",[33,791,372],{},[33,793,375],{}," to the active certificate path.",[222,796,797,803,804,806],{},[225,798,799,800,802],{},"Port ",[33,801,193],{}," not configured"," -> Certbot completed but no HTTPS server block is active -> add ",[33,805,357],{}," and reload Nginx.",[222,808,809,812],{},[225,810,811],{},"DNS still points elsewhere"," -> browser reaches another server with another certificate -> update A\u002FAAAA records and wait for propagation.",[222,814,815,818],{},[225,816,817],{},"Default Nginx site takes precedence"," -> requests hit the wrong server block -> disable the default site or set the correct server block as the match for the domain.",[222,820,821,824,825,828],{},[225,822,823],{},"Certbot issued for a different hostname"," -> certificate does not match the requested domain -> reissue with the exact ",[33,826,827],{},"-d"," values you use publicly.",[222,830,831,836],{},[225,832,833,834],{},"Firewall blocks ",[33,835,193],{}," -> HTTP works but HTTPS times out -> allow HTTPS in UFW, cloud firewall, or load balancer rules.",[222,838,839,842,843,846],{},[225,840,841],{},"Broken redirect logic"," -> HTTP redirects to invalid host, loops, or forces malformed URLs -> simplify the port ",[33,844,845],{},"80"," block to a direct HTTPS redirect.",[222,848,849,852,853,856],{},[225,850,851],{},"Nginx reload failed after Certbot edits"," -> old config remains active -> run ",[33,854,855],{},"nginx -t",", fix the error, and reload again.",[222,858,859,862],{},[225,860,861],{},"IPv6 misconfiguration"," -> AAAA record points to a server that is not configured for TLS -> fix IPv6 Nginx binding or remove the AAAA record.",[14,864,865,866,321],{},"If Nginx fails validation after editing TLS directives, use ",[761,867,869],{"href":868},"\u002Ffix-issues\u002Fflask-nginx-config-test-failed-fix-guide","Flask Nginx Config Test Failed (Fix Guide)",[18,871,873],{"id":872},"debugging-section","Debugging Section",[14,875,876],{},"Check the core logs and active configuration.",[14,878,879],{},[225,880,881],{},"Nginx error log",[26,883,885],{"className":28,"code":884,"language":30,"meta":31,"style":31},"sudo tail -n 100 \u002Fvar\u002Flog\u002Fnginx\u002Ferror.log\n",[33,886,887],{"__ignoreMap":31},[36,888,889,891,894,897,900],{"class":38,"line":39},[36,890,43],{"class":42},[36,892,893],{"class":46}," tail",[36,895,896],{"class":50}," -n",[36,898,899],{"class":50}," 100",[36,901,902],{"class":46}," \u002Fvar\u002Flog\u002Fnginx\u002Ferror.log\n",[14,904,905],{},"Look for:",[351,907,908,911,916,919],{},[222,909,910],{},"certificate file errors",[222,912,913,914],{},"bind failures on ",[33,915,193],{},[222,917,918],{},"syntax or include errors",[222,920,921],{},"upstream errors after TLS succeeds",[14,923,924],{},[225,925,926],{},"Nginx access log",[26,928,930],{"className":28,"code":929,"language":30,"meta":31,"style":31},"sudo tail -n 100 \u002Fvar\u002Flog\u002Fnginx\u002Faccess.log\n",[33,931,932],{"__ignoreMap":31},[36,933,934,936,938,940,942],{"class":38,"line":39},[36,935,43],{"class":42},[36,937,893],{"class":46},[36,939,896],{"class":50},[36,941,899],{"class":50},[36,943,944],{"class":46}," \u002Fvar\u002Flog\u002Fnginx\u002Faccess.log\n",[14,946,905],{},[351,948,949,952,955],{},[222,950,951],{},"whether requests are reaching the expected host",[222,953,954],{},"response codes for HTTP and HTTPS",[222,956,957],{},"requests hitting the wrong domain or server block",[14,959,960],{},[225,961,962],{},"Certbot log",[26,964,966],{"className":28,"code":965,"language":30,"meta":31,"style":31},"sudo tail -n 100 \u002Fvar\u002Flog\u002Fletsencrypt\u002Fletsencrypt.log\n",[33,967,968],{"__ignoreMap":31},[36,969,970,972,974,976,978],{"class":38,"line":39},[36,971,43],{"class":42},[36,973,893],{"class":46},[36,975,896],{"class":50},[36,977,899],{"class":50},[36,979,980],{"class":46}," \u002Fvar\u002Flog\u002Fletsencrypt\u002Fletsencrypt.log\n",[14,982,905],{},[351,984,985,988,991,994],{},[222,986,987],{},"issuance failures",[222,989,990],{},"renewal failures",[222,992,993],{},"install-hook problems",[222,995,996],{},"challenge validation errors",[14,998,999],{},[225,1000,1001],{},"Service status",[26,1003,1005],{"className":28,"code":1004,"language":30,"meta":31,"style":31},"sudo systemctl status nginx --no-pager\nsudo journalctl -u nginx -n 100 --no-pager\n",[33,1006,1007,1019],{"__ignoreMap":31},[36,1008,1009,1011,1013,1015,1017],{"class":38,"line":39},[36,1010,43],{"class":42},[36,1012,60],{"class":46},[36,1014,284],{"class":46},[36,1016,47],{"class":46},[36,1018,289],{"class":50},[36,1020,1021,1023,1026,1029,1031,1033,1035],{"class":38,"line":69},[36,1022,43],{"class":42},[36,1024,1025],{"class":46}," journalctl",[36,1027,1028],{"class":50}," -u",[36,1030,47],{"class":46},[36,1032,896],{"class":50},[36,1034,899],{"class":50},[36,1036,289],{"class":50},[14,1038,1039],{},"Look for failed reloads, startup errors, and permission problems.",[14,1041,1042],{},[225,1043,1044],{},"Full loaded Nginx config",[26,1046,1048],{"className":28,"code":1047,"language":30,"meta":31,"style":31},"sudo nginx -T | less\n",[33,1049,1050],{"__ignoreMap":31},[36,1051,1052,1054,1056,1059,1061],{"class":38,"line":39},[36,1053,43],{"class":42},[36,1055,47],{"class":46},[36,1057,1058],{"class":50}," -T",[36,1060,165],{"class":158},[36,1062,1063],{"class":42}," less\n",[14,1065,1066],{},"Search for:",[351,1068,1069,1074,1079,1082],{},[222,1070,1071,1072],{},"duplicate ",[33,1073,189],{},[222,1075,1071,1076],{},[33,1077,1078],{},"listen 443",[222,1080,1081],{},"stale certificate paths",[222,1083,1084],{},"default site catching the request first",[14,1086,1087],{},[225,1088,1089],{},"Open ports",[26,1091,1093],{"className":28,"code":1092,"language":30,"meta":31,"style":31},"sudo ss -ltnp | egrep ':80|:443'\n",[33,1094,1095],{"__ignoreMap":31},[36,1096,1097,1099,1101,1103,1105,1108],{"class":38,"line":39},[36,1098,43],{"class":42},[36,1100,568],{"class":46},[36,1102,571],{"class":50},[36,1104,165],{"class":158},[36,1106,1107],{"class":42}," egrep",[36,1109,1110],{"class":46}," ':80|:443'\n",[14,1112,1113,1114,317,1116,321],{},"Confirm Nginx is listening on both ",[33,1115,845],{},[33,1117,193],{},[14,1119,1120],{},[225,1121,1122],{},"DNS resolution",[26,1124,1126],{"className":28,"code":1125,"language":30,"meta":31,"style":31},"dig +short yourdomain.com\ndig +short www.yourdomain.com\ndig +short AAAA yourdomain.com\n",[33,1127,1128,1136,1144],{"__ignoreMap":31},[36,1129,1130,1132,1134],{"class":38,"line":39},[36,1131,237],{"class":42},[36,1133,240],{"class":46},[36,1135,243],{"class":46},[36,1137,1138,1140,1142],{"class":38,"line":69},[36,1139,237],{"class":42},[36,1141,240],{"class":46},[36,1143,252],{"class":46},[36,1145,1146,1148,1150,1153],{"class":38,"line":80},[36,1147,237],{"class":42},[36,1149,240],{"class":46},[36,1151,1152],{"class":46}," AAAA",[36,1154,243],{"class":46},[14,1156,1157],{},"Verify both IPv4 and IPv6 records point where expected.",[14,1159,1160],{},[225,1161,1162],{},"TLS handshake and SNI behavior",[26,1164,1166],{"className":28,"code":1165,"language":30,"meta":31,"style":31},"openssl s_client -connect yourdomain.com:443 -servername yourdomain.com\n",[33,1167,1168],{"__ignoreMap":31},[36,1169,1170,1172,1174,1176,1178,1180],{"class":38,"line":39},[36,1171,140],{"class":42},[36,1173,143],{"class":46},[36,1175,146],{"class":50},[36,1177,149],{"class":46},[36,1179,152],{"class":50},[36,1181,243],{"class":46},[14,1183,1184],{},"Check:",[351,1186,1187,1190,1193,1196],{},[222,1188,1189],{},"certificate chain",[222,1191,1192],{},"negotiated protocol",[222,1194,1195],{},"verification failures",[222,1197,1198],{},"whether the certificate matches the hostname",[14,1200,1201],{},[225,1202,1203],{},"Upstream test",[14,1205,1206],{},"If HTTPS works but Flask does not load:",[26,1208,1209],{"className":28,"code":745,"language":30,"meta":31,"style":31},[33,1210,1211],{"__ignoreMap":31},[36,1212,1213,1215,1217],{"class":38,"line":39},[36,1214,117],{"class":42},[36,1216,120],{"class":50},[36,1218,756],{"class":46},[14,1220,1221],{},"Or inspect Unix socket permissions and Gunicorn service state.",[14,1223,1224,1225,321],{},"For the base production layout, see ",[761,1226,1228],{"href":1227},"\u002Fdeploy\u002Fdeploy-flask-with-nginx-plus-gunicorn-step-by-step-guide","Deploy Flask with Nginx + Gunicorn (Step-by-Step Guide)",[18,1230,1232],{"id":1231},"checklist","Checklist",[351,1234,1237,1246,1255,1265,1276,1284,1290,1299,1305,1313],{"className":1235},[1236],"contains-task-list",[222,1238,1241,1245],{"className":1239},[1240],"task-list-item",[1242,1243],"input",{"disabled":411,"type":1244},"checkbox"," DNS for the domain points to the correct production server.",[222,1247,1249,1251,1252,1254],{"className":1248},[1240],[1242,1250],{"disabled":411,"type":1244}," Nginx config passes ",[33,1253,855],{}," without errors.",[222,1256,1258,1260,1261,1264],{"className":1257},[1240],[1242,1259],{"disabled":411,"type":1244}," A server block with ",[33,1262,1263],{},"listen 443 ssl"," exists for the correct domain.",[222,1266,1268,1270,1271,317,1273,1275],{"className":1267},[1240],[1242,1269],{"disabled":411,"type":1244}," ",[33,1272,372],{},[33,1274,375],{}," point to valid Let’s Encrypt files.",[222,1277,1279,1281,1282,321],{"className":1278},[1240],[1242,1280],{"disabled":411,"type":1244}," Nginx is listening on port ",[33,1283,193],{},[222,1285,1287,1289],{"className":1286},[1240],[1242,1288],{"disabled":411,"type":1244}," HTTP redirects to HTTPS correctly.",[222,1291,1293,1270,1295,1298],{"className":1292},[1240],[1242,1294],{"disabled":411,"type":1244},[33,1296,1297],{},"curl -Ik https:\u002F\u002Fyourdomain.com"," returns a valid response.",[222,1300,1302,1304],{"className":1301},[1240],[1242,1303],{"disabled":411,"type":1244}," The certificate served matches the requested hostname.",[222,1306,1308,1310,1311,321],{"className":1307},[1240],[1242,1309],{"disabled":411,"type":1244}," Firewall or security group allows inbound ",[33,1312,193],{},[222,1314,1316,1318],{"className":1315},[1240],[1242,1317],{"disabled":411,"type":1244}," Flask\u002FGunicorn upstream is reachable after TLS termination.",[14,1320,1321,1322,321],{},"For full production validation, use ",[761,1323,1325],{"href":1324},"\u002Fchecklist\u002Fflask-production-checklist-everything-you-must-do","Flask Production Checklist (Everything You Must Do)",[18,1327,1329],{"id":1328},"related-guides","Related Guides",[351,1331,1332,1336,1340,1344],{},[222,1333,1334],{},[761,1335,1228],{"href":1227},[222,1337,1338],{},[761,1339,869],{"href":868},[222,1341,1342],{},[761,1343,764],{"href":763},[222,1345,1346],{},[761,1347,1325],{"href":1324},[18,1349,1351],{"id":1350},"faq","FAQ",[14,1353,1354,1357,1359,1360,1362],{},[225,1355,1356],{},"Q: Certbot completed successfully, so why is HTTPS still broken?",[254,1358],{},"\nA: Certbot can issue a valid certificate while Nginx still serves the wrong vhost, wrong certificate path, or an inactive ",[33,1361,193],{}," config.",[14,1364,1365,1368,1370],{},[225,1366,1367],{},"Q: Should Flask or Gunicorn serve HTTPS directly?",[254,1369],{},"\nA: No. In a standard production setup, Nginx handles TLS and proxies to Gunicorn over localhost or a Unix socket.",[14,1372,1373,1376,1378],{},[225,1374,1375],{},"Q: Why am I seeing the wrong certificate in the browser?",[254,1377],{},"\nA: Your request is likely hitting a different Nginx server block, a different server entirely, or a hostname not included in the certificate.",[14,1380,1381,1384,1386,1387,1389],{},[225,1382,1383],{},"Q: Why does HTTP work but HTTPS times out?",[254,1385],{},"\nA: Port ",[33,1388,193],{}," is usually blocked, not listening, or not configured in Nginx.",[14,1391,1392,1395,1397],{},[225,1393,1394],{},"Q: Can IPv6 break HTTPS after Certbot?",[254,1396],{},"\nA: Yes. If your AAAA record points to a host without the same HTTPS configuration, some clients will fail while others work over IPv4.",[18,1399,1401],{"id":1400},"final-takeaway","Final Takeaway",[14,1403,1404,1405,1407],{},"When HTTPS fails after Certbot, the issue is usually not certificate issuance itself but the active Nginx configuration: wrong server block, wrong certificate path, port ",[33,1406,193],{}," not listening, or DNS mismatch. Validate the Nginx config, the served certificate, and the upstream path in that order.",[1409,1410,1411],"style",{},"html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .sVt8B, html code.shiki .sVt8B{--shiki-default:#24292E;--shiki-dark:#E1E4E8}html pre.shiki code .szBVR, html code.shiki .szBVR{--shiki-default:#D73A49;--shiki-dark:#F97583}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":31,"searchDepth":69,"depth":69,"links":1413},[1414,1415,1416,1417,1418,1419,1420,1421,1422],{"id":20,"depth":69,"text":21},{"id":197,"depth":69,"text":198},{"id":216,"depth":69,"text":217},{"id":767,"depth":69,"text":768},{"id":872,"depth":69,"text":873},{"id":1231,"depth":69,"text":1232},{"id":1328,"depth":69,"text":1329},{"id":1350,"depth":69,"text":1351},{"id":1400,"depth":69,"text":1401},"Complete guide on flask https not working after certbot for Flask production environments.","md",{"ogTitle":5,"ogDescription":1423,"twitterCard":1426,"robots":1427,"canonical":1428},"summary_large_image","index, follow","https:\u002F\u002Fflask-deployment.com\u002Ffix-issues\u002Fflask-https-not-working-after-certbot","\u002Ffix-issues\u002Fflask-https-not-working-after-certbot",{"title":5,"description":1423},"fix-issues\u002Fflask-https-not-working-after-certbot","W0OpK8PZ0GJj-zBsIBah-WOgEBBH6F9_hmmvEsA2j3Y",1776805765830]