
I'm trying to install a GoDaddy wildcard SSL certificate on AWS Lightsail (Ubuntu/Nginx). The nginx.conf is mainly the default one that gets installed with nginx...

```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
     worker_connections 768;
}

http {
     server {
             listen              80;
             listen              443 ssl;
             ssl                 on;
             server_name         sub.domain.com;
             ssl_certificate     /etc/ssl/ssl-bundle.crt;
             ssl_certificate_key /etc/ssl/privatekey.key;
             root                /var/www/html;

             ##
             # SSL Settings
             ##
             ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
             ssl_prefer_server_ciphers on;
     }

     ##
     # Basic Settings
     ##
     sendfile on;
     tcp_nopush on;
     tcp_nodelay on;
     keepalive_timeout 65;
     types_hash_max_size 2048;
     # server_tokens off;

     # server_names_hash_bucket_size 64;
     # server_name_in_redirect off;

     include /etc/nginx/mime.types;
     default_type application/octet-stream;

     ##
     # Logging Settings
     ##
     access_log /var/log/nginx/access.log;
     error_log /var/log/nginx/error.log debug;

     ##
     # Gzip Settings
     ##
     gzip on;
     # gzip_vary on;
     # gzip_proxied any;
     # gzip_comp_level 6;
     # gzip_buffers 16 8k;
     # gzip_http_version 1.1;
     # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

     ##
     # Virtual Host Configs
     ##
     include /etc/nginx/conf.d/*.conf;
     include /etc/nginx/sites-enabled/*;
}
```

I did a `sudo nginx -t` and everything looked good so I restarted nginx. In a browser I get "This site can’t be reached". When I do a `curl` it hangs. I've turned debug on for the error.log, so now I get an error like this...

```
2019/03/30 22:08:13 [debug] 11579#11579: accept on 0.0.0.0:80, ready: 0
2019/03/30 22:08:13 [debug] 11579#11579: posix_memalign: 0000557BF61CDE90:512 @16
2019/03/30 22:08:13 [debug] 11579#11579: *2 accept: 212.105.165.121:55888 fd:3
2019/03/30 22:08:13 [debug] 11579#11579: *2 event timer add: 3: 60000:1079834032
2019/03/30 22:08:13 [debug] 11579#11579: *2 reusable connection: 1
2019/03/30 22:08:13 [debug] 11579#11579: *2 epoll add event: fd:3 op:1 ev:80002001
2019/03/30 22:08:26 [debug] 11579#11579: *2 http wait request handler
2019/03/30 22:08:26 [debug] 11579#11579: *2 malloc: 0000557BF61CE8A0:1024
2019/03/30 22:08:26 [debug] 11579#11579: *2 recv: eof:1, avail:1
2019/03/30 22:08:26 [debug] 11579#11579: *2 recv: fd:3 0 of 1024
2019/03/30 22:08:26 [info] 11579#11579: *2 client closed connection while waiting for request, client: 212.105.165.121, server: 0.0.0.0:80
2019/03/30 22:08:26 [debug] 11579#11579: *2 close http connection: 3
2019/03/30 22:08:26 [debug] 11579#11579: *2 event timer del: 3: 1079834032
2019/03/30 22:08:26 [debug] 11579#11579: *2 reusable connection: 0
2019/03/30 22:08:26 [debug] 11579#11579: *2 free: 0000557BF61CE8A0
2019/03/30 22:08:26 [debug] 11579#11579: *2 free: 0000557BF61CDE90, unused: 120
```

Any ideas why this isn't working?

sdexp
    - Did you try both `http://` and `https://`? Which one "hangs"? - Is your EC2 security group open for both port 80 and 443? – MLu Mar 30 '19 at 23:21

1 Answer

Server blocks normally come in below the basic settings or by way of:

`include /etc/nginx/conf.d/*.conf;` or `include /etc/nginx/sites-enabled/*;`

And not before the basic settings of the nginx http block, so I'd give that a shot as a starting point, i.e. https://www.nginx.com/resources/wiki/start/topics/examples/full/

Also:

`listen 443 ssl;` `ssl on;`

are redundant: `ssl on;` is the old way of enabling SSL and I would remove this. `listen 443 ssl;` is the current way of doing it.
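The layout this answer describes, as an added example (not the asker's or the answerer's own configuration): server blocks placed after the basic settings, `ssl on;` removed, and port 80 given its own server block. Names and paths come from the question; the HTTP-to-HTTPS redirect and the narrowed `ssl_protocols` line are assumptions beyond the answer.

```nginx
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    # Basic settings first, as in the stock nginx.conf
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;   # add "debug" back only while troubleshooting

    gzip on;

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    # Port 80 in its own server block. "ssl on;" enables TLS for every listen
    # socket of the server block it appears in, so combining it with
    # "listen 80;" makes nginx expect a TLS handshake on port 80 as well.
    server {
        listen      80;
        server_name sub.domain.com;
        return 301  https://$host$request_uri;   # assumption: send all HTTP to HTTPS
    }

    # TLS is enabled per socket by the "ssl" parameter of listen; no "ssl on;".
    server {
        listen              443 ssl;
        server_name         sub.domain.com;
        ssl_certificate     /etc/ssl/ssl-bundle.crt;    # server cert followed by the CA chain
        ssl_certificate_key /etc/ssl/privatekey.key;
        # Assumption: TLSv1 and TLSv1.1 dropped (deprecated by RFC 8996);
        # append TLSv1.3 where the installed nginx/OpenSSL build supports it.
        ssl_protocols       TLSv1.2;
        ssl_prefer_server_ciphers on;
        root                /var/www/html;
    }
}
```

Validate with `sudo nginx -t` before reloading, and keep the private key readable by root only.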