Http does not redirect to https only at the first access

Hello, I developed a full SSL website with trellis, but have one SSL redirect issue.


  1. http access is NOT redirected to https ONLY at the first access.
  2. ONCE the browser has accessed to https page, it DOES redirect to https even when typing http URL

Does anybody have any idea why it does not work only for the first browser access?
I would appreciate your help a lot!

Steps to reproduce

  1. Access to
  2. You see nginx default top page
  3. Access to
  4. You see the WordPress site by trellis
  5. Type http address with the same browser.
  6. You see the WordPress site instead of nginx default top.

Redirect configuration

There is a nginx redirect configuration on the production as following.

/etc/nginx/sites-enabled$ more

server {
  listen 80;


  include acme-challenge-location.conf;

  location / {
    return 301 https://$host$request_uri;
1 Like

Excellent and thorough issue report.

Why the default Nginx page?

I wouldn’t have expected it to conflict, but I wonder if the /etc/nginx/sites-enabled/default Nginx conf is still present and conflicting. It would serve that default Nginx page we see. If it is still there, maybe the Trellis task to remove the default conf didn’t complete for some reason. If that file is still there, try running the wordpress-setup role again::

ansible-playbook server.yml -e env=production --tags wordpress-setup

Then visit the http version of the site on a fresh browser to see if the https redirect works.

If that doesn’t resolve it, could you tell us what are all the conf files in /etc/nginx/sites-enabled? Maybe there is another file that is conflicting.

Also, I wonder if it might help to see your whole /etc/nginx/sites-enabled/ file – you might post its contents.

Why the redirect to https?

The https redirect block you posted from your nginx conf is appropriate. However, I don’t think it is currently causing the redirect. I believe the redirect is happening because the first successful visit to the https version of the site will set the HSTS header in your browser. From then on, your browser automatically changes an http request to https, so the server will not even see the http request.

Note: You may already know, but you can clear hsts headers to help in testing.


This may or may not be relevant but I know in the past Trellis had some issues with international TLDs; could the version of Trellis that @goodpic is using cause an issue here?

Thank you so much for your detailed suggestions!
I will try them as soon as I return to my console in a few hours.

Thank you for your comment @MWDelaney. I am actually using the latest master (HEAD) tree as I needed merge #731 fix. I googled the international TLDs issue and I suppose that has been already fixed in the latest?

I believe roots/trellis#622 (Jul 26, 2016) resolved the international TLD issue, so that shouldn’t be an issue given that you’re using latest master, @goodpic.
(Thanks @MWDelaney)

A couple other thoughts came to mind.

  1. You may want to SSH into the server and check for config errors with sudo nginx -t
  2. Also sudo service nginx reload to ensure that Nginx is using your latest config. I could see myself making adjustments till everything looks perfect, wondering why my changes aren’t showing up, forgetting that they will not be applied till Nginx is reloaded.

@fullyint Yes, indeed there was a conflict on the nginx conf, and solved by removing it!

The fix

On the production server.

$ cd /etc/nginx/sites-enabled
$ ls

$ more 
server {
  listen 80;
  include acme-challenge-location.conf;

$ sudo rm 
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

$ sudo service nginx reload

Why it happened?

My guess is…
I remember that I had an error when I first provisioned the production server ( ansible-playbook server.yml -e env=production ).

I forgot to set CNAME for the , and the Letsencrpypt task failed because the API could not reach to the site.
I could complete the provisioning after setting CNAME but maybe the was left during the retry?

Thank you @fullyint for your prompt suggestion. You saved my day!

1 Like

roots/trellis#743 should help prevent this for users in the future

1 Like