Re: Fallback default server sharing cert information about other domains than for the URL you visit ?

Anonymous User
August 09, 2019 02:50PM
Thanks for the help.
I'm really feeling pretty stupid atm since I can't seem to find & understand a how-to document to get this right :-/

So I have this config

server {
    listen 80 http2 default_server;
    listen [::]:80 http2 ipv6only=on default_server;
    server_name _;
    return 301 https://$host;
}

server {
    listen 172.17.0.1:443 ssl http2 default_server;
    listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server;
    server_name _;
    ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
    ssl_certificate "/etc/ssl/dummy.crt.pem";
    ssl_certificate_key "/etc/ssl/dummy.key.pem";
    return 444;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 ipv6only=on default_server;
    server_name _;
    ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
    ssl_certificate "/etc/ssl/dummy.crt.pem";
    ssl_certificate_key "/etc/ssl/dummy.key.pem";
    return 444;
}

server {
    listen 172.17.0.1:80 http2;
    listen [FE80:...:0001]:80 http2;
    server_name example.com www.example.com;
    location / {
        return 301 https://example.com$request_uri;
    }
}

server {
    listen 172.17.0.1:443 ssl http2;
    listen [FE80:...:0001]:443 ssl http2 ipv6only=on default_server;
    server_name example.com www.example.com;
    ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
    ssl_certificate "/etc/ssl/chain.crt.pem";
    ssl_certificate_key "/etc/ssl/privkey.pem";
    add_header Strict-Transport-Security "max-age=315360000; includeSubDomains; preload";
    location / {...}
}

With that config when I try to launch nginx it fails with these errors

Aug 09 11:29:21 myhost nginx[10095]: nginx: [emerg] bind() to [::]:443 failed (98: Address already in use)

If I comment out the IP-less listener

# server {
#     listen 443 ssl http2 default_server;
#     listen [::]:443 ssl http2 ipv6only=on default_server;
#     server_name _;
#     ssl_trusted_certificate "/etc/ssl/trusted.crt.pem";
#     ssl_certificate "/etc/ssl/dummy.crt.pem";
#     ssl_certificate_key "/etc/ssl/dummy.key.pem";
#     return 444;
# }

and try again, I do get a site fail with that "Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for ..." error again.