Configure Firewalld for SSL on the Fedora 29 workstation

I am struggling with firewalld and SSL on a Fedora 29 workstation. I get "connection refused" / "I cannot connect to the server" when I try to open an SSL connection to nginx.

If I stop firewalld with:

sudo systemctl stop firewalld

then I can connect using http and https from a remote system and I get the default Nginx welcome page.

If I start firewalld with

sudo systemctl start firewalld

then I can connect using http but I cannot connect using https; I get the error "I cannot connect to the server", so the problem seems to be my firewalld configuration.

I had configured firewalld for http and https as follows:

> sudo firewall-cmd --set-default-zone=public
> sudo firewall-cmd --zone=public --add-service=https --permanent
> sudo firewall-cmd --zone=public --add-service=http --permanent
> sudo firewall-cmd --zone=public --add-masquerade --permanent
> sudo firewall-cmd --reload

and now:

> sudo firewall-cmd --get-default-zone
> sudo firewall-cmd --get-active-zones
interfaces: ens33
> sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
services: dhcpv6-client http https mdns ssh
masquerade: yes
forward-ports:
source-ports:
rich rules:

Which brings me to the point where http works but not https when firewalld is enabled.

I have tried to shut down SELinux with:

sudo setenforce 0

but with the same result: https connections are rejected when firewalld is enabled.

I have also tried to enable firewalld logging, but even at log level 10 with everything denied, I do not get a log entry for the connection attempt after firewalld has been started.

I suspect that the problem here is my self-signed SSL certificate, known to nginx but not to firewalld, but I cannot find anything that shows how to point firewalld at my CA certificate.

sudo systemctl disable firewalld

Any suggestions for getting firewalld to accept my SSL connections?
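A check worth running in this situation, added here as an example and not part of the original post: compare the ports nginx is actually listening on with the ports the active firewalld zone allows, so a "firewall blocks 443" case can be told apart from a "nothing is bound to 443" case. The zone dump and the `ss -ltn` output below are constructed sample input, and the service-to-port table is a stand-in for the real firewalld service definitions (on a live host, `firewall-cmd --info-service=https` gives the authoritative ports).

```shell
#!/bin/sh
# Added diagnostic, not from the original post. Runs offline on constructed
# input; on a real host feed it the output of
#   sudo firewall-cmd --zone=public --list-all    and    ss -ltn

# Constructed sample: the zone dump shown in the question.
ZONE_DUMP='public (active)
  target: default
  interfaces: ens33
  services: dhcpv6-client http https mdns ssh
  ports:
  masquerade: yes'

# Constructed sample: nginx bound to port 80 only, nothing on 443.
SS_DUMP='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128          0.0.0.0:80        0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*'

# Stand-in for /usr/lib/firewalld/services/*.xml (assumption: only these three).
service_port() {
  case "$1" in
    http) echo 80 ;; https) echo 443 ;; ssh) echo 22 ;;
  esac
}

# Ports a zone dump allows: named services resolved to ports, plus explicit "ports:".
allowed_ports() {
  printf '%s\n' "$1" | awk '
    /^ *services:/ { for (i = 2; i <= NF; i++) print "svc " $i }
    /^ *ports:/    { for (i = 2; i <= NF; i++) { split($i, a, "/"); print "port " a[1] } }' |
  while read -r kind name; do
    if [ "$kind" = svc ]; then service_port "$name"; else echo "$name"; fi
  done | sort -n | uniq
}

# TCP ports with a listening socket in "ss -ltn" output (last ":"-field of column 4).
listening_ports() {
  printf '%s\n' "$1" | awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -n | uniq
}

# Verdict for one port: 0 = listening and allowed, 1 = zone does not allow it,
# 2 = nothing is listening (the firewall is not the culprit), 3 = both.
check_port() {
  port=$1; zone=$2; ss=$3; rc=0
  allowed_ports "$zone" | grep -qx "$port" || rc=$((rc + 1))
  listening_ports "$ss" | grep -qx "$port" || rc=$((rc + 2))
  return $rc
}

check_port 443 "$ZONE_DUMP" "$SS_DUMP" || echo "port 443: status code $?"
```

With the sample input the script reports status code 2 for port 443: the zone allows https, but no socket is bound to 443, which is the case to rule out before touching firewalld further.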