Nginx: redirect HTTPS site to www HTTPS, need certificate?

nginx https

Yes, you need a certificate for the https:// site to redirect to https://www site. In general the easiest way is to get a certificate that covers both the www and non-www and use that in both server configurations. Let's Encrypt does this no problem.

Why does your configuration work?

I have no idea why your configuration above works, with no certificate specified. As far as I know It shouldn't.

I put your config into my Nginx instance on AWS, slightly tweaked as follows

server {
  listen              443 ssl;
  listen              [::]:443 ssl;
  server_name         example2.com;
  return              301 https://www.example2.com$request_uri;
}

server {
  listen              443 ssl;
  listen              [::]:443 ssl;
  server_name         www.example2.com;

  root /var/www/folder;
}

I added the following to my /etc/hosts

11.0.1.10 example2.com www.example2.com

When I did a wget this is what I got

wget https://www.example2.com
--2017-07-29 08:07:17--  https://www.example2.com/
Resolving www.example2.com (www.example2.com)... 11.0.1.10
Connecting to www.example2.com (www.example2.com)|11.0.1.10|:443...     connected.
Unable to establish SSL connection.

You can see that it can connect to the server, but can't establish an SSL connection. When I use curl I get a different response, but it doesn't work.

curl https://www.example2.com
curl: (35) Encountered end of file

Based on this I think there's something missing from what you've told us.

Here's how it should be

This shows how Nginx should be configured.

# Main website, https www
server {
  server_name www.example.com;
  listen 443 ssl http2; # http2 is optional
  ssl_certificate /path/to/fullchain;
  ssl_certificate_key /path/to/privkey;

  # locations etc
}

# forward https non-www to www
server {
  server_name example.com;
  listen 443 ssl;
  ssl_certificate /path/to/fullchain;
  ssl_certificate_key /path/to/privkey;

  return 301 https://www.example.com$request_uri;
}    

# Forward http to https
server {
    listen       80;
    server_name  example.com www.example.com;
    access_log  /var/log/nginx/access.log main buffer=128k flush=1m if=$log_ua;
    return       301 https://example.com$request_uri;
}

Related

Raid 5 Recovery Process
AWS CodeBuild script fails s3 sync with AccessDenied
quote only if variable is non-empty
Zabbix: What is the difference between `HostMetadata` and `HostMetadataItem`?
Can I overwrite, what `diff` means for a task?
Explicitly empty groups in Ansible
Postfix: Verify all outgoing TLS connections are being established properly
Feeding Multiline STDIN Input to Command
ssh restrictions for user authentication
Is there an Internet Organization to file complaints to about ISP DNS Hijacking?
Internal Network CA: "Invalid Common Name" or Invalid Cert on everything (except Internet Explorer and Windows' Certificates mmc snapin)
Do I really need WSUS and if I disable WSUS will the workstation automatically pickup windows updates?