HTTPS not working for OpenCArt install in subfolder

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

  • I generated and installed SSL certificates using CertSage for domains and
  • I installed OpenCart in the subfolder Order using the Installatron app supplied with cPanel.
  • I visited httpds:// to complete installation

It produced this output:

  • I was redirected to http and got error message saying my connection was not secure.
  • Connections to are still secure, no errors

My web server is (include version): Linux (version?)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: TSOHost

I can login to a root shell on my machine (yes or no, or I don't know): I don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel 102.0 (build 32)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certsage 1.4.0

I don't see such a redirect? Your OpenCart site is severely broken (PHP warnings visible, mixed content all over the place), but at least its broken contents are securely send to my webbrowser. Maybe you need to clear your browsers cache.

1 Like

Thanks for the response.

1 Like

I've fixed the php errors.

There's still a redirect error on order/admin.

And a redirect on Your Store

Root works as expected:

curl -Ii
HTTP/2 200
last-modified: Sun, 17 Sep 2023 14:53:01 GMT
etag: "21014cf-6e9-6058f2ea9cd4f"
accept-ranges: bytes
content-length: 1769
vary: Accept-Encoding
content-type: text/html
date: Sat, 21 Oct 2023 20:49:56 GMT
server: Apache

ORDER fails:

curl -Ii
HTTP/2 301
content-type: text/html; charset=iso-8859-1
date: Sat, 21 Oct 2023 20:47:00 GMT
server: Apache

Seems like there is nothing handling the order location and it falls through.

[since we are dealing with Apache...]

There may be some name:port overlap that is messing things up.
What show?:

sudo apachectl -t -D DUMP_VHOSTS

sudo grep -Ri order /etc/apache2


Why is that a fail? This kind of redirect is expected for directories: it just adds the slash / which is supposed to be there for directories. If you'd use the -L option, you'd see curl following the redirect to the actual store:

osiris@erazer ~ $ curl -LIv
*   Trying
* Connected to ( port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject:
*  start date: Sep 18 16:50:02 2023 GMT
*  expire date: Dec 17 16:50:01 2023 GMT
*  subjectAltName: host "" matched cert's ""
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: HEAD]
* h2 [:scheme: https]
* h2 [:authority:]
* h2 [:path: /order]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55a1a1139140)
> HEAD /order HTTP/2
> Host:
> User-Agent: curl/8.1.2
> Accept: */*
< HTTP/2 301 
HTTP/2 301 
< location:
< content-type: text/html; charset=iso-8859-1
content-type: text/html; charset=iso-8859-1
< date: Sat, 21 Oct 2023 21:38:53 GMT
date: Sat, 21 Oct 2023 21:38:53 GMT
< server: Apache
server: Apache

* Connection #0 to host left intact
* Issue another request to this URL: ''
* Found bundle for host: 0x55a1a1120870 [can multiplex]
* Re-using existing connection #0 with host
* h2 [:method: HEAD]
* h2 [:scheme: https]
* h2 [:authority:]
* h2 [:path: /order/]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 3 (easy handle 0x55a1a1139140)
> HEAD /order/ HTTP/2
> Host:
> User-Agent: curl/8.1.2
> Accept: */*
< HTTP/2 200 
HTTP/2 200 
< x-powered-by: PHP/8.0.30
x-powered-by: PHP/8.0.30
< set-cookie: OCSESSID=473b95d0deb22897121b397021; path=/
set-cookie: OCSESSID=473b95d0deb22897121b397021; path=/
< set-cookie: language=en-gb; expires=Mon, 20-Nov-2023 21:38:54 GMT; Max-Age=2592000; path=/;
set-cookie: language=en-gb; expires=Mon, 20-Nov-2023 21:38:54 GMT; Max-Age=2592000; path=/;
< set-cookie: currency=USD; expires=Mon, 20-Nov-2023 21:38:54 GMT; Max-Age=2592000; path=/;
set-cookie: currency=USD; expires=Mon, 20-Nov-2023 21:38:54 GMT; Max-Age=2592000; path=/;
< vary: Accept-Encoding
vary: Accept-Encoding
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< date: Sat, 21 Oct 2023 21:38:53 GMT
date: Sat, 21 Oct 2023 21:38:53 GMT
< server: Apache
server: Apache

* Connection #0 to host left intact
osiris@erazer ~ $ 

See? Works as intended.


I stand corrected.
My oversight/undersight - LOL


Thanks for all your help.

If the 301 isn't a fail AND the certificate is accepted, why do browsers report that the connection is insecure?

On Firefox, if I "Disable protection" the webpage renders correctly (over http), with the theme. With protection enabled it renders as text (over https).

Any advice appreciated


1 Like

The URL:
Produces content that contains "http://" 88 times!

You need to remove the HTTP from the code.
It should be self-referenced.

The first occurrence starts the ball rolling in that wrong direction:
<base href="" />

<base href="" />
<link href="" rel="icon" />
  <form action="" method="post" enctype="multipart/form-data" id="form-currency">
    <input type="hidden" name="redirect" value="" />
        <li><a href=""><i class="fa fa-phone"></i></a> <span class="hidden-xs hidden-sm hidden-md">123456789</span></li>
        <li class="dropdown"><a href="" title="My Account" class="dropdown-toggle" data-toggle="dropdown"><i class="fa fa-user"></i> <span class="hidden-xs hidden-sm hidden-md">My Account</span> <span class="caret"></span></a>
                        <li><a href="">Register</a></li>
            <li><a href="">Login</a></li>
        <li><a href="" id="wishlist-total" title="Wish List (0)"><i class="fa fa-heart"></i> <span class="hidden-xs hidden-sm hidden-md">Wish List (0)</span></a></li>
        <li><a href="" title="Shopping Cart"><i class="fa fa-shopping-cart"></i> <span class="hidden-xs hidden-sm hidden-md">Shopping Cart</span></a></li>
        <li><a href="" title="Checkout"><i class="fa fa-share"></i> <span class="hidden-xs hidden-sm hidden-md">Checkout</span></a></li>
        <div id="logo"><a href=""><img src="" title="My e-commerce" alt="My e-commerce" class="img-responsive" /></a></div>
                        <li class="dropdown"><a href=";path=20" class="dropdown-toggle" data-toggle="dropdown">Desktops</a>
                                <li><a href=";path=20_26">PC (0)</a></li>
                                <li><a href=";path=20_27">Mac (1)</a></li>
            <a href=";path=20" class="see-all">Show All Desktops</a> </div>
                                <li class="dropdown"><a href=";path=18" class="dropdown-toggle" data-toggle="dropdown">Laptops &amp; Notebooks</a>
                                <li><a href=";path=18_46">Macs (0)</a></li>
                                <li><a href=";path=18_45">Windows (0)</a></li>
            <a href=";path=18" class="see-all">Show All Laptops &amp; Notebooks</a> </div>
                                <li class="dropdown"><a href=";path=25" class="dropdown-toggle" data-toggle="dropdown">Components</a>
                                <li><a href=";path=25_29">Mice and Trackballs (0)</a></li>
                                <li><a href=";path=25_28">Monitors (2)</a></li>
                                <li><a href=";path=25_30">Printers (0)</a></li>
                                <li><a href=";path=25_31">Scanners (0)</a></li>
                                <li><a href=";path=25_32">Web Cameras (0)</a></li>
            <a href=";path=25" class="see-all">Show All Components</a> </div>
                                <li><a href=";path=57">Tablets</a></li>
                                <li><a href=";path=17">Software</a></li>
                                <li><a href=";path=24">Phones &amp; PDAs</a></li>
                                <li><a href=";path=33">Cameras</a></li>
                                <li class="dropdown"><a href=";path=34" class="dropdown-toggle" data-toggle="dropdown">MP3 Players</a>
                                <li><a href=";path=34_43">test 11 (0)</a></li>
                                <li><a href=";path=34_44">test 12 (0)</a></li>
                                <li><a href=";path=34_47">test 15 (0)</a></li>
                                <li><a href=";path=34_48">test 16 (0)</a></li>
                                <li><a href=";path=34_49">test 17 (0)</a></li>
                                <li><a href=";path=34_50">test 18 (0)</a></li>
                                <li><a href=";path=34_51">test 19 (0)</a></li>
                                <li><a href=";path=34_52">test 20 (0)</a></li>
                                <li><a href=";path=34_53">test 21 (0)</a></li>
                                <li><a href=";path=34_54">test 22 (0)</a></li>
                                <li><a href=";path=34_55">test 23 (0)</a></li>
                                <li><a href=";path=34_56">test 24 (0)</a></li>
                                <li><a href=";path=34_38">test 4 (0)</a></li>
                                <li><a href=";path=34_37">test 5 (0)</a></li>
                                <li><a href=";path=34_39">test 6 (0)</a></li>
                                <li><a href=";path=34_40">test 7 (0)</a></li>
                                <li><a href=";path=34_41">test 8 (0)</a></li>
                                <li><a href=";path=34_42">test 9 (0)</a></li>
            <a href=";path=34" class="see-all">Show All MP3 Players</a> </div>
    <div class="swiper-wrapper">       <div class="swiper-slide text-center"><a href="index.php?route=product/product&amp;path=57&amp;product_id=49"><img src="" alt="iPhone 6" class="img-responsive" /></a></div>
            <div class="swiper-slide text-center"><img src="" alt="MacBookAir" class="img-responsive" /></div>
      <div class="image"><a href=";product_id=43"><img src="" alt="MacBook" title="MacBook" class="img-responsive" /></a></div>
        <h4><a href=";product_id=43">MacBook</a></h4>
      <div class="image"><a href=";product_id=40"><img src="" alt="iPhone" title="iPhone" class="img-responsive" /></a></div>
        <h4><a href=";product_id=40">iPhone</a></h4>
      <div class="image"><a href=";product_id=42"><img src="" alt="Apple Cinema 30&quot;" title="Apple Cinema 30&quot;" class="img-responsive" /></a></div>
        <h4><a href=";product_id=42">Apple Cinema 30&quot;</a></h4>
      <div class="image"><a href=";product_id=30"><img src="" alt="Canon EOS 5D" title="Canon EOS 5D" class="img-responsive" /></a></div>
        <h4><a href=";product_id=30">Canon EOS 5D</a></h4>
    <div class="swiper-wrapper">      <div class="swiper-slide text-center"><img src="" alt="NFL" class="img-responsive" /></div>
            <div class="swiper-slide text-center"><img src="" alt="RedBull" class="img-responsive" /></div>
            <div class="swiper-slide text-center"><img src="" alt="Sony" class="img-responsive" /></div>
            <div class="swiper-slide text-center"><img src="" alt="Coca Cola" class="img-responsive" /></div>
            <div class="swiper-slide text-center"><img src="" alt="Burger King" class="img-responsive" /></div>
            <div class="swiper-slide text-center"><img src="" alt="Canon" class="img-responsive" /></div>
            <div class="swiper-slide text-center"><img src="" alt="Harley Davidson" class="img-responsive" /></div>
            <div class="swiper-slide text-center"><img src="" alt="Dell" class="img-responsive" /></div>
            <div class="swiper-slide text-center"><img src="" alt="Disney" class="img-responsive" /></div>
            <div class="swiper-slide text-center"><img src="" alt="Starbucks" class="img-responsive" /></div>
            <div class="swiper-slide text-center"><img src="" alt="Nintendo" class="img-responsive" /></div>
                   <li><a href=";information_id=4">About Us</a></li>
                    <li><a href=";information_id=6">Delivery Information</a></li>
                    <li><a href=";information_id=3">Privacy Policy</a></li>
                    <li><a href=";information_id=5">Terms &amp; Conditions</a></li>
          <li><a href="">Contact Us</a></li>
          <li><a href="">Returns</a></li>
          <li><a href="">Site Map</a></li>
          <li><a href="">Brands</a></li>
          <li><a href="">Gift Certificates</a></li>
          <li><a href="">Affiliate</a></li>
          <li><a href="">Specials</a></li>
          <li><a href="">My Account</a></li>
          <li><a href="">Order History</a></li>
          <li><a href="">Wish List</a></li>
          <li><a href="">Newsletter</a></li>
    <p>Powered By <a href="">OpenCart</a><br /> My e-commerce &copy; 2023</p>

Ouch. This is a vanilla install of OpenCart done using the webhost's own installation package. I'll raise a support ticket with them.



1 Like

You shouldn't be able to load the page over HTTP, as there is an HTTP to HTTPS redirect in place. See my curl output above.

It might be a setting in OpenCart. For example, with WordPress the settings manager has a configuration for the sites URL. If that URL starts with http://, it'll incorrectly generate the URLs inside the WordPress code and it has to start with https://. Maybe OpenCart also has such a setting.

Looking at the "Settings General" (odd order of the two words :roll_eyes:) at Settings General - OpenCart Documentation, you can see there indeed exists a " Store URL" option. It claims you need to include the http: in the beginning, but I'm preeeetty sure that needs to be https://.

1 Like

Thanks for your help.

PEBKAC (problem exists between keyboard and chair).

I failed to notice that there was a drop down in the installer that offered choice between http and https.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.