Saving Workflow on HTTPS server reverts to HTTP

I am having issues with HTTPS. I have enforced HTTPS on my site at server level and within .htaccess. But when I edit a Workflow and then try to save it I get an http 500 error. It seems that it is trying to save it under http without using ssl for some reason. I have changed the “site url” in the config.php to have https in it but to no avail. I have also cleared out my cache.

Any help from you good folks would be appreciated.



Check your config.php for the values stored under site_url and host_name, the HTTP could be coming from there.

Check also config_override.php in case you have these values overriden there.

Thank you for the reply, but no that is not the answer. It is only when I edit a record and then go to save that record that it kicks me out to an http page with a 500 error, (understandably) . I then have to log back in and I find that the record has been saved.

Any further suggestions would be appreciated. Don’t particularly wish to go back to http only.

The part that seems to be failing is:

<input title="Save" accesskey="a" class="button primary" onclick="var _form = document.getElementById('EditView'); _form.action.value='Save'; if(check_form('EditView'))SUGAR.ajaxUI.submitForm(_form);return false;" type="submit" name="button" value="Save" id="SAVE">

Is there some configuration within the form save function that is not using the correct configuration of the site?

I think that is simply going through SugarController.php Save action, and that it uses the normal redirect (after saving a an edit view, it redirects to the detail view). This relies on site_url.

What exactly do you have in site_url? Does it end with a slash?

If your config_override.php file Please set verify_client_ip to false

'verify_client_ip' => false,

‘site_url’ => ‘’, without a / at the end.

I also have tried setting 'verify_client_ip => false and that has no effect either. I am just wondering if there is a hard coded http crept into the code somewhere that has not been noticed?

This is the Save Action out of SugarController.php:

* Specify what happens after the save has occurred.
protected function post_save()
$module = (!empty($this->return_module) ? $this->return_module : $this->module);
$action = (!empty($this->return_action) ? $this->return_action : ‘DetailView’);
$id = (!empty($this->return_id) ? $this->return_id : $this->bean->id);

    $url = "index.php?module=" . $module . "&action=" . $action . "&record=" . $id;

There is no reference to it using site_url in the code.

Then that is used in SugarApplication::redirect, then that calls into Javascvript loadContent

It doesn’t seem to use site_url, you are right. It just stays in the current domain and protocol, only changes the URL parts after that.

I don’t think a stray http:// is in the code, it would have shown up long ago.

Maybe something in your .htaccess is changing it?

Here is my .htaccess:

This is a standard one from suitecrm


RedirectMatch 403 .*\.log$
RedirectMatch 403 /+not_imported_.*\.txt
RedirectMatch 403 /+(soap|cache|xtemplate|data|examples|include|log4php|metadata|modules|vendor)/+.*\.(php|tpl)
RedirectMatch 403 /+emailmandelivery\.php
RedirectMatch 403 /+.git
RedirectMatch 403 /+.cache/
RedirectMatch 403 /+tests
RedirectMatch 403 /+RoboFile\.php
RedirectMatch 403 /+composer\.json
RedirectMatch 403 /+composer\.lock
RedirectMatch 403 /+upload
RedirectMatch 403 /+custom/+blowfish
RedirectMatch 403 /+cache/+diagnostic
RedirectMatch 403 /+files\.md5$

<IfModule mod_rewrite.c>
    Options +SymLinksIfOwnerMatch
    Options -Indexes
    Options -MultiViews
    RewriteEngine On
    RewriteBase /crm
    RewriteRule ^cache/jsLanguage/(.._..).js$ index.php?entryPoint=jslang&modulename=app_strings&lang=$1 [L,QSA]
    RewriteRule ^cache/jsLanguage/(\w*)/(.._..).js$ index.php?entryPoint=jslang&modulename=$1&lang=$2 [L,QSA]

    # --------- DEPRECATED --------
    RewriteRule ^api/(.*)$ - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteRule ^api/(.*?)$ lib/API/public/index.php/$1 [L]
    # -----------------------------

    RewriteRule ^Api/(.*)$ - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
    RewriteRule ^Api/access_token$ Api/index.php/access_token [L]
    RewriteRule ^Api/V8/(.*?)$ Api/index.php/V8/$1 [L]
<IfModule mod_headers.c>
    Header unset ETag
    FileETag None
<IfModule mod_headers.c>
    Header unset X-Powered-By
    Header always unset X-Powered-By
<IfModule mod_expires.c>
 ExpiresActive on
 ExpiresDefault "access plus 1 month"

 # CSS
 ExpiresByType text/css "access plus 1 year"
 # Data
 ExpiresByType application/atom+xml "access plus 1 hour"
 ExpiresByType application/rdf+xml "access plus 1 hour"
 ExpiresByType application/rss+xml "access plus 1 hour"
 ExpiresByType application/json "access plus 0 seconds"
 ExpiresByType application/ld+json "access plus 0 seconds"
 ExpiresByType application/schema+json "access plus 0 seconds"
 ExpiresByType application/geo+json "access plus 0 seconds"
 ExpiresByType application/xml "access plus 0 seconds"
 ExpiresByType text/calendar "access plus 0 seconds"
 ExpiresByType text/xml "access plus 0 seconds"

 # Favicon
 ExpiresByType image/x-icon "access plus 1 week"

 ExpiresByType text/html "access plus 0 seconds"

 # JavaScript
 ExpiresByType application/javascript "access plus 1 year"
 ExpiresByType application/x-javascript "access plus 1 year"
 ExpiresByType text/javascript "access plus 1 year"

 # Markdown
 ExpiresByType text/markdown "access plus 0 seconds"

 # Media files
 ExpiresByType audio/ogg "access plus 1 month"
 ExpiresByType image/bmp "access plus 1 month"
 ExpiresByType image/gif "access plus 1 month"
 ExpiresByType image/jpeg "access plus 1 month"
 ExpiresByType image/jpg "access plus 1 month"
 ExpiresByType image/png "access plus 1 month"
 ExpiresByType image/svg+xml "access plus 1 month"
 ExpiresByType image/webp "access plus 1 month"
 ExpiresByType video/mp4 "access plus 1 month"
 ExpiresByType video/ogg "access plus 1 month"
 ExpiresByType video/webm "access plus 1 month"

 # Fonts
 ExpiresByType font/eot "access plus 1 month"
 ExpiresByType font/opentype "access plus 1 month"
 ExpiresByType font/otf "access plus 1 month"
 ExpiresByType application/x-font-ttf "access plus 1 month"
 ExpiresByType font/ttf "access plus 1 month"
 ExpiresByType application/font-woff "access plus 1 month"
 ExpiresByType application/x-font-woff "access plus 1 month"
 ExpiresByType font/woff "access plus 1 month"
 ExpiresByType application/font-woff2 "access plus 1 month"
 ExpiresByType font/woff2 "access plus 1 month"

 # Other
 ExpiresByType text/x-cross-domain-policy "access plus 1 week"
<IfModule mod_headers.c>
    Header set X-Content-Type-Options "nosniff"
<IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteCond %{REQUEST_URI} (.+)/$
        RewriteRule ^ %1 [R=301,L]

Can;t see anything in there that is making this happen.

When the 500 error appears it is just on the rest of the usl that should redirect back to the detail view of the record is missing.

To be honest, I don’t understand htaccess files. If you say that is the default, that is enough for me…

Maybe the “Network” tab in your browser will give you some additional details about the redirect. but if not, I am a bit lost, I don’t know what else to tell you…

Thank you for the suggestions. I hope that someone else will have some ideas as this is going to be difficult to use suitecrm with it doing this all the time we wish to save an edit.

Regards, Chris.

Is this still happening only on Workflows module, or on every module?

I would try some variations to see what could be peculiar about your installation that could be causing this:

This seems to be in all modules. “Create New” edit form “Save” leads to the 500 error. Log back into suitecrm and the entry has been saved. It is only when I go to save either a new entry or edit an entry and try and save it. Inline editing works fine.

Using the and softaculous it works fine so don’t think it is browser related. Both of those are https.

I think it is about time that I did a re-install of suitecrm. But has anyone written down the procedure for doing it whilst preserving the data that already exists. I have added a lot of custom fields and it would be a great shame to have to add them all again. (Also time consuming.)

All help would be appreciated.

OK, just as an update, a new installation works as it should. Is there any way to transfer all the Custom fields from the old installation to the new one without having to add them all from scratch?

I have now followed one of your previous posts on transferring the Custom folder and pointed the new installation to the old database and it works!!! Repair and there it all is. Thank you for your time.
Regards, Chris.


Well, nearly! It was working this morning and now has stopped with the same problem. The “Save and Continue” button works. It saves the record and takes me to edit the next record. The “Save” button was working for about 4 edits correctly and now produces a blank 500 error screen again. The record is saved correctly but it does not take me back to the list of contacts as it should. :japanese_ogre:

With a 500 error you will very likely find a FATAL in your php_errors.log (or whatever log name you have defined in php.ini).

The following is the error we are seeing in the error log file:

2020-06-17 14:06:10 UTC [apache][suexec:error] [pid 42093] error: directory is writable by others, execution denied. cwd: /home/u147-faee9v5gdrt9/www/

I have checked the permissions on the css directory and they were set to 775 as per the instructions in the installation manual. I have changed them to 755 with the same result.

Any further information would be of assistance.