How to fix https not available on Adobe Commerce (Magento)

Steps for Adobe Commerce (Magento)

1. Obtain and install an SSL certificate on your web server (Apache or Nginx) via your hosting provider or Let's Encrypt (e.g. using Certbot: sudo certbot --apache -d yourdomain.com).
2. In your Magento Admin, go to Stores → Configuration → General → Web.
3. Expand the 'Base URLs (Secure)' section and set 'Secure Base URL' to https://yourdomain.com/.
4. Set 'Use Secure URLs on Storefront' and 'Use Secure URLs in Admin' both to 'Yes'.
5. Expand the 'URL Options' section and ensure 'Auto-redirect to Base URL' is set to 'Yes (302 Found)' or 'Yes (301 Moved Permanently)' to redirect HTTP to HTTPS.
6. Clear the Magento cache: System → Cache Management → Flush Magento Cache. Also flush your full-page cache (Varnish if applicable).
7. Update your web server configuration (Apache .htaccess or Nginx server block) to add a server-level 301 redirect from HTTP to HTTPS as an additional safeguard.

<!-- Apache .htaccess — force HTTPS with a 301 redirect -->
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>

<!-- Optional: add HSTS via an HTTP header in .htaccess -->
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" "expr=%{HTTPS} == 'on'"
</IfModule>

What is https not available?

HTTPS (HyperText Transfer Protocol Secure) encrypts the connection between your store and every visitor's browser, so that passwords, payment details, and personal data cannot be intercepted in transit. When a site "does not respond on HTTPS," it means your store is either serving pages only over unencrypted HTTP, or its SSL/TLS certificate is missing, expired, or invalid. The padlock icon customers expect in their browser address bar will be absent — or replaced with a security warning.

Google has used HTTPS as a ranking signal since 2014 and Chrome actively labels HTTP sites as "Not Secure," which destroys visitor trust and tanks conversion rates — shoppers who see that warning leave immediately. Without HTTPS, payment card data, login credentials, and personal information travel over the network in plain text, making your store trivially easy to eavesdrop on and putting you in violation of PCI-DSS requirements for accepting card payments. Regulators and payment processors can fine or de-platform stores that transmit cardholder data without encryption. This is classified as OWASP A02:2021 — Cryptographic Failures, one of the most critical vulnerability categories in web security.

See the complete Https not available guide for every platform and the full background.