The url in the email comes from JUri::base

That function has not changed for a while
see: https://github.com/joomla/joomla-cms/commits/staging/libraries/src/Uri/Uri.php

You can see it here:

comparing:
https://corefiles.myjoomla.io/pre/joomla/3.8.0/libraries/src/Uri/Uri.php
https://corefiles.myjoomla.io/pre/joomla/3.9.0/libraries/src/Uri/Uri.php

The only change since 3.8.0 has been for "Extra cleanup to remove invalid chars in the URL to prevent injections through broken server implementation"

do you have a hard coded $live_site in /configuration.php ?

Yes Phil, I have $live_site = 'http://my.url' and if that is not optimum I'm happy to change it, however comparing registration.php between 3.8.13 and 3.9.0 I see a number of changes under the headings:

// Admin activation is on and user is verifying their email

and

// Set the link to confirm the user email

and

// Set the link to confirm the user account.

In other words, there are significant code changes in this functionality, which my email logs confirm went wrong exactly when I applied that upgrade.

Although to be honest I haven't taken any time to review the code changes myself yet, I would appreciate your expertise as usual, as well as others'.

REMOVE any setting for $live_site unless you KNOW why you need that. Joomla DOESNT need that to be completed to work correctly.

Yes there were changes in 3.9.0 to User Activations during registration, but I think your issue is an incorrect $live_site param, because you are forcing Joomla to use a http:// url and not allowing it to guess https://

There was a change in how the links are generated. See #21152.

But I can't confirm your claims about Secure option being respected when generating activation links. This option is only used in mod_menu. So even before 3.9 the activation link depended on where registration took place.

Thank you Phil I have changed $live_site = 'http://my.url' to $live_site = '' but the problem still persists. Please let me know if I misunderstood your recommendation and should have deleted the $live_site line altogether.

Thank you Sharky. You are correct that before 3.9 the activation link depended on where registration took place. The issue is that for my site, definitely, the activation link since 3.9 no longer depends on where registration took place, but is always http even though the actual registration page was https. So mod_menu is working correctly, but registration.php is not, as far as my site is concerned.

I hope this helps and please accept my apologies if I am misunderstanding or doing anything else wrong. Many thanks for your ongoing time and expertise.

@izharaazmi is JRoute::link() supposed to build a relative URL when protocol is not being changed?

Yes, It should and it does. Looks like this issue is not related to JRoute rather Uri::base but again Uri::base in administrator will give administrator link. So it must be Uri::root.

If you're looking at $data['siteurl'] = JUri::base(); snippet above, it's a separate issue.

Back to JRoute::link(), a relative link is built here:

Because the link is relative, doing isSsl() is always going to fail:

Also, -1 is passed as $ssl argument wherever we use JRoute::link() but it's not documented as an accepted value. It passes first (loose) check but fails at the second (strict).

I gather from the comments that the symptoms reported do indeed reflect a problem introduced with Joomla 3.9.0 and that those with more expertise and dedication than I are investigating a fix. Please do let me know if I am wrong, or if there is anything I can do to help. Many thanks, Chris

@HLeithner is this Issue solved?

Closing, we have a PR for this #24089