Loop At Checkout From Billing to Cart After Switching to SSL, Enable SSL Button Does Not Work, Too Many Redirects

2 months ago
Version 4.60.6

My nopCommerce instance (two stores on two separate domains) worked without issue before transitioning to use SSL.

After transitioning to use SSL, the site is accessible prefaced with https and appears to work fine until the user gets to checkout.  At this point, when they click "continue" on the billing address screen, they are redirected back to the cart.

The error shown in the browser is (modified to remove my domain name):

Mixed Content: The page at 'https://www.example.com/onepagecheckout#opc-billing' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.example.com/checkout/OpcSaveBilling/'. This request has been blocked; the content must be served over HTTPS.


Indicating a problem with the https setup...

Upon further inspection, I realized that clicking "Enable SSL" on the stores was not doing anything.  It would refresh the page, but the button would not change to "Disable SSL."  I checked and it indeed was not updating SslEnabled in the database either.

I did change the URL of the stores to start with https:// and end with /

I have tried enabling Use proxy servers in the app settings, leaving the other 3 fields in the Hosting Configuration setting blank, to no avail.

I have tried writing the SslEnabled value for each store to 1 directly in the database.  When I do this, it results in Too Many Redirect errors.  I have tried this with the Use proxy servers setting on and off.  I have tried clearing cookies and opening in a private browsing window.

There are no errors in the logs in the admin panel.

My SSL certificate is only valid for my domains that begin with www.  To accommodate, I am using 301 redirects for the domains without www. to the domains with www.  Additionally, I am using 301 redirects for http:// to https://.  I am using nginx to handle this and as a reverse proxy.  I have tried with these redirects removed and this did not solve the Too Many Redirect problem.
2 months ago
These days browsers like Chrome are not forgiving at all and unless you have everything set up as it should be with the SSL then you are bound to see these errors.
I guess the redirects are getting it confused and it does not like it
You probably either need to run without SSL which is not good these days
Or you need a certificate that handles both www. and no www. or at least just no www.
2 months ago
Yidna wrote:
These days browsers like Chrome are not forgiving at all and unless you have everything set up as it should be with the SSL then you are bound to see these errors.
I guess the redirects are getting it confused and it does not like it
You probably either need to run without SSL which is not good these days
Or you need a certificate that handles both www. and no www. or at least just no www.


Thanks for the response.  I'm not sure I follow.  Even with the 301 redirects entirely disabled, which would simply require users to access the sites from https://www. ..., I still get the "Too Many Redirects" error.  

I can purchase a certificate that accommodates both www. and without, but I would still like to understand/learn why this would be the solution to the symptoms I'm seeing.  I would think that removing the redirects and having the user (myself) type in https://www. ... explicitly would eliminate this variable just the same.  Thoughts?
2 months ago
Please check the following posts. Let me know if one of them helps:

1. https://www.nopcommerce.com/en/boards/topic/89707/problem-with-ssl#279280

2. https://www.nopcommerce.com/en/boards/topic/89707/problem-with-ssl/page/2#299370

3. https://www.nopcommerce.com/en/boards/topic/93970/blocked-content-on-opcsavebilling-with-cloudflare-ssl#306464
2 months ago
a.m. wrote:

Thank you for the response.

Regarding the second URL, I followed the steps as below to no avail:

-Set Hosting config per post in appsettings.json, being sure to use null instead of "".  Restart application.
-Set nginx config to listen to both 80 and 443.  Server names beginning with https://www. ...  Remove all redirects.  (See default.conf contents below)
-Clear application cache
At this point, the Enable SSL button in the admin page of nopCommerce still does not work and merely refreshes the page.
-Set SslEnabled for both stores to 1 in database.
-Restart both Nginx and nopCommerce application
-Clear browser cache, open private window
At this point, both domains beginning with https://www. ... result in too many redirect errors.
Revert
-Return SslEnabled for both stores to 0 in database.
-Restart nopCommerce
At this point, the stores are accessible as originally, but the checkout loop issue is still present.

Here is the nginx configuration (default.conf) that I am using, with my domain names and IPs redacted.  I am questioning if I am setting the proxy_pass correctly.  I am using the public IP of my server with http and with port 8010, which is the port my nopCommerce Docker container listens to.  Note that the SSL certificate is valid for both domains, hence why both server blocks reference the same file.  The SSL certificates are working correctly as I am able to access both sites using https://www. ...

server {
    listen       443 ssl;
    listen  [::]:443 ssl;
    server_name  www.mysite2.com;
  
  ssl_certificate /etc/nginx/ssl/mysite1.crt;
  ssl_certificate_key /etc/nginx/ssl/mysite1.key;

    location / {
        proxy_pass http://<publicIPofserver>:8010;
        proxy_set_header Host            $host;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html/mysite2;
    }

}
server {
    listen       443 ssl;
    listen  [::]:443 ssl;
    server_name  www.mysite1.com;
  
  ssl_certificate /etc/nginx/ssl/mysite1.crt;
  ssl_certificate_key /etc/nginx/ssl/mysite1.key;

    location / {
        proxy_pass http://<publicIPofserver>:8010;
        proxy_set_header Host            $host;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html/mysite1;
    }
  
}
server {
    listen       80;
    listen  [::]:80;
    server_name  www.mysite2.com;

    location / {
        proxy_pass http://<publicIPofserver>:8010;
        proxy_set_header Host            $host;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html/mysite2;
    }

}
server {
    listen       80;
    listen  [::]:80;
    server_name  www.mysite1.com;
  
  ssl_certificate /etc/nginx/ssl/mysite1.crt;
  ssl_certificate_key /etc/nginx/ssl/mysite1.key;

    location / {
        proxy_pass http://<publicIPofserver>:8010;
        proxy_set_header Host            $host;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html/mysite1;
    }
  
}


Regarding the third URL, I do not use Cloudflare so I do not believe this is applicable.

Regarding the first URL, I intend to try this, but this involves a code change which is a more extreme measure.  If this does work, I would like to understand why this code change is required.
2 months ago
a.m. wrote:
Please check the following posts. Let me know if one of them helps:

1. https://www.nopcommerce.com/en/boards/topic/89707/problem-with-ssl#279280



As I said in my last post, I wanted to try this.  Rather than changing the single call of this method that I've happened to see the failure with as described in this post, I went into the method and changed the code to ignore this parameter entirely.  This will essentially force it to use SSL anywhere this method is used.  I have concerns that this could have negative effects elsewhere, and I would still like to understand why this change is required.  But for now it is working.

Below is the new method found in Nop.Core/WebHelper.cs

public virtual string GetStoreLocation(bool? useSsl = null)
{
    var storeLocation = string.Empty;

    //get store host
    //Uncomment here to remove SSL force
    //var storeHost = GetStoreHost(useSsl ?? IsCurrentConnectionSecured());

    //Comment below to remove SSL force
    var storeHost = GetStoreHost(true);


    if (!string.IsNullOrEmpty(storeHost))
    {
        //add application path base if exists
        storeLocation = IsRequestAvailable() ? $"{storeHost.TrimEnd('/')}{_httpContextAccessor.HttpContext.Request.PathBase}" : storeHost;
    }

    //if host is empty (it is possible only when HttpContext is not available), use URL of a store entity configured in admin area
    if (string.IsNullOrEmpty(storeHost))
        storeLocation = _storeContext.Value.GetCurrentStore()?.Url
                        ?? throw new Exception("Current store cannot be loaded");

    //ensure that URL is ended with slash
    storeLocation = $"{storeLocation.TrimEnd('/')}/";

    return storeLocation;
}


Of note, I do not have SslEnabled for the stores.  I would also like to know if that will have any effects elsewhere, as the SSL seems to be working and the store so far seems to be fully functional.

Also, I was able to reenable my redirects from http:// to https:// and from the naked domain to www. successfully.
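
Added example, not part of the thread and not nopCommerce code: a small model of an application behind a reverse proxy that terminates TLS and forwards plain HTTP, reproducing both symptoms reported above (the blocked http:// OpcSaveBilling call and the redirect loop once SslEnabled is set). All function names are hypothetical; the force-HTTPS redirect is an assumed behaviour of the app, and the URL built from the detected scheme mirrors `useSsl ?? IsCurrentConnectionSecured()` in the posted method.

```python
# Simplified model (constructed for illustration, not nopCommerce code) of an
# app behind a reverse proxy that terminates TLS and forwards plain HTTP.

def proxy_forward(url, send_proto_header):
    """What the backend receives: always HTTP, plus an optional X-Forwarded-Proto."""
    scheme, rest = url.split("://", 1)
    host, _, path = rest.partition("/")
    headers = {"Host": host}
    if send_proto_header:
        headers["X-Forwarded-Proto"] = scheme
    return {"scheme": "http", "path": "/" + path, "headers": headers}

def effective_scheme(req, trust_forwarded):
    """Scheme the app believes the client used."""
    if trust_forwarded and "X-Forwarded-Proto" in req["headers"]:
        return req["headers"]["X-Forwarded-Proto"]
    return req["scheme"]

def app_handle(req, ssl_enabled, trust_forwarded):
    """Return (status, value): a redirect target or the AJAX URL the page embeds."""
    scheme = effective_scheme(req, trust_forwarded)
    host = req["headers"]["Host"]
    if ssl_enabled and scheme != "https":
        # Assumed force-HTTPS behaviour: the app thinks the client used HTTP.
        return 301, f"https://{host}{req['path']}"
    return 200, f"{scheme}://{host}/checkout/OpcSaveBilling/"

def browse(url, ssl_enabled, send_proto_header, trust_forwarded, max_hops=20):
    """Follow redirects like a browser and classify the outcome."""
    for _ in range(max_hops):
        req = proxy_forward(url, send_proto_header)
        status, value = app_handle(req, ssl_enabled, trust_forwarded)
        if status == 200:
            mixed = url.startswith("https://") and value.startswith("http://")
            return "mixed content blocked" if mixed else "ok"
        url = value  # follow the redirect back through the proxy
    return "too many redirects"

PAGE = "https://www.example.com/onepagecheckout"  # constructed sample URL

if __name__ == "__main__":
    for ssl, hdr, trust in [(False, False, False), (True, False, True), (True, True, True)]:
        print(ssl, hdr, trust, "->", browse(PAGE, ssl, hdr, trust))
```

On the nginx side the header is sent with `proxy_set_header X-Forwarded-Proto $scheme;` inside each `location` block; the application must also be configured to trust that header for the last case to apply.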