Deploy code version2.zip failed (upload step): 403 (Forbidden ) #117

Closed
awarberg opened this issue Mar 26, 2020 · 24 comments
Labels
help wanted Extra attention is needed

Comments

@awarberg

awarberg commented Mar 26, 2020

Having followed the step-by-step guide at https://github.com/SalesforceCommerceCloud/sfcc-ci#how-do-i-get-set-up I was able to run sfcc-ci code:list and get a successful response listing my code versions.

When I try to run sfcc-ci code:deploy version2.zip I get "Deploy code version2.zip failed (upload step): 403 (Forbidden )". I have checked that the API Client ID appears correctly in Administration > Organization > WebDAV Client Permissions.

NB. The output of sfcc-ci client:auth is "Authentication succeeded" where dw.json contains the client-id and client-secret of same API Client and my personal login.

What are the correct instructions that I should follow to make code deployments work, apart from the How-do-I-get-set-up guide?

@tobiaslohr tobiaslohr added the help wanted Extra attention is needed label Mar 26, 2020
@tobiaslohr (Contributor)

tobiaslohr commented Mar 26, 2020

Hi @awarberg, can you copy-paste your WebDAV client permissions here (IMPORTANT: remove your client ID before pasting)? You most likely miss the write permission for your client ID for the cartridges repo on your environment. It must be:

{"clients":[{
    "client_id": "YOUR_CLIENT_ID",
    "permissions": [
        { "path": "/cartridges", "operations": ["read_write"] }
    ]
}]}

@awarberg (Author)

awarberg commented Mar 27, 2020

Hi Tobias,

These are my WebDAV client permissions on Staging:

{
    "clients":
    [{
            "client_id": "XXX",
            "permissions":
            [{
                    "path": "/impex",
                    "operations": [
                        "read_write"
                    ]
                }, {
                    "path": "/cartridges",
                    "operations": [
                        "read_write"
                    ]
                }, {
                    "path": "/static",
                    "operations": [
                        "read_write"
                    ]
                }
            ]
        }
    ]
}

@tobiaslohr (Contributor)

The settings are correct. If this is staging, probably there is 2FA for code upload enabled on your staging instance?! In that case, you'd have to generate a certificate using the cert bundle provided via a support case and then use the --certificate and --passphrase flags with the sfcc-ci code:deploy command

@awarberg (Author)

awarberg commented Mar 27, 2020

Good point, I read that 2FA will be required on April 1st! I have tried to check whether my Staging instance was configured but this setting does not exist under Administration > Global preferences > Security > Access Restriction > Code Upload.

From https://xchange.demandware.com/docs/DOC-52987 (screenshot omitted):

Anyways, I tried using my certificate and passphrase but am getting the same error message:
sfcc-ci code:deploy dist/version2.zip --certificate awa.p12 --passphrase XXX =>
Error: Deploy code dist/version2.zip failed (upload step): 403 (Forbidden )

@tobiaslohr (Contributor)

Is there a chance you can run with --debug flag and paste the results here? You don't have to put the whole output, I'd be interested in the actual http request/response. Please remove any tokens or similar critical information from the text.

@awarberg (Author)

This is the debug output. Thanks for taking the time!

PS C:\Projects\XXX> sfcc-ci code:deploy version2.zip --certificate awa.p12 --passphrase XXX --debug
[DEBUG] Configuration loaded from C:\Projects\XXX/dw.json
REQUEST {
  baseUrl: 'https://staging-eu01-xxx.demandware.net',
  uri: '/on/demandware.servlet/webdav/Sites/cartridges/version2.zip',
  auth: { bearer: 'xxx' },
  strictSSL: true,
  method: 'PUT',
  agentOptions: {
    pfx: <Buffer 30 82 0d 20 02 01 03 30 82 0c e6 06 09 2a 86 48 86 f7 0d 01 07 01 a0 82 0c d7 04 82 0c d3 30 82 0c cf 30 82 07 6f 06 09 2a 86 48 86 f7 0d 01 07 06 a0 ... 3314 more bytes>,
    passphrase: 'xxx'
  },
  callback: [Function]
}
REQUEST make request https://staging-eu01-xxx.demandware.net/on/demandware.servlet/webdav/Sites/cartridges/version2.zip
{
  request: {
    debugId: 1,
    uri: 'https://staging-eu01-xxx.demandware.net/on/demandware.servlet/webdav/Sites/cartridges/version2.zip',
    method: 'PUT',
    headers: {
      host: 'staging-eu01-xxx.demandware.net',
      authorization: 'Bearer xxx',
      'content-type': 'application/zip'
    }
  }
}
REQUEST onRequestResponse https://staging-eu01-xxx.demandware.net/on/demandware.servlet/webdav/Sites/cartridges/version2.zip 403 {
  'accept-ranges': 'bytes',
  'x-dw-request-base-id': 'xxx',
  'x-error': '1',
  'set-cookie': [
    'dwsid=xxx; path=/; HttpOnly; Secure'
  ],
  'content-type': 'text/html;charset=ISO-8859-1',
  'content-length': '412',
  date: 'Fri, 27 Mar 2020 08:51:25 GMT',
  connection: 'close',
  server: 'Apache'
}
REQUEST reading response's body
REQUEST finish init function https://staging-eu01-xxx.demandware.net/on/demandware.servlet/webdav/Sites/cartridges/version2.zip
REQUEST response end https://staging-eu01-xxx.demandware.net/on/demandware.servlet/webdav/Sites/cartridges/version2.zip 403 {
  'accept-ranges': 'bytes',
  'x-dw-request-base-id': 'xxx',
  'x-error': '1',
  'set-cookie': [
    'dwsid=xxx; path=/; HttpOnly; Secure'
  ],
  'content-type': 'text/html;charset=ISO-8859-1',
  'content-length': '412',
  date: 'Fri, 27 Mar 2020 08:51:25 GMT',
  connection: 'close',
  server: 'Apache'
}
REQUEST end event https://staging-eu01-xxx.demandware.net/on/demandware.servlet/webdav/Sites/cartridges/version2.zip
REQUEST has body https://staging-eu01-xxx.demandware.net/on/demandware.servlet/webdav/Sites/cartridges/version2.zip 412
REQUEST emitting complete https://staging-eu01-xxx.demandware.net/on/demandware.servlet/webdav/Sites/cartridges/version2.zip
{
  response: {
    debugId: 1,
    headers: {
      'accept-ranges': 'bytes',
      'x-dw-request-base-id': 'xxx',
      'x-error': '1',
      'set-cookie': [Array],
      'content-type': 'text/html;charset=ISO-8859-1',
      'content-length': '412',
      date: 'Fri, 27 Mar 2020 08:51:25 GMT',
      connection: 'close',
      server: 'Apache'
    },
    statusCode: 403,
    body: '\n' +
      '\n' +
      '\n' +
      '\n' +
      '\n' +
      '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">\n' +
      '<html>\n' +
      '<head>\n' +
      '\t<title>403 - Access denied</title>\n' +
      '\t<link rel="STYLESHEET" type="text/css" href="/waroot/style.css">\n' +
      '</head>\n' +
      '<body>\n' +
      '\t<h1>Access denied</h1>\n' +
      '\t<img src="/waroot/system_arrow.gif" width="21" height="21" alt="" border="0">\n' +
      '\t<p class="system_info">\n' +
      '\t\tAccess to the specified resource has been forbidden.\n' +
      '\t</p>\n' +
      '\t<hr>\n' +
      '</body>\n' +
      '</html>\n' +
      '\n'
  }
}
Error: Deploy code dist/version2.zip failed (upload step): 403 (Forbidden )

@tobiaslohr (Contributor)

When you use 2FA for code deployments to staging, you'd have to use a slightly different host name, which is cert.staging.eu01.xxx.demandware.net. Note, the . version of the host name is required.

@awarberg (Author)

awarberg commented Mar 27, 2020

It works, thank you so much for the help! :-)

I now get a successful response:

Code archive version2.zip successfully deployed to cert.staging.eu01.xxx.demandware.net. You may activate the code by running sfcc-ci code:activate version2 -i cert.staging.eu01.xxx.demandware.net

@tobiaslohr (Contributor)

👍

@awarberg (Author)

awarberg commented Mar 27, 2020

I am running into a new issue when attempting to activate the newly uploaded code version. I have checked and there are no IP-based access restrictions.

What could be causing code deployment to work and activation to fail immediately after?

PS C:\Projects\XXX> sfcc-ci code:activate version2 -i cert.staging.eu01.XXX.demandware.net --debug
[DEBUG] Configuration loaded from C:\Projects\XXX/dw.json
REQUEST {
  auth: { bearer: 'XXX' },
  strictSSL: true,
  json: true,
  uri: 'https://cert.staging.eu01.XXX.demandware.net/s/-/dw/data/v19_5/code_versions/version2',
  method: 'PATCH',
  body: { active: true },
  callback: [Function]
}
REQUEST make request https://cert.staging.eu01.XXX.demandware.net/s/-/dw/data/v19_5/code_versions/version2
{
  request: {
    debugId: 1,
    uri: 'https://cert.staging.eu01.XXX.demandware.net/s/-/dw/data/v19_5/code_versions/version2',
    method: 'PATCH',
    headers: {
      host: 'cert.staging.eu01.XXX.demandware.net',
      authorization: 'Bearer XXX',
      accept: 'application/json',
      'content-type': 'application/json',
      'content-length': 15
    },
    body: '{"active":true}'
  }
}
Error: Network or certificate error
Error: An error occured. Try running the command again with -D,--debug flag.
[DEBUG] Error code: EPROTO, message: write EPROTO 6128:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\ws\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1544:SSL alert number 40
, stack: Error: write EPROTO 6128:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:c:\ws\deps\openssl\openssl\ssl\record\rec_layer_s3.c:1544:SSL alert number 40       

    at WriteWrap.onWriteComplete [as oncomplete] (internal/stream_base_commons.js:92:16)

These are my OCAPI Data settings:

{
    "_v": "19.5",
    "clients":
    [{
            "client_id": "xxx",
            "resources":
            [{
                    "resource_id": "/code_versions",
                    "methods": ["get"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/code_versions/*",
                    "methods": ["patch", "delete"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/jobs/*/executions",
                    "methods": ["post"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/jobs/*/executions/*",
                    "methods": ["get"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/sites/*/cartridges",
                    "methods": ["post"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/role_search",
                    "methods": ["post"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/roles/*",
                    "methods": ["get"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/roles/*/user_search",
                    "methods": ["post"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/roles/*/users/*",
                    "methods": ["put", "delete"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/user_search",
                    "methods": ["post"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/users",
                    "methods": ["get"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }, {
                    "resource_id": "/users/*",
                    "methods": ["put", "get", "patch", "delete"],
                    "read_attributes": "(**)",
                    "write_attributes": "(**)"
                }
            ]
        }
    ]
}

@awarberg awarberg reopened this Mar 27, 2020
@tobiaslohr (Contributor)

@awarberg your Data API settings are correct. The error is expected. The reason is that technically only HTTP PUT requests are being limited on staging and require 2FA authentication. The 2FA authentication has to be done for the host cert.staging.eu01.XXX.demandware.net. The code activation, however, is technically an HTTP PATCH request, which is not limited and thus does not require 2FA. It is not supported to run code activation (or other activities) against cert.staging.eu01.XXX.demandware.net. For code activation, you'd have to use the normal version of the host without the cert. (e.g. staging.eu01.XXX.demandware.net or staging-eu01-XXX.demandware.net)
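
As an added example, not code from sfcc-ci or from anyone in this thread, the following Node.js snippet encodes the two checks worked out above: the read_write entry for /cartridges that tobiaslohr asked for in the WebDAV client permissions, and the host rule for 2FA on staging (dotted cert.* host for the WebDAV PUT, normal host for the OCAPI PATCH). The permissions document and client IDs are constructed placeholders, and treating non-staging hosts as unrestricted is an assumption.

```javascript
// Added example (not part of sfcc-ci): preflight checks for a staging code
// deployment, built from the two rules worked out in this thread.
// Assumption: only staging instances are 2FA-restricted; other hosts are
// used as given for both the upload and the activation step.

// Constructed sample "WebDAV Client Permissions" document; client ids are
// placeholders, not real values.
const SAMPLE_PERMISSIONS = {
  clients: [
    { client_id: 'CLIENT_WITH_WRITE',
      permissions: [
        { path: '/impex',      operations: ['read_write'] },
        { path: '/cartridges', operations: ['read_write'] },
      ] },
    { client_id: 'CLIENT_READ_ONLY',
      permissions: [{ path: '/cartridges', operations: ['read'] }] },
  ],
};

// Rule 1: the deploying client id needs read_write on /cartridges, otherwise
// the WebDAV PUT of the code archive is answered with 403.
function hasCartridgeWrite(permissions, clientId) {
  const client = (permissions.clients || []).find(c => c.client_id === clientId);
  if (!client) return false;
  return (client.permissions || []).some(p =>
    p.path === '/cartridges' && (p.operations || []).includes('read_write'));
}

// Rule 2: with 2FA on staging the upload (WebDAV PUT) goes to the dotted
// cert.* host, while activation (OCAPI PATCH) must use the normal host.
//   staging-eu01-xxx.demandware.net      -> upload cert.staging.eu01.xxx.demandware.net
//   cert.staging-eu01-xxx.demandware.net -> same (the dashed cert.* form that
//                                           gave ENOTFOUND below is repaired)
function deploymentHosts(host) {
  const SUFFIX = '.demandware.net';
  let h = host.trim().toLowerCase();
  if (!h.endsWith(SUFFIX)) throw new Error(`unexpected instance host: ${host}`);
  if (h.startsWith('cert.')) h = h.slice('cert.'.length); // normalise input
  const prefix = h.slice(0, -SUFFIX.length);
  if (!prefix.startsWith('staging')) {
    return { upload: h, activate: h, twoFactor: false };
  }
  return {
    upload: `cert.${prefix.replace(/-/g, '.')}${SUFFIX}`,
    activate: h,
    twoFactor: true,
  };
}

// Combine both rules into one go/no-go decision before running code:deploy.
function preflight(permissions, clientId, host) {
  const hosts = deploymentHosts(host);
  const problems = [];
  if (!hasCartridgeWrite(permissions, clientId)) {
    problems.push(`client ${clientId} lacks read_write on /cartridges`);
  }
  return { ...hosts, ok: problems.length === 0, problems };
}

console.log(preflight(SAMPLE_PERMISSIONS, 'CLIENT_WITH_WRITE',
                      'staging-eu01-xxx.demandware.net'));
```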

@awarberg (Author)

It works using the normal host name! Thank you so much! Have a great weekend!

@tobiaslohr (Contributor)

tobiaslohr commented Mar 27, 2020 via email

@bbdemaugere

Hello,

First of all, thank you for your explanation and support here. It helped us a lot.

We have the direct next issue regarding 2FA with certificate and code upload. (Tell me if I have to open a new issue)

We want to use the code:deploy as a final step for our CI/CD pipeline. So our code tagged as release on our git is automatically deployed to our staging instance.

We can upload our code using the code:deploy command but we need to be authenticated first. So it works locally because we're human and we can use either, auth:login or client:auth, but our CI/CD can't...

  • auth:login opens the browser to perform a login step
  • client:auth starts the 2FA process with our mobile phone and the "Salesforce Authenticator" app

How can we get a token from our CI/CD?

@tobiaslohr (Contributor)

@bbdemaugere sfcc-ci code:deploy works without a user being authenticated. That being said, you should use an API client to authenticate using its client credentials only with

sfcc-ci client:auth <client-id> <client-secret>

As there is no user involved it does not bring up 2FA in the authenticator app and thus allows you to run automations.

@bbdemaugere

bbdemaugere commented Apr 10, 2020

Sorry for the delayed response and thanks for yours.

I did some tests and I have now a better understanding of the situation.

I was testing sfcc-ci with my personal client-id key and I did some configurations in the Account Manager to use it with the Swagger (1). I guess that's why client:auth asked for 2FA.

With Redirect URIs set to http://localhost:8080 it doesn't ask for 2FA anymore and I can successfully run:

sfcc-ci client:auth <client-id> <client-secret>
sfcc-ci code:deploy --certificate <cert> --passphrase <pass> <archive>

(Note: This client id can't be used to access the swagger with this config, tho)

Thanks again for the help! :)

(1): https://admin.us01.dx.commercecloud.salesforce.com/

@tobiaslohr (Contributor)

One last thing: I highly suggest that you not use a client ID configured with a redirect URL for accessing critical resources on your B2C Commerce instances (e.g. through OCAPI settings or WebDAV client permissions) unless you explicitly want that. The reason is that anyone who is in possession of the client ID may authenticate against Account Manager and then is able to execute commands against your B2C Commerce instance. A safer approach is using client credentials incl. client id and secret, and authenticating with:

sfcc-ci client:auth <client-id> <client-secret>

Setting the Redirect URIs should not have something to do with 2FA actually.

@albertogiantin-hfarm

@tobiaslohr it's my first time deploying code to staging instance. I don't understand your last sentence "A more safer approach is using client credentials incl. client id and secret, and authenticate with: sfcc-ci client:auth "
I created the certificate to run the "sfcc-ci code:deploy" command but I don't understand if I have to create a specific API client in Account Manager and how to configure it.
Thanks in advance for your help.

@tobiaslohr (Contributor)

@albertogiantin-hfarm That statement was related to the use of that API client along with a redirect url configured in Account Manager. It's not related to the 2FA cert to deploy code on staging.

@ITNOADEVS

ITNOADEVS commented Oct 28, 2021

> When you use 2FA for code deployments to staging, you'd have to use a slightly different host name, which is cert.staging.eu01.xxx.demandware.net. Note, the . version of the host name is required.

Hi @tobiaslohr ,

I'm also facing a similar issue. I tried using cert.staging.eu01.XXX.demandware.net but am not clear on the version that you have mentioned. Can you please clarify this?

When I try
sfcc-ci code:deploy artifacts.zip -i 'cert.staging-eu01-xxx.demandware.net' -c '[email protected]' -p 'xxxxxx' --debug

I get the following response:

[DEBUG] Error code: ENOTFOUND, message: getaddrinfo ENOTFOUND cert.staging-eu01-xxx.demandware.net, stack: Error: getaddrinfo ENOTFOUND cert.staging-eu01-xxx.demandware.net

Thanks

@ITNOADEVS

Fixed it, the env URL was incorrect (without the . version).
I think I was not paying attention to the URL until I pasted the response above.

Still thanks a lot this thread helped me out with the whole staging deployment process

@tobiaslohr (Contributor)

👍

@Ufarooq6

Ufarooq6 commented Jul 26, 2024

Hi @tobiaslohr
Can you help us with a slightly different error for staging?
I am trying to run a different command in GHA.
Command:

echo "$CERT_B64" | base64 --decode > certificate.p12
sfcc-ci code:deploy "./${{env.BUILD_NUMBER}}.zip" -i ${{vars.CERT_INSTANCE_URL}} -c certificate.p12 -p "${{secrets.CERTIFICATE_PASSWORD}}" -a --selfsigned -D
rm -f certificate.p12

For the 2FA certificate decoding, I am running this command to decode the cert on Windows:
"CERTIFICATE_2FA: run this command in your Terminal: base64 -i certificate.p12. Copy the returned value and paste it here. 2FA Certificate is needed only for deployments to Staging instance. If you wonder where this certificate is coming from, here is the official guide written by Salesforce. Link: https://help.salesforce.com/s/articleView?id=000391641&type=1"
You can try from your side with our 2FA cert and let us know.
Error log:
Run echo "$CERT_B64" | base64 --decode > certificate.p12
[DEBUG] No dw.json found in /runner/_work//
[DEBUG] Assuming staging-ap01-gap.demandware.net is a staging instance, replacing with cert.* format
[DEBUG] Instance name rewritten to cert.staging.ap01.gap.demandware.net
Warning: Allow self-signed certificates. Be caucious as this may expose secure information to an untrusted party.
REQUEST {
baseUrl: 'https://cert.staging.instance.org.demandware.net',
uri: '/on/demandware.servlet/webdav/Sites/cartridges/b91_v3.19.0_20240726_staging.zip',
auth: {
bearer: ''
},
strictSSL: false,
method: 'PUT',
agentOptions: {
pfx: <Buffer 30 82 0e b6 02 01 03 30 82 0e 7c 06 09 2a 86 48 86 f7 0d 01 07 01 a0 82 0e 6d 04 82 0e 69 30 82 0e 65 30 82 08 ff 06 09 2a 86 48 86 f7 0d 01 07 06 a0 ... 3720 more bytes>,
passphrase: '
'
},
callback: [Function (anonymous)]
}
REQUEST make request https://cert.staging.instance.org.demandware.net/on/demandware.servlet/webdav/Sites/cartridges/b91_v3.19.0_20240726_staging.zip
Error: An error occured. Try running the command again with -D,--debug flag.
[DEBUG] Error code: undefined, message: unsupported, stack: Error: unsupported
at configSecureContext (node:internal/tls/secure-context:285:15)
at Object.createSecureContext (node:_tls_common:116:3)
at Object.connect (node:_tls_wrap:1763:48)
at Agent.createConnection (node:https:171:22)
at Agent.createSocket (node:_http_agent:340:26)
at Agent.addRequest (node:_http_agent:288:10)
at new ClientRequest (node:_http_client:334:16)
at Object.request (node:https:379:10)
at Request.start (/opt/hostedtoolcache/node/20.16.0/x64/lib/node_modules/sfcc-ci/node_modules/request/request.js:751:32)
at Request.write (/opt/hostedtoolcache/node/20.16.0/x64/lib/node_modules/sfcc-ci/node_modules/request/request.js:1491:10)
Error: Process completed with exit code 1.

Can you please tell what could be the issue here?
Thanks

@tobiaslohr (Contributor)

@Ufarooq6 Can you check #571 (comment) please and see if that helps? Thanks!
