Alexa is not able to link with Alexa Skill (Lambda Function) anymore

Hi guys.

Last week the self-created Alexa smart home skill stopped working for me (without any change to the configuration … of course :slight_smile: ). It tells me that my skill is not linked anymore. And that’s the point where I’m struggling, because I’m not able to link it anymore. It always tells me (in German on my device) “Kontoverknüpfung erforderlich”, which means something like “account linking needed” in English, and when I try to link it, it tells me that the link could not be established successfully. It always says “[SKILL NAME] konnte nicht mit Alexa verknüpft werden”, which means something like “[SKILL NAME] could not be linked to Alexa” in English.

What I already did for troubleshooting:

  • enabled debug logging on the Alexa component - it does not produce any related log entry during the authentication process
  • recreated the whole Lambda function (test successful - it reports all my smart home devices during the Lambda function test)
  • recreated the whole smart_home skill - no success with linking
  • Created a new user with a new password and tried linking with this one - no success with linking

I CAN see requests from Amazon/Alexa hitting the nginx reverse-proxy logs during the authentication process:

[06/Dec/2021:08:07:44 +0000] - 200 200 - GET https my-url.acme.org "/auth/authorize?client_id=https%3A%2F%2Flayla.amazon.com%2F&response_type=code&state=A2SAAEAEBF4-J7C7FPs853I7seR-NYB8Fbb2bAHwY0bzOcjwU369TgKa_Y36GFGKVgb8d7kJ5Q2b5PypwJ-ojLkaxsKrqwGhBCbiXlx96XaGJt2cswe_krQ9ZExq8wJzTcWfgUa_fUA_gSRiOdQrU-fPqFOoSbnjicP5nFxEA-IhY3FPN3CgCCDzbireXhP8s5hJzGndyfTuPClu5TKO3o9LJzO8-YqLEi97qRFGjGuCj_Z6FQrliYE4k8e9l3bTlc1m4W2NU-iGyZcqlVpyPO8d0niu1eLhpV5s-D17Ntsj6Zin22w0cFVbw0Fa0kHuHzKM3tNns_FtJi3ybbeyKoZOLVd1AhGJTulnkC7ntVXomabf_jAWLEBkJxjdExN_REdFwV7LdDHgtu3VBDGzt2x2-iEW5BuO7d-k3MQac6lonis7Dlna2eBZejInrJ24I5txok2VhEuFLzY8ady_o9rOnIOnhUWhnDtAfYfCtIRqzm9pE9wvxaNXpMDZHIccqIQRrORAYZ7EHktZ8KvVouOA6pU0nf_YJZvNWW9frjVNiI0ZYAms6cNadtfqkSOspV81IOVPWjLFBBonJ1Lh02PP7bfBD7G3KpknFtNZeLU-mb5gPemp5b6Rhc2KgI9YhYKAzN_-or-LLn_LbZYCyl-F_SBAdhAFvNj_hJ1m4rhnYkkMWPbT6s&scope=smart_home&redirect_uri=https%3A%2F%2Flayla.amazon.com%2Fapi%2Fskill%2Flink%2FM3FIWMEYBG09NI" [Client 172.68.110.123] [Length 1236] [Gzip 1.90] [Sent-to 192.168.100.244] "Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Mobile/15E148 Safari/604.1" "-"
[06/Dec/2021:08:07:44 +0000] - 200 200 - GET https my-url.acme.org "/auth/providers" [Client 172.68.110.123] [Length 78] [Gzip -] [Sent-to 192.168.100.244] "Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Mobile/15E148 Safari/604.1" "https://my-url.acme.org/auth/authorize?client_id=https%3A%2F%2Flayla.amazon.com%2F&response_type=code&state=A2SAAEAEBF4-J7C7FPs853I7seR-NYB8Fbb2bAHwY0bzOcjwU369TgKa_Y36GFGKVgb8d7kJ5Q2b5PypwJ-ojLkaxsKrqwGhBCbiXlx96XaGJt2cswe_krQ9ZExq8wJzTcWfgUa_fUA_gSRiOdQrU-fPqFOoSbnjicP5nFxEA-IhY3FPN3CgCCDzbireXhP8s5hJzGndyfTuPClu5TKO3o9LJzO8-YqLEi97qRFGjGuCj_Z6FQrliYE4k8e9l3bTlc1m4W2NU-iGyZcqlVpyPO8d0niu1eLhpV5s-D17Ntsj6Zin22w0cFVbw0Fa0kHuHzKM3tNns_FtJi3ybbeyKoZOLVd1AhGJTulnkC7ntVXomabf_jAWLEBkJxjdExN_REdFwV7LdDHgtu3VBDGzt2x2-iEW5BuO7d-k3MQac6lonis7Dlna2eBZejInrJ24I5txok2VhEuFLzY8ady_o9rOnIOnhUWhnDtAfYfCtIRqzm9pE9wvxaNXpMDZHIccqIQRrORAYZ7EHktZ8KvVouOA6pU0nf_YJZvNWW9frjVNiI0ZYAms6cNadtfqkSOspV81IOVPWjLFBBonJ1Lh02PP7bfBD7G3KpknFtNZeLU-mb5gPemp5b6Rhc2KgI9YhYKAzN_-or-LLn_LbZYCyl-F_SBAdhAFvNj_hJ1m4rhnYkkMWPbT6s&scope=smart_home&redirect_uri=https%3A%2F%2Flayla.amazon.com%2Fapi%2Fskill%2Flink%2FM3FIWMEYBG09NI"
[06/Dec/2021:08:07:44 +0000] - 200 200 - POST https my-url.acme.org "/auth/login_flow" [Client 172.68.110.123] [Length 210] [Gzip -] [Sent-to 192.168.100.244] "Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Mobile/15E148 Safari/604.1" "https://my-url.acme.org/auth/authorize?client_id=https%3A%2F%2Flayla.amazon.com%2F&response_type=code&state=A2SAAEAEBF4-J7C7FPs853I7seR-NYB8Fbb2bAHwY0bzOcjwU369TgKa_Y36GFGKVgb8d7kJ5Q2b5PypwJ-ojLkaxsKrqwGhBCbiXlx96XaGJt2cswe_krQ9ZExq8wJzTcWfgUa_fUA_gSRiOdQrU-fPqFOoSbnjicP5nFxEA-IhY3FPN3CgCCDzbireXhP8s5hJzGndyfTuPClu5TKO3o9LJzO8-YqLEi97qRFGjGuCj_Z6FQrliYE4k8e9l3bTlc1m4W2NU-iGyZcqlVpyPO8d0niu1eLhpV5s-D17Ntsj6Zin22w0cFVbw0Fa0kHuHzKM3tNns_FtJi3ybbeyKoZOLVd1AhGJTulnkC7ntVXomabf_jAWLEBkJxjdExN_REdFwV7LdDHgtu3VBDGzt2x2-iEW5BuO7d-k3MQac6lonis7Dlna2eBZejInrJ24I5txok2VhEuFLzY8ady_o9rOnIOnhUWhnDtAfYfCtIRqzm9pE9wvxaNXpMDZHIccqIQRrORAYZ7EHktZ8KvVouOA6pU0nf_YJZvNWW9frjVNiI0ZYAms6cNadtfqkSOspV81IOVPWjLFBBonJ1Lh02PP7bfBD7G3KpknFtNZeLU-mb5gPemp5b6Rhc2KgI9YhYKAzN_-or-LLn_LbZYCyl-F_SBAdhAFvNj_hJ1m4rhnYkkMWPbT6s&scope=smart_home&redirect_uri=https%3A%2F%2Flayla.amazon.com%2Fapi%2Fskill%2Flink%2FM3FIWMEYBG09NI"
[06/Dec/2021:08:07:56 +0000] - 200 200 - POST https my-url.acme.org "/auth/login_flow/9225eef45e7948e7b806d2719c848945" [Client 172.68.110.123] [Length 200] [Gzip -] [Sent-to 192.168.100.244] "Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.1 Mobile/15E148 Safari/604.1" "https://my-url.acme.org/auth/authorize?client_id=https%3A%2F%2Flayla.amazon.com%2F&response_type=code&state=A2SAAEAEBF4-J7C7FPs853I7seR-NYB8Fbb2bAHwY0bzOcjwU369TgKa_Y36GFGKVgb8d7kJ5Q2b5PypwJ-ojLkaxsKrqwGhBCbiXlx96XaGJt2cswe_krQ9ZExq8wJzTcWfgUa_fUA_gSRiOdQrU-fPqFOoSbnjicP5nFxEA-IhY3FPN3CgCCDzbireXhP8s5hJzGndyfTuPClu5TKO3o9LJzO8-YqLEi97qRFGjGuCj_Z6FQrliYE4k8e9l3bTlc1m4W2NU-iGyZcqlVpyPO8d0niu1eLhpV5s-D17Ntsj6Zin22w0cFVbw0Fa0kHuHzKM3tNns_FtJi3ybbeyKoZOLVd1AhGJTulnkC7ntVXomabf_jAWLEBkJxjdExN_REdFwV7LdDHgtu3VBDGzt2x2-iEW5BuO7d-k3MQac6lonis7Dlna2eBZejInrJ24I5txok2VhEuFLzY8ady_o9rOnIOnhUWhnDtAfYfCtIRqzm9pE9wvxaNXpMDZHIccqIQRrORAYZ7EHktZ8KvVouOA6pU0nf_YJZvNWW9frjVNiI0ZYAms6cNadtfqkSOspV81IOVPWjLFBBonJ1Lh02PP7bfBD7G3KpknFtNZeLU-mb5gPemp5b6Rhc2KgI9YhYKAzN_-or-LLn_LbZYCyl-F_SBAdhAFvNj_hJ1m4rhnYkkMWPbT6s&scope=smart_home&redirect_uri=https%3A%2F%2Flayla.amazon.com%2Fapi%2Fskill%2Flink%2FM3FIWMEYBG09NI"

I am at a loss. Can anyone help me?
Thx guys!

PS: I do have a valid Let’s Encrypt certificate on my URL.

:slight_smile:
cheers

It turned out that the below was also not the “real” problem. I enabled Bot Fight Mode last week (and of course forgot that I did :wink: ).
Unfortunately I was not able to allow Amazon Lambda to pass through Bot Fight Mode via firewall rules on Cloudflare, so I decided to disable it again.

Cheers

Old information:

I found the problem on my own! Cloudflare proxying was the “bad boy”. I changed my home URL from “proxied” to “DNS-only” and voilà, linking finished successfully.
Anyhow, it’s strange because it was working with the proxied hostname before. Does anyone have an idea why this happened - or better - does anyone have an idea how to configure it WITH proxying?

Cheers

PS: It looks like this only applies to the linking process itself. I reactivated proxying on my hass URL again and it is still working.

1 Like
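The four requests in the log above are the browser-driven half of an OAuth authorization-code flow: the phone fetches the authorize page and completes the Home Assistant login flow. The token exchange that follows is made server-to-server by Amazon, not by the phone, so if a filter sits in front of the proxy it is that request which can go missing while everything the phone does still shows up. The following Python script is an added example, not code from the original post or from Home Assistant: it parses lines in the proxy-log format quoted above, checks the OAuth parameters of the authorize request (redirect_uri on an Alexa host, client_id on the same host, response_type code, scope smart_home, state present) and reports which stages of the linking flow reached the proxy. It assumes that Home Assistant's token endpoint is `/auth/token` and that `pitangui.amazon.com` and `alexa.amazon.co.jp` are Amazon's other regional redirect hosts; the sample log lines are constructed, shortened versions of the ones in the post.

```python
import re
from urllib.parse import parse_qs, urlparse

# Pattern for the reverse-proxy access-log format quoted in the thread:
# [time] - status status - METHOD scheme host "path" [Client ip] ... "UA" "referer"
LOG_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] - (?P<status>\d{3}) \d{3} - (?P<method>[A-Z]+) '
    r'(?P<scheme>\S+) (?P<host>\S+) "(?P<path>[^"]*)" \[Client (?P<client>[^\]]+)\]'
)

# Hosts Alexa redirects back to after login. layla.amazon.com is the one in the
# thread's logs; pitangui.amazon.com and alexa.amazon.co.jp are Amazon's other
# regional endpoints (assumption: match this to your skill's account-linking page).
ALEXA_REDIRECT_HOSTS = {"layla.amazon.com", "pitangui.amazon.com", "alexa.amazon.co.jp"}

# Stages of a Home Assistant OAuth login. The first three come from the browser
# on the phone; the token request comes from Amazon's backend (assumed /auth/token).
EXPECTED_STAGES = ["authorize", "login_flow_start", "login_flow_step", "token"]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Map a request to its stage in the account-linking flow (None = unrelated)."""
    path = rec["path"].split("?", 1)[0]
    if rec["method"] == "GET" and path == "/auth/authorize":
        return "authorize"
    if rec["method"] == "POST" and path == "/auth/login_flow":
        return "login_flow_start"
    if rec["method"] == "POST" and path.startswith("/auth/login_flow/"):
        return "login_flow_step"
    if rec["method"] == "POST" and path == "/auth/token":
        return "token"
    return None


def check_authorize(rec):
    """List problems with the OAuth parameters of an /auth/authorize request."""
    q = parse_qs(urlparse(rec["path"]).query)
    get = lambda key: q.get(key, [""])[0]
    client_host = urlparse(get("client_id")).hostname
    redirect_host = urlparse(get("redirect_uri")).hostname
    problems = []
    if redirect_host not in ALEXA_REDIRECT_HOSTS:
        problems.append(f"redirect_uri host {redirect_host!r} is not an Alexa endpoint")
    if client_host != redirect_host:
        problems.append("client_id and redirect_uri are on different hosts")
    if get("response_type") != "code":
        problems.append(f"unexpected response_type {get('response_type')!r}")
    if get("scope") != "smart_home":
        problems.append(f"unexpected scope {get('scope')!r}")
    if not get("state"):
        problems.append("missing state parameter")
    return problems


def audit(lines):
    """Summarise which linking stages reached the proxy and any parameter problems."""
    seen, problems = [], []
    for line in lines:
        rec = parse_line(line)
        stage = classify(rec) if rec else None
        if stage is None:
            continue
        if stage not in seen:
            seen.append(stage)
        if stage == "authorize":
            problems.extend(check_authorize(rec))
        if rec["status"] >= 400:
            problems.append(f"{stage} answered HTTP {rec['status']}")
    missing = [s for s in EXPECTED_STAGES if s not in seen]
    return {"seen": seen, "missing": missing, "problems": problems}


# Constructed sample lines, shortened from the thread's log (state and skill id replaced).
UA = '"Mozilla/5.0 (iPhone; CPU iPhone OS 15_1 like Mac OS X) Safari/604.1"'
AUTH_QS = ("client_id=https%3A%2F%2Flayla.amazon.com%2F&response_type=code&state=STATE123"
           "&scope=smart_home&redirect_uri=https%3A%2F%2Flayla.amazon.com%2Fapi%2Fskill%2Flink%2FSKILLID")
TAIL = f'[Gzip -] [Sent-to 192.168.100.244] {UA} "-"'
PHONE_FLOW = [
    f'[06/Dec/2021:08:07:44 +0000] - 200 200 - GET https my-url.acme.org "/auth/authorize?{AUTH_QS}" [Client 172.68.110.123] [Length 1236] {TAIL}',
    f'[06/Dec/2021:08:07:44 +0000] - 200 200 - GET https my-url.acme.org "/auth/providers" [Client 172.68.110.123] [Length 78] {TAIL}',
    f'[06/Dec/2021:08:07:44 +0000] - 200 200 - POST https my-url.acme.org "/auth/login_flow" [Client 172.68.110.123] [Length 210] {TAIL}',
    f'[06/Dec/2021:08:07:56 +0000] - 200 200 - POST https my-url.acme.org "/auth/login_flow/9225eef4" [Client 172.68.110.123] [Length 200] {TAIL}',
]
# Same flow plus the back-channel token request (constructed; 203.0.113.10 is a documentation address).
COMPLETE_FLOW = PHONE_FLOW + [
    '[06/Dec/2021:08:07:57 +0000] - 200 200 - POST https my-url.acme.org "/auth/token" [Client 203.0.113.10] [Length 310] [Gzip -] [Sent-to 192.168.100.244] "-" "-"',
]
```

Running `audit(PHONE_FLOW)` on the phone-only lines reports `missing: ['token']` with no parameter problems, which is the pattern to look for when the phone gets through but linking still fails: the authorize parameters are fine, and what never arrives is the request Amazon's servers make. `audit(COMPLETE_FLOW)` reports nothing missing. The redirect_uri check is also the one worth keeping in a real log review, since an authorize request redirecting to a host other than Amazon's should never be answered with a code.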

I want to change to Cloudflare proxied so my IP is hidden and ports are closed on the router.
If I change, do I need to unlink all my skills before I make the change?

When everything is running via Cloudflare, then relink all skills again?

Hey Poudenes,

Look one post above :slight_smile:
The Cloudflare proxying service itself was not the problem, but “Bot Fight” mode was! I just disabled Bot Fight Mode again and everything was working as before (including linking via the proxied IP - at least for me).

cheers

That option was already off at the moment I changed to Cloudflare.

It is off by default. As I said before, I changed the option on my own because I thought it would bring more security.

I understand you. Maybe I’m not clear:

Everything was working when all domains pointed to my IP with open ports in the router.
I changed name servers to Cloudflare. Everything was working except all Alexa skills.

The “Bot-Fight” mode was already disabled. And if I understand you right, you turned it on for security reasons, but then your skills didn’t work. You disabled it again and it worked again.

So then my skills must work in the first place? Or do I need to unlink them and link them again?
Maybe because the certs change as well, or the path to the devices will change?

Puh, good question. To be honest I cannot answer that. I was already at Cloudflare with my domain before I initially created the Alexa skill. So I assume you do not have to disable the proxy feature. Anyhow, if it IS the case, you can just disable the proxying feature in the Cloudflare dashboard for the time of linking your skill.

Cheers

But then my IP is visible again…
I will do a test tomorrow: unlink skills, change to Cloudflare. After some hours link again and see if this will work. My idea is to hide my IP and remove all ports.

Of course - I just meant to disable it for the time of linking and re-enable it again. That’s what I did. Anyhow, btw, you have to open some ports on your router (at least from my knowledge).

I use the Cloudflared add-on:

This creates a tunnel between Cloudflare and HA. In this add-on you can select that you use NPM.
So all subdomains have a CNAME to the tunnel address.
Behind the Cloudflare add-on, NPM is used to read the subdomains and redirect them to the right device.

Because of this tunnel you can remove port 80 and 443. Cloudflare is tunneling all the connections to my HA.

I have changed everything, and unlinked all skills beforehand. After the change I relinked them. Seems OK. Everything is working OK for now… Let’s see what happens later on :slight_smile:

Nice! Didn’t know about that! Thx for this hint!
Cheers

1 Like

I ran into this thread after facing the same issue.
The simple solution is to turn off “Bot Fight Mode” from the Cloudflare dashboard as you say.
Since bot rules are executed before firewall rules on Cloudflare, we also can’t make a rule to allow that traffic while having the bot on.
One solution I found from this Cloudflare forum post (Can firewall rules override super bot fight mode settings? - #2 by ncano - Security - Cloudflare Community) to bypass the “Bot Fight Mode” is to allow Amazon IPs through the “IP Access Rules”: https://support.cloudflare.com/hc/en-us/articles/217074967-Configuring-IP-Access-Rules
I allowed Amazon’s ASN which is “AS16509” and that seemed to do the trick:


I’m not entirely sure, however, how safe it is to allow Amazon’s IP range blindly.
The tunnel solution proposed by @poudenes is probably more prudent.

CFC

2 Likes

I’ve just had a similar issue. Instead it was my geo-block of anywhere except Europe. For some reason Cloudflare started to recognise calls from AWS as coming from the US and not the EU :confused:

Thank you! This is EXACTLY what I was looking to do to keep bot fight enabled except exclude for Amazon Alexa. I did find that my requests were coming from AS14618 AMAZON-AES.

UPDATE: In addition to the ASN above I also needed to add AS16509 AMAZON-02. Additional details about the ASN available here: https://www.bigdatacloud.com/asn-lookup/AS16509

I have the same problem and I added AS16509 to IP Access Rules in Cloudflare, but the error is still there.

I am from EU.

Error

Logger: homeassistant.components.http.ban
Source: components/http/ban.py:82
Integration: HTTP (documentation, issues)
First occurred: 11:21:54 AM (1 occurrences)
Last logged: 11:21:54 AM

Login attempt or request with invalid authentication from hidden. Requested URL: '/auth/login_flow'. (Mozilla/5.0 (iPhone; CPU iPhone OS 15_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.3 Mobile/15E148 Safari/604.1)

Any idea?

Strange, I have Alexa connected with cloudflared as well. My HA link is proxied… everything works here.
I don’t know what I did in the past to make it work. Some things that could be relevant:

SSL/TLS

  • mode is set to full

  • Recommender is off

Edge certificates:

  • Always use HTTPS is off

  • min TLS version is 1.2

  • Opportunistic Encryption is on

  • TLS 1.3 is on

  • auto HTTPS rewrites is on

  • cert transparency monitor is off

Bot Fight Mode is off

Are you from EU?

I configured Alexa using this video:
LINK

Where in HA do I find these settings:

SSL/TLS

  • mode is set to full

  • Recommender is off

Edge certificates:

  • Always use HTTPS is off

  • min TLS version is 1.2

  • Opportunistic Encryption is on

  • TLS 1.3 is on

  • auto HTTPS rewrites is on

  • cert transparency monitor is off

Bot Fight Mode is off

These are settings in Cloudflared. I changed some things in Cloudflare to make it work.