Unable to link account with Alexa with Cloudflare Tunnels

I recently started experiencing some issues with the custom Alexa integration (no cloud, custom setup following Amazon Alexa Smart Home Skill - Home Assistant). This happened after months of everything working fine. I decided to remove all devices, unlink the skill, and start over. However, since then, I have been unable to relink the skill to my account. I receive the dreaded page telling me there is an issue connecting, with no more info (screen below).

I’m starting to suspect there could have been some change to Cloudflare that’s making this stop working. I was able to manually trigger the HA login flow on the command line (/auth/login_flow + /auth/token) using information I took out of Network DevTools when trying to link the account. No issues receiving an access and refresh token there.

I have also tried the following, based on some similar issues I’ve seen with Cloudflare Tunnels + HA remote access + Alexa:

  • Ensured that Bot protection was disabled in Cloudflare
  • Ensured that TLSv1.2 was allowed (disabled TLSv1.3 in Cloudflare and allowed minimum TLS1.0)
  • Added AS16509 to allowlist in Cloudflare
  • Added Alexa IP to allowlist in Cloudflare

I’m wondering if anybody has encountered a similar issue and how they’ve fixed it. I’m really out of ideas at this point and this is becoming increasingly difficult to debug.

Hi,

I’ve been pulling my hair out on the same issue this week. I had a perfectly working system and then it stopped. I unlinked the skill in DEV on Alexa and then I could not get it to link.
I read somewhere that if you changed the DNS setting in Cloudflare from proxied to DNS only on the domain in Cloudflare it might work.
I changed to DNS only and left it overnight then magically next time it would link on the Alexa App.
Good luck!

Try turning off your wifi and use 4G/5G on your phone when trying to link.

What did the trick for me was that and turning off Bot Fight Mode.

My SSL/TLS encryption is Full, Minimum TLS Version is TLS 1.3 (was at default 1.0 before linking, but I changed to 1.3 afterward and it still works), WAF rules (Block all non-US IP, Block all known bots (was off before linking but turned on afterward and it still works)). I also have Caching Level set to “No query string” (don’t know if it’s related but just thought I’d mention that too).


An alternative approach is HA Skill Addon (authored by me).

It uses a similar custom Alexa skill but uses SQS and a worker addon to get messages from AWS Lambda to your HA instance - it doesn’t rely on your HA public endpoint at all.


In case you’re using Cloudflare access, it might be blocking the skill. It only worked when I created a bypass rule for both the HA api, and auth subpages.


Thanks for the hint. I did this for linking with bypass and now reset it to the Cloudflare service token Auth.
Cloudflare token is sent via code in the requests from Lambda function.

I also had the same issue that I have been struggling with for months and finally found a fix. The issue here is that it is actually the bot protection where Cloudflare is blocking this. From the Cloudflare console, If you go into Security > Events, you’ll likely see events that are shown as service of “Bot fight mode” and action taken of “Managed Challenge”.

You can bypass this in two ways:

  1. Security > Bots, and disable bot fight mode. This will disable bot fight mode for everything that is on your cloudflare domain, which likely isn’t desired.

  2. Security > WAF > Tools. Create two rules here. In my case, I am using the US-East-1 region of AWS, so what I was able to do was create two rules with an action of Allow, which will bypass the bot fight mode. Since I didn’t want to try to figure out all the AWS IP ranges, I wound up using the ASN as a filter. I set AS14618 to allow, and that covers the Lambda functionality. Then I set AS16509 to allow, and that covers the linking of the account in the Alexa app.

Overall rule number 2 is a bit too broad for my liking, but at least it keeps bot protection in place. You may be able to remove rule 2 after you link the Alexa app, but I did not test this.

Resources:

https://www.reddit.com/r/homeassistant/comments/yxvm92/psa_cloudflares_bot_fight_mode_js_challenging/


I found an even nicer way, a wrapper for the token part that is required by the skill itself, so you can pass the service token there as well. Home Assistant + CloudFlare Zero Trust + Alexa · GitHub

I’m quite desperate with this one. I migrated from a Raspberry Pi to a VM in Proxmox and I also took the chance to migrate from DuckDNS to Cloudflare Tunnels. The only thing I can’t make work is linking the Alexa skill in the iOS app to Home Assistant. I enter the credentials and it returns an error message saying that it can’t link the app.

I tested the lambda function to check if it can speak with HA and it does, so it has to be the alexa skill itself, which I’ve also updated to the new domain.

On Cloudflare I don’t have the bot protection enabled (I never had). I tried lowering the min TLS version. I added the WAF filters that @bdf0506 mentioned and it didn’t work (I’m in eu-west-1 though).

Does anyone have any idea? Is there anywhere in Cloudflare where I can see the logs to check whether the request is actually reaching the tunnel to begin with?

I’m going to answer myself. Tired of not being able to link, I just repeated the onboarding process again from scratch, creating a new skill, a new lambda function, a new long lived access token… Everything.
And with the new skill it worked the first time.

Really? Didn’t you do anything else?

That was all for me.

Oh nice, What guide did you follow?? That of bdf0506?

The official one in the home assistant page. Nothing special.


It worked… I did exactly like you, I set those blessed rules in Cloudflare… It was the bot fighter that was blocking everything for me; in fact there was an event blocked by the bot fighter and that was it.

I don’t know if my problem fits here, but I have the same setup with cloudflare tunnels with access enabled. My lambda test fails with 401. I have the following error showing in HA:

Login attempt or request with invalid authentication from ec2-3-249-247-122.eu-west-1.compute.amazonaws.com (3.249.247.122). Requested URL: '/api/alexa/smart_home'. (python-urllib3/1.26.11)

I tried to just continue but I was not able to link my account, it is directing me to the access login screen and after that to the HA login screen, but after the sign in it fails.

Hi there,
I also have no idea if my problem is related to this topic, but it looks close enough.

I want to switch my home automation from pure Node-RED to Home Assistant. For this reason I’m testing everything with a second Raspberry Pi.

I got stuck with the Alexa integration. For this I want to use a Cloudflare tunnel and the cloudflared add-on. If I switch my tunnel to port 8123 I can access my HA through the internet with HTTPS, so I think my domain and Cloudflare are set up correctly. But when I change it to port 443 and test the discover part of the setup, I get the following error message in the cloudflared log:

Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp 192.168.0.49:443: connect: connection refused

To me it looks like Alexa has no instance on my HA. I have

  alexa:
    smart_home:

in my config.

Any ideas? Is Alexa broken in my HA (Home Assistant OS with 2023.8.2 Core)?

PS: Sorry for bad English. Not my native language 🙂

I had similar trouble with linking my account. I have had a setup working for over a year and I changed my HA URL and so made changes across all places to reflect the new URL. In spite of the settings being the same in CF for the old and new domain URL, Alexa skill account linking would fail in the last screen after successful authentication. I tried changing min TLS version to 1.3 and it suddenly worked. To check if that was really the cause, I changed it back to 1.0 and it still worked.
So, this is really not predictable. It just works sometimes and doesn’t at other times.

Did you resolve this?
If the tunnel via 8123 works but not 443, it would seem to me to be a proxying issue inside HA. There has to be a proxy (NGINX, Caddy) between inbound HTTPS 443 and HA’s (only) internal HTTP port of 8123. If you send 443 into the tunnel, a proxy in HA has to redirect to HA HTTP 8123. With a Cloudflare tunnel, public access to https://your_domain_name is usually defined to send http://[your_internal_ip]:8123 into the tunnel. While you can specify https://[your_internal_ip], it has to hit a proxy listener on [your_internal_ip] port 443, plus HA has to allow that proxy address. If HA is not allowing it, or if there’s no proxy listening, then you get dial tcp 192.168.0.49:443: connect: connection refused.
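The two configuration fragments below show the working shape of the setup described in the reply above, added here as an illustration and not taken from the thread or from the cloudflared add-on itself: the tunnel ingress points at HA’s plain-HTTP port 8123 on the origin IP quoted in the error (192.168.0.49), and HA is told which proxy address to trust. The hostname ha.example.com, the tunnel UUID placeholder and the 172.30.33.0/24 add-on network range are assumptions for the example; adjust them to your own install.

```yaml
# --- cloudflared tunnel config (standalone cloudflared; the HA add-on
# exposes the same service/hostname choices in its options page) ---
tunnel: <TUNNEL-UUID-PLACEHOLDER>
credentials-file: /root/.cloudflared/<TUNNEL-UUID-PLACEHOLDER>.json
ingress:
  # Send public HTTPS for the hostname to HA's internal HTTP listener.
  # Using https://192.168.0.49:443 here would need a reverse proxy
  # (NGINX/Caddy) listening on 443; with none, cloudflared logs
  # "dial tcp 192.168.0.49:443: connect: connection refused".
  - hostname: ha.example.com
    service: http://192.168.0.49:8123
  # Catch-all so unknown hostnames get a 404 instead of reaching HA.
  - service: http_status:404

# --- Home Assistant configuration.yaml ---
http:
  # Trust the forwarded client IP only from the proxy in front of HA,
  # so rate limiting / IP bans act on the real client, not the proxy.
  use_x_forwarded_for: true
  trusted_proxies:
    # Assumed add-on network for the cloudflared add-on on HA OS; use
    # the proxy host's own IP if cloudflared runs elsewhere.
    - 172.30.33.0/24

alexa:
  smart_home:
```

Restart HA after changing the http block; without a matching trusted_proxies entry HA rejects forwarded requests from the proxy with 400 Bad Request.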

OMG! Thanks! I spent way too long on this and these turned out to be the magic rules!