Alexa home assistant skill linking via Cloudflare

Hi All,
I am struggling to let calls from Alexa pass through the Cloudflare firewall (or so I think).
I am implementing the solution proposed as described in this post

https://community.cloudflare.com/t/account-linking-alexa-with-cloudflare/433124

and I have done exactly what is described here.
But when I try to test out the lambda function with the certificate I get this error:

http failed: HTTPSConnectionPool(host='alexa.mydomain.online', port=None): Tried to open a foreign host with url: https://mydomain.cloudflareaccess.com/cdn-cgi/access/login/alexa.mydomain.online?kid=70e155a96d4.....

@dsm / @Jose16 , would anyone of you be able to help me on this?
I have tested accessing

https://alexa.mydomain.online

via a request from Postman and it works fine when I pass in the certificate and fails with 403 when I do not - so that part is working fine.
Can you tell me where I should look next?

Hi - what happens when you turn off the mTLS firewall rule? I would turn that off and see if you can get the code to work without the firewall rule in place and then troubleshoot from there. Also, it’s possible the connection is being redirected and I don’t think HTTPSConnectionPool allows that by default. You could try adding assert_same_host=True as a parameter in the request() function call to test that.

Thanks for the reply @dsm. Your first question makes me think about whether I am actually following the right solution.
Let me describe my problem first; please let me know if I am on the right track.
I have a subdomain, say ha.mydomain.online, which is configured on Cloudflare to use a tunnel to my home server. Everything is working perfectly with respect to redirecting traffic from the internet via Cloudflare to my home server via this tunnel. I am running an instance of Home Assistant and all’s good. The problem came in when I tried to configure the Alexa Skill as described in the documentation. More details below:

  • I configured the lambda as described in the docs and I am able to make a discovery test call on the URL ha.mydomain.online . I have also turned OFF “BOTS” protection on Cloudflare as that was blocking calls from lambda.
  • When I try to link my Alexa Skill Account to my HA instance I get the error “Unable to link your account at this time”, which is a very generic error.
    I searched the internet for solutions and came across this post where two solutions are being spoken of, one using a service token and another using mTLS. I am trying the latter but don’t know if I am doing the right thing, as I don’t understand which call is not working during account linking given that my lambda call is working fine.
  • Anyway, what I did was create a separate subdomain alexa.mydomain.online, because if I tried to create a Cloudflare application on ha.mydomain.online, it implemented 2FA on this (not sure why) and started asking for a code to be emailed back on every hit.
  • Then I implemented the mTLS solution on the subdomain alexa.mydomain.online and did all the steps and used your code. This does not have the 2FA issue so I continue to test with this.

So, to come back to the question you asked, if I remove mTLS on alexa.mydomain.online the lambda works fine but Skill account linking doesn’t. This approach is essentially switching back to ha.mydomain.online.
Your second suggestion of using assert_same_host will need some effort from my side as I am not a Python guy, and I see this is only available on the low-level method urlopen() and not in HTTPSConnectionPool(). If you have an example, please let me know – is this still relevant though, given the context above?
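Before changing any rule it helps to see what the edge actually answered. The message quoted in the opening post is urllib3 refusing to follow a redirect to a different host: the Location it was handed is the Cloudflare Access login page for alexa.mydomain.online, so Cloudflare Access intercepted the request and asked for an interactive login, which is a different outcome from the 403 the mTLS rule returns. The Go program below is an added example (not the thread's Python Lambda code, nor anything from the linked Cloudflare post) that sends one request with redirect-following switched off and classifies the reply. The fake edge and its three responses are constructed for the example; the redirect target copies the shape of the URL from the opening post with a placeholder where the truncated kid value was.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Diagnosis is the human-readable reading of what the edge answered.
type Diagnosis string

const (
	DiagOK            Diagnosis = "2xx: the request reached the origin"
	DiagAccessLogin   Diagnosis = "redirect to /cdn-cgi/access/login: Cloudflare Access intercepted the request and wants an interactive login"
	DiagOtherRedirect Diagnosis = "redirect elsewhere"
	DiagForbidden     Diagnosis = "403: a firewall/WAF rule (for example the mTLS rule) blocked the request"
	DiagOther         Diagnosis = "unexpected status"
)

// Classify maps a status code and Location header to a Diagnosis.
func Classify(status int, location string) Diagnosis {
	switch {
	case status >= 300 && status < 400 && strings.Contains(location, "/cdn-cgi/access/login"):
		return DiagAccessLogin
	case status >= 300 && status < 400:
		return DiagOtherRedirect
	case status == http.StatusForbidden:
		return DiagForbidden
	case status >= 200 && status < 300:
		return DiagOK
	}
	return DiagOther
}

// Probe sends one GET with redirect-following switched off, so the 302 and its
// Location header come back instead of being chased to a foreign host.
func Probe(base *http.Client, url string) (Diagnosis, error) {
	client := *base // shallow copy so the caller's client keeps its own redirect policy
	client.CheckRedirect = func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return Classify(resp.StatusCode, resp.Header.Get("Location")), nil
}

// fakeEdge is a constructed stand-in for the three answers seen in the thread:
// the Access login redirect, the 403 from a firewall rule, and a plain 200.
// The redirect target mirrors the opening post's URL with a placeholder key id.
func fakeEdge() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.URL.Path {
		case "/access":
			http.Redirect(w, r, "https://mydomain.cloudflareaccess.com/cdn-cgi/access/login/alexa.mydomain.online?kid=PLACEHOLDER_KID", http.StatusFound)
		case "/blocked":
			http.Error(w, "forbidden", http.StatusForbidden)
		default:
			w.WriteHeader(http.StatusOK)
		}
	}))
}

func main() {
	edge := fakeEdge()
	defer edge.Close()
	for _, path := range []string{"/access", "/blocked", "/ok"} {
		diag, err := Probe(edge.Client(), edge.URL+path)
		fmt.Printf("%-9s -> %v (err=%v)\n", path, diag, err)
	}
}
```

Pointing Probe at a real hostname instead of the fake edge gives the same three-way split: an Access redirect means an Access application is in front of the hostname and the request matched no bypass policy, a 403 means a firewall or WAF rule fired, and a 2xx means the edge passed the request to the origin.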

Hi, an update on my issues. I was able to successfully make the Alexa calls work through the existing URL ha.mydomain.online. The actual issue was a firewall rule which was blocking the calls.

With this out of the way, I am now thinking as to why we need either of the solutions discussed on the thread I mentioned above. If it is to provide an extra layer of security - maybe yes, otherwise things are working, at least for me, without either the service token approach or mTLS.
Can someone throw some light on it?

@vks002
I have the same issue “Unable to link your account at this time”.
I have disabled all firewall rules. No success.
If I switch off the DNS proxy, so that the traffic is not routed via Cloudflare, all is working.
Lambda test is also working. I think there is a second setting which blocks the account linking.
Any ideas?

“Bot fight” is already disabled.
I found a solution for my issue. Alexa Account linking is using TLS 1.2 and I had set the Minimum TLS version to 1.3. So I changed to TLS 1.2 and all is working fine. :blush:
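The two failure modes in this thread, the 403 that Postman gets without the client certificate and the broken handshake once the minimum TLS version is raised to 1.3, can be reproduced without touching Cloudflare. The Go program below is an added example (not code from the thread or from the linked Cloudflare post, which is Python): it starts an in-process TLS server on loopback as a stand-in for the edge, generates a throwaway self-signed certificate, and runs the handshake under each configuration. One difference from Cloudflare is worth knowing: a plain TLS server that requires a client certificate refuses at the handshake, whereas Cloudflare completes the handshake and its mTLS firewall rule answers 403 at the HTTP layer, which is why Postman sees a status code rather than a connection error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must aborts on fixture-generation errors, which can only mean a broken build.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newTestCert builds a throwaway self-signed ECDSA certificate and a pool that trusts it.
// Constructed for this example only: it plays the edge certificate in one role and the
// mTLS client certificate in the other.
func newTestCert() (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// handshake runs one TLS handshake over loopback and returns the first error either side
// reports. The server's verdict is checked first: in TLS 1.3 a client that sent no
// certificate can finish its own handshake before the server rejects it.
func handshake(srv, cli *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvDone := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer c.Close()
		srvDone <- tls.Server(c, srv).Handshake()
	}()
	conn, cliErr := tls.Dial("tcp", ln.Addr().String(), cli)
	if cliErr == nil {
		conn.Close()
	}
	if srvErr := <-srvDone; srvErr != nil {
		return srvErr
	}
	return cliErr
}

// Run performs one handshake against the stand-in edge: the edge enforces edgeMin as its
// minimum TLS version and, if edgeRequiresCert, an mTLS rule that only accepts certificates
// from the test pool; the client caps itself at clientMax and sends a certificate only if asked.
func Run(edgeMin uint16, edgeRequiresCert bool, clientMax uint16, clientSendsCert bool) error {
	cert, pool := newTestCert()
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: edgeMin}
	if edgeRequiresCert {
		srv.ClientAuth = tls.RequireAndVerifyClientCert
		srv.ClientCAs = pool
	}
	cli := &tls.Config{RootCAs: pool, ServerName: "localhost", MaxVersion: clientMax}
	if clientSendsCert {
		cli.Certificates = []tls.Certificate{cert}
	}
	return handshake(srv, cli)
}

func main() {
	fmt.Println("edge min TLS 1.3, client max TLS 1.2:", Run(tls.VersionTLS13, false, tls.VersionTLS12, false))
	fmt.Println("edge min TLS 1.2, client max TLS 1.2:", Run(tls.VersionTLS12, false, tls.VersionTLS12, false))
	fmt.Println("mTLS rule, no client certificate:   ", Run(tls.VersionTLS12, true, tls.VersionTLS13, false))
	fmt.Println("mTLS rule, client certificate sent: ", Run(tls.VersionTLS12, true, tls.VersionTLS13, true))
}
```

Running it prints an error for the first and third lines and `<nil>` for the second and fourth: a TLS 1.2-only client is refused the moment the edge's floor is 1.3, independent of any firewall rule, which is the same thing the closing post found by lowering the Minimum TLS version back to 1.2.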
