Closed Jamie0 closed 3 years ago
Hi @Jamie0 ,
Thanks for posting this issue. I just created a new issue on ssl-root-cas repo: https://github.com/windhamg/node-ssl-root-cas/issues/1. If there is no fix plan for ssl-root-cas, i plan to use tls.rootCertificates
to load all root cas instead (which require node version >= 12.3.0).
Thanks, Shen
PR for the fix is merged in: https://github.com/alexa/alexa-skills-kit-sdk-for-nodejs/commit/8217a3f38ce1cba9d6b5b9d2488902cf12322cb7. Will do release ASAP
Closing this issue as ask-sdk-express-adapter v2.10.2 is released to fix this issue
https://github.com/alexa/alexa-skills-kit-sdk-for-nodejs/blob/9b0dd9fbd0169e140be09ed3dfda2e30772dd0af/ask-sdk-express-adapter/lib/verifier/index.ts#L288
To validate signatures on incoming requests, the Alexa skills hit uses the 'ssl-root-cas' nodejs package, loaded as
ssl-root-cas/latest
.This package doesn't appear to have been updated beyond 1.3.1. Due to a breaking change in Firefox, the package references the now-discontinued site 'mxr.mozilla.org', which no longer resolves and means the certificates fail to download.
As a result, on a fresh install of the ASK SDK, signature verification is not working.