home-assistant / home-assistant.io

:blue_book: Home Assistant User documentation
https://www.home-assistant.io

LetsEncrypt no longer accepted by AWS #33996

Closed TBRoach closed 1 month ago

TBRoach commented 1 month ago

Feedback

A warning box states: You must use a valid/trusted SSL certificate for account linking to work. Self signed certificates will not work, but you can use a free Let’s Encrypt certificate.

However, the Amazon Developer documentation states: If you don't have your own authorization server, you can use Login with Amazon (LWA) or any OAuth 2.0 provider that has a certificate signed by an Amazon-approved certificate authority. Note that you can't use https://letsencrypt.org/, even though it's on the certificate list.

While I set up a Login With Amazon profile, it is unclear how to incorporate that with Home Assistant to allow the skill to function with the proper tokens, etc.

URL

https://www.home-assistant.io/integrations/alexa.smart_home/

Version

2024.7.3

Additional information

No response

home-assistant[bot] commented 1 month ago

Hey there @home-assistant/cloud, @ochlocracy, @jbouwh, mind taking a look at this feedback as it has been labeled with an integration (alexa) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of `alexa` can trigger bot actions by commenting:

- `@home-assistant close` Closes the feedback.
- `@home-assistant rename Awesome new title` Renames the feedback.
- `@home-assistant reopen` Reopen the feedback.
- `@home-assistant unassign alexa` Removes the current integration label and assignees on the feedback, add the integration domain after the command.
- `@home-assistant add-label needs-more-information` Add a label (needs-more-information) to the feedback.
- `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information) on the feedback.

jbouwh commented 1 month ago

When is this an issue? It does not seem to be an issue if you have already set up Alexa.

TBRoach commented 1 month ago

This is an issue when attempting to set up Alexa following the instructions per https://www.home-assistant.io/integrations/alexa.smart_home/

I can link the newly-created Alexa app if the skill messaging permission is not enabled, but Alexa device discovery fails. Testing the lambda function with a long-lived token does produce the expected results: the failure to accept my newly-established LetsEncrypt certificates prevents the new Alexa app from reproducing the lambda function discovery.

Terminology appears fluid, which does not help inexperienced participants such as myself. I also do not know if HAOS, etc., is programmed to exchange tokens and all per the Login With Alexa scheme.

jbouwh commented 1 month ago

I am unable to reproduce this. Let's Encrypt is on the Mozilla accepted certificate list; if not, this would be a big issue. Please share some more details about where it says Let's Encrypt is not supported.

Can you share the link where it says:

> ... Note that you can't use https://letsencrypt.org/, even though it's on the certificate list. ...

jbouwh commented 1 month ago

It seems this is something old: https://community.home-assistant.io/t/alexa-smart-home-skill-and-letsencrypt-certificates/413312

The only thing that does not work is using an alternate port. Even the managed Nabu Casa service uses Let's Encrypt.

TBRoach commented 1 month ago

It does sound like it may be an older issue from the 413312 post (which did not appear in my search prior to posting), but no solution was provided.

My 443 port redirects to the NGINX Home Assistant SSL proxy add-on and I can readily access my Home Assistant instance over HTTPS through a browser or the Android app. Note that the DuckDNS HTTPS connection failed even with the 443 forwarding until that add-on was installed. Also note that this is not the Nginx Proxy Manager many posts recommend, which does not resemble their descriptions.

The link provided in the account linking section of the https://www.home-assistant.io/integrations/alexa.smart_home/ webpage is https://developer.amazon.com/en-US/docs/alexa/account-linking/requirements-account-linking.html

That section of the documentation reads: Requirements for Account Linking for Alexa Skills Note: Sign in to the developer console to build or publish your skill.

Account linking for Alexa skills uses the OAuth 2.0 authentication framework. If your skill uses account linking, your authorization server must adhere to the following requirements.

If you don't have your own authorization server, you can use Login with Amazon (LWA) or any OAuth 2.0 provider that has a certificate signed by an Amazon-approved certificate authority. Note that you can't use https://letsencrypt.org/, even though it's on the certificate list.

To see which skill types require account linking, see Does my skill need account linking?

Obviously I am not an expert and I cannot state with certainty that the certificate is the cause, since I can link the Alexa app without “Send Alexa Events” enabled--although device discovery fails.

It is also possible that existing accounts and certificates were grandfathered-in before a "LetsEncrypt.org" exclusion was made, assuming the Amazon documentation is correct. I do not know how often people attempt to follow the alexa.smart_home guide.

I am migrating away from the Universal Devices Portal since my ISY994ir is obsolete, with management through HAOS on a mini X86-64. While I have an M5 and the Android app for voice control through Assist, it would be nice to integrate my existing Alexa devices (at least until Amazon kills Alexa off), especially as Alexa also serves as a control point for SmartLife and other IoT device networks.

jbouwh commented 1 month ago

I am sorry, but I cannot help you. The only thing I know is that port 443 is required. It is very likely you are experiencing some effects of a config failure. If Let's Encrypt failed we would have a bigger issue, I guess.
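A pre-flight check for the prerequisites jbouwh names (a chain the local trust store accepts, served on port 443 rather than an alternate port, with a certificate that covers the Home Assistant hostname), which is where a "config failure" usually shows up before account linking is attempted. This is an added example, not code from the thread or the Home Assistant project; the hostname `ha.example.org` and `SAMPLE_CERT` are constructed placeholders.

```python
import socket
import ssl
import sys
import time

def fetch_leaf_cert(host, port=443, timeout=5.0):
    """Return the server's leaf certificate as a getpeercert() dict. The default
    context verifies chain and hostname, so an untrusted, self-signed or
    incomplete chain (missing intermediate) raises ssl.SSLError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _name_matches(host, pattern):
    """Exact DNS match or single-label wildcard (*.example.org covers ha.example.org only)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def check_cert(cert, host, port, now_ts=None):
    """Return a list of problems; an empty list means the prerequisites are met."""
    now_ts = time.time() if now_ts is None else now_ts
    problems = []
    if port != 443:
        problems.append("served on port %d; Alexa account linking needs 443" % port)
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(host, s) for s in sans):
        problems.append("%s is not covered by subjectAltName %s" % (host, sans))
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # "%b %d %H:%M:%S %Y GMT"
    if not_after <= now_ts:
        problems.append("certificate expired on " + cert["notAfter"])
    elif not_after - now_ts < 7 * 86400:
        problems.append("certificate expires within 7 days; check the renewal job")
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed certificate (issuer equals subject)")
    return problems

SAMPLE_CERT = {  # constructed sample in getpeercert() layout, for offline tests
    "subject": ((("commonName", "ha.example.org"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),), (("commonName", "placeholder-intermediate"),)),
    "subjectAltName": (("DNS", "ha.example.org"),),
    "notBefore": "Jan 15 00:00:00 2025 GMT",
    "notAfter": "Apr 15 00:00:00 2025 GMT",
}

if __name__ == "__main__":  # usage: python check_linking_cert.py ha.example.org
    target = sys.argv[1]
    leaf = fetch_leaf_cert(target)  # raises ssl.SSLError if the chain is not trusted
    print("\n".join(check_cert(leaf, target, 443)) or "OK: trusted certificate on 443")
```

Run it from a machine outside your LAN so the port-forwarding path (not a local address) is what gets checked.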

TBRoach commented 1 month ago

I did not post "to help me."

I posted as feedback about a discrepancy between the https://www.home-assistant.io/integrations/alexa.smart_home/ webpage versus the https://developer.amazon.com/en-US/docs/alexa/account-linking/requirements-account-linking.html Amazon Developer documentation.

I am not well-enough informed to determine which site is correct.

jbouwh commented 1 month ago

Well the home assistant documentation should be the single point of truth. If the HA documentation is not correct, then I'd like to know where it should be corrected.

TBRoach commented 1 month ago

My new Alexa app is now online using Let's Encrypt, so the Alexa Developer documentation is incorrect.

I would suggest adding the following after "Read more from the Alexa developer documentation about requirements for account linking." "Despite the Alexa documentation's disclaimer, however, certificates from https://letsencrypt.org/ are still accepted."

My connection issues arose from an earlier portion of the alexa.smart_home page, under the "Add Code to the Lambda Function" section. This paragraph was unclear to me as a new user: IMPORTANT - Alexa Skills are only supported in certain AWS regions Your current server location will be displayed on the top right corner (for example, Ohio), make sure you select the server closest to your location / region based on your Amazon account’s country, whilst also ensuring that it is within one of the supported regions for Alexa Skills otherwise this will not work!

I suggest the following revision: IMPORTANT - Alexa Skills are only supported in certain AWS regions. Your current server location will be displayed on the top right corner (for example, Ohio). Select one of the three servers below that is closest to your location / region based on your Amazon account’s country. Alexa functions created on other servers will not work properly and may prevent account linking.

jbouwh commented 1 month ago

Please have a look at https://github.com/home-assistant/home-assistant.io/pull/34102 and leave a review.