keatontaylor / alexa-actions

A README and associated code to get actionable notifications setup for Alexa devices.
GNU General Public License v3.0

[Bug]: Skill doesn't communicate with my HA instance #207

Closed timothe closed 1 year ago

timothe commented 1 year ago

Did you check our FAQ and Issue/PR for similar issues?

Contact Details

No response

What happened?

I followed the guide but hit a snag on this step. The last check doesn't work. The checks before were successful:

I used the fr_FR language with a French invocation word "sois cool". The test tab is showing no JSON output and the bot is replying with "Un problème est survenu avec la réponse de la Skill demandée" (a problem occurred with the skill response). I don't see any call from the logs in HA.

What am I missing?

Version

latest

What Alexa device are you using?

Echo

What other Alexa device are you using?

No response

Relevant log output

No response

DEADSEC-SECURITY commented 1 year ago

Are you sure you deployed and configured the skill using the alexa app?

timothe commented 1 year ago

I can see the "Alexa Actionable Notifications" enabled in the dev category in my Alexa app. Is that what you meant?

DEADSEC-SECURITY commented 1 year ago

But in the mobile app, did you install or set up the skill like you do with other skills?

timothe commented 1 year ago

I don't see the option to do that, plus I see it there already, and it's not part of the guide. What should I do exactly?

DEADSEC-SECURITY commented 1 year ago

In the mobile app, when you go to "YOUR SKILLS" under Dev, do you see your custom skill there? And if you see it and click on it, is it enabled?

Also are you using tokens or using the login with HA?

timothe commented 1 year ago

It is there, and it is enabled. The long-lived token is used, not the login. For good measure, I generated another token and deployed it in the skill code, still showing the same issue.

timothe commented 1 year ago

IMG_D920B0CDDE88-1

DEADSEC-SECURITY commented 1 year ago

Can you activate debug mode, try again, and send me the logs?

timothe commented 1 year ago

I understand I need to set debug to true in the code, but I have no idea where to find the logs and can't find it on the wiki either. Where should I be looking?

DEADSEC-SECURITY commented 1 year ago

There should be a button called cloudwatch or logs in the top bar of the code editor

timothe commented 1 year ago

Gotcha! I see that it tried and failed accessing the URL of my HA instance, which is weird because that's the only URL I'm using from any endpoint - there's no IP whitelist or firewall rule to prevent that. Plus, the certificate is valid. But for good measure, I set the valid certificate to False in the code. I tried again, same issue. See logs: log-events-viewer-result.csv

DEADSEC-SECURITY commented 1 year ago

You're getting a TLS error. Is your certificate from a certified authority? Are you using a domain or an IP?

timothe commented 1 year ago

I used another Alexa integration before without issue. I'm using the Companion app and other things using this domain. My web browser is connecting using this URL and saying the certificate is valid. This is a fresh Let's Encrypt certificate; I'm using a wildcard one which has worked flawlessly for months on this server. I really don't think this is the issue here. I'm seriously out of ideas. Do you know anything else that could explain the issue?

DEADSEC-SECURITY commented 1 year ago

Could be an outdated version of requests too. What library versions are you using and what python version?

timothe commented 1 year ago

According to the docs, Python version 3.7 and I just installed the library 0.10.1 today (although the lambda function still shows 0.9.1).

DEADSEC-SECURITY commented 1 year ago

Yeah, that's just that I sometimes forget to update the version in the comment. Anyway, what I meant was the requirements.txt file; what do you have inside there?

DEADSEC-SECURITY commented 1 year ago

Also, is your domain using TLS 1.0? Cuz that's considered insecure by today's standards, so requests sometimes complains about it, and given that the logs specify the TLS 1.0 issue, it could be that.

timothe commented 1 year ago

Screenshot 2023-09-20 at 09 10 42

No, it's not that. Is there any reason why AWS would not be able to communicate with my server? Knowing that all other services can do it without issue?

timothe commented 1 year ago

Requirements.txt is the latest with:

isodate==0.6.0
boto3==1.9.216
ask-sdk-core==1.11.0
pydantic==1.10.4

timothe commented 1 year ago

I did, deployed, tested, same result. Log enclosed: log-events-viewer-result.csv

Screenshot 2023-09-20 at 13 36 34

Would it be different if I switched from token to auth?

DEADSEC-SECURITY commented 1 year ago

Let's try forcing urllib3 to version 2 and see how it goes. You can do so by adding a new line to your requirements file with this: urllib3==2.0.5

This is related to this issue I found: https://stackoverflow.com/questions/47516722/urllib-request-ssl-connection-python-3

Apparently urllib3 doesn't support TLS 1.3 on version 1, so version 2 might fix it?

DEADSEC-SECURITY commented 1 year ago

> I did, deployed, tested, same result. Log enclosed: log-events-viewer-result.csv
>
> Screenshot 2023-09-20 at 13 36 34
>
> Would it be different if I switched from token to auth?

My bad, wrong library. Check my last message. You can remove the requests library and use urllib3

timothe commented 1 year ago

No worries, thanks! I tried, but got an error from the deployment: ERROR: Cannot install boto3 and urllib3==2.0.5 because these package versions have conflicting dependencies

DEADSEC-SECURITY commented 1 year ago

OK, let me fix that dependency issue very quickly; I'll send you an updated version of the requirements file.

DEADSEC-SECURITY commented 1 year ago

Try this:

isodate==0.6.0
ask-sdk-core==1.11.0
pydantic==1.10.4
boto3~=1.28.51
urllib3~=2.0.0

This should force urllib version 2+ and boto3 1.28+, which should now solve the conflict. I haven't tested these version upgrades, so let's hope they don't break other stuff.

DEADSEC-SECURITY commented 1 year ago

If that doesn't work before reverting the requirements file, try changing the class Borg to the following:

class Borg:
    """Borg MonoState Class for State Persistence."""

    _shared_state = {}

    def __init__(self):
        self.__dict__ = self._shared_state

def _init_http_pool():
    return urllib3.PoolManager(
        cert_reqs="CERT_REQUIRED" if VERIFY_SSL else "CERT_NONE", timeout=urllib3.Timeout(connect=10.0, read=10.0),
        ssl_version=urllib3.util.ssl.PROTOCOL_TLS
    )

This will force the requests to use TLS v1.3

DEADSEC-SECURITY commented 1 year ago

If none of this works then your best bet is to make sure your listener accepts connections using TLS 1.0, 1.1 and 1.2 instead of only 1.3

DEADSEC-SECURITY commented 1 year ago

> If that doesn't work before reverting the requirements file, try changing the class Borg to the following:
>
> class Borg:
>     """Borg MonoState Class for State Persistence."""
>
>     _shared_state = {}
>
>     def __init__(self):
>         self.__dict__ = self._shared_state
>
> def _init_http_pool():
>     return urllib3.PoolManager(
>         cert_reqs="CERT_REQUIRED" if VERIFY_SSL else "CERT_NONE", timeout=urllib3.Timeout(connect=10.0, read=10.0),
>         ssl_version=urllib3.util.ssl.PROTOCOL_TLS
>     )
>
> This will force the requests to use TLS v1.3

Now it should be good for you to try. Sorry I did some changes @timothe

timothe commented 1 year ago

So changing the requirements didn't work with the same error ERROR: Cannot install boto3 and urllib3~=2.0.0 because these package versions have conflicting dependencies. The conflict is caused by: The user requested urllib3~=2.0.0 botocore 1.31.51 depends on urllib3<1.27 and >=1.25.4

I changed the Borg class and I could deploy, but then the test failed and I can see a new error: [ERROR] AttributeError: module 'urllib3.util' has no attribute 'ssl'

DEADSEC-SECURITY commented 1 year ago

Might need to force botocore version too. To be honest I would just allow TLS v1.0, v1.1, v1.2 and see if it works. Also revert your changes for now.

timothe commented 1 year ago

I reverted my changes. I checked my security settings, and I was using the most strict security (TLS 1.3 only). I changed to accept 1.3/1.2/1.1/1.0 and did another test, same result. Logs here: log-events-viewer-result.csv

DEADSEC-SECURITY commented 1 year ago

Weird, can you try again? It has been 3 hours; maybe it was caching or something like that?

DEADSEC-SECURITY commented 1 year ago

Does your Home Assistant have https in the URL in the code? Can you send me a screenshot of the config to my email (amng835@gmail.com) so I can make sure that's not the issue?

timothe commented 1 year ago

No problem, I contacted you @DEADSEC-SECURITY. I tried again after 2 hours and still the same issue on maximum compatibility mode.

DEADSEC-SECURITY commented 1 year ago

I have a possible solution @timothe for you to try.

Add this somewhere next to the import statements: from urllib3.exceptions import InsecureRequestWarning

Then, after the imports, add this: urllib3.disable_warnings(category=InsecureRequestWarning)

And see if it works.

timothe commented 1 year ago

Screenshot 2023-09-21 at 17 56 47

Same issue 😕

log-events-viewer-result.csv

DEADSEC-SECURITY commented 1 year ago

Can you try the code from this branch? https://github.com/keatontaylor/alexa-actions/tree/207-bug-skill-doesnt-communicate-with-my-ha-instance

It basically now uses requests instead of urllib3, and let's see if that changes anything.

timothe commented 1 year ago

Imported, deployed, errored :( log-events-viewer-result.csv

DEADSEC-SECURITY commented 1 year ago

I'm making a new skill on the side with your domain to see if I can catch the error, because what's weird is that I tried doing the request on my computer to your domain and it worked.

Do you have any sort of anti-bot or firewall protecting your domain?

DEADSEC-SECURITY commented 1 year ago

@timothe to do the tests I need a TOKEN. Would you mind sending me a token via email? If you are OK with it, make it admin permissions; if not (I totally understand), make it able to read entities at least so I can go past the initial "open actionable notifications" test.

timothe commented 1 year ago

I'm sorry, I can't do that.

DEADSEC-SECURITY commented 1 year ago

Ok I understand. I need to think of another way to test it out then.

DEADSEC-SECURITY commented 1 year ago

Have you tried recreating the skill?

timothe commented 1 year ago

I just did - with the same result. It's using the master branch though, if I'm correct.

DEADSEC-SECURITY commented 1 year ago

Can you use the branch 207-bug-skill-doesnt-communicate-with-my-ha-instance and test it?

timothe commented 1 year ago

I don't think it's possible to import from a specific branch, at least I haven't found a way. I could however recreate and change the files to the ones from the branch though. I just did that, and I get the same error.

DEADSEC-SECURITY commented 1 year ago

You will need to open the branch, copy the code, and paste it in the Alexa skill code section.

DEADSEC-SECURITY commented 1 year ago

Sorry, didn't read the whole answer. Did you deploy the code changes? Same error in logs?

timothe commented 1 year ago

That's what I did.

timothe commented 1 year ago

Yes same error, TLS something, can't reach after x retries
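
The thread keeps circling three possible causes (TLS version mismatch, certificate verification, plain reachability) without separating them. The following is an added example, not part of the original thread or the project's code: it attempts one handshake per TLS version with certificate verification left on, using only Python's standard library. The hostname is a placeholder and the function names are made up for this sketch; running it inside the same runtime as the skill shows what that runtime's OpenSSL build can actually negotiate.

```python
import socket
import ssl

# TLS versions mentioned in the thread (the server started as 1.3-only).
VERSIONS = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def client_supports(name):
    """True if this runtime's ssl module / OpenSSL build offers the version."""
    return bool(getattr(ssl, "HAS_" + name, False)) and hasattr(ssl.TLSVersion, name)


def probe(host, port, name, timeout=5.0):
    """Try one handshake pinned to a single TLS version.

    Verification stays enabled, so a certificate problem is reported as
    'cert-error' and is not mistaken for a protocol mismatch.
    """
    if not client_supports(name):
        return "client-unsupported"
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = getattr(ssl.TLSVersion, name)
        ctx.maximum_version = getattr(ssl.TLSVersion, name)
    except ValueError:  # version disabled in this OpenSSL build
        return "client-unsupported"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + tls.version()
    except ssl.SSLCertVerificationError:
        return "cert-error"
    except ssl.SSLError:
        return "handshake-failed"
    except OSError:  # DNS failure, refused, reset or timed out
        return "connect-failed"


def tls_matrix(host, port=443):
    """Map each TLS version to the outcome seen from this runtime."""
    return {name: probe(host, port, name) for name in VERSIONS}


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION)
    # ha.example.invalid is a placeholder; substitute your own HA hostname.
    for name, outcome in tls_matrix("ha.example.invalid").items():
        print(name, outcome)
```

A row of `client-unsupported` for TLSv1_3 next to a 1.3-only server points at the runtime's OpenSSL build, which no change to certificate checking or warning suppression will fix.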