OAuth2 Provider Let's Encrypt Certificate No Longer Supported #400

Open
jsetton opened this issue Oct 6, 2021 · 8 comments

@jsetton (Collaborator) commented Oct 6, 2021

According to the official documentation, Let's Encrypt SSL certificates cannot be used by the OAuth2 server involved in the skill account linking process anymore.

At this point, it's not very clear if this is actually enforced. The official skill uses such a certificate without any issue. Lately, it appears that some additional undocumented security requirements were added for newly created skills, but they don't seem to be enforced for existing ones yet.

While it may appear that the certificate restriction is now in place for newly created skills, it looks like setting your reverse proxy server's SSL ciphers setting to ALL still allows the account linking process to complete successfully using a LE certificate. Moreover, reverting that setting to its original, more strict value still allows that process to complete, as it seems that Amazon is doing some caching on their end. Currently, it's hard to pinpoint which exact SSL ciphers Amazon is looking for and if they are actually enforcing this documented restriction for smart home skills.

Ultimately, if the above workaround doesn't work, the solution for private skill instances using a private Cloud connector is to use the Amazon LWA OAuth2 provider option and add their Cloud connector account username and password to the skill configuration file, as described in the readme file.

It is important to note that this only affects the OAuth2 authorization process; the restriction doesn't apply to the communication between the skill Lambda function and your OH server, where LE certificates can be used without any issues.

@jsetton jsetton self-assigned this Oct 6, 2021
@jmccoy555

Hi, has

> It is important to note that this is only affecting the OAuth2 authorization process and such restriction doesn't apply to the communication between the skill Lambda function and your OH server where LE certificates can be used without any issues

been confirmed as the case, as my skill has stopped working?

I am connecting directly to my openHAB instance via an nginx reverse proxy. It stopped working a couple of weeks or so ago; maybe it's just a coincidence, but I haven't touched anything and it's been happily working away for a good few years, and I have only just had a chance to investigate.

I am using the Login with Amazon, and Let's Encrypt.

I cannot see anything hitting my nginx log from AWS, but if I check with my phone not on WiFi I see a log entry and can authenticate via basic auth with my username and password.

Thanks.

@jsetton (Collaborator, Author) commented Oct 18, 2021

> I cannot see anything hitting my nginx log from AWS, but if I check with my phone not on WiFi I see a log entry and can authenticate via basic auth with my username and password.

If it was a certificate issue, you would see the initial connection coming from the Lambda function in your NGINX logs. What do your Lambda function logs show? Also, since you mentioned you deployed this a while back, can you confirm the node.js version your Lambda function is set to?

@jmccoy555

Yeah, that's what I thought, but in the Skill and Lambda charts I could see the actions being processed and it just looked like it wasn't making it through to my openHAB. I don't really understand the Lambda logging side of things, to be honest; I guess I need to do some research on that.

node.js 8.1, so pretty old I guess. Maybe I'll just delete the skill and function and try a redeploy. Is there anything on the Amazon side that expires?

I presume the main branch is best?

Thanks for your help.

@jsetton (Collaborator, Author) commented Oct 23, 2021

> I don't really understand the Lambda logging side of things to be honest, I guess I need to do some research on that.

Assuming you deployed your Lambda function in us-east-1, you can access the log for the Lambda function here.

> node.js 8.1, so pretty old I guess. Is there anything on the Amazon side that expires?

The Lambda runtime support for node.js 8.1 ended in March 2020. This means that no updates were applied, including OS patches, since then to that runtime image.

As the older root certificate for Let's Encrypt certificates expired on September 30th, it could be that the newer one wasn't added to the list of trusted certificates at that time.

> Maybe I'll just delete the skill and function and try a redeploy.

If my assumption above is accurate, you would only need to bump the runtime to node.js 12.x in your Lambda function settings.

Otherwise, it all depends on what your Lambda logs are showing. Keep in mind that there are some major changes about to be merged, including deployment changes, so I would wait if you plan to completely reinstall your private skill.

@jmccoy555

Thanks for the pointers..... and sorry for hijacking this thread. Happy to delete and start a new one if you like?

I have just redeployed, as I was having a poke about and am not too sure what I'd done, so I thought it was best to start again.

I'm in the UK so using eu-west-1 and have changed the runtime to Node.js 12.x.

I'm getting this error in my Lambda:

2021-10-23T17:00:46.172Z	undefined	ERROR	Uncaught Exception 	{
    "errorType": "Runtime.ImportModuleError",
    "errorMessage": "Error: Cannot find module 'request'\nRequire stack:\n- /var/task/node_modules/request-promise-native/lib/rp.js\n- /var/task/lib/rest.js\n- /var/task/alexa/v2/ohConnector.js\n- /var/task/index.js\n- /var/runtime/UserFunction.js\n- /var/runtime/index.js",
    "stack": [
        "Runtime.ImportModuleError: Error: Cannot find module 'request'",
        "Require stack:",
        "- /var/task/node_modules/request-promise-native/lib/rp.js",
        "- /var/task/lib/rest.js",
        "- /var/task/alexa/v2/ohConnector.js",
        "- /var/task/index.js",
        "- /var/runtime/UserFunction.js",
        "- /var/runtime/index.js",
        "    at _loadUserApp (/var/runtime/UserFunction.js:100:13)",
        "    at Object.module.exports.load (/var/runtime/UserFunction.js:140:17)",
        "    at Object.<anonymous> (/var/runtime/index.js:43:30)",
        "    at Module._compile (internal/modules/cjs/loader.js:999:30)",
        "    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10)",
        "    at Module.load (internal/modules/cjs/loader.js:863:32)",
        "    at Function.Module._load (internal/modules/cjs/loader.js:708:14)",
        "    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:60:12)",
        "    at internal/main/run_main_module.js:17:47"
    ]
}

@jmccoy555

Or is it worth me just deploying your fork? Happy to help test!

@jsetton (Collaborator, Author) commented Oct 23, 2021

> Or is it worth me just deploying your fork? Happy to help test!

At this point, that's the only solution I would recommend if you can't wait until it gets merged and use the official skill in the meantime. You can also sign-up for the beta test.

Either way, please open a new issue related to any error you may encounter.

@jmccoy555

Well that's done the trick.... I'm back in business. Will test what I can and report any issues I find.

Thanks. 😄
