Telegram webhook: Why do I get an ssl3_get_server_certificate:certificate verify failed error when I call the GetWebhookInfo API command?

纵饮孤独 submitted on 2021-01-08 15:35:50

Question


Server: Win Server 2012
Web server: IIS 8.5
Project: Asp.Net MVC

I bought a wildcard SSL certificate for my domain and its subdomains, installed it on my server and bound it to the website (in IIS).

It shows a green secure HTTPS indicator in the browser.

I used Telegram SetWebhook with my webhook URL (something like this: https://webhook.example.com/api/WebhookAction/)

But when I run Telegram GetWebhookInfo it returns a certificate verify failed error:

{  
   "ok":true,
   "result":{  
      "url":"https://webhook.example.com/api/WebhookAction/",
      "has_custom_certificate":false,
      "pending_update_count":1,
      "last_error_date":1489066503,
      "last_error_message":"SSL error {336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed}",
      "max_connections":40
   }
}

What do you think about this problem?

  • Should I change the webhook URL to a non-subdomain address like this: https://mydomain:8443/api/WebhookAction ?
  • Does my SSL certificate have any problem (for example, should it be a non-wildcard certificate)?

Edit

Also I tried:

The self-signed certificate way

A) I created a self-signed certificate with the following OpenSSL command instead of the wildcard certificate

openssl req -newkey rsa:2048 -sha256 -nodes -keyout MyDomain_private_key.key -x509 -days 365 -out MyDomain_public.pem -subj "/C=US/ST=New York/L=MyDomain/O=MyDomain/CN=webhook.example.com"

B) Then I created a PFX from the output files with this command (the key file name matches the -keyout of the previous step):

openssl pkcs12 -export -out MyDomain.pfx -inkey MyDomain_private_key.key -in MyDomain_public.pem -certfile MyDomain_public.pem

C) Then I installed MyDomain.pfx on the server and bound it to https://webhook.mydomain.com.

D) Also I used the MyDomain_public.pem file in the SetWebhook command as the certificate file (with both a third-party library and the curl command).

The curl command (note the @ before the path: without it curl sends the path as a string instead of uploading the file):

curl -F "url=https://webhook.example.com/api/Webhookaction/" -F "certificate=@C:\path\mydomain_public.pem" https://api.telegram.org/bot[TOKEN]/setWebhook

But when I call the GetWebhookInfo API command, it returns this error:

{  
   "ok":true,
   "result":{  
      "url":"https://api.telegram.org/bot[token]/setWebhook?url=https://webhook.mydomain.com/api/webhookaction/",
      "has_custom_certificate":true,
      "pending_update_count":1,
      "last_error_date":1489126755,
      "last_error_message":"SSL error {336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed}",
      "max_connections":40
   }
}

What is my mistake?


Answer 1:


You are not allowed to use wildcard certificates.

https://core.telegram.org/bots/webhooks#the-short-version

  1. Provides a supported, non-wildcard, verified or self-signed certificate.
  2. Uses a CN or SAN that matches the domain you’ve supplied on setup.
  3. Supplies all intermediate certificates to complete a verification chain.



Answer 2:


The error in your getWebHookInfo:

"last_error_message":"SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}"

is Telegram saying that it needs the whole certificate chain (also called a CA bundle or full-chain certificate).

How to check your certificate:

You can use the SSL Labs SSL Server Test service to check your certificate:

Just pass your URL like the following example, replacing coderade.github.io with your host:

https://www.ssllabs.com/ssltest/analyze.html?d=coderade.github.io&hideResults=on&latest

If you see "Chain issues: Incomplete" you are not serving a full-chain certificate.

How to fix that:

Download the full-chain certificate from your SSL certificate provider and install it on your web server.

I don't know which service you are using, but in my case, with gunicorn, I solved it by adding the ca-bundle file sent by my SSL certificate provider (in my case Namecheap Comodo) as ca_certs in my SSL configuration, like the following example:

ca_certs = "cert/my-service.ca-bundle"

For further information, see @martini's answer on this thread and the site FIX: Telegram Webhooks Not Working.
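As an added example (not part of either answer or of the original question), the following shell script reproduces offline the check both answers point at: Answer 1's third requirement (supply all intermediate certificates) and Answer 2's "Chain issues: Incomplete" diagnosis. It builds a throwaway root CA, intermediate CA and leaf with the openssl CLI, then verifies the leaf the way a client that trusts only the root does, first with the leaf alone (what a server that omits the intermediate presents) and then with leaf plus intermediate. The CA names, the host webhook.example.com and all file names are made up; only the openssl command-line tool is assumed. The show_served_chain function is a helper for inspecting a live host and is not run here.

```shell
#!/bin/sh
# Added example, not code from the original question or answers. Rebuilds the
# "certificate verify failed" a client reports when a server sends only its leaf
# certificate, and the fix (leaf + intermediate sent together).
# All names below are made up for the example: the CAs, the host, the file names.
set -eu

WORK="$(mktemp -d)"
HOST="webhook.example.com"

# Minimal openssl req config, so the example does not depend on the system openssl.cnf.
# $1 = config file to write, $2 = subject CN
req_cnf() {
  cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

gen_chain() {
  # Root CA: stands in for the public root already present in the client's trust store.
  req_cnf "$WORK/root.cnf" "Example Root CA"
  openssl req -x509 -config "$WORK/root.cnf" -extensions v3_ca -newkey rsa:2048 -sha256 \
    -nodes -days 365 -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA signed by the root: the certificate a "Chain issues: Incomplete"
  # server fails to send.
  req_cnf "$WORK/int.cnf" "Example Intermediate CA"
  openssl req -config "$WORK/int.cnf" -newkey rsa:2048 -sha256 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.cnf" -extensions v3_ca -out "$WORK/int.pem" 2>/dev/null

  # Leaf for the webhook host, signed by the intermediate: non-wildcard, and the host
  # name is in subjectAltName (not only CN), which is what verifiers match against.
  req_cnf "$WORK/leaf.cnf" "$HOST"
  printf '[v3_leaf]\nbasicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$HOST" > "$WORK/leaf.ext"
  openssl req -config "$WORK/leaf.cnf" -newkey rsa:2048 -sha256 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -extensions v3_leaf -out "$WORK/leaf.pem" 2>/dev/null

  # What the web server must send: leaf first, then the intermediate(s). The root is
  # not needed (the client already trusts it) and is normally left out.
  cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
}

# Verify the leaf as a client that trusts only the root would, given the bundle the
# server presents ($1). Prints "complete" or "incomplete", mirroring the SSL Labs verdict.
chain_status() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" \
       -verify_hostname "$HOST" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo "complete"
  else
    echo "incomplete"
  fi
}

# The OpenSSL reason underneath a "certificate verify failed" caused by a missing
# intermediate; prints nothing when the chain verifies.
verify_error() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" 2>&1 \
    | grep -o 'unable to get local issuer certificate' | head -n 1 || true
}

# For a live host ($1), not run here: prints the chain the server actually presents and
# OpenSSL's verdict. A missing intermediate shows up as
# "Verify return code: 21 (unable to verify the first certificate)".
show_served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | grep -E '^ *[0-9]+ s:|Verify return code'
}

gen_chain
echo "leaf only:  $(chain_status "$WORK/leaf.pem")"        # incomplete
echo "full chain: $(chain_status "$WORK/fullchain.pem")"   # complete
```

The leaf-only run fails with "unable to get local issuer certificate", which is exactly what a remote verifier such as Telegram's sees when the intermediate is missing, regardless of the browser showing a green padlock (browsers often cache or fetch missing intermediates on their own). On IIS, the counterpart of the gunicorn ca_certs fix above is to import the provider's intermediate certificate into the machine's Intermediate Certification Authorities store, so that the binding sends it together with the leaf; then re-check with show_served_chain or SSL Labs.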



Source: https://stackoverflow.com/questions/42698736/telegram-webhook-why-i-get-ssl3-get-server-certificatecertificate-verify-faile
