Question
Server: Win Server 2012
Web server: IIS 8.5
Project: Asp.Net MVC
I bought a wildcard SSL certificate for my domain and its subdomains, installed it on my server and bound it to the website (in IIS).
It shows the green secure HTTPS in the browser.
I used Telegram SetWebhook with my webhook URL (something like this: https://webhook.example.com/api/WebhookAction/).
But when I run Telegram GetWebhookInfo it returns a certificate verify failed error:
{
  "ok":true,
  "result":{
    "url":"https://webhook.example.com/api/WebhookAction/",
    "has_custom_certificate":false,
    "pending_update_count":1,
    "last_error_date":1489066503,
    "last_error_message":"SSL error {336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed}",
    "max_connections":40
  }
}
What do you think about this problem?
- Should I change the Webhook URL to a non-subdomain address like this: https://mydomain:8443/api/WebhookAction ?
- Does my SSL certificate have any problem (for example, should it be a non-wildcard SSL certificate)?
Edit
I also tried the self-signed certificate way:
A) I created a self-signed certificate with the following OpenSSL command instead of the wildcard SSL certificate:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout MyDomain_private_key.key -x509 -days 365 -out MyDomain_public.pem -subj "/C=US/ST=New York/L=MyDomain/O=MyDomain/CN=webhook.example.com"
B) Then I created a PFX from the output files with this command (the -inkey file is the private key written in step A):
openssl pkcs12 -export -out MyDomain.pfx -inkey MyDomain_private_key.key -in MyDomain_public.pem -certfile MyDomain_public.pem
C) Then I installed MyDomain.pfx on the server and bound it to Https://webhook.mydomain.com.
D) I also used the MyDomain_public.pem file in the SetWebhook command as the certificate file (with both a third-party library and the curl command).
The curl command (the @ prefix makes curl upload the file contents rather than the literal path):
curl -F "url=https://webhook.example.com/api/Webhookaction/" -F "certificate=@C:\path\mydomain_public.pem" https://api.telegram.org/bot[TOKEN]/setWebhook
But when I call the GetWebhookInfo API command, it returns this error:
{
  "ok":true,
  "result":{
    "url":"https://api.telegram.org/bot[token]/setWebhook?url=https://webhook.mydomain.com/api/webhookaction/",
    "has_custom_certificate":true,
    "pending_update_count":1,
    "last_error_date":1489126755,
    "last_error_message":"SSL error {336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed}",
    "max_connections":40
  }
}
What is my mistake?
Answer 1:
You are not allowed to use wildcard certificates.
https://core.telegram.org/bots/webhooks#the-short-version
- Provides a supported, non-wildcard, verified or self-signed certificate.
- Uses a CN or SAN that matches the domain you’ve supplied on setup.
- Supplies all intermediate certificates to complete a verification chain.
Answer 2:
The error in your getWebHookInfo:
"last_error_message":"SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}"
is Telegram saying that it needs the whole certificate chain (also called the CA bundle or full-chain certificate).
How to check your certificate:
You can use the SSL Labs SSL Server Test service to check your certificate. Just pass your URL like the following example, replacing coderade.github.io with your host:
https://www.ssllabs.com/ssltest/analyze.html?d=coderade.github.io&hideResults=on&latest
If you see "Chain issues: Incomplete", you are not serving the full-chain certificate.
How to fix that:
Download the full-chain certificate from your SSL certificate provider and install it on your web server.
I don't know which service you are using, but in my case, with gunicorn, I solved it by adding the ca-bundle file sent by my SSL certificate provider (in my case Namecheap Comodo) as ca_certs in my SSL configuration, like the following example:
ca_certs = "cert/my-service.ca-bundle"
For further information: @martini's answer on this thread and the "FIX: Telegram Webhooks Not Working" site.
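The chain check described in the answer above can be reproduced offline. The script below is an added example, not code from the question or either answer: it builds a constructed root -> intermediate -> leaf PKI for webhook.example.com with the openssl CLI (assumed to be OpenSSL 1.1.0 or later) and shows that the leaf verifies only when the intermediate is supplied with it and the hostname matches, which is exactly what separates a complete chain from the "Chain issues: Incomplete" case that produces "certificate verify failed".

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Builds a constructed
# PKI (root -> intermediate -> leaf for webhook.example.com) with the openssl CLI
# and checks the leaf the way a webhook caller would: it verifies only when the
# intermediate is supplied alongside it and the name matches.
WORK=$(mktemp -d)

# Constructed, throwaway test PKI; every name here is a placeholder.
make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:webhook.example.com\n' > "$WORK/leaf.ext"
  # Root: self-signed, with explicit CA extensions so no openssl.cnf defaults are relied on.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  # Intermediate: signed by the root, itself a CA.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 3650 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
  # Leaf: the webhook host's certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=webhook.example.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_chain LEAF HOSTNAME [INTERMEDIATES]
# Succeeds only if LEAF chains up to the trusted root through INTERMEDIATES and its
# SAN matches HOSTNAME. Omitting INTERMEDIATES models a server that sends just its
# own certificate, i.e. the "Chain issues: Incomplete" case.
verify_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$3" -verify_hostname "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.pem" -verify_hostname "$2" "$1" >/dev/null 2>&1
  fi
}

make_pki
if verify_chain "$WORK/leaf.pem" webhook.example.com; then
  echo "leaf alone: verified"
else
  echo "leaf alone: certificate verify failed (intermediate not served)"
fi
if verify_chain "$WORK/leaf.pem" webhook.example.com "$WORK/int.pem"; then
  echo "leaf + intermediate: verified"
fi
if ! verify_chain "$WORK/leaf.pem" other.example.com "$WORK/int.pem"; then
  echo "leaf + intermediate, wrong host: hostname mismatch"
fi
```

Against a live server the same test is `openssl s_client -connect host:443 -servername host -showcerts`, where a "Verify return code" other than 0 and a chain of depth 0 only point at the missing intermediate.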
Source: https://stackoverflow.com/questions/42698736/telegram-webhook-why-i-get-ssl3-get-server-certificatecertificate-verify-faile