Server: Win Server 2012
Web server: IIS 8.5
Project: Asp.Net MVC

I bought a wildcard SSL certification for my domain and its subdomains and installed it on my server and bound to the website (in IIS).

It shows the green secure HTTPS padlock in the browser.


I used Telegram SetWebhook with my webhook URL (Something like this: https://webhook.example.com/api/WebhookAction/)

But when I run Telegram GetWebhookInfo, it returns a certificate verify failed error:

{  
   "ok":true,
   "result":{  
      "url":"https://webhook.example.com/api/WebhookAction/",
      "has_custom_certificate":false,
      "pending_update_count":1,
      "last_error_date":1489066503,
      "last_error_message":"SSL error {336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed}",
      "max_connections":40
   }
}

What do you think about this problem?

  • Should I change the webhook URL to a non-subdomain address like this: https://mydomain:8443/api/WebhookAction ?
  • Does my SSL certificate have a problem (for example, should it be a non-wildcard certificate)?

Edit

Also I tried:

Self-Signed Certificate way

A) I created a self-signed certificate with the following OpenSSL command instead of the wildcard certificate:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout MyDomain_private_key.key -x509 -days 365 -out MyDomain_public.pem -subj "/C=US/ST=New York/L=MyDomain/O=MyDomain/CN=webhook.example.com"

B) Then I created a PFX from the output files with this command:

openssl pkcs12 -export -out MyDomain.pfx -inkey MyDomain_private_key.key -in MyDomain_public.pem -certfile MyDomain_public.pem

C) Then I installed MyDomain.pfx on the server and bound it to https://webhook.mydomain.com.


D) I also used the MyDomain_public.pem file in the SetWebhook command as the certificate file (with both a third-party library and a curl command).

The curl command (the certificate field is a file upload, so the path needs the @ prefix):

curl -F "url=https://webhook.example.com/api/Webhookaction/" -F "certificate=@C:\path\mydomain_public.pem" https://api.telegram.org/bot[TOKEN]/setWebhook

But when I call the GetWebhookInfo API command, it returns this error:

{  
   "ok":true,
   "result":{  
      "url":"https://api.telegram.org/bot[token]/setWebhook?url=https://webhook.mydomain.com/api/webhookaction/",
      "has_custom_certificate":true,
      "pending_update_count":1,
      "last_error_date":1489126755,
      "last_error_message":"SSL error {336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed}",
      "max_connections":40
   }
}

What is my mistake?

jww
Ramin Bateni
  • There is an easier way to do this self-signing. Please create a new question on this topic, so it is clearer for other SO users – Charles Okwuagwu Mar 10 '17 at 08:11
  • OK @CharlesOkwuagwu, I wrote another question about how to create a self-signed certificate to use for a Telegram webhook, and I will put its link here for you soon. Thank you. – Ramin Bateni Mar 10 '17 at 08:24
  • Please can you give a link to the new question – Charles Okwuagwu Mar 10 '17 at 08:44
  • Thank you @CharlesOkwuagwu . The new question link: http://stackoverflow.com/questions/42713926/what-is-easy-way-to-create-a-use-an-self-signed-certification-for-a-telegram-web – Ramin Bateni Mar 10 '17 at 08:45
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Mar 10 '17 at 14:40
  • Fix your certificate. ***`CN=example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice in this case). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) – jww Mar 10 '17 at 14:42

2 Answers


You are not allowed to use wildcard certificates.

https://core.telegram.org/bots/webhooks#the-short-version

  1. Provides a supported, non-wildcard, verified or self-signed certificate.
  2. Uses a CN or SAN that matches the domain you’ve supplied on setup.
  3. Supplies all intermediate certificates to complete a verification chain.
Charles Okwuagwu
  • Thank you Charles, I tried to create and use a self-signed certificate; I wrote a description of the steps and added it to the question. Can you help me? Why do I get the error too? What is my mistake? – Ramin Bateni Mar 10 '17 at 06:53
  • @RAM were you able to use the self signed? – Charles Okwuagwu Mar 10 '17 at 08:06
  • My way of using the pfx file is similar to this topic: `https://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html`; then I use Add Site Binding in IIS to bind it to the subdomain. – Ramin Bateni Mar 10 '17 at 08:31
  • `Supplies all intermediate certificates to complete a verification chain.` Can you tell me how to do this in Apache? – Pejman Apr 06 '17 at 02:25

The error in your getWebhookInfo:

"last_error_message":"SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}"

is Telegram saying that it needs the whole certificate chain (also called a CA bundle or full-chain certificate).

How to check your certificate:

You can use the SSL Labs SSL Server Test service to check your certificate:

Just pass your URL like the following example, replacing coderade.github.io with your host:

https://www.ssllabs.com/ssltest/analyze.html?d=coderade.github.io&hideResults=on&latest

If you see "Chain issues: Incomplete", you are not serving the full certificate chain.

How to fix that:

Download the full-chain certificate from your SSL certificate provider and install it on your web server.

I don't know which server you are using, but in my case, with gunicorn, I solved it by adding the ca-certs option pointing at the ca-bundle file sent by my SSL certificate provider (in my case Namecheap Comodo) to my SSL configuration, like the following example:

ca_certs = "cert/my-service.ca-bundle"

For further information, see @martini's answer on this thread and the "FIX: Telegram Webhooks Not Working" site.

valdeci
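Added example (not code from the question or from either answer): a Python script that turns the three requirements quoted in the first answer and the chain check described in the second into something you can run against a webhook host. Certificates are handled in the dict shape that `ssl.SSLSocket.getpeercert()` returns; `check_names` flags wildcard names and a host that is missing from the SAN (the CN-only case produced by the question's openssl command), `check_chain` flags a lone, non-self-signed leaf (what SSL Labs reports as "Chain issues: Incomplete"), and `probe` performs the same verifying handshake Telegram's client does. The sample certificates, the `Example CA` names and the `webhook.example.com` host are constructed; only `probe` needs network access.

```python
"""Added example (not from the question or either answer): offline checks that
mirror what Telegram's webhook client requires of a certificate, plus a live
probe. Certificates are handled as the dicts ssl.SSLSocket.getpeercert()
returns; every sample certificate and hostname below is constructed."""
import socket
import ssl

WEBHOOK_HOST = "webhook.example.com"  # the host from the question


def cert_names(cert):
    """Return (SAN DNS names, subject commonNames) from a getpeercert()-style
    dict. Kept apart because verifiers ignore the CN once a SAN extension is
    present, which is why the host must be listed as a SAN."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans, cns


def check_names(cert, hostname):
    """Problems with the leaf certificate's names for hostname; an empty list
    means the name rules quoted from the Telegram docs would pass."""
    problems = []
    sans, cns = cert_names(cert)
    host = hostname.lower()
    if not sans:
        problems.append("no subjectAltName extension; the host must be listed as a SAN")
    for name in dict.fromkeys(sans + cns):  # de-duplicated, order kept
        if name.startswith("*."):
            problems.append(f"wildcard name {name!r}; Telegram rejects wildcard certificates")
    if host not in [n.lower() for n in sans]:
        if host in [n.lower() for n in cns]:
            problems.append(f"{hostname!r} is only in the CN; it must also be in the SAN")
        else:
            problems.append(f"{hostname!r} is not named in the certificate at all")
    return problems


def check_chain(chain):
    """chain: the certificates the server sent, leaf first. Each certificate's
    issuer must be the subject of the next, and a lone leaf that is not
    self-signed means the intermediates were never installed ('Chain issues:
    Incomplete'). Whether the last issuer is a trusted root is left to the
    TLS handshake in probe()."""
    if not chain:
        return ["server sent no certificate"]
    problems = []
    for i in range(len(chain) - 1):
        if chain[i]["issuer"] != chain[i + 1]["subject"]:
            problems.append(f"certificate {i} was not issued by certificate {i + 1}")
    if len(chain) == 1 and chain[0]["issuer"] != chain[0]["subject"]:
        problems.append("only the leaf was sent and it is not self-signed: intermediates missing")
    return problems


def probe(hostname, port=443, timeout=5.0):
    """Live check (needs network): do the verifying handshake Telegram's client
    does, then run the name checks on the leaf. Returns (ok, problems)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                leaf = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, [f"handshake failed as it would for Telegram: {exc.verify_message}"]
    problems = check_names(leaf, hostname)
    return not problems, problems


# Constructed samples in getpeercert() shape.
# Leaf as produced by the question's openssl command: CN only, self-signed, no SAN.
CN_ONLY_LEAF = {
    "subject": ((("commonName", WEBHOOK_HOST),),),
    "issuer": ((("commonName", WEBHOOK_HOST),),),
}
ISSUER_DN = ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),))
# Wildcard leaf like the purchased certificate in the question.
WILDCARD_LEAF = {
    "subject": ((("commonName", "*.example.com"),),),
    "issuer": ISSUER_DN,
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}
# A leaf that satisfies the name rules.
GOOD_LEAF = {
    "subject": ((("commonName", WEBHOOK_HOST),),),
    "issuer": ISSUER_DN,
    "subjectAltName": (("DNS", WEBHOOK_HOST),),
}
INTERMEDIATE = {
    "subject": ISSUER_DN,
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Root CA"),)),
}

if __name__ == "__main__":
    for label, leaf in [("CN only", CN_ONLY_LEAF), ("wildcard", WILDCARD_LEAF), ("good", GOOD_LEAF)]:
        print(label, check_names(leaf, WEBHOOK_HOST) or "names OK")
    print("leaf only:", check_chain([GOOD_LEAF]))
    print("leaf + intermediate:", check_chain([GOOD_LEAF, INTERMEDIATE]) or "chain OK")
```

Run it as a script to see the offline verdicts for the three constructed leaves; call `probe("your.webhook.host")` from a live machine to get the same "certificate verify failed" that getWebhookInfo reports when intermediates are missing, because `ssl.create_default_context()` does not fetch missing intermediates any more than Telegram's client does.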