telegram bot webhook self-signed certificate problem

Question

I have an static ip address and I want to use it as Telegram bot webhook. In the other words, my bot application runs on my local system, and I configured my modem to forward requests from that ip address to my local server:port. This method is working for other applications run on my local system, but I have problem with ssl.

For setting webhook, first I generate a Self-signed certificate in this way:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT> OR <MY_IP>"

This generates PUBLIC.pem file and I send it to setWebhook api. The result is ok, but I always get below result from getWebhookInfo method:

{
   "ok":true,
   "result":{
      "url":".../bot/receive",
      "has_custom_certificate": true,
      "pending_update_count":15,
      "last_error_date":1609911454,
      "last_error_message":"SSL error {error:14095044:SSL routines:ssl3_read_n:internal error}",
      "max_connections":40,
      "ip_address":"..."
   }
}

Also in my applicaition, I have enabled ssl supprot with .p12 equivalent of .pem certificate, but not working. Is there any way for doing this? Thanks in advance.

`CN= OR ` did you actually specify both with `OR` in between? I don't believe that's valid. If you want more than one you need to add them as an alternate. See https://stackoverflow.com/a/23587047/2232127 — JensV, Jan 15 '21 at 15:55

score 1 · Answer 1 · answered Jan 15 '21 at 22:58

Your problem lies within your self-signed certificate:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT> OR <MY_IP>"

... more specifically the -subj switch. Surely, you're providing the CSR information, though if you look closely you're using the or operator when declaring your IP. Moreover, your last initialization is just the plain IP address. For further reading purposes on how to creating a self-signed SSL certification, I suggest you the following resources:

How to create a self-signed certificate with OpenSSL
OpenSSL Quick Reference Guide
In case you want to set up an alternative (or multiple) DNS names to your certificate, this thread is also very informative.

For just one DNS name, your certificate should look like this:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT>

whereas MY_IP is obviously the IP address of your own server (from which you're calling the webhook).

For the sake of completeness, I'd advise you to use a reverse proxy such as NGNIX - it will spare you from many headaches regarding SSL certificates in the request container. If you ask me, it's easier to maintain once established. Though it's just an alternative option.

@hamed Please let me know if I was able to answer your question thoroughly. Don't hesitate to ask me any questions regarding this reply, in case something is unclear! — J. M. Arnold, Jan 15 '21 at 22:59

score 0 · Answer 2 · answered Sep 18 '21 at 15:39

I faced this problem couple of days ago and I know the right solution. First of all, it's the right command for openssl.

openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=US/ST=State/L=City/O=pinkyhi/CN=IP"

Be sure that you put only IP WITHOUT "https://" prefix or port. Next, you need to convert your PUBLIC.pem to .pfx format with this command and set the password for it.

openssl pkcs12 -inkey PRIVATE.key -in PUBLIC.pem -export -out PUBLIC.pfx

Now you should edit your Program.cs file and check that there is:

        public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
            webBuilder.UseKestrel(options =>
            {
                options.ConfigureHttpsDefaults(co =>
                {
                    co.SslProtocols = SslProtocols.Tls12;
                });
                options.Listen(IPAddress.Loopback, 443, listenOptions =>
                {
                    listenOptions.UseHttps("./Static/PUBLIC.pfx", "YOURPASSWORD");
                });
                options.Listen(IPAddress.Any, 443, listenOptions =>
                {
                    listenOptions.UseHttps("./Static/PUBLIC.pfx", "YOURPASSWORD");
                });
            });
        });

Next check that your webhook URL which you send to Telegram is in the format: "https://IP", also WITHOUT port!

If all of that didn't help you, try to use this HTML form to upload webHook with URL manually, also you can check webhook info to get some information about errors. You should edit with accordingly to your TOKEN.

<html>
<body>

<form action="https://api.telegram.org/botTOKEN/setwebhook" method="post" enctype="multipart/form-data">
    Select Certificate to upload:
    <input type="file" name="certificate" id="fileToUpload">
    URL: <input type="text" name="url"  value="https://IP"><br>
    <input type="submit" value="Upload Certificate" name="submit">
</form>
<br>
<br>
<br>
<a href="https://api.telegram.org/botTOKEN/getWebhookInfo">Check hook info</a>
</body>
</html>

And check that you opened 443 port on firewall and your router

telegram bot webhook self-signed certificate problem

2 Answers2