Question posted in 
Server: Win Server 2012
Web server: IIS 8.5
Project: Asp.Net MVC
I bought a wildcard SSL certification for my domain and its subdomains and installed it on my server and bound to the website (in IIS).
It show green secure HTTPS in browser.
I used Telegram SetWebhook with my webhook URL (Something like this: https://webhook.example.com/api/WebhookAction/)
But when i run Telegram GetWebhookInfo it return certificate verify failed error:
{
"ok":true,
"result":{
"url":"https://webhook.example.com/api/WebhookAction/",
"has_custom_certificate":false,
"pending_update_count":1,
"last_error_date":1489066503,
"last_error_message":"SSL error {336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed}",
"max_connections":40
}
}
What do you think about this problem?
- Should i change the Webhook Url to a None-SubDomain address like this:
https://mydomain:8443/api/WebhookAction? - Has my
SSLany problem (for example should be a None-Wildcard SSL)?
Edit
Also i tried:
Self-Signed Certificate way
A)
I Created a Self Signed Certificate by the following OpenSSL command instead of the Wildcard SSL
openssl req -newkey rsa:2048 -sha256 -nodes -keyout MyDomain_private_key.key -x509 -days 365 -out MyDomain_public.pem -subj "/C=US/ST=New York/L=MyDomain/O=MyDomain/CN=webhook.example.com"
B)
Then i created a PFX from the output files by this command:
openssl pkcs12 -export -out MyDomain.pfx -inkey MyDomain_private.key -in MyDomain_public.pem -certfile MyDomain_public.pem
C)
Then i installed the MyDomain.pfx on the server and bind it to the Https://webhook.mydomain.com.
D)
Also i used the MyDomain_public.pem file in the SetWebhook command as the certification file (with both a third library and Curl command).
The Curl command:
curl -F "url=https://webhook.example.com/api/Webhookaction/" -F "certificate=C:pathmydomain_public.pem" https://api.telegram.org/bot[TOKEN]/setWebhook
But when i call GetWebhookInfo API command, it return this error:
{
"ok":true,
"result":{
"url":"https://api.telegram.org/bot[token]/setWebhook?url=https://webhook.mydomain.com/api/webhookaction/",
"has_custom_certificate":true,
"pending_update_count":1,
"last_error_date":1489126755,
"last_error_message":"SSL error {336134278, error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed}",
"max_connections":40
}
}
What is my mistake?
2
Answers
You are not allowed to use wild card certificates.
https://core.telegram.org/bots/webhooks#the-short-version
The error in your getWebHookInfo:
Is Telegram saying that it needs the whole certificate chain (it’s also called CA Bundle or full chained certificate).
How to check your certificate:
You can use the SSL Labs SSL Server Test service to check your certificate:
Just pass your URL like the following example, replacing
coderade.github.iowith your host:https://www.ssllabs.com/ssltest/analyze.html?d=coderade.github.io&hideResults=on&latest
If you see "Chain issues: Incomplete" you do not serve full chained certificate.
How to fix that:
Download the full chained certificate for your SSL certificate provider and install this on your webserver.
I don’t know which service you are using, but for my example, with gunicorn I solved adding the ca-certs with
ca-bundlefile sent by my SSL Certificate provider (In my case Namecheap Comodo) on my SSL configuration, like the following example:For further information: @martini answer on this thread and the FIX: Telegram Webhooks Not Working site.