
I have a static IP address and I want to use it as a Telegram bot webhook. In other words, my bot application runs on my local system, and I configured my modem to forward requests from that IP address to my local server:port. This method works for other applications running on my local system, but I have a problem with SSL.

For setting the webhook, first I generate a self-signed certificate in this way:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT> OR <MY_IP>"

This generates the PUBLIC.pem file and I send it to the setWebhook API. The result is ok, but I always get the result below from the getWebhookInfo method:

{
   "ok":true,
   "result":{
      "url":".../bot/receive",
      "has_custom_certificate": true,
      "pending_update_count":15,
      "last_error_date":1609911454,
      "last_error_message":"SSL error {error:14095044:SSL routines:ssl3_read_n:internal error}",
      "max_connections":40,
      "ip_address":"..."
   }
}

Also in my application, I have enabled SSL support with the .p12 equivalent of the .pem certificate, but it is not working. Is there any way of doing this? Thanks in advance.

2 Answers


  1. Your problem lies within your self-signed certificate:

    openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT> OR <MY_IP>"
    

    … more specifically the -subj switch. Surely, you’re providing the CSR information, though if you look closely you’re using the or operator when declaring your IP. Moreover, your last initialization is just the plain IP address. For further reading on how to create a self-signed SSL certificate, I suggest the following resources:

    For just one DNS name, your certificate should look like this:

    openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT>"
    

    where MY_IP is obviously the IP address of your own server (from which you’re calling the webhook).

    For the sake of completeness, I’d advise you to use a reverse proxy such as NGINX – it will spare you from many headaches regarding SSL certificates in the request container. If you ask me, it’s easier to maintain once established. Though it’s just an alternative option.

  2. I faced this problem a couple of days ago and I know the right solution.
    First of all, this is the right command for openssl.

    openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=US/ST=State/L=City/O=pinkyhi/CN=IP"
    

    Be sure that you put only the IP, WITHOUT the "https://" prefix or a port.
    Next, you need to convert your PUBLIC.pem to .pfx format with this command and set a password for it.

    openssl pkcs12 -inkey PRIVATE.key -in PUBLIC.pem -export -out PUBLIC.pfx
    

    Now you should edit your Program.cs file and check that there is:

    using System.Net;
    using System.Security.Authentication;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Hosting;

    public class Program
    {
        public static void Main(string[] args) =>
            CreateHostBuilder(args).Build().Run();

        public static IHostBuilder CreateHostBuilder(string[] args) =>
            Host.CreateDefaultBuilder(args)
                .ConfigureWebHostDefaults(webBuilder =>
                {
                    webBuilder.UseStartup<Startup>();
                    webBuilder.UseKestrel(options =>
                    {
                        // Telegram talks TLS to the webhook; pin Kestrel to TLS 1.2.
                        options.ConfigureHttpsDefaults(co =>
                        {
                            co.SslProtocols = SslProtocols.Tls12;
                        });
                        // Serve the PKCS#12 bundle created above on port 443.
                        options.Listen(IPAddress.Loopback, 443, listenOptions =>
                        {
                            listenOptions.UseHttps("./Static/PUBLIC.pfx", "YOURPASSWORD");
                        });
                        options.Listen(IPAddress.Any, 443, listenOptions =>
                        {
                            listenOptions.UseHttps("./Static/PUBLIC.pfx", "YOURPASSWORD");
                        });
                    });
                });
    }
    

    Next, check that the webhook URL which you send to Telegram is in the format "https://IP", also WITHOUT a port!

    If all of that didn’t help you, try this HTML form to set the webhook with the URL manually; you can also check the webhook info to get some information about errors. You should edit it according to your TOKEN.

    <html>
    <body>
    
    <form action="https://api.telegram.org/botTOKEN/setwebhook" method="post" enctype="multipart/form-data">
        Select Certificate to upload:
        <input type="file" name="certificate" id="fileToUpload">
        URL: <input type="text" name="url"  value="https://IP"><br>
        <input type="submit" value="Upload Certificate" name="submit">
    </form>
    <br>
    <br>
    <br>
    <a href="https://api.telegram.org/botTOKEN/getWebhookInfo">Check hook info</a>
    </body>
    </html>
    

    And check that you opened port 443 on your firewall and your router.

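A pre-flight check for the rules this answer gives (the certificate CN must be the bare IP, and the webhook URL must be of the form https://IP with no port), written as an added example; it is not code from the question or from either answer. It uses only the Python standard library. The address 203.0.113.10 is a constructed sample from the documentation range, and the openssl command the last function builds also sets a subjectAltName via -addext (OpenSSL 1.1.1 or newer), which the thread does not mention but which TLS clients that ignore the CN field need to match the certificate to the host.

```python
"""Pre-flight checks for a Telegram webhook that uses a self-signed certificate.

Added example; not code from the question or the answers above. Rules encoded:
  * the certificate CN must be the bare IP (or host name): no scheme, no port;
  * the webhook URL must be https://<that host> with no explicit port;
  * the generated openssl command also puts the host into a subjectAltName,
    which the thread does not mention but which CN-ignoring TLS clients need.
"""
import ipaddress
from urllib.parse import urlsplit


def parse_subj(subj: str) -> dict:
    """Split an OpenSSL -subj string ("/C=US/ST=State/CN=203.0.113.10") into fields."""
    fields = {}
    for part in subj.strip("/").split("/"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed -subj component: {part!r}")
        fields[key] = value
    return fields


def check_common_name(cn: str) -> list:
    """Return the problems with a CN that is meant to name the webhook host."""
    problems = []
    if cn.startswith(("http://", "https://")):
        problems.append("CN must not carry a URL scheme")
        cn = cn.split("://", 1)[1]
    if " OR " in cn or "<" in cn or ">" in cn:
        problems.append("CN contains placeholder text; use one literal IP or host name")
        return problems
    try:
        ipaddress.ip_address(cn)  # a bare IPv4/IPv6 address is exactly what we want
        return problems
    except ValueError:
        pass
    _, sep, port = cn.rpartition(":")
    if sep and port.isdigit():
        problems.append("CN must not include a port")
    elif not cn:
        problems.append("CN is empty")
    return problems


def check_webhook_url(url: str, cn: str) -> list:
    """Return the problems with the URL passed to setWebhook, relative to the CN."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("webhook URL must use https")
    if parts.port is not None:
        problems.append("webhook URL must not carry an explicit port")
    if parts.hostname != cn:
        problems.append(f"URL host {parts.hostname!r} does not match certificate CN {cn!r}")
    return problems


def preflight(subj: str, url: str) -> list:
    """Combine both checks; an empty list means the pair is consistent."""
    cn = parse_subj(subj).get("CN", "")
    return check_common_name(cn) + check_webhook_url(url, cn)


def openssl_selfsigned_command(host: str, days: int = 365) -> str:
    """Build the openssl invocation for a self-signed certificate naming `host`.

    The subject mirrors the answer above; -addext adds a subjectAltName of the
    matching type (IP: or DNS:), which is an addition not shown in the thread.
    """
    try:
        ipaddress.ip_address(host)
        san = f"IP:{host}"
    except ValueError:
        san = f"DNS:{host}"
    return (
        "openssl req -newkey rsa:2048 -sha256 -nodes "
        f"-keyout PRIVATE.key -x509 -days {days} -out PUBLIC.pem "
        f'-subj "/C=US/ST=State/L=City/O=Example/CN={host}" '
        f'-addext "subjectAltName={san}"'
    )


if __name__ == "__main__":
    # Constructed sample values: 203.0.113.10 is from the documentation range.
    bad_subj = "/C=NG/ST=Lagos/L=Lagos/O=Example/CN=<MY_IP:PORT> OR <MY_IP>"
    good_subj = "/C=US/ST=State/L=City/O=Example/CN=203.0.113.10"
    for subj, url in [(bad_subj, "https://203.0.113.10:8443/bot/receive"),
                      (good_subj, "https://203.0.113.10/bot/receive")]:
        print(subj, url, preflight(subj, url) or "OK")
    print(openssl_selfsigned_command("203.0.113.10"))
```

Running the module prints three problems for the placeholder subject from the question (placeholder CN, explicit port, host mismatch) and "OK" for the corrected pair; the printed openssl line is what you would then paste into a shell before continuing with the pkcs12 conversion above.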