3

I am trying to setup my Telegram bot webhook using a Let's Encrypt certificate but Telegram keeps saying verification_failed. Browsers, however, are totally fine with new Let's Encrypt certificate.

My self-signed certificate is currently working fine in webhooks on my Ubuntu 17.04 with Nginx web server.

What am i missing?

Current self-signed certificate setup (Works)

I generated my certificate using this command:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout my-cert.key -x509 -days 365 -out my-cert.pem -subj "/C=CA/ST=Ontario/L=Toronto/O=My Organization/CN=example.org"

and Nginx configuration:

server {
    server_name example.org www.example.org localhost;

    listen 443  ssl;
    listen 8080 ssl;
    listen 8443 ssl;

    ssl_certificate     /etc/nginx/certificates/my-cert.pem;
    ssl_certificate_key /etc/nginx/certificates/my-cert.key;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;

    location ~* ^/bots/mybot/webhook/.+$ {
        proxy_pass          http://0.0.0.0:5000;
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade;
        proxy_set_header    Connection keep-alive;
        proxy_set_header    Host $host;
        proxy_cache_bypass  $http_upgrade;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

New Let's Encrypt setup (Works in browsers, Fails in webhooks)

Certificate is generated for my domain using EFF's great certbot.

When setting Telegram's webhook, I use /etc/letsencrypt/live/example.org/cert1.pem file.

This is Nginx configuration I tried:

server {
    server_name example.org www.example.org localhost;

    listen  80;
    listen  [::]:80;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}

server {
    server_name example.org www.example.org localhost;

    listen 443  ssl;
    listen 8080 ssl;
    listen 8443 ssl;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem; # managed by Certbot

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;

    location ~* ^/bots/mybot/webhook/.+$ {
        proxy_pass          http://0.0.0.0:5000;
        proxy_http_version  1.1;
        proxy_set_header    Upgrade $http_upgrade;
        proxy_set_header    Connection keep-alive;
        proxy_set_header    Host $host;
        proxy_cache_bypass  $http_upgrade;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Poulad
  • 1,149
  • 1
  • 12
  • 22
  • Does it work now? Have you tried my solution jet? – creyD Jul 06 '17 at 08:41
  • thanks for the reply. I will get a chance to try it in a few hours. – Poulad Jul 06 '17 at 17:06
  • How do you solve this ? I have the same problem. I'm using certbot to configure my nginx server. I tried fullchain.pem with webhook, bu t also "cert.pem" (it seems the public cert): from /etc/letsencrypt/live/README: "cert.pem: will break many server configurations, and should not be used". But same result: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed – eramos Mar 09 '20 at 13:12
  • Looking at the answer (and its comment) below, you can see there is no need to pass the certificate when invoking `setwebhook` command on the bot API. – Poulad Mar 09 '20 at 13:19
  • ok, i didn't understand that solution . I will try, thank u. – eramos Mar 14 '20 at 12:52

1 Answers1

4

I tried this a while ago myself with an Apache webserver but on Ubuntu 17.04 too with letsencrypt and it works fine.

You mentioned that you used the setwebhook?url= method with an additional argument (passing the certificate...). Somehow this isn´t needed. You can just enter the url starting with https:// and you are fine.

creyD
  • 1,972
  • 3
  • 26
  • 55