Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
0 votes
1.2k views
in Technique by (71.8m points)

ssl - telegram bot webhook self-signed certificate problem

I have a static IP address and I want to use it as the Telegram bot webhook. In other words, my bot application runs on my local system, and I configured my modem to forward requests from that IP address to my local server:port. This method is working for other applications running on my local system, but I have a problem with SSL.

To set the webhook, I first generate a self-signed certificate in this way:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT> OR <MY_IP>"

This generates the PUBLIC.pem file, which I send to the setWebhook API. The result is ok, but I always get the result below from the getWebhookInfo method:

{
   "ok":true,
   "result":{
      "url":".../bot/receive",
      "has_custom_certificate": true,
      "pending_update_count":15,
      "last_error_date":1609911454,
      "last_error_message":"SSL error {error:14095044:SSL routines:ssl3_read_n:internal error}",
      "max_connections":40,
      "ip_address":"..."
   }
}

Also, in my application, I have enabled SSL support with the .p12 equivalent of the .pem certificate, but it is not working. Is there any way of doing this? Thanks in advance.


1 Answer

0 votes
by (71.8m points)

Your problem lies within your self-signed certificate:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT> OR <MY_IP>"

... more specifically the -subj switch. Surely, you're providing the CSR information, though if you look closely you're using the "or" operator when declaring your IP. Moreover, your last initialization is just the plain IP address. For further reading on how to create a self-signed SSL certificate, I suggest the following resources:

For just one DNS name, your certificate should look like this:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT>"

where MY_IP is obviously the IP address of your own server (from which you're calling the webhook).

For the sake of completeness, I'd advise you to use a reverse proxy such as NGINX; it will spare you many headaches regarding SSL certificates in the request container. If you ask me, it's easier to maintain once established. Though it's just an alternative option.
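As an added example (not code from the answer above), here is a small POSIX shell script that generates the certificate with the bare IP in both the CN and a subjectAltName, and then checks the file before it is handed to setWebhook; it assumes OpenSSL 1.1.1 or newer and uses a placeholder documentation IP that you would replace with your own static address.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a self-signed
# certificate whose Common Name and subjectAltName both carry the bare IP
# (no ":port", no "OR"), then checks the file before handing it to setWebhook.
# Assumptions: OpenSSL 1.1.1+ (for -addext / -ext); the IP below is a
# documentation placeholder, replace it with your own static IP.
set -eu

WEBHOOK_IP="${WEBHOOK_IP:-203.0.113.10}"
KEY_FILE="${KEY_FILE:-PRIVATE.key}"
CERT_FILE="${CERT_FILE:-PUBLIC.pem}"

# Create key + certificate. The port never belongs in the CN: TLS name
# matching only looks at the host part, and modern clients check the SAN.
make_webhook_cert() {
    ip="$1"; key="$2"; cert="$3"
    openssl req -newkey rsa:2048 -sha256 -nodes \
        -keyout "$key" -x509 -days 365 -out "$cert" \
        -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=$ip" \
        -addext "subjectAltName=IP:$ip" >/dev/null 2>&1
}

# Print the certificate's CN (handles both "/CN=x" and "CN = x" subject styles).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed only if the CN is exactly the IP and a SAN entry carries the same IP,
# which is the condition the question's "<MY_IP:PORT> OR <MY_IP>" CN violates.
check_webhook_cert() {
    cert="$1"; ip="$2"
    [ "$(cert_cn "$cert")" = "$ip" ] || return 1
    openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null | grep -q "IP Address:$ip"
}

make_webhook_cert "$WEBHOOK_IP" "$KEY_FILE" "$CERT_FILE"
if check_webhook_cert "$CERT_FILE" "$WEBHOOK_IP"; then
    echo "$CERT_FILE is suitable for setWebhook (CN and SAN = $WEBHOOK_IP)"
else
    echo "$CERT_FILE would be rejected: fix the CN/SAN before calling setWebhook" >&2
    exit 1
fi
```

Run the check again on any certificate you already uploaded; a CN containing a port or the literal word OR fails it, which matches the getWebhookInfo error in the question.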
