I use Let's Encrypt free SSL (my host provider supports it by default). I checked my site at sslshopper.com (the only warning was: "The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. The fastest way to fix this problem is to contact your SSL provider.") and at https://www.geocerts.com/ssl_checker; the result was that my site passed all tests except "Certificate Chain Complete". So I don't think the problem is from the certificate; Telegram accepts self-signed certificates as far as I know.
I've tried to use the Telegram sample bot at https://core.telegram.org/bots/samples/hellobot. After I set the webhook URL, I checked my bot at https://api.telegram.org/bot[my-token]/getWebhookInfo, and the result was:
{
  "ok": true,
  "result": {
    "url": "https://itest.gigfa.com/tlg1/tlg1.php",
    "has_custom_certificate": false,
    "pending_update_count": 17,
    "last_error_date": 1521140994,
    "last_error_message": "SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}",
    "max_connections": 40
  }
}
And the bot doesn't work at all.
Yes, the problem is with your certificate.
The error in your getWebhookInfo:
"last_error_message":"SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}"
is Telegram saying that it needs the whole certificate chain (also called a CA bundle or full chained certificate).
You can use the SSL Labs SSL Server Test service to check your certificate:
Just pass your URL like the following example, replacing valde.ci with your host:
https://www.ssllabs.com/ssltest/analyze.html?d=valde.ci&hideResults=on&latest
If you see "Chain issues: Incomplete" you do not serve a full chained certificate.
Download the full chained certificate from your SSL certificate provider and install it on your web server.
I don't know which service you are using, but in my case, with gunicorn, I solved it by adding the ca-certs setting, pointing to the ca-bundle file sent by my SSL certificate provider (in my case Namecheap Comodo), to my SSL configuration, like the following example:
ca_certs = "cert/my-service.ca-bundle"
For further information: @martini's answer on this thread and the "FIX: Telegram Webhooks Not Working" post.
I had the same issue with my k8s setup. I was using cert-manager to issue self-signed certificates, but for some reason it didn't work. Here is how I solved this:
1- Issue the certificate using this command:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_ORG_NAME_HERE/CN=PUT_YOUR_DOMAIN_HERE"
NOTE: Fill in YOUR_ORG_NAME_HERE and PUT_YOUR_DOMAIN_HERE with your information.
2- base64-encode both files so they can be stored in a k8s secret.
3- Edit the secret and put them in place:
kubectl edit secret [secret-name] -n [namespace]
Note: put the base64 content of PUBLIC.pem into ca.crt and tls.crt, and the base64 of PRIVATE.key into tls.key.
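Both answers come down to the same two checks: the certificate file handed to the server (or to the k8s secret) must contain the leaf followed by its intermediates, and the base64 values in the secret must be the raw file contents. The script below is an added example, not code from this thread or from Telegram, cert-manager or Kubernetes; it uses only the Python standard library, so it checks PEM structure (how many certificate blocks are present, whether the key is usable) and does not cryptographically verify issuer/subject linkage. Every PEM body in it is a constructed placeholder, and the names `check_cert_chain`, `build_tls_secret` and the secret name `tlg1-tls` are my own.

```python
"""Added example (not from the original thread): stdlib-only helper that
checks whether a certificate file carries the chain the first answer asks
for (leaf followed by intermediates) and builds the kubernetes.io/tls
Secret that the second answer fills in by hand.  It inspects PEM structure
only; use `openssl verify` or the SSL Labs test for real chain validation.
All PEM bodies below are constructed placeholders, not real material."""
import base64
import json
import re

# One PEM object: "-----BEGIN X-----", body, "-----END X-----" with the same label X.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def split_pem(text):
    """Return [(label, full_block_text), ...] for every PEM object in `text`."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def check_cert_chain(cert_pem, self_signed=False):
    """Return a list of problems found in a server certificate file.

    Telegram's "certificate verify failed" and SSL Labs' "Chain issues:
    Incomplete" both mean the server presented only the leaf.  A CA-issued
    leaf must be followed by its intermediate(s); a self-signed certificate
    is a chain of one by design, so pass self_signed=True for that case.
    """
    problems = []
    blocks = split_pem(cert_pem)
    certs = [block for label, block in blocks if label == "CERTIFICATE"]
    others = sorted({label for label, _ in blocks if label != "CERTIFICATE"})
    if not certs:
        problems.append("no CERTIFICATE block found")
    if others:
        problems.append("non-certificate objects in certificate file: " + ", ".join(others))
    if certs and not self_signed and len(certs) < 2:
        problems.append("only the leaf certificate is present; append the CA bundle")
    return problems


def check_private_key(key_pem):
    """Return a list of problems found in the private key file."""
    labels = [label for label, _ in split_pem(key_pem)]
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        return ["no PRIVATE KEY block found"]
    if "ENCRYPTED PRIVATE KEY" in labels:
        return ["private key is passphrase-protected; the server cannot load it unattended"]
    return []


def pem_to_b64(pem_text):
    """Kubernetes Secret `data` values are base64 of the raw file contents."""
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


def build_tls_secret(name, namespace, cert_pem, key_pem, ca_pem=None):
    """Return a kubernetes.io/tls Secret manifest as a dict (kubectl accepts JSON)."""
    data = {"tls.crt": pem_to_b64(cert_pem), "tls.key": pem_to_b64(key_pem)}
    if ca_pem is not None:
        data["ca.crt"] = pem_to_b64(ca_pem)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": data,
    }


def _fake_pem(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed placeholders standing in for real PEM files.
LEAF_ONLY = _fake_pem("CERTIFICATE", "MIIC...leaf-placeholder")
INTERMEDIATE = _fake_pem("CERTIFICATE", "MIID...intermediate-placeholder")
FULL_CHAIN = LEAF_ONLY + INTERMEDIATE        # what the server should present
ROOT_CA = _fake_pem("CERTIFICATE", "MIIE...root-placeholder")
PRIVATE_KEY = _fake_pem("PRIVATE KEY", "MIIE...key-placeholder")

if __name__ == "__main__":
    print("leaf only :", check_cert_chain(LEAF_ONLY) or "ok")
    print("full chain:", check_cert_chain(FULL_CHAIN) or "ok")
    print("key       :", check_private_key(PRIVATE_KEY) or "ok")
    secret = build_tls_secret("tlg1-tls", "default", FULL_CHAIN, PRIVATE_KEY, ca_pem=ROOT_CA)
    print(json.dumps(secret, indent=2))   # save and `kubectl apply -f` it
```

Run it against your real files by reading them into `check_cert_chain` / `check_private_key` first; a leaf-only result is exactly the "Chain issues: Incomplete" case, and fixing it means concatenating the provider's CA bundle after the leaf in the file the server (or `tls.crt`) uses. Note that the question's getWebhookInfo shows `"has_custom_certificate": false`, which means no certificate was uploaded to Telegram: a self-signed certificate like the one from step 1 above only works with the webhook if its public part is passed to Telegram's setWebhook `certificate` parameter; a CA-issued certificate instead needs the complete chain served.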