telegram bot SSL error: SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}

Asked 15/3, 2018 at 20:36 Answered 21/10, 2021 at 21:43

Solved php ssl bots telegram

I use let's encrypt free SSL (my host provider support it by default), I checked my site at sslshopper.com (the only warning was: The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.) and https://www.geocerts.com/ssl_checker the result was that my site passed all tests, except Certificate Chain Complete. so i don't think the problem is from the certificate, telegram accepts self-signed certificate as i know.

I've tried to use telegram sample bot at https://core.telegram.org/bots/samples/hellobot, after I set webhook URL, I checked my bot at https://api.telegram.org/bot[my-token]/getWebhookinfo

the result was:

{
  "ok": true,
  "result": {
    "url": "https://itest.gigfa.com/tlg1/tlg1.php",
    "has_custom_certificate": false,
    "pending_update_count": 17,
    "last_error_date": 1521140994,
    "last_error_message": "SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}",
    "max_connections": 40
  }
}

and the bot doesn't work at all.

Fogdog answered 15/3, 2018 at 20:36 Comment(0)

Yes, the problem is with your certificate.

The error in your getWebHookInfo:

"last_error_message":"SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}"

Is Telegram saying that it needs the whole certificate chain (it's also called CA Bundle or full chained certificate).

How to check your certificate:

You can use the SSL Labs SSL Server Test service to check your certificate:

Just pass your URL like the following example, replacing valde.ci with your host:

https://www.ssllabs.com/ssltest/analyze.html?d=valde.ci&hideResults=on&latest

If you see "Chain issues: Incomplete" you do not serve a full chained certificate.

How to fix:

Download the full chained certificate for your SSL certificate provider and install this on your webserver.

I don't know which service you are using, but for my example, with gunicorn I solved adding the ca-certs with ca-bundle file sent by my SSL Certificate provider (In my case Namecheap Comodo) on my SSL configuration, like the following example:

ca_certs = "cert/my-service.ca-bundle"

For further information: @martini answer on this thread and the FIX: Telegram Webhooks Not Working post.

Penitential answered 27/6, 2018 at 13:0 Comment(4)

I use let's encrypt free SSL on shared hosting. is this problem from let's encrypt, or my host provider? – Fogdog 29/6, 2018 at 16:40

Do you add all the three needed files (.key, .crt and .ca-bundle)? If so, you need to add all in your site configuration. The Namecheap has a very good documentation of how to install a ssl certificate in your site in many different ways, like Apache, Node.js, Nginx and etc. Please, check if you can follow one of the available ways: namecheap.com/support/knowledgebase/article.aspx/795/69/… – Penitential 29/6, 2018 at 17:16

thanks, the problem was I didn't set the CA Certificate. – Fogdog 29/6, 2018 at 17:52

Hello guys, is anyone able to help me with a similar issue? #62326366 – Will 11/6, 2020 at 15:35

I had the same issue with my k8s setup, i was using cert-manager to issue self-signed certificates but for some reason it doesn't work, here is how i solved this:

1- Issue the certificate using this command:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_ORG_NAME_HERE/CN=PUT_YOUR_DOMAIN_HERE"

NOTE: Fill in YOUR_ORG_NAME_HERE and PUT_YOUR_DOMAIN_HERE with your information.

2- base64 encode both files to be stored in k8s secret.

3- Edit certificate end put them in-place:

kubectl edit secret [secret-name] -n [namespace]

Note: put base64 content of PUBLIC.pem to ca.crt and tls.crt, and base64 of PRIVATE.key to tls.key.

Gati answered 21/10, 2021 at 21:43 Comment(0)

For those who use webmin and Let's Encrypt, My solution after 5 hours:

Download bellow link lets-encrypt-r3-cross-signed

go to Servers -> Apache Webserver -> your virtual host

Inside there set downloaded file into "Certificate authorities file" box:

It seems there must be a change in ssl check process.

Laciniate answered 31/1, 2021 at 11:50 Comment(0)

In my case I have my own https server running in node.js, and solution was add the .pem file obtained from my SSL provider in the credentials of https server, here the code:

// modules
const fs = require('fs')
const express = require('express')
const https = require('https')

// read files
const cert = fs.readFileSync('./ssl/cert.crt')
const key = fs.readFileSync('./ssl/key.key')
const ca = fs.readFileSync('./ssl/ca.pem')

// set in an object (you must respect the field names)
const credentials = { key, cert, ca }

// https server
const apiApp = express()

// ... your middlewares

const apiAppHttps = https.createServer(credentials, apiApp)

// telegram only supports ports 443, 80, 88, 8443

apiAppHttps.listen(8443, () => {
    console.log(`API listen ar port 8443`)
})

note that telegram webhook only accepts port 443, 80, 88, 8443, you can get more info about here:

https://core.telegram.org/bots/faq#im-having-problems-with-webhooks

Lohrman answered 5/2, 2021 at 4:2 Comment(0)

How to check your certificate:

How to fix:

Recommended topics

Hot tags