Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
2.1k views
in Technique[技术] by (71.8m points)

php - telegram bot SSL error: SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}

I use let's encrypt free SSL (my host provider support it by default), I checked my site at sslshopper.com (the only warning was: The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.) and https://www.geocerts.com/ssl_checker the result was that my site passed all tests, except Certificate Chain Complete. so i don't think the problem is from the certificate, telegram accepts self-signed certificate as i know.

I've tried to use telegram sample bot at https://core.telegram.org/bots/samples/hellobot, after I set webhook URL, I checked my bot at https://api.telegram.org/bot[my-token]/getWebhookinfo

the result was:

{
  "ok": true,
  "result": {
    "url": "https://itest.gigfa.com/tlg1/tlg1.php",
    "has_custom_certificate": false,
    "pending_update_count": 17,
    "last_error_date": 1521140994,
    "last_error_message": "SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}",
    "max_connections": 40
  }
}

and the bot doesn't work at all.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Yes, the problem is with your certificate.

The error in your getWebHookInfo:

"last_error_message":"SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}"

Is Telegram saying that it needs the whole certificate chain (it's also called CA Bundle or full chained certificate).

How to check your certificate:

You can use the SSL Labs SSL Server Test service to check your certificate:

Just pass your URL like the following example, replacing valde.ci with your host:

https://www.ssllabs.com/ssltest/analyze.html?d=valde.ci&hideResults=on&latest

If you see "Chain issues: Incomplete" you do not serve a full chained certificate.

How to fix:

Download the full chained certificate for your SSL certificate provider and install this on your webserver.

I don't know which service you are using, but for my example, with gunicorn I solved adding the ca-certs with ca-bundle file sent by my SSL Certificate provider (In my case Namecheap Comodo) on my SSL configuration, like the following example:

ca_certs = "cert/my-service.ca-bundle"

For further information: @martini answer on this thread and the FIX: Telegram Webhooks Not Working post.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...