Telegram Bot-带letencrypt证书的Webhook SSL错误

时间:2020-04-30 14:49:59

标签: apache ssl ssl-certificate telegram-bot lets-encrypt

我已经尝试修复此错误已有两天了,但仍然没有找到任何可行的方法...所以这是我的问题:

我以前在Raspberry Pi上使用Certbot(letsencrypt)进行了Telegram Bot的安装,并且运行良好。现在,我想在新的HomeServer(一台 Manjaro Linux机器)上构建相同的东西。

因此,我安装了Apache和Certbot,并且与任何浏览器完美兼容,可以使用https://<mydomain>访问我的网站。但是...当我用证书设置Telegram机器人的Webhook时,您必须像这样通过:

curl -F "url=https://mrmobi.ddns.net/botTelegram/index.php" -F "certificate=@/etc/letsencrypt/live/mrmobi.ddns.net/fullchain.pem" https://api.telegram.org/bot723985628:AAHiEXNJgXZ-mGprEhGNc1QxiVpGfhxK_9A/setWebhook

总是给我同样的错误

{
    "ok": true,
    "result": {
        "url": "<myDomain>",
        "has_custom_certificate": true,
        "pending_update_count": 1,
        "last_error_date": 1588255882,
        "last_error_message": "SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}",
        "max_connections": 40
    }
}

因此,我搜索了解决方案,而每个人都一直在说,您应该尝试使用https://www.ssllabs.com/ssltest/analyze.html?d=<mydomain>&hideResults=on测试您的网站,然后检查是否在Chain项下写了“ None”之外的其他内容,并且这种情况下,您必须为服务器提供“完整证书链”。因此,我确实运行了该测试,但是写为“ None”,因为我已经给了Apache fullchain.pem证书。

Chain Issues Screenshot

由于Certbot创建了多个证书:我还尝试将chain.pemcert.pem传递给 / setWebhook 请求,但是出现相同的错误。

这是我创建它们的方式:

certbot certonly --webroot /srv/http -d <myfirstdomain> -d <myseconddomain>

所以现在我真的不知道该如何解决,因为SSL适用于浏览器,而不适用于Telegram Webhook ...

如果这是我的/etc/httpd/conf/extra/httpd-ssl.conf的一部分:

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile "/etc/letsencrypt/live/mrmobi.ddns.net/fullchain.pem"
#SSLCertificateFile "/etc/httpd/conf/server-dsa.crt"
#SSLCertificateFile "/etc/httpd/conf/server-ecc.crt"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/etc/letsencrypt/live/mrmobi.ddns.net/privkey.pem"
#SSLCertificateKeyFile "/etc/httpd/conf/server.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-dsa.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-ecc.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile "/etc/letsencrypt/live/mrmobi.ddns.net/fullchain.pem"

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"

那么,我希望有人能够帮我解决这个问题,因为我真的不知道这里出了什么问题...

编辑:

我现在删除了证书,并使用Certbot重新创建了证书,但使用了certbot --apache -d <myfirstdomain> -d <myseconddomain>这样的--apache选项,但仍然无法正常工作,我仍然遇到相同的错误...

这是Certbot在/etc/letsencrypt/options-ssl-apache.conf处创建并链接到Apache配置中的新配置:


# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384>SSLHonorCipherOrder     on

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common```

1 个答案:

答案 0 :(得分:0)

要解决此问题,我只需要发出.../setWebhook请求而不通过证书,然后将https://放在URL前面。

因为我认为Certbots证书是“自签名的”,但显然不是,我在想什么?我不敢相信这是如此简单,我忽略了……

那么,我仍然希望这对任何人都可能有同样愚蠢的问题有所帮助。 :)

相关问题
最新问题