I use Let's Encrypt free SSL (my host provider supports it by default).
I checked my site at sslshopper.com (the only warning was: "The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.") and https://www.geocerts.com/ssl_checker
The result was that my site passed all tests except Certificate Chain Complete, so I don't think the problem is from the certificate; Telegram accepts self-signed certificates, as far as I know.
I've tried to use the Telegram sample bot at https://core.telegram.org/bots/samples/hellobot. After I set the webhook URL, I checked my bot at https://api.telegram.org/bot[my-token]/getWebhookinfo
The result was:
{
"ok": true,
"result": {
"url": "https://itest.gigfa.com/tlg1/tlg1.php",
"has_custom_certificate": false,
"pending_update_count": 17,
"last_error_date": 1521140994,
"last_error_message": "SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}",
"max_connections": 40
}
}
And the bot doesn't work at all.
Yes, the problem is with your certificate.
The error in your getWebHookInfo,
"last_error_message":"SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}"
is Telegram saying that it needs the whole certificate chain (it's also called a CA bundle or full chained certificate).
You can use the SSL Labs SSL Server Test service to check your certificate.
Just pass your URL as in the following example, replacing valde.ci with your host:
https://www.ssllabs.com/ssltest/analyze.html?d=valde.ci&hideResults=on&latest
If you see "Chain issues: Incomplete", you are not serving a full chained certificate.
Download the full chained certificate from your SSL certificate provider and install it on your web server.
I don't know which service you are using, but in my case, with gunicorn, I solved it by adding the ca-certs setting with the ca-bundle file sent by my SSL certificate provider (in my case Namecheap Comodo) to my SSL configuration, like the following example:
ca_certs = "cert/my-service.ca-bundle"
For further information, see @martini's answer on this thread and the "FIX: Telegram Webhooks Not Working" post.
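
The check described in this answer can be scripted. The following is an added example, not part of the original question or answer: it parses the getWebhookInfo response quoted in the question and decodes the OpenSSL error inside `last_error_message`, showing that the decimal number and the hex code are the same packed value. The function name `diagnose` is hypothetical, and the bit layout assumes OpenSSL 1.1.x error packing.

```python
import json
import re
from datetime import datetime, timezone

# The getWebhookInfo response quoted in the question, embedded so this runs offline.
SAMPLE = '''{"ok": true, "result": {"url": "https://itest.gigfa.com/tlg1/tlg1.php",
 "has_custom_certificate": false, "pending_update_count": 17,
 "last_error_date": 1521140994,
 "last_error_message": "SSL error {337047686, error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}",
 "max_connections": 40}}'''

# Shape of the OpenSSL error string that appears inside last_error_message.
SSL_ERR = re.compile(r"SSL error \{(\d+), error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^}]*)\}")


def diagnose(webhook_info_json):
    """Summarise a getWebhookInfo response and decode any TLS error in it."""
    info = json.loads(webhook_info_json)["result"]
    report = {
        "url": info.get("url", ""),
        "pending": info.get("pending_update_count", 0),
        "custom_cert": info.get("has_custom_certificate", False),
        "last_error_utc": None,
        "ssl": None,
        "verify_failed": False,
    }
    if "last_error_date" in info:
        ts = datetime.fromtimestamp(info["last_error_date"], tz=timezone.utc)
        report["last_error_utc"] = ts.isoformat()
    m = SSL_ERR.search(info.get("last_error_message", ""))
    if m:
        code = int(m.group(1))
        report["ssl"] = {
            "code_matches_hex": code == int(m.group(2), 16),
            # Assumption: OpenSSL 1.1.x packing (8-bit lib, 12-bit func, 12-bit reason).
            "lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF,
            "library": m.group(3),
            "function": m.group(4),
            "text": m.group(5).strip(),
        }
        # Telegram could not build a trusted path from the certificates the server sent.
        report["verify_failed"] = report["ssl"]["text"] == "certificate verify failed"
    return report


if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE), indent=2))
```

A `verify_failed` result only says that Telegram could not validate the certificates it was sent; whether the cause is a missing intermediate is what the SSL Labs "Chain issues" line confirms.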