Telegram Bot - Webhook SSL error with letsencrypt Certificate
I've been trying to fix this error for two days now and still haven't found anything that works... so here is my problem:

I previously set up a Telegram bot on a Raspberry Pi using Certbot (letsencrypt), and it worked fine. Now I want to build the same thing on my new home server (a Manjaro Linux machine).

So I installed Apache and Certbot, and it works perfectly with any browser when I visit my site via https://<mydomain>. But... when I set up the Telegram bot's webhook with the certificate, which you have to pass like this:

```
curl -F "url=https://<mydomain>/botTelegram/index.php" -F "certificate=@/etc/letsencrypt/live/<mydomain>/fullchain.pem" https://api.telegram.org/bot723985628:AAHiEXNJgXZ-mGprEhGNc1QxiVpGfhxK_9A/setWebhook
```

it always returns the same error:
```
{
  "ok": true,
  "result": {
    "url": "<myDomain>",
    "has_custom_certificate": true,
    "pending_update_count": 1,
    "last_error_date": 1588255882,
    "last_error_message": "SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}",
    "max_connections": 40
  }
}
```
Then I searched for a solution, and everyone keeps saying you should test your site with https://www.ssllabs.com/ssltest/analyze.html?d=<mydomain>&hideResults=on and check whether anything other than "None" is written under Chain Issues, in which case you have to give the server the "full certificate chain". So I ran this test, but it says "None", because I already gave Apache the fullchain.pem certificate.

(Screenshot: Chain Issues)

Since Certbot creates several certificates, I also tried passing chain.pem and cert.pem to the /setWebhook request, but the same error occurred.

This is how I created them:

```
certbot certonly --webroot /srv/http -d <myfirstdomain> -d <myseconddomain>
```

So now I really don't know how to fix this, since SSL works for browsers but not for the Telegram webhook...

Here is part of my /etc/httpd/conf/extra/httpd-ssl.conf, in case it helps:
```
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
# require an ECC certificate which can also be configured in
# parallel.
SSLCertificateFile "/etc/letsencrypt/live/<mydomain>/fullchain.pem"
#SSLCertificateFile "/etc/httpd/conf/server-dsa.crt"
#SSLCertificateFile "/etc/httpd/conf/server-ecc.crt"
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
# ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/etc/letsencrypt/live/<mydomain>/privkey.pem"
#SSLCertificateKeyFile "/etc/httpd/conf/server.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-dsa.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-ecc.key"
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile "/etc/letsencrypt/live/<mydomain>/fullchain.pem"
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"
```
So, I hope someone can help me with this, because I really don't know what's going wrong here...

Edit:

I have now deleted the certificates and recreated them with Certbot, but using the --apache option like this: `certbot --apache -d <myfirstdomain> -d <myseconddomain>`

But it still didn't work, I still get the same error...

This is the new configuration Certbot created at /etc/letsencrypt/options-ssl-apache.conf and linked into the Apache configuration:
```
# Intermediate configuration, tweak to your needs
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLOptions +StrictRequire
# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
```
To solve this, I just had to make the .../setWebhook request without passing the certificate, and put https:// in front of the URL.

Because I thought Certbot's certificates were "self-signed", but apparently they aren't; what was I thinking? I can't believe it was something so simple that I overlooked...

So, I still hope this helps anyone who might have the same silly problem. :)
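The checks behind the fix the post ends with, as an added shell example (not the poster's code): it counts the certificates in certbot's fullchain.pem, verifies the chain the server actually serves against the system CA store (the check Telegram performs when no custom certificate is uploaded), registers the webhook without the `certificate` field, and reads `last_error_message` back from getWebhookInfo. It assumes the reader exports `BOT_TOKEN` and `WEBHOOK_HOST`; the webhook path and certbot paths are the ones from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes BOT_TOKEN (your own
# bot token) and WEBHOOK_HOST (<mydomain>) are exported by the caller.
set -eu

WEBHOOK_PATH="/botTelegram/index.php"
FULLCHAIN="/etc/letsencrypt/live/${WEBHOOK_HOST:-example.test}/fullchain.pem"

# Number of certificates in a PEM bundle: certbot's fullchain.pem holds the leaf
# plus the Let's Encrypt intermediate, so a count of 1 means cert.pem, not the chain.
count_pem_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Verify the chain the server really sends against the system CA store, which is
# what Telegram does when no custom certificate has been uploaded.
check_served_chain() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# Register the webhook. The "certificate" field is only for self-signed
# certificates; for a CA-issued (Let's Encrypt) certificate it is left out.
set_webhook() {
  curl -sS -F "url=https://$1$WEBHOOK_PATH" \
    "https://api.telegram.org/bot$BOT_TOKEN/setWebhook"
}

# Extract last_error_message from a getWebhookInfo reply; prints nothing if absent.
webhook_last_error() {
  printf '%s\n' "$1" | sed -n 's/.*"last_error_message": *"\([^"]*\)".*/\1/p'
}

# Network steps run only when a token and host are present, so the functions
# above can also be sourced and used on their own.
if [ -n "${BOT_TOKEN:-}" ] && [ -n "${WEBHOOK_HOST:-}" ]; then
  echo "certificates in $FULLCHAIN: $(count_pem_certs "$FULLCHAIN")"
  check_served_chain "$WEBHOOK_HOST" && echo "served chain verifies against system CAs"
  set_webhook "$WEBHOOK_HOST"; echo
  info=$(curl -sS "https://api.telegram.org/bot$BOT_TOKEN/getWebhookInfo")
  err=$(webhook_last_error "$info")
  [ -z "$err" ] && echo "webhook OK" || echo "Telegram reports: $err"
fi
```

If `check_served_chain` fails while the browser is happy, the browser is filling in a missing intermediate from its cache and Apache is not serving the full chain.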