telegram bot webhook self-signed certificate problem - ssl

I have a static IP address and I want to use it as a Telegram bot webhook. In other words, my bot application runs on my local system, and I configured my modem to forward requests from that IP address to my local server:port. This method works for other applications running on my local system, but I have a problem with SSL.
To set the webhook, I first generate a self-signed certificate this way:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT> OR <MY_IP>"
This generates the PUBLIC.pem file and I send it to the setWebhook API. The result is OK, but I always get the result below from the getWebhookInfo method:
{
  "ok": true,
  "result": {
    "url": ".../bot/receive",
    "has_custom_certificate": true,
    "pending_update_count": 15,
    "last_error_date": 1609911454,
    "last_error_message": "SSL error {error:14095044:SSL routines:ssl3_read_n:internal error}",
    "max_connections": 40,
    "ip_address": "..."
  }
}
Also, in my application I have enabled SSL support with the .p12 equivalent of the .pem certificate, but it is not working. Is there any way to do this? Thanks in advance.

Your problem lies within your self-signed certificate:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT> OR <MY_IP>"
... more specifically the -subj switch. Surely, you're providing the CSR information, though if you look closely you're using the OR operator when declaring your IP. Moreover, your last initialization is just the plain IP address. For further reading on how to create a self-signed SSL certificate, I suggest the following resources:
How to create a self-signed certificate with OpenSSL
OpenSSL Quick Reference Guide
In case you want to set up an alternative (or multiple) DNS names to your certificate, this thread is also very informative.
For just one DNS name, your certificate should look like this:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=NG/ST=Lagos/L=Lagos/O=YOUR_NAME_OR_COMPANY_NAME/CN=<MY_IP:PORT>"
where MY_IP is obviously the IP address of your own server (from which you're calling the webhook).
For the sake of completeness, I'd advise you to use a reverse proxy such as NGINX; it will spare you many headaches regarding SSL certificates in the request container. If you ask me, it's easier to maintain once established, though it's just an alternative option.

I faced this problem a couple of days ago and I know the right solution.
First of all, here is the right command for openssl:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=US/ST=State/L=City/O=pinkyhi/CN=IP"
Be sure that you put only the IP, WITHOUT the "https://" prefix or a port.
Next, you need to convert your PUBLIC.pem to .pfx format with this command and set a password for it:
openssl pkcs12 -inkey PRIVATE.key -in PUBLIC.pem -export -out PUBLIC.pfx
Now you should edit your Program.cs file and check that it contains:
using System.Net;
using System.Security.Authentication;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder.UseStartup<Startup>();
            webBuilder.UseKestrel(options =>
            {
                // Pin the listeners to TLS 1.2.
                options.ConfigureHttpsDefaults(co =>
                {
                    co.SslProtocols = SslProtocols.Tls12;
                });
                // Same PKCS#12 bundle (PUBLIC.pfx from the openssl pkcs12 step)
                // and password on both the loopback and the public listener.
                options.Listen(IPAddress.Loopback, 443, listenOptions =>
                {
                    listenOptions.UseHttps("./Static/PUBLIC.pfx", "YOURPASSWORD");
                });
                options.Listen(IPAddress.Any, 443, listenOptions =>
                {
                    listenOptions.UseHttps("./Static/PUBLIC.pfx", "YOURPASSWORD");
                });
            });
        });
Next, check that the webhook URL you send to Telegram is in the format "https://IP", also WITHOUT a port!
If none of that helped you, try using this HTML form to set the webhook with the URL manually; you can also check the webhook info to get some information about the errors. You should edit it according to your TOKEN.
<html>
<body>
  <form action="https://api.telegram.org/botTOKEN/setwebhook" method="post" enctype="multipart/form-data">
    Select Certificate to upload:
    <input type="file" name="certificate" id="fileToUpload">
    URL: <input type="text" name="url" value="https://IP"><br>
    <input type="submit" value="Upload Certificate" name="submit">
  </form>
  <br>
  <br>
  <br>
  <a href="https://api.telegram.org/botTOKEN/getWebhookInfo">Check hook info</a>
</body>
</html>
And check that you have opened port 443 on your firewall and your router.
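Both answers above come down to the same two facts: the certificate's CN must be the bare IP (no scheme, no port), and the PKCS#12 export must open with the password you give Kestrel. The script below is an added example, not code from either answer or from Telegram, that does both steps and then checks the result before you upload anything. It goes slightly beyond the answers by also putting the IP in a subjectAltName entry, which is where modern TLS stacks look first (the CN still carries the IP as the answers require). The IP 203.0.113.10, the organisation name and the password are constructed placeholders; it assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example (not from the original answers): generate a self-signed
# certificate for a Telegram webhook whose CN *and* subjectAltName carry
# the bare IP, export it to PKCS#12 for Kestrel, and sanity-check it.
# Assumptions: openssl on PATH; 203.0.113.10 is a constructed placeholder.
set -eu

# make_webhook_cert IP OUTDIR PASSWORD
# Writes OUTDIR/PRIVATE.key, OUTDIR/PUBLIC.pem (upload this one to
# setWebhook) and OUTDIR/PUBLIC.pfx (private key + cert, stays on the server).
make_webhook_cert() {
    ip=$1; out=$2; pw=$3
    mkdir -p "$out"
    # A small config file adds subjectAltName without needing -addext,
    # so it works on OpenSSL 1.0.x as well as 1.1.1/3.x.
    cat > "$out/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
C  = US
ST = State
L  = City
O  = TelegramBot
CN = $ip
[ext]
subjectAltName = IP:$ip
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -keyout "$out/PRIVATE.key" -out "$out/PUBLIC.pem" \
        -config "$out/san.cnf" 2>/dev/null
    openssl pkcs12 -export -inkey "$out/PRIVATE.key" -in "$out/PUBLIC.pem" \
        -out "$out/PUBLIC.pfx" -passout "pass:$pw"
}

# check_cert_ip CERT IP
# Returns 0 only when the CN is exactly the bare IP (so "IP:443" or
# "https://IP" fail) and the same IP appears as a SAN IP Address entry.
check_cert_ip() {
    cert=$1; ip=$2
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    [ "$cn" = "$ip" ] || return 1
    openssl x509 -in "$cert" -noout -text \
        | grep -qE "IP Address:$ip(,|\$)" || return 1
    return 0
}

# check_pfx PFX PASSWORD
# Returns 0 when the bundle opens with that password and yields a
# parseable certificate, i.e. the password Kestrel will be given is right.
check_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject >/dev/null 2>&1
}

# Demo run with the placeholder IP in a throwaway directory.
demo_dir=$(mktemp -d)
make_webhook_cert 203.0.113.10 "$demo_dir" 'change-me'
if check_cert_ip "$demo_dir/PUBLIC.pem" 203.0.113.10 \
   && check_pfx "$demo_dir/PUBLIC.pfx" 'change-me'; then
    echo "OK: $demo_dir/PUBLIC.pem names 203.0.113.10 in CN and SAN"
else
    echo "FAIL: certificate does not name the bare IP" >&2
fi
```

Only PUBLIC.pem goes to setWebhook; PUBLIC.pfx contains the private key and must never be uploaded. Once the service is listening, `openssl s_client -connect IP:443 -servername IP` from outside your network shows the certificate Telegram will actually see, which catches the port-forward and firewall problems the second answer ends with.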

Related

how to add an openssl created certificate to trusted certificates

I used openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365 to generate cert.pem and key.pem and it executed correctly. Now what I want is to add the openssl-generated certificate to the trusted certificates so that I don't get greeted with the "Your connection isn't private" page before loading my Flask HTTPS site. Any help is appreciated.
EDIT: OS is Windows. I am trying to add the OpenSSL-generated certificate to Trusted Root Certification Authorities inside the Microsoft Management Console (MMC).
Depending on the browser, you need to run certutil with a specific DB location:
chromium-based (most) -d sql:$HOME/.pki/nssdb
firefox -d %userprofile%\Application Data\Mozilla\Firefox\Profiles\%randomalphanum%.default\cert8.db

Generate self signed certs for connection between nginx and upstream server

I have to deploy a backend that wants to handle HTTPS on its own.
The README of that backend provides the following command to generate a self signed cert:
openssl req -x509 -nodes -newkey rsa:2048 -keyout tls.key -out tls.crt -days 3650
That gives me tls.key and tls.crt files. However, the NGINX guide at https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/ requires some more files which I don't have.
It would be awesome if someone could tell me how to generate all the certificate files I need so that NGINX can talk to the backend via SSL.
The outside-facing SSL connection is covered by Let's Encrypt.

How to make client approve a server certificate?

I need to make a client approve a server CA certificate which is not known to it.
I have generated cert.pem using the following command:
openssl req -x509 -newkey rsa:4096 -nodes -out cert.pem -keyout key.pem -days 365
And then, using the following command, I came to know that requests points to <full-path>/cacert.pem:
python -mrequests.certs
So I copied the generated cert.pem to the same path and gave it to verify. I have tried the following to do so; I don't want to use verify=False.
requests.get("https://<ip>:<port>/route1", verify='<full-path>/cert.pem')
I still see that the client is throwing the following error:
SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
How do I make the client approve the server certificate? Am I missing anything? Any help would be appreciated.
Server side code:
from flask import Flask

app = Flask(__name__)  # app is the Flask object
# (cert, key) tuple: Flask/Werkzeug builds an SSL context from these files
context = ('cert.pem', 'key.pem')
app.run(host="<ip>", port=port, debug=True, ssl_context=context)

IceCast SSL certificate as not secure

I have installed IceCast with SSL on my server. The program works perfectly, but the SSL certificate is recognized as not secure in the browser. I generated the certificate with the following command:
openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout icecast2.pem -out icecast2.pem
Page capture: http://i.imgur.com/V5V3zM4.png
Does anyone know how I can fix it?
PS: I'm running an Apache2 server and Debian.
Many Thanks.
You've got a self-signed certificate that is not contained in any trust chain. Hence, it is marked as insecure by your browser.
There is hardly any way to fix this with your existing certificate. You can try the Let's Encrypt initiative.

modulus.io SSL need key file?

I would like to get SSL running on my subdomain api.rofulus.com.
I checked out https://modulus.io/codex/projects/ssl
I created a certificate and key with:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
I registered on namecheap and bought a PositiveSSL:
https://www.namecheap.com/security/ssl-certificates/domain-validation.aspx
I uploaded the content of the server file to namecheap and received 3 files:
api_rofulus_com.crt
PositiveSSLCA2.crt
AddTrustExternalCARoot.crt
But for custom SSL I need the content of a key file. But my myserver.key is empty. So where or how can I get the key?
Thanks for help!
By using this command you have created the certificate request server.csr:
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
To see the contents of the request you can use:
openssl req -noout -text -in server.csr
Then you uploaded server.csr to namecheap and got your certificates.
If your private key (myserver.key) is empty then I think you somehow corrupted it. You can reissue your certificate with a new key and certificate request. Drop a line to namecheap support; I think they can resolve this situation.