I'm working on a Ruby language server to manage multiple Telegram Bots via setWebhook.
BTW, I'll deliver the server as open source at BOTServer.
PROBLEM
I have trouble receiving webhook updates from the Telegram Bot API Server. I have set a webhook token (Telegram replies "success") but I do not receive any update on the successfully configured webhook.
I think the problem could be around self-signed certificate mysteries. See old reddit question and answers.
I have a similar problem and I fear the point is in some "misunderstanding" between the Telegram Bot API Server that sends HTTPS webhook updates and the bot server receiving webhooks (I use nginx as proxy/HTTPS SSL certificate handler).
It seems that someone solved the issue configuring nginx with a certificate "chain"; I'm pretty ignorant in certificate tricks and so I ask:
QUESTION
Could someone post info, to configure nginx (any SSL web server!) with detailed settings / step-by-step for dummies, showing how to pass from the .key and .pem files described here: https://core.telegram.org/bots/self-signed to set up the certificate "chain" to configure in the nginx config, to be "accepted" by the Telegram Bot API Server?
BTW, my nginx config now:
upstream backend {
    server 127.0.0.1:3000;
}
#
# HTTPS server
#
server {
    listen 8443 ssl;
    server_name myhost.com;
    # "ssl on;" dropped: redundant with "listen ... ssl" and rejected by recent nginx
    ssl_certificate /mypath/ssl/PUBLIC.pem;
    ssl_certificate_key /mypath/ssl/PRIVATE.key;
    ssl_session_timeout 5m;
    # SSLv3 dropped (POODLE); only TLS versions are offered
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # one cipher list; the "A or B" text was two documentation alternatives pasted together
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
    # named location is written @backend; "#backend" is not nginx syntax
    location @backend {
        proxy_pass http://backend;
    }
    location / {
        try_files $uri @backend;
    }
}
where PRIVATE.key + PUBLIC.pem are the files generated following the guidelines in Using self-signed certificates:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=YOURDOMAIN.EXAMPLE"
thanks
giorgio
I answer myself, to share solution found here:
https://stackoverflow.com/a/33260827/1786393
the point was not the mentioned nginx configuration, but the PEM file:
openssl req -newkey rsa:2048 -sha256 -nodes -keyout YOURPRIVATE.key -x509 -days 365 -out YOURPUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=YOURDOMAIN.EXAMPLE"
YOURDOMAIN.EXAMPLE in the subj string of openssl must be the real hostname of your server that receives webhooks.
The solution that works for me:
I generated a key pair: openssl genrsa -out webhook_pkey.pem 2048 and openssl req -new -x509 -days 3650 -key webhook_pkey.pem -out webhook_cert.pem
Don't forget to give the FQDN; give your host's IP at least.
Added it to the nginx config:
server {
    listen 8443 ssl;
    server_name MY_IP;
    charset utf-8;
    client_max_body_size 75M;
    ssl_certificate /var/www/myproject/tg_keys/webhook_cert.pem;
    ssl_certificate_key /var/www/myproject/tg_keys/webhook_pkey.pem;
    location / { try_files $uri @yourapplication; }
    location @yourapplication {
        include uwsgi_params;
        uwsgi_pass unix:/var/www/myproject/hb.sock;
    }
}
cURL options:
CURLOPT_SSL_VERIFYPEER = false
CURLOPT_SSL_VERIFYHOST = false
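Both answers above come down to the same point: the name in the certificate must be the name (or IP) Telegram connects to. The script below is an added example, not code from either answer or from BOTServer; it generates a self-signed webhook certificate with the openssl CLI (OpenSSL 1.1.1 or newer is assumed for -addext) and then checks the name the way a verifying client does, using OpenSSL's own -checkhost/-checkip matching. Besides the CN it also puts the name into a subjectAltName, because modern verifiers consult the SAN first and some refuse certificates that have none. The host names, the IP and the output paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed webhook certificate
# whose name matches the host, plus the check a verifying client would apply.
set -u

# make_webhook_cert HOST OUTDIR
# Writes OUTDIR/PRIVATE.key and OUTDIR/PUBLIC.pem with CN=HOST and a
# subjectAltName of the right type (DNS name or IPv4 address).
make_webhook_cert() {
    host=$1; dir=$2
    mkdir -p "$dir"
    case $host in
        *[!0-9.]*) san="DNS:$host" ;;   # has letters or other chars: a DNS name
        *)         san="IP:$host" ;;    # digits and dots only: an IPv4 address
    esac
    openssl req -newkey rsa:2048 -sha256 -nodes -x509 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=$san" \
        -keyout "$dir/PRIVATE.key" -out "$dir/PUBLIC.pem" 2>/dev/null
}

# cert_matches_host CERT HOST
# Uses OpenSSL's name matching (SAN first, CN as fallback); returns 0 when
# HOST is a name the certificate is valid for, 1 otherwise.
cert_matches_host() {
    cert=$1; host=$2
    case $host in
        *[!0-9.]*) opt=-checkhost ;;
        *)         opt=-checkip ;;
    esac
    openssl x509 -in "$cert" -noout "$opt" "$host" | grep -q 'does match'
}

# Usage: ./webhook_cert.sh myhost.example /mypath/ssl
if [ "$#" -eq 2 ]; then
    make_webhook_cert "$1" "$2"
    if cert_matches_host "$2/PUBLIC.pem" "$1"; then
        echo "PUBLIC.pem is valid for $1"
    else
        echo "PUBLIC.pem is NOT valid for $1"
    fi
fi
```

After nginx is reloaded, openssl s_client -connect myhost.example:8443 -servername myhost.example shows which certificate the listener actually presents; if that is not the one you uploaded with setWebhook, Telegram will not deliver updates even though the setWebhook call itself returned success.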
Related
Following Godaddy instructions, I have generated a private key and the corresponding CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr
Then, I uploaded mydomain.csr to Godaddy, getting a ZIP file containing the SSL and intermediate certificates, which I concatenated to have a single CRT file:
cat mysslcert.crt intermediate.crt >> mydomain.crt
Using the official NGINX image from the docker hub, the configuration is the following:
server {
    listen 80;
    listen 443 ssl;
    keepalive_timeout 10m;
    root /var/www;
    server_name mydomain.com;
    # "ssl on;" removed: with it the port-80 listener would expect TLS too;
    # the ssl parameter on "listen 443 ssl" is what enables TLS for that port
    ssl_certificate /etc/ssl/mydomain.crt;
    ssl_certificate_key /etc/ssl/mydomain.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ...
The files are accessible (checked with wrong paths). The error I'm getting is the following:
SSL_CTX_use_PrivateKey_file("/etc/ssl/mydomain.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
The comparison of the MD5 tells me they're different, but what am I doing wrong?
Thanks @TarunLalwani, the problem was that the certificate I can download from GoDaddy takes time to be refreshed when a new CSR is uploaded. The solution was that I had to wait for the actual email indicating that my certificate is ready to be downloaded.
I would like to install Squid proxy with SSL bump. I am working on my virtual lab and once everything is OK I will test it on the real network.
I already created a directory for the cert and generated the cert as below:
#Generate Private Key
openssl genrsa -out MSY.com.private 2048
# Create Certificate Signing Request
openssl req -new -key MSY.com.private -out MSY.com.csr
# Sign Certificate
openssl x509 -req -days 3652 -in MSY.com.csr -signkey MSY.com.private -out MSY.com.cert
Then I filled in the info and put the 'Common Name' as something other than the domain or server_name. In addition, please find below the lines from the squid configuration file:
http_port 3128
#the problem is with the below line
ssl-bump cert=/etc/squid/ssl_cert/MSY.com.cert key=/etc/squid/ssl_cert/MSY.com.private generate-host-certificates=on version=1 options=NO_SSLv2,NO_SSLv3,SINGLE_DH_USE
# SSL Bump Config
ssl_bump stare all
ssl_bump bump all
and it's not working, and if I remove the SSL bump certificate line from the configuration, the proxy works but without SSL. My questions: can we eliminate SSL-bump from the configuration, and can I manually copy the certificate to the client/user machine and add it to his/her Internet browser?
thanks
I am trying to establish a 2-way SSL connection between an nginx server and a client(browser/postman).
I am wondering whether it should be possible to tell nginx to trust the browser/postman's keys, assuming nginx requests and verifies client's certificates.
specifically, what should be put in that section of nginx
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/newcert.crt;
    ssl_certificate_key /etc/nginx/ssl/newkey.pem;
    ssl_session_timeout 15m;
    # SSLv3 and the RC4/LOW/EXPORT ciphers of the original dropped
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_verify_client on;
    ssl_verify_depth 2;
    # what should be the content of that file??
    ssl_client_certificate /etc/nginx/ssl/trust/client.crt;   # <<<<<< this one
}
I failed to find any information regarding this...
Thanks.
The ssl_client_certificate directive points to a file containing the Certificate Authority used to sign the client's Certificate Request. See this document for details.
If you are using a self-signed certificate authority for your client certificates, the procedure would be something like this:
Create a self-signed certificate to use as a Certificate Authority. See OpenSSL CA(1) for a simplified scheme to manage this step.
Generate a certificate request for the client. For example:
openssl req -newkey rsa:2048 -nodes -keyout user.key -out user.req
Use the CA from step 1 to sign the request from step 2 to generate a certificate for the client. See OpenSSL CA(1) above.
Convert the certificate from step 3 into a PKCS#12 formatted file so that it can be imported by the client. For example:
cat user.key user.crt | openssl pkcs12 -export -out user.p12
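The four steps of the answer, carried through end to end, as an added example that is not part of the original answer (it uses a throwaway self-signed CA made with openssl req -x509 instead of the CA(1) scheme the answer points at). The CA name "Example Client CA", the user name and the paths are assumptions. The file nginx's ssl_client_certificate must point at is the CA certificate (ca.crt here), not the user's certificate; the check client_cert_ok runs with openssl verify is the same trust decision nginx makes during the handshake.

```shell
#!/bin/sh
# Added example (not from the original answer): private CA, signed client
# certificate, PKCS#12 bundle for the browser, and the nginx trust file.
set -u

# make_client_ca DIR NAME
# Self-signed CA certificate; DIR/ca.crt is what ssl_client_certificate expects.
make_client_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client_cert DIR USER PASSWORD
# Key + CSR for USER (step 2), signed by the CA (step 3), bundled as
# DIR/USER.p12 for import into the client (step 4).
issue_client_cert() {
    dir=$1; user=$2; pass=$3
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$user" \
        -keyout "$dir/$user.key" -out "$dir/$user.req" 2>/dev/null
    # -CAcreateserial keeps a serial counter next to ca.crt so every
    # certificate issued by this CA gets a distinct serial number
    openssl x509 -req -in "$dir/$user.req" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$dir/$user.crt" 2>/dev/null
    # the password protects the private key inside the PKCS#12 file
    openssl pkcs12 -export -inkey "$dir/$user.key" -in "$dir/$user.crt" \
        -certfile "$dir/ca.crt" -name "$user" -passout "pass:$pass" \
        -out "$dir/$user.p12" 2>/dev/null
}

# client_cert_ok CAFILE CERT
# Returns 0 when CERT chains to a CA in CAFILE, which is what nginx checks
# with ssl_verify_client on.
client_cert_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# p12_subject P12 PASSWORD
# Subject of the client certificate stored in the bundle (sanity check
# before handing the file to a user).
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Usage: ./client_ca.sh /etc/nginx/ssl/trust alice 'import-password'
if [ "$#" -eq 3 ]; then
    make_client_ca "$1" "Example Client CA"
    issue_client_cert "$1" "$2" "$3"
    client_cert_ok "$1/ca.crt" "$1/$2.crt" && echo "$2.crt verifies against ca.crt"
    echo "nginx: ssl_client_certificate $1/ca.crt;"
fi
```

ca.crt may contain several CA certificates concatenated; ssl_verify_depth 2 in the question then allows client certificates issued by an intermediate under one of them. Keep ca.key off the web server entirely, since anyone holding it can mint a client certificate nginx will accept.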
I've gotten SSL to work on Apache servers and on a client's Nginx server. However, I am having issues with my EV SSL certificate installation. This is also on a server with a special character in the URL: weöm.com.
weöm.com is displayed as xn--wem-tna.com in browsers, which is fine. When I inspected my .ca-bundle that was emailed to me from COMODO, I saw my domain name rendered as we\xC3\xB6m.com, which made me think I have to generate my .csr and .key the same way.
Here's how I've been doing it (ran this command in Terminal):
openssl req -new -newkey rsa:2048 -nodes -out weom.csr -keyout weom.key -subj "/serialNumber=000000000/businessCategory=Private Organization/C=US/postalCode=00000/ST=California/L=Cupertino/street=1 Loop Way/O=Apple Inc/OU=COMODO EV SSL/CN=we\xC3\xB6m.com"
(I've replaced the serial number and other things with fake data in my example)
The code spits out a .csr and .key with the exact same data that my compiled .crt has and I cannot understand why I'm still getting this SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch error.
I've been wrangling with this for about a week, does anyone have any idea what I'm doing wrong?
EDIT: Providing more information...
Here is how I'm creating my master .crt:
cat xn--wem-tna.com.crt AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSAExtendedValidationSecureServerCA.crt >> cert_chain.crt
This is the default file in my sites-available folder:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name xn--wem-tna.com;
    return 301 https://$host$request_uri;
}
server {
    # SSL configuration
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_certificate cert_chain.crt;
    ssl_certificate_key weom.key;
    # one cipher list; the "A or B" text was two documentation alternatives pasted together
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name xn--wem-tna.com;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }
}
The reason for the error is that your KEY and CRT are different.
You can verify this by checking MD5 hashes on them:
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
Additionally I would change the order in the bundle CRT (cert_chain.crt); at the moment you have it this way:
xn--wem-tna.com.crt AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSAExtendedValidationSecureServerCA.crt
It should be:
cat xn--wem-tna.com.crt COMODORSAExtendedValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > cert_chain.crt
This is Comodo's official Certificate Installation: NGINX guide.
What gets me worried is your comment at the beginning:
weöm.com is displayed as xn--wem-tna.com in browsers, which is fine. When I inspected my .ca-bundle that was emailed to me from COMODO, I saw my domain name rendered as we\xC3\xB6m.com, which made me think I have to generate my .csr and .key the same way.
If you have changed the key once your certificate had been issued, you will need to invalidate it and apply for a new CRT with your new KEY and new CSR.
Oh yeah, forgot to update.
I got a refund and went with CertSimple. Emailed them questions Friday night, went through the entire process of obtaining an EV cert Saturday morning/afternoon, and had it on my server by 6pm (and that's only because I was out running errands).
I generated 2 self-signed certificates with openssl for testing purposes using:
$ sudo openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=FR/ST=Charente/L=Mornac/O=Office/CN=api.cockpit.yves" -keyout /usr/local/etc/nginx/ssl/api.cockpit.yves.key -out /usr/local/etc/nginx/ssl/api.cockpit.yves.crt
Generating a 4096 bit RSA private key
..........................................................................++
...................++
writing new private key to '/usr/local/etc/nginx/ssl/api.cockpit.yves.key'
-----
$ sudo openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=FR/ST=Charente/L=Mornac/O=Office/CN=admin.cockpit.yves" -keyout /usr/local/etc/nginx/ssl/admin.cockpit.yves.key -out /usr/local/etc/nginx/ssl/admin.cockpit.yves.crt
Generating a 4096 bit RSA private key
..................................................................................................................................................++
..............................++
writing new private key to '/usr/local/etc/nginx/ssl/admin.cockpit.yves.key'
-----
and in my nginx.conf file , I set up the Https servers with :
server {
    listen 8444 ssl;
    server_name admin.cockpit.yves;
    ssl_certificate ssl/admin.cockpit.yves.crt;
    ssl_certificate_key ssl/admin.cockpit.yves.crt;
    ...
}
server {
    listen 8445 ssl;
    server_name api.cockpit.yves;
    ssl_certificate ssl/api.cockpit.yves.crt;
    ssl_certificate_key ssl/api.cockpit.yves.crt;
    ...
}
however testing the nginx config, I get the following error :
sudo nginx -t
nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/etc/nginx/ssl/admin.cockpit.yves.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: ANY PRIVATE KEY error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
What could be wrong? Is it because I try to set up 2 certificates for 2 different subdomains (admin. and api.) of the same domain cockpit.yves?
thanks for your feedback
Your key file probably doesn't contain your key.
I had this problem too. In my case, I'd pasted my crt in to my key file (and my actual crt file was correct).
My key files begin with the string: -----BEGIN RSA PRIVATE KEY-----
Then ends with the string: -----END RSA PRIVATE KEY-----
In the comments under the question, Richard Smith actually suggested this as the solution. I'm posting it as an answer to help others later. Props to Richard.
UPDATE
I also experienced this message by pasting a combined cert before the cert in the crt file I fed my nginx server.
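The two nginx errors on this page have mechanical causes that can be checked before reloading nginx: "no start line" (this question and the answer above) means the file given as ssl_certificate_key holds no PEM private-key block at all, and "key values mismatch" (the Comodo EV question and the GoDaddy one) means the key and the first certificate in the chain file do not belong together, which is also what happens when a CA bundle is concatenated in front of the leaf. The script below is an added example, not code from any of the answers; it assumes only the openssl CLI and POSIX awk/sed, and the file names are placeholders. key_matches_cert compares the public keys instead of the RSA modulus, so it also works for EC keys; chain_order_ok only compares issuer and subject names, which catches a mis-ordered bundle but does not verify signatures (openssl verify does that).

```shell
#!/bin/sh
# Added example (not from the original answers): pre-flight checks for a
# key/certificate pair and for the order of certificates in a chain file.
set -u

# pem_blocks FILE -> one line per PEM block type, e.g. CERTIFICATE, PRIVATE KEY
pem_blocks() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# key_matches_cert KEYFILE CERTFILE
# Public key derived from KEYFILE must equal the public key of the FIRST
# certificate in CERTFILE (the one nginx pairs with the key). Fails when the
# key file holds no key ("no start line") or the keys differ ("mismatch").
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# pem_cert_n FILE N -> the N-th CERTIFICATE block of FILE
pem_cert_n() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/ { c++ } c == n' "$1"
}

# chain_order_ok CHAINFILE
# Certificate i must be issued by certificate i+1 (leaf first, root last):
# issuer(i) == subject(i+1). A file with a single certificate passes.
chain_order_ok() {
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_cert_n "$1" "$i" | openssl x509 -noout -issuer)
        subject=$(pem_cert_n "$1" $((i + 1)) | openssl x509 -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
        i=$((i + 1))
    done
    [ "$n" -ge 1 ]
}

# Usage: ./check_pair.sh PRIVATE.key cert_chain.crt
if [ "$#" -eq 2 ]; then
    echo "key file contains:  $(pem_blocks "$1" | tr '\n' ' ')"
    echo "cert file contains: $(pem_blocks "$2" | tr '\n' ' ')"
    if key_matches_cert "$1" "$2"; then
        echo "key matches the first certificate"
    else
        echo "MISMATCH: key does not belong to the first certificate (or is not a key)"
    fi
    if chain_order_ok "$2"; then echo "chain order OK"; else echo "chain order WRONG"; fi
fi
```

Running it on the files from this question would list CERTIFICATE for the file passed as the key, which is exactly what SSL_CTX_use_PrivateKey_file complains about; running it on the EV bundle with the CA certificates pasted in front of the leaf reports a mismatch even though the key is right, because the first certificate in the file is now a CA certificate.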