Telegram: self-signed certificate for an IP?

There is no domain, only the IP.
Create the certificate:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout YOURPRIVATE.key -x509 -days 365 -out YOURPUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=ROUGOOR"

Generating a RSA private key
writing new private key to 'YOURPRIVATE.key'

Send it to Telegram:

curl -F "url=https://IP_МОЕГО_СЕРВЕРА/tg/index.php" -F "certificate=@YOURPUBLIC.pem" "МОЙ_ТОКЕН/setwebhook"

{"ok":true,"result":true,"description":"Webhook was set"}#

Next, check in the browser: МОЙ_ТОКЕН/getWebhookInfo

{"ok":true,"result":{"url":"https://IP_МОЕГО_СЕРВЕРА/tg/index.php","has_custom_certificate":true,"pending_update_count":21,"last_error_date":1575977768,"last_error_message":"SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}","max_connections":40}}

I don't understand, what is wrong?
April 3rd 20 at 17:18
2 answers
April 3rd 20 at 17:20
In general, we solved it.
So, maybe the correct steps for an IP will be useful to someone:

openssl req -newkey rsa:2048 -sha256 -nodes -x509 -days 365 \
-keyout YOURPRIVATE.key \
-out YOURPUBLIC.crt \
-subj "/C=RU/ST=Saint-Petersburg/L=Saint-Petersburg/O=Example Inc./CN=RESERVERA"

Next, convert it to .pem:

openssl x509 -in YOURPUBLIC.crt -out YOURPUBLIC.pem -outform PEM

Copy the files into the directory with the other keys (or don't copy them and instead change these paths in your Apache configuration):
cp YOURPUBLIC.crt /etc/ssl/certs/YOURPUBLIC.crt
cp YOURPRIVATE.key /etc/ssl/private/YOURPRIVATE.key

In the Apache configuration /etc/apache2/sites-available/default-ssl.conf:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        # replace the placeholder with your server's IP address
        ServerName YOUR_SERVER_IP
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/YOURPUBLIC.crt
        SSLCertificateKeyFile /etc/ssl/private/YOURPRIVATE.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
    </VirtualHost>
</IfModule>

Create a new snippet in the Apache directory /etc/apache2/conf-available.

It is recommended to put its purpose in the file name (for example, ssl-params.conf):

sudo nano /etc/apache2/conf-available/ssl-params.conf

# from
# and
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Enable the modules and the site in Apache:

sudo a2enmod ssl
sudo a2enmod headers
sudo a2ensite default-ssl

sudo apache2ctl configtest
If everything is OK, the output will be something like:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using Set the 'ServerName' directive globally to suppress this message
Syntax OK

service apache2 restart

If OK, then open the site over https in the browser.

Well, then feed the certificate to the Telegram bot, with the @ REQUIRED!

curl -F "url=https://IP_МОЕГО_СЕРВЕРА/tg/index.php" -F "certificate=@YOURPUBLIC.pem" "МОЙ_ТОКЕН/setwebhook"
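As an added example (not code from the original post), the script below generates a self-signed certificate for a bare IP address the way a client validating against an IP expects it, with the IP in the subjectAltName extension rather than only in CN, then checks the SAN, verifies that the certificate validates against itself as the only trust anchor (what the remote side does once you have uploaded the public part), and shows that the .crt to .pem conversion step from the answer leaves the certificate unchanged (same SHA-256 fingerprint). Assumptions: OpenSSL 1.1.1 or newer (for -addext); the IP 203.0.113.10 is a documentation-range placeholder, and the file names are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. Generates and checks a
# self-signed certificate for an IP address (placeholder 203.0.113.10).

# make_ip_cert DIR IP : writes DIR/server.key and DIR/server.crt with the
# IP in the subjectAltName extension (needs OpenSSL 1.1.1+ for -addext)
make_ip_cert() {
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
        -keyout "$1/server.key" -out "$1/server.crt" \
        -subj "/C=US/ST=New York/L=Brooklyn/O=Example Inc./CN=$2" \
        -addext "subjectAltName=IP:$2" >/dev/null 2>&1
}

# cert_has_ip_san FILE IP : prints yes if the SAN extension lists the IP
cert_has_ip_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"; then
        echo yes
    else
        echo no
    fi
}

# cert_self_verifies FILE : prints yes if the certificate validates with
# itself as the only trust anchor
cert_self_verifies() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# cert_fingerprint FILE : SHA-256 fingerprint line of the certificate
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# demo : run the whole procedure in a temporary directory and report
demo() {
    dir=$(mktemp -d)
    ip=203.0.113.10
    make_ip_cert "$dir" "$ip"
    # the conversion step from the answer: PEM in, PEM out
    openssl x509 -in "$dir/server.crt" -out "$dir/server.pem" -outform PEM
    san=$(cert_has_ip_san "$dir/server.pem" "$ip")
    ok=$(cert_self_verifies "$dir/server.pem")
    if [ "$(cert_fingerprint "$dir/server.crt")" = "$(cert_fingerprint "$dir/server.pem")" ]; then
        same=yes
    else
        same=no
    fi
    rm -rf "$dir"
    echo "san=$san verify=$ok same_cert=$same"
}

demo
```

Running it prints `san=yes verify=yes same_cert=yes`. The fingerprint comparison is the quick way to confirm that the file you upload with `-F "certificate=@..."` is byte-for-byte the same certificate Apache serves from SSLCertificateFile; if the two differ, the remote side will reject the TLS handshake no matter how the certificate was generated.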

April 3rd 20 at 17:22
All right - self-signed certificates cannot be verified for authenticity - hence they do not work in this context.
Not true @hailey. Self-signed certificates work fine in Telegram - maryjane_Schiller commented on April 3rd 20 at 17:25
