Telegram self-signed certificate for the IP?

No domain. Only the IP.
Create the certificate:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout YOURPRIVATE.key -x509 -days 365 -out YOURPUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=ROUGOOR"


Generating a RSA private key
.........................+++++
...........+++++
writing new private key to 'YOURPRIVATE.key'


Send telegram:

curl -F "url=https://IP_МОЕГО_СЕРВЕРА/tg/index.php" -F "certificate=@YOURPUBLIC.pem" "https://api.telegram.org/МОЙ_ТОКЕН/setwebhook"


Get:
{"ok":true,"result":true,"description":"Webhook was set"}


Next, check in the browser:
https://api.telegram.org/МОЙ_ТОКЕН/getWebhookInfo

Get:
{"ok":true,"result":{"url":"https://IP_МОЕГО_СЕРВЕРА/tg/index.php","has_custom_certificate":true,"pending_update_count":21,"last_error_date":1575977768,"last_error_message":"SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}","max_connections":40}}


I do not understand, what is wrong?
April 3rd 20 at 17:18
2 answers
April 3rd 20 at 17:20
Solution
In general, we solved it.
So, maybe the normal steps for an IP will be useful to someone:

openssl req -newkey rsa:2048 -sha256 -nodes -x509 -days 365 \
-keyout YOURPRIVATE.key \
-out YOURPUBLIC.crt \
-subj "/C=RU/ST=Saint-Petersburg/L=Saint-Petersburg/O=Example Inc./CN=RESERVERA"


Next, convert to .pem:

openssl x509 -in YOURPUBLIC.crt -out YOURPUBLIC.pem -outform PEM


Copy the files to the folder with the other keys (or don't copy them, but change this path in your Apache configuration instead):
cp YOURPUBLIC.crt /etc/ssl/certs/YOURPUBLIC.crt
cp YOURPRIVATE.key /etc/ssl/private/YOURPRIVATE.key


In configuration (for apache) /etc/apache2/sites-available/default-ssl.conf :

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin your_email@example.com
ServerName server IP
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/YOURPUBLIC.crt
SSLCertificateKeyFile /etc/ssl/private/YOURPRIVATE.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>


Create a new snippet in the Apache directory /etc/apache2/conf-available.

It is recommended to indicate its purpose in the file name (for example, ssl-params.conf):

sudo nano /etc/apache2/conf-available/ssl-params.conf


# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"


Settings for Apache:

sudo a2enmod ssl
sudo a2enmod headers
sudo a2ensite default-ssl


Check
sudo apache2ctl configtest
if OK, it will be something like:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK


Let's go.
service apache2 restart

If OK, open it over https in the browser.

Well, then feed the certificate to the telegram bot, the @ is REQUIRED!

curl -F "url=https://IP_МОЕГО_СЕРВЕРА/tg/index.php" -F "certificate=@YOURPUBLIC.pem" "https://api.telegram.org/МОЙ_ТОКЕН/setwebhook"


Check:

https://api.telegram.org/МОЙ_ТОКЕН/getWebhookInfo
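As an added example (not code from this thread or from Telegram's docs), here is a script that issues a self-signed certificate for a bare IP and runs the checks that catch the mistakes behind a "certificate verify failed" in getWebhookInfo: wrong name in the certificate, a key that does not belong to the certificate, and a certificate that does not verify against the copy uploaded with setWebhook. The IP is put in CN (as the answer above does with its CN placeholder) and in subjectAltName (what strict TLS verifiers check); 203.0.113.10 and 198.51.100.7 are documentation addresses, and the file names and function names are my own.

```shell
# Added example, not code from the thread: self-signed cert for a bare IP
# (IP in CN and in subjectAltName) plus the checks a webhook operator wants
# before uploading the file to Telegram. 203.0.113.10 is a constructed
# documentation address standing in for the real server IP.
set -eu

# make_ip_cert DIR IP -> writes DIR/server.key and DIR/server.crt (PEM)
make_ip_cert() {
    cat > "$1/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $2
[v3_req]
subjectAltName = IP:$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$1/server.key" -out "$1/server.crt" -config "$1/san.cnf" 2>/dev/null
}
# cert_covers_ip CERT IP -> succeeds if IP is an exact iPAddress SAN entry
cert_covers_ip() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    openssl x509 -in "$1" -noout -text | grep -qE "IP Address:$pat([^0-9.]|\$)"
}
# key_matches_cert KEY CERT -> succeeds if the RSA moduli are identical,
# i.e. Apache will really serve the cert you are about to upload
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -modulus)" ]
}
# self_verifies CERT -> succeeds if CERT validates with itself as the only
# trust anchor, roughly what Telegram does with the file given to setWebhook
self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
# check_all DIR IP -> all three checks on DIR/server.key and DIR/server.crt
check_all() {
    cert_covers_ip "$1/server.crt" "$2" &&
    key_matches_cert "$1/server.key" "$1/server.crt" &&
    self_verifies "$1/server.crt"
}

tmp=$(mktemp -d)
make_ip_cert "$tmp" 203.0.113.10
check_all "$tmp" 203.0.113.10 && echo "cert for 203.0.113.10: all checks passed"
rm -rf "$tmp"
```

Run check_all against the same .crt/.key pair you point SSLCertificateFile and SSLCertificateKeyFile at; if key_matches_cert fails, Apache is serving a different certificate than the one you uploaded.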
April 3rd 20 at 17:22
All right - a self-signed certificate cannot be verified for authenticity - hence they do not work in this context.
Not true @hailey. https://core.telegram.org/bots/self-signed . Self-signed certificates work fine in telegram

https://tlgrm.ru/docs/bots/self-signed - maryjane_Schiller commented on April 3rd 20 at 17:25
