Telegram Bot API Webhooks Self-signed Certificate issue


Problem description

I'm working on a Ruby language server to manage multiple Telegram Bots via setwebhooks

BTW, I will as BOTServer

Problem

I have trouble receiving webhook updates from the Telegram Bot API Server. I have set a webhook token (Telegram replies "success") but I do not receive any update on the successfully configured webhook.

I think the problem could be around self-signed certificate mysteries. See the old reddit question and answers.

I have a similar problem and I fear the point is in some "misunderstanding" between the Telegram Bot API Server that sends HTTPS webhook updates and the bot server receiving webhooks (I use nginx as proxy/HTTPS SSL certificate handler).

It seems that someone solved the issue by configuring nginx with a certificate "chain"; I'm pretty ignorant of certificate tricks and so I ask:

Question

Could someone post info on configuring nginx (any SSL web server!) with detailed settings / step-by-step for dummies, showing how to go from the .key and .pem files described here: https://core.telegram.org/bots/self-signed to setting up the certificate "chain" in the nginx config, so that it is "accepted" by the Telegram Bot API Server?

BTW, my nginx config now:

upstream backend {
  server 127.0.0.1:3000;
}

#
# HTTPS server
#
server {
  listen 8443 ssl;
  server_name myhost.com;

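  # TLS is already enabled by "listen 8443 ssl" above. The separate "ssl on;"
  # directive is deprecated since nginx 1.15.0 and removed in 1.25.1, so it is dropped.
  ssl_certificate /mypath/ssl/PUBLIC.pem;
  ssl_certificate_key /mypath/ssl/PRIVATE.key;

  ssl_session_timeout 5m;

  # SSLv3, TLSv1 and TLSv1.1 are obsolete and are no longer offered.
  ssl_protocols TLSv1.2 TLSv1.3;
  # A single cipher string; the literal " or " in the original value is not cipher-list syntax.
  ssl_ciphers "HIGH:!aNULL:!MD5";
  ssl_prefer_server_ciphers on;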

  location @backend {
    proxy_pass http://backend;
  }

  location / {
    try_files $uri @backend;
  }
}

where the PRIVATE.key + PUBLIC.pem files are the ones generated following the guidelines in "Using self-signed certificates":

openssl req -newkey rsa:2048 -sha256 -nodes -keyout PRIVATE.key -x509 -days 365 -out PUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=YOURDOMAIN.EXAMPLE"

Thanks

giorgio

Recommended answer

I answer myself, to share the solution found here: https://stackoverflow.com/a/33260827/1786393

The point was not the mentioned nginx configuration, but the PEM file:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout YOURPRIVATE.key -x509 -days 365 -out YOURPUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=YOURDOMAIN.EXAMPLE"

YOURDOMAIN.EXAMPLE in the subj string of openssl must be the real hostname of your server that receives webhooks.
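
A pre-flight check for the fix described in the answer, as an added example that is not part of the original post: it verifies that a PEM certificate actually names the webhook host, belongs to the private key, and is within its validity period before it is registered. The helper names, the hostname bot.example.org and the in-memory certificates are assumptions constructed for the illustration.

```ruby
require 'openssl'

# Build a self-signed certificate like the page's `openssl req -x509` command,
# in memory. `cn` is the CN= value from -subj. (Hypothetical helper.)
def self_signed(cn, key, days: 365)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.new([['CN', cn]])
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Return the reasons a TLS client calling `webhook_host` would reject this
# certificate/key pair; an empty list means none found. (Hypothetical helper.)
def webhook_cert_problems(cert_pem, key_pem, webhook_host, now: Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  problems = []
  # Standard hostname matching: subjectAltName entries first, CN as fallback.
  unless OpenSSL::SSL.verify_certificate_identity(cert, webhook_host)
    problems << "certificate subject #{cert.subject} does not match #{webhook_host}"
  end
  problems << 'private key does not belong to certificate' unless cert.check_private_key(key)
  unless (cert.not_before..cert.not_after).cover?(now)
    problems << 'certificate is outside its validity period'
  end
  problems
end

# Constructed sample data: one key, a certificate naming the real host,
# and one where the placeholder CN from the command was left unchanged.
KEY = OpenSSL::PKey::RSA.new(2048)
WEBHOOK_HOST = 'bot.example.org' # assumed hostname that receives webhooks
GOOD_PEM = self_signed(WEBHOOK_HOST, KEY).to_pem
PLACEHOLDER_PEM = self_signed('YOURDOMAIN.EXAMPLE', KEY).to_pem

if __FILE__ == $PROGRAM_NAME
  { 'good' => GOOD_PEM, 'placeholder CN' => PLACEHOLDER_PEM }.each do |label, pem|
    problems = webhook_cert_problems(pem, KEY.to_pem, WEBHOOK_HOST)
    puts "#{label}: #{problems.empty? ? 'ok' : problems.join('; ')}"
  end
end
```
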
