Telegram Bot SSL Connection Issue via OpenSSL

Using OpenSSL for a Telegram bot webhook, I face a ‘certificate unknown’ error. When executing modified commands as below, why does Telegram still reject my certificate?

openssl req -x509 -nodes -newkey rsa:2048 -keyout bot_priv.pem -out bot_pub.pem -days 365 -subj "/C=US/ST=CA/L=SanFrancisco/O=DevTeam/CN=sample.com"
openssl s_server -port 4433 -key bot_priv.pem -cert bot_pub.pem
openssl s_client -connect sample.com:4433

Try checking if the cert’s CN matches your server domain - Telegram might be rejecting it because of a mismatch. Also consider verifying the full chain even if OpenSSL seems to work fine!

I experienced a similar issue when trying to implement a Telegram bot with a self-signed certificate. Initially, I checked the CN and ensured that the domain matched, yet Telegram still rejected it. Eventually, I discovered that Telegram requires certificates signed by a trusted authority, and the self-signed certificate didn’t meet that requirement. I had to either procure a certificate from an approved CA or properly chain my certificate with an intermediate certificate that Telegram trusted. Ensuring the full certificate chain was present in my configuration was key to resolving the issue.

I encountered a similar roadblock when setting up my bot. The problem was that Telegram not only checks the CN and issuance chain but also requires that you explicitly register your certificate with the setWebhook API if you use a self-signed certificate. In my case, I had to include the public certificate when calling the webhook registration and ensure that the certificate file contained the complete chain. This oversight can lead to Telegram being unable to validate your certificate even though OpenSSL appears to work fine.

Hey, I ran into this issue too. Even if OpenSSL works, Telegram often needs a proper certified chain. I ended up using a CA-signed cert instead of a self-signed one. Maybe give that a try; sometimes embedding intermediate certs helps too.
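
An added example, not part of any post in this thread: a shell pre-flight check covering the points raised in the replies (hostname match, self-signed versus CA-issued, and uploading the public certificate with setWebhook). The function names, `BOT_TOKEN` and the `/hook` path are assumptions; the supported-port list comes from Telegram's Bot API documentation, not from this thread.

```shell
#!/bin/sh
# Pre-flight checks for a Telegram webhook certificate (added example).
# Function names, BOT_TOKEN and the /hook path are assumptions.

# True when subject and issuer are the same name, i.e. a self-signed cert.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True when the certificate's SAN (or CN, if there is no SAN) covers the host.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Ports Telegram's Bot API documentation lists for webhooks.
port_supported() {
    case "$1" in 443|80|88|8443) return 0 ;; *) return 1 ;; esac
}

# Prints one verdict: bad-port, host-mismatch, upload-certificate, ca-signed.
webhook_plan() {
    cert=$1 host=$2 port=$3
    port_supported "$port"            || { echo bad-port; return 1; }
    cert_matches_host "$cert" "$host" || { echo host-mismatch; return 1; }
    if is_self_signed "$cert"; then
        echo upload-certificate   # public cert must be sent with setWebhook
    else
        echo ca-signed            # server must present the full chain
    fi
}

# Prints (does not run) the registration call for a self-signed certificate.
print_set_webhook() {
    printf 'curl -F "url=https://%s:%s/hook" -F "certificate=@%s" ' "$2" "$3" "$1"
    printf '"https://api.telegram.org/bot$BOT_TOKEN/setWebhook"\n'
}

# Usage: sh check.sh bot_pub.pem sample.com 8443
if [ "$#" -eq 3 ]; then
    plan=$(webhook_plan "$@") || { echo "not usable: $plan" >&2; exit 1; }
    echo "plan: $plan"
    if [ "$plan" = upload-certificate ]; then print_set_webhook "$@"; fi
fi
```

Run against the certificate from the question, the script reports `bad-port` for 4433 and `upload-certificate` for 8443.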