[GH-ISSUE #186] The certificate chain for the Telegram gateway needs to be checked #47

Open
opened 2026-02-26 05:32:41 +03:00 by kerem · 0 comments

Originally created by @j-ed on GitHub (Jan 9, 2019).
Original GitHub issue: https://github.com/nextcloud/twofactor_gateway/issues/186

Expected behavior

If you configure the Telegram gateway, a potential SSL certificate problem should be checked and displayed so that the root cause of the problem can be solved easily by the administrator.

Current behavior

If you configure the Telegram gateway, the SSL certificate is checked during neither the administrator nor the user configuration. This results in a token verification error if a user tries to activate his account for 2FA. In the log file a more or less correct cURL error 60 is displayed:

```
{
  "reqId": "IRRQ0Ra3P0GhisfzS7gi",
  "level": 3,
  "time": "2019-01-08 21:17:28+01:00",
  "remoteAddr": "192.168.178.21",
  "user": "juergen",
  "app": "index",
  "method": "POST",
  "url": "/index.php/apps/twofactor_gateway/settings/telegram/verification/start",
  "message": {
    "Exception": "Telegram\\Bot\\Exceptions\\TelegramSDKException",
    "Message": "cURL error 60:SSL certificate problem: self signed certificate in certificate chain (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)",
    "Code": 0,
    "Trace": [
      {
        "file": "/srv/www/nextcloud/nextcloud/apps2/twofactor_gateway/vendor/irazasyed/telegram-bot-sdk/src/TelegramClient.php",
        "line": 79,
        "function": "send",
        "class": "Telegram\\Bot\\HttpClients\\GuzzleHttpClient",
        "type": "->",
        "args": [
          "https://api.telegram.org/bot123456789:AAbbCCddEEffGGhhIIjjKKllMMnnOOppQQ/getUpdates",
          "GET",
          {
            "User-Agent": "Telegram Bot PHP SDK v3.0.0 - (https://github.com/irazasyed/telegram-bot-sdk)"
          },
          {
            "headers": {
              "User-Agent": "Telegram Bot PHP SDK v3.0.0 - (https://github.com/irazasyed/telegram-bot-sdk)"
            },
            "body": null,
            "timeout": 60,
            "connect_timeout": 10,
            "synchronous": true,
            "query": []
          },
          false
        ]
      },
      {
        "file": "/srv/www/nextcloud/nextcloud/apps2/twofactor_gateway/vendor/irazasyed/telegram-bot-sdk/src/Traits/Http.php",
        "line": 304,
        "function": "sendRequest",
        "class": "Telegram\\Bot\\TelegramClient",
        "type": "->",
        "args": [
          {
            "__class__": "Telegram\\Bot\\TelegramRequest"
          }
        ]
      },
      {
        "file": "/srv/www/nextcloud/nextcloud/apps2/twofactor_gateway/vendor/irazasyed/telegram-bot-sdk/src/Traits/Http.php",
        "line": 181,
        "function": "sendRequest",
        "class": "Telegram\\Bot\\Api",
        "type": "->",
        "args": [
          "GET",
          "getUpdates",
          []
        ]
      },
      {
        "file": "/srv/www/nextcloud/nextcloud/apps2/twofactor_gateway/vendor/irazasyed/telegram-bot-sdk/src/Methods/Update.php",
        "line": 47,
        "function": "get",
        "class": "Telegram\\Bot\\Api",
        "type": "->",
        "args": [
          "getUpdates",
          []
        ]
      },
      {
        "file": "/srv/www/nextcloud/nextcloud/apps2/twofactor_gateway/lib/Service/Gateway/Telegram/Gateway.php",
        "line": 94,
        "function": "getUpdates",
        "class": "Telegram\\Bot\\Api",
        "type": "->",
        "args": []
      },
      {
        "file": "/srv/www/nextcloud/nextcloud/apps2/twofactor_gateway/lib/Service/Gateway/Telegram/Gateway.php",
        "line": 75,
        "function": "getChatId",
        "class": "OCA\\TwoFactorGateway\\Service\\Gateway\\Telegram\\Gateway",
        "type": "->",
        "args": [
          {
            "__class__": "OC\\User\\User"
          },
          {
            "__class__": "Telegram\\Bot\\Api"
          },
          66778899
        ]
      },
      {
        "file": "/srv/www/nextcloud/nextcloud/apps2/twofactor_gateway/lib/Service/SetupService.php",
        "line": 92,
        "function": "send",
        "class": "OCA\\TwoFactorGateway\\Service\\Gateway\\Telegram\\Gateway",
        "type": "->",
        "args": [
          {
            "__class__": "OC\\User\\User"
          },
          "66778899",
          "987654 is your Nextcloud verification code."
        ]
      },
      ...
```

I was able to resolve the problem by downloading all relevant certificates (intermediate, root) and by updating the local CRL for it.

```
Required certificate chain:

api.telegram.org.pem (c8ffe1eb)
-> go_daddy_secure_certificate_authority_-_g2.pem (27eb7704)
   -> go_daddy_root_certificate_authority_-_g2.pem (cbf06781)
      -> subjectc__us_o__the_go_daddy_group_inc._ou__go_daddy_class_2_certification_authority.pem (f081611a)
```

Steps to reproduce

  1. The required SSL certificates for "api.telegram.org" haven't been installed on the server.
  2. Open Settings -> Personal -> Security and navigate to the Message gateway second-factor auth configuration.
  3. Try to enable the Telegram gateway, enter your user id and press the verify button.

-> A verification failure is displayed without any hint pointing to the underlying certificate problem.

Environment

Server Configuration

OS: Linux 3.16.50
Web server: Apache2 2.4.37
Database: MariaDB 10.2.19
PHP version: 7.2.13
Nextcloud version: 15.0.0
Twofactor_gateway app version: 0.11.0

Client Configuration

Browser: Mozilla Firefox 64.0
Operating system: Windows 10
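The expected behaviour described above is a pre-flight TLS check that surfaces a trust-store problem to the administrator instead of letting it appear only as cURL error 60 in the log. The following is an added example written for this report and is not code from the twofactor_gateway project or the Telegram SDK; the host name, port, the optional `$caFile` bundle path and the function names are assumptions chosen here. It keeps peer verification on, captures the presented chain when the handshake succeeds, and otherwise maps the OpenSSL or cURL failure text to an actionable hint (the same mapping is applied to the exception message from the log entry in this issue).

```php
<?php
declare(strict_types=1);

// Added example (not project code): pre-flight TLS check for the Telegram gateway.
// Assumptions: $host/$port/$caFile are caller-supplied; PHP 7.2+ with the openssl extension.

const CURLE_SSL_CACERT_CODE = 60; // libcurl: peer certificate cannot be authenticated

function containsText(string $haystack, string $needle): bool {
    return strpos($haystack, $needle) !== false;
}

/** Map a TLS/cURL failure message to a hint an administrator can act on. */
function explainTlsFailure(string $detail): string {
    $d = strtolower($detail);
    if (containsText($d, 'self signed certificate') || containsText($d, 'self-signed certificate')
        || containsText($d, 'certificate verify failed') || containsText($d, 'unable to get local issuer')) {
        return 'The server trust store does not contain the CA chain for the Telegram API '
             . '(intermediate and root CA). Install those CA certificates in the system bundle '
             . 'or configure a CA file, then retry. Detail: ' . $detail;
    }
    if (containsText($d, 'certificate has expired')) {
        return 'A certificate in the chain has expired; check the system clock and update the CA bundle. Detail: ' . $detail;
    }
    if (containsText($d, 'did not match') || containsText($d, 'hostname mismatch')) {
        return 'The presented certificate is not issued for the expected host name; check for a proxy or DNS problem. Detail: ' . $detail;
    }
    return 'TLS connection failed: ' . $detail;
}

/** Interpret an SDK exception like the one in the log ("cURL error 60:..." with Code 0). */
function explainCurlError(int $code, string $message): string {
    if ($code === CURLE_SSL_CACERT_CODE || strpos($message, 'cURL error 60') === 0) {
        return explainTlsFailure($message);
    }
    return $message;
}

/** Open a verified TLS connection; return the observed chain, or a hint on failure. */
function checkTlsChain(string $host, int $port = 443, ?string $caFile = null, int $timeout = 10): array {
    $ssl = [
        'verify_peer'             => true,   // never relax these to "fix" error 60
        'verify_peer_name'        => true,
        'allow_self_signed'       => false,
        'peer_name'               => $host,
        'SNI_enabled'             => true,
        'capture_peer_cert_chain' => true,
    ];
    if ($caFile !== null) {
        $ssl['cafile'] = $caFile; // admin-supplied bundle (assumption: the path exists)
    }
    $ctx = stream_context_create(['ssl' => $ssl]);
    $errno = 0;
    $errstr = '';
    $sock = @stream_socket_client("ssl://{$host}:{$port}", $errno, $errstr, (float)$timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // OpenSSL verification errors arrive via the suppressed warning, not $errstr.
        $last = error_get_last();
        $detail = $last['message'] ?? ($errstr !== '' ? $errstr : "connect error {$errno}");
        return ['ok' => false, 'hint' => explainTlsFailure($detail)];
    }
    $chain = [];
    $params = stream_context_get_params($sock);
    foreach ($params['options']['ssl']['peer_certificate_chain'] ?? [] as $cert) {
        $info = openssl_x509_parse($cert);
        $chain[] = [
            'subject' => $info['subject']['CN'] ?? '?',
            'issuer'  => $info['issuer']['CN'] ?? '?',
            'expires' => date(DATE_ATOM, $info['validTo_time_t']),
        ];
    }
    fclose($sock);
    return ['ok' => true, 'chain' => $chain];
}

// Usage: the message from the issue's log entry, then a live check of the API host.
echo explainCurlError(0, 'cURL error 60:SSL certificate problem: self signed certificate in certificate chain'), PHP_EOL;
$result = checkTlsChain('api.telegram.org');
echo $result['ok'] ? json_encode($result['chain'], JSON_PRETTY_PRINT) : $result['hint'], PHP_EOL;
```

The check deliberately keeps `verify_peer` and `allow_self_signed` at their secure values; the fix for a failed chain is to install the missing intermediate and root CA certificates (or point `cafile` at a complete bundle), not to disable verification. Showing the captured subject/issuer pairs on success lets an administrator compare the chain the server actually sees with the one listed in this report.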

Reference
starred/twofactor_gateway-nextcloud#47