Using "client.setInsecure();" or not

I am trying to get a notification to my Telegram app, but it works only with this line of code:
client.setInsecure();

How to make it work without this code line?

#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <UniversalTelegramBot.h>

// WiFi and Telegram Bot credentials
const char* ssid = "Saint_Pio";
const char* password = "MyWifiPass";
const char* botToken = "My_Token";
const char* chatId = "MyChat_ID";

WiFiClientSecure client;
UniversalTelegramBot bot(botToken, client);

void connectToWiFi();

void setup(){
  //client.setInsecure();   // only works when this line is enabled
  Serial.begin(115200);
  connectToWiFi();
}
void loop(){
  bot.sendMessage(chatId, "Button pressed!");
  Serial.print(bot.sendMessage(chatId, ""));   // prints 1 on success, 0 on failure
}

void connectToWiFi() {
  Serial.print("Connecting to WiFi");
  WiFi.begin(ssid, password);

  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }

  Serial.println("\nConnected to WiFi");
}

The line client.setInsecure() is used to disable SSL certificate verification. This means that your HTTPS requests are not verifying the authenticity of the server's SSL certificate.

It is not recommended for security reasons in general, and to make it work you need to ensure that your Arduino can properly verify the SSL root certificate provided by Telegram's servers.

Maybe it's just a

const char* telegramCert =
    "-----BEGIN CERTIFICATE-----\n"
    "MIIDgzCCAmugAwIBAgIJAOm5L0X4iz+nMA0GCSqGSIb3DQEBCwUAMCcxJTAjBgNV\n"
    // ... the remaining lines of the right certificate go here ...
    "UZ3F\n"
    "-----END CERTIFICATE-----\n";

and adding

  client.setCACert(telegramCert);

at the end of connectToWiFi.

PS: try with

-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----

How do I get my own certificate for free, using Linux?

It's not your certificate, it's theirs.

As I said, the security part means you are checking that the server you are reaching is really who it says it is.

So, this certificate, I just need to get it from the Telegram website with my web browser?

Well, it's the certificate of the server that your code is trying to reach. I don't know if they have a special one for the messages and another one for their public web site.

Or are you trying to setup your own telegram server?

I am not trying to set up my own Telegram server, no. I am trying to understand how you got that certificate.
Why can't I get my own?
Thanks for responding, btw.

For what purpose?

Man, I am just trying to understand why. How can I secure my board without using this line of code: client.setInsecure(); ???

This has nothing to do with securing your board.

As I wrote (twice), it's to ensure the server you are contacting is the real Telegram server and not some other server that a hacker could try to make you believe is the real one, through some DNS attack or by hijacking your internet access.

I got that from reading the PEM securing their main public site (web.telegram.org).

So, can I use client.setInsecure(); without a problem?

Thanks for sharing, the info!

Can it be that my ESP8266 board does not have the time configured?
If I set the current time, will it work without the setInsecure(); command line?

I am just trying to get a notification to my Telegram app. I want to get a notification when I press a button. I know that the last code I put here is not for this, but I am just trying to understand whether my board will be insecure!

Define insecure

You should only use setInsecure during the early dev phase when you are trying to get something to work -- or if you are donating your time to help someone else do the same. Once you've got it working, to be secure, you should not use it.

The CA in setCACert stands for Certificate Authority. You don't set the cert for the individual website -- there are millions of those. You need the "root" cert, signed by one of over 100 CAs out there.

For example, Google acts as its own CA (Google Trust Services). *.web.telegram.org uses Go Daddy. Some boards/clients are set up to store maybe a dozen CAs, which would enable you to verify thousands of different hosts. But WiFiClientSecure is simple: just one.

To get the cert, which is public, you can use the browser. Each one has some UI, usually by clicking the lock icon just before the URL, and clicking through whatever "more info" to drill down and see the whole certificate chain. The last one is the root, and there should be a way to download it. You want the PEM format, of just that one certificate. (Not the chain, although if you download the chain, you can pull out the root -- just more work.)

I happen to have Amazon's handy -- won't work in this case -- but if you use raw strings, it's an easy copy&paste.

const char AMAZON_ROOT_CERT[] = R"(
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
)";

client.setCACert(AMAZON_ROOT_CERT);  // If contacting AWS or someone using Amazon-signed certs

You want the one from "Go Daddy Root Certificate Authority" instead.

(BTW, you can get your own certificate, so that the server can verify that a request is coming from you -- mutual authentication, so you can verify each other. This is a more advanced use case, and a whole 'nother topic.)

Oh yeah: one reason to use the root CA cert instead of the "leaf" for the website is that best practices for the latter is to make them short-lived. Last I checked, it's recommended to rotate those certs every 90 days or something. You don't want to recompile (minor hassle) and redeploy (major hassle) that often.

The cert for *.web.telegram.org lasts through September this year. The intermediate cert in the chain for "Go Daddy Secure Certificate Authority" lasts until 2031. The cert for "Go Daddy Root Certificate Authority" lasts until 2037.
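The two points made above (pin the CA root rather than the short-lived leaf, and stop using setInsecure once things work) come together in the following ESP8266 sketch. It is an added example, not code from the thread or from the UniversalTelegramBot project, and it assumes the ESP8266 Arduino core's BearSSL client (`BearSSL::WiFiClientSecure`, `BearSSL::X509List`, `setTrustAnchors`), placeholder WiFi/bot credentials, a push button on pin D1, and that you paste the Go Daddy root PEM into the `TELEGRAM_ROOT_CA` placeholder (recent UniversalTelegramBot versions also ship the root as `TELEGRAM_CERTIFICATE_ROOT`; check your copy of the header before relying on it). It also adds the step that usually makes setInsecure look necessary on the ESP8266: the board boots with its clock at 1970, so every certificate fails the validity-period check until NTP time is set.

```arduino
#include <ESP8266WiFi.h>
#include <WiFiClientSecure.h>
#include <UniversalTelegramBot.h>
#include <time.h>

// Placeholders: replace with your own values.
const char* ssid     = "YOUR_SSID";
const char* password = "YOUR_WIFI_PASSWORD";
const char* botToken = "YOUR_BOT_TOKEN";
const char* chatId   = "YOUR_CHAT_ID";

// Root CA at the top of api.telegram.org's chain ("Go Daddy Root Certificate
// Authority - G2" when this thread was written). Placeholder: paste the PEM body.
static const char TELEGRAM_ROOT_CA[] PROGMEM = R"EOF(
-----BEGIN CERTIFICATE-----
PASTE THE ROOT CA PEM BODY HERE
-----END CERTIFICATE-----
)EOF";

BearSSL::WiFiClientSecure client;
BearSSL::X509List trustAnchor(TELEGRAM_ROOT_CA);   // one root is enough to verify the whole chain
UniversalTelegramBot bot(botToken, client);

const int buttonPin = D1;   // assumed wiring: button between D1 and GND
bool lastPressed = false;

void connectToWiFi() {
  Serial.print("Connecting to WiFi");
  WiFi.begin(ssid, password);
  while (WiFi.status() != WL_CONNECTED) {
    delay(500);
    Serial.print(".");
  }
  Serial.println("\nConnected to WiFi");
}

// BearSSL checks notBefore/notAfter against the system clock. Without NTP the
// ESP8266 thinks it is 1970, so a valid certificate is rejected as "not yet valid".
bool syncClock(unsigned long timeoutMs) {
  configTime(0, 0, "pool.ntp.org", "time.nist.gov");
  unsigned long start = millis();
  time_t now = time(nullptr);
  while (now < 8 * 3600 * 2) {          // still at the epoch: NTP has not answered yet
    if (millis() - start > timeoutMs) return false;
    delay(250);
    now = time(nullptr);
  }
  Serial.print("Clock set: ");
  Serial.print(ctime(&now));
  return true;
}

void setup() {
  Serial.begin(115200);
  pinMode(buttonPin, INPUT_PULLUP);
  connectToWiFi();
  if (!syncClock(15000)) {
    Serial.println("Clock sync failed; certificate validation cannot succeed until it does");
  }
  // Verify the server's chain up to the pinned root instead of skipping verification.
  // No client.setInsecure() anywhere in this sketch.
  client.setTrustAnchors(&trustAnchor);
}

void loop() {
  bool pressed = digitalRead(buttonPin) == LOW;
  if (pressed && !lastPressed) {        // send once per press, not once per loop
    bool ok = bot.sendMessage(chatId, "Button pressed!");
    Serial.println(ok ? "Telegram message sent"
                      : "Send failed: check clock sync, root CA and bot token");
  }
  lastPressed = pressed;
  delay(50);                            // crude debounce
}
```

If a send fails with this sketch, the usual order of checks is: did `syncClock` print a sane date, is the pasted PEM really the root (its subject and issuer are identical; `openssl x509 -noout -subject -issuer -in cert.pem` shows both) and not the leaf or intermediate, and is the token correct. Pinning the root means the 90-day leaf rotation mentioned above never requires a redeploy; only a change of CA by Telegram would.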

I found a solution. I changed the library. I was using UniversalTelegramBot, but I could not resolve this, so instead of using UniversalTelegramBot I use CTBot from GitHub. CTBot is a simple Arduino class to manage a Telegram Bot on the ESP8266/ESP32 platform.

Here is the link to download and use it: https://github.com/shurillu/CTBot

So I downgraded ArduinoJson to version 6.9.0, and it worked with no problems.

Thank you everyone! I hope this topic helps other people with the same issue!

To me it's still not clear what your issue was.

What was the problem with using client.setCACert() along with the server's certificate?

Anyways, thank you! I hope you guys have a great day!
