Telegram Bot - Webhook SSL error with letsencrypt Certificate

Question

I've tried to fix this error now for two day and still haven't found a single thing that works... So here is my problem:

I previously had a Telegram Bot setup with Certbot (letsencrypt) on a Raspberry Pi and it worked perfectly. Now I wanted to build the same thing on my new HomeServer (A Manjaro Linux Machine).

So I installed Apache and Certbot and it works perfectly with any browser to access my site with https://<mydomain> . But... when I set the Webhook of the Telegram bot with the Certificate you have to pass like this:

curl -F "url=https://<mydomain>/botTelegram/index.php" -F "certificate=@/etc/letsencrypt/live/<mydomain>/fullchain.pem" https://api.telegram.org/bot723985628:AAHiEXNJgXZ-mGprEhGNc1QxiVpGfhxK_9A/setWebhook

it always gives me back the same error :

{
    "ok": true,
    "result": {
        "url": "<myDomain>",
        "has_custom_certificate": true,
        "pending_update_count": 1,
        "last_error_date": 1588255882,
        "last_error_message": "SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}",
        "max_connections": 40
    }
}

So then I searched for solutions, and what everyone kept saying, was that you should try to test your site with https://www.ssllabs.com/ssltest/analyze.html?d=<mydomain>&hideResults=on and then check if under Chain issues something else than "None" is written, and in that case you would have to give the server the "Full Certificate Chain". So I did run this test, but there Was written "None", because I already gave Apache the fullchain.pem Certificate.

Chain Issues Screenshot

Since Certbot created multiple Certificates: I also tried to pass the chain.pem and the cert.pem to the /setWebhook request, but there the same error occurs.

Here is how i created them:

certbot certonly --webroot /srv/http -d <myfirstdomain> -d <myseconddomain>

So now I really don't know how to fix this, cause SSL works for the Browser, just not for the Telegram Webhook...

In case here is a part of my /etc/httpd/conf/extra/httpd-ssl.conf :

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile "/etc/letsencrypt/live/<mydomain>/fullchain.pem"
#SSLCertificateFile "/etc/httpd/conf/server-dsa.crt"
#SSLCertificateFile "/etc/httpd/conf/server-ecc.crt"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/etc/letsencrypt/live/<mydomain>/privkey.pem"
#SSLCertificateKeyFile "/etc/httpd/conf/server.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-dsa.key"
#SSLCertificateKeyFile "/etc/httpd/conf/server-ecc.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile "/etc/letsencrypt/live/<mydomain>/fullchain.pem"

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"

Well then, I hope someone is able to help me out with this, because I really have no clue what's wrong here...

EDIT:

I now deleted the Certificates, and recreated them with Certbot but with the --apache option like this certbot --apache -d <myfirstdomain> -d <myseconddomain> but it still didn't work, I still get the same error...

Here is the new config, created by Certbot at /etc/letsencrypt/options-ssl-apache.conf and linked in the Apache config:

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384>SSLHonorCipherOrder     on

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common```

Answer 1

To fix this I simply had to make the .../setWebhook Request without passing the Certificate and put https:// in front of the URL.

Because I thought Certbots Certificates are "Self-Signed", but they obviously aren't, what was I thinking? I can't believe that this was such a simple thing, that I overlooked...

Well then, still I hope this helps anyone how maybe has the same stupid problem. :)