linux
Gennady, 2019-12-10 14:48:32

Telegram self-signed certificate for IP?

There is no domain. IP only.
I create a certificate:

openssl req -newkey rsa:2048 -sha256 -nodes -keyout YOURPRIVATE.key -x509 -days 365 -out YOURPUBLIC.pem -subj "/C=US/ST=New York/L=Brooklyn/O=Example Brooklyn Company/CN=MY_SERVER_IP"

Generating a RSA private key
.........................+++++
...........+++++
writing new private key to 'YOURPRIVATE.key'

Sending to telegram:
curl -F "url=https://MY_SERVER_IP/tg/index.php" -F "certificate=@YOURPUBLIC.pem" "https://api.telegram.org/MY_TOKEN/setWebhook"

I get:
{"ok":true,"result":true,"description":"Webhook was set"}

Next, I check in the browser:
https://api.telegram.org/MY_TOKEN/getWebhookInfo
I get:
{"ok":true,"result":{"url":"https://MY_SERVER_IP/tg/index.php","has_custom_certificate":true,"pending_update_count":21,"last_error_date":1575977768,"last_error_message":"SSL error {error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed}","max_connections":40}}

I don't understand what's wrong.

3 answers
Gennady, 2019-12-10
@theblackpost

In short, I solved it.
So, in case anyone needs a proper set of instructions for an IP address:

openssl req -newkey rsa:2048 -sha256 -nodes -x509 -days 365 \
-keyout YOURPRIVATE.key \
-out YOURPUBLIC.crt \
-subj "/C=RU/ST=Saint-Petersburg/L=Saint-Petersburg/O=Example Inc/CN=SERVER_IP"

Next, convert to .pem:
Copy the files to the folder with the other keys (or skip the copy and point the Apache config at your own paths):
cp YOURPUBLIC.crt /etc/ssl/certs/YOURPUBLIC.crt
cp YOURPRIVATE.key /etc/ssl/private/YOURPRIVATE.key

In settings (for apache) /etc/apache2/sites-available/default-ssl.conf :
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerAdmin [email protected]
ServerName SERVER_IP
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile      /etc/ssl/certs/YOURPUBLIC.crt
SSLCertificateKeyFile /etc/ssl/private/YOURPRIVATE.key
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
</VirtualHost>
</IfModule>

Create a new Apache snippet in the /etc/apache2/conf-available directory.
It is recommended to specify its purpose in the file name (for example, ssl-params.conf):
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLSessionTickets Off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# /etc/ssl/certs/dhparam.pem must exist before Apache starts, e.g. generated with:
#   openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"

Apache setup (enable the modules and the site):
sudo a2enmod ssl
sudo a2enmod headers
sudo a2ensite default-ssl

Check the configuration;
if it's OK, you'll see something like:
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
Syntax OK

Restart.
If OK, open the site over https in the browser.
Then feed the certificate to the Telegram bot, MANDATORY with the @ in front of the file name.
Check:
https://api.telegram.org/MY_TOKEN/getWebhookInfo
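
An added example, not code from the thread: the check a current OpenSSL performs on a certificate issued for a bare IP address, which is what the question's "certificate verify failed" and the answer's CN=IP recipe are both about. The script generates two self-signed certificates with the same subject as the answer's command: one with only CN=IP (the shape used throughout the thread) and one that also carries an `iPAddress` subjectAltName, then runs `openssl verify -verify_ip` against each, and finally confirms that a certificate and a private key belong together (the usual reason Apache serves a different certificate from the one uploaded to Telegram). The IP 203.0.113.10 is an RFC 5737 documentation address standing in for the real server, and `-addext` requires OpenSSL 1.1.1 or newer; both are assumptions of this example, not facts from the page.

```shell
#!/bin/sh
# Added example (not from the thread). Generates and checks self-signed
# certificates for a bare IP the way a modern TLS client does.
set -eu

SERVER_IP="${SERVER_IP:-203.0.113.10}"   # assumed: RFC 5737 documentation IP
WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# 1. CN-only certificate, the same shape as the thread's openssl req command.
gen_cn_only() {
    openssl req -newkey rsa:2048 -sha256 -nodes -x509 -days 365 \
        -keyout "$WORKDIR/cn.key" -out "$WORKDIR/cn.crt" \
        -subj "/C=RU/ST=Saint-Petersburg/L=Saint-Petersburg/O=Example Inc/CN=$SERVER_IP" \
        2>/dev/null
}

# 2. Same subject, plus an iPAddress subjectAltName (needs OpenSSL >= 1.1.1).
gen_san() {
    openssl req -newkey rsa:2048 -sha256 -nodes -x509 -days 365 \
        -keyout "$WORKDIR/san.key" -out "$WORKDIR/san.crt" \
        -subj "/C=RU/ST=Saint-Petersburg/L=Saint-Petersburg/O=Example Inc/CN=$SERVER_IP" \
        -addext "subjectAltName=IP:$SERVER_IP" \
        2>/dev/null
}

# Treat the self-signed cert as its own trust anchor (what Telegram does with an
# uploaded certificate) and additionally check the IP against it. OpenSSL checks
# an IP only against iPAddress SAN entries; CN is never consulted for IPs.
# Prints "ok" or "fail".
verify_ip() {   # $1 = certificate file
    if openssl verify -CAfile "$1" -verify_ip "$SERVER_IP" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Compare the public key inside the certificate with the one derived from the
# private key; Apache refuses to start, or serves the wrong cert, when they differ.
# Prints "match" or "mismatch".
key_matches_cert() {   # $1 = certificate file, $2 = private key file
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

if command -v openssl >/dev/null 2>&1; then
    gen_cn_only
    gen_san
    echo "CN-only cert, -verify_ip $SERVER_IP: $(verify_ip "$WORKDIR/cn.crt")"    # fail
    echo "SAN cert,     -verify_ip $SERVER_IP: $(verify_ip "$WORKDIR/san.crt")"   # ok
    echo "san.crt vs san.key: $(key_matches_cert "$WORKDIR/san.crt" "$WORKDIR/san.key")"  # match
    echo "san.crt vs cn.key:  $(key_matches_cert "$WORKDIR/san.crt" "$WORKDIR/cn.key")"   # mismatch
    echo "SAN extension present in san.crt:"
    openssl x509 -in "$WORKDIR/san.crt" -noout -ext subjectAltName
fi
```

On a live server the same `key_matches_cert` comparison can be run between the file named in `SSLCertificateFile` and the one uploaded with `-F "certificate=@..."`; the two must be byte-for-byte the same certificate, and `openssl s_client -connect SERVER_IP:443 -showcerts` shows which one Apache actually presents after the restart.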

Alexander, 2019-12-10
@NeiroNx

That's right - self-signed certificates can't be authenticated - hence they don't work in this context.

BOBrentS, 2022-04-06
@BOBrentS

THE SAME BUG, but everything is done with Apache on WIND...
..Help me find my way!?
Especially since:
Create a new Apache snippet in the /etc/apache2/conf-available directory.
....
PS The conversion:
openssl x509 -in YOURPUBLIC.crt -out YOURPUBLIC.pem -outform PEM
gives identical content, just with a different file extension at the end =Ъ
Thank you in advance
