
October 27, 2015 at 5:30 pm

I am attempting to use Invoke-RestMethod to connect to a Citrix NetScaler's NITRO REST API. I then re-use the returned SessionVariable to run several commands through the API. This works fine with HTTP, but when I use HTTPS I get back an empty object or a session expired error.

    $credential = Get-Credential
    # NITRO login payload
    $login = @{"login" = @{"username" = "nsroot"; "password" = "password"; "timeout" = "360"}}
    $loginJson = ConvertTo-Json $login
    try {
        Write-Verbose "Calling Invoke-RestMethod for login"
        # -SessionVariable stores the web session (including cookies) in $saveSession
        $response = Invoke-RestMethod -Uri "https://netscaler.mydomain.com/nitro/v1/config/login" -Body $loginJson -Method POST -SessionVariable saveSession -ContentType "application/json" -ErrorAction Stop -TimeoutSec 60
        if ($response.severity -eq "ERROR") {
            throw "Error. See response: `n$($response | fl * | Out-String)"
        } else {
            Write-Verbose "Response:`n$(ConvertTo-Json $response | Out-String)"
            $saveSession.Credentials = $credential
            $myNSSession1 = New-Object -TypeName PSObject
            $myNSSession1 | Add-Member -NotePropertyName Endpoint -NotePropertyValue "netscaler.mydomain.com" -TypeName String
            $myNSSession1 | Add-Member -NotePropertyName WebSession -NotePropertyValue $saveSession -TypeName Microsoft.PowerShell.Commands.WebRequestSession
        }
    }
    catch [Exception] {
        throw $_
    }
    # Reuse the saved web session for a follow-up call
    $uri = "https://netscaler.mydomain.com/nitro/v1/config/nsconfig"
    $call = Invoke-RestMethod -Uri $uri -Method GET -WebSession $myNSSession1.WebSession

This returns:

    Invoke-RestMethod : { "errorcode": 444, "message": "Session expired or killed. Please login again", "severity": "ERROR" }

October 27, 2015 at 11:47 pm

It could be a certificate trust problem. You can try this:

    add-type @"
        using System.Net;
        using System.Security.Cryptography.X509Certificates;
        public class TrustAllCertsPolicy : ICertificatePolicy {
            public bool CheckValidationResult(
                ServicePoint srvPoint, X509Certificate certificate,
                WebRequest request, int certificateProblem) {
                return true;
            }
        }
"@
    [System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

This will force your current PowerShell session to trust all certificates.

I've used this method personally for scripting McAfee EPO server as the EPO server URL uses SSL and I haven't bothered to install a proper trusted cert for it yet...
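
A narrower alternative to the trust-all policy above, as an added example that is not part of the original reply: it accepts an otherwise untrusted certificate only for one host and only when its thumbprint matches a pinned value. The class name `PinnedCertValidator`, the placeholder thumbprint and the use of Windows PowerShell 5.1 (where `Invoke-RestMethod` honours `ServicePointManager`) are assumptions.

```powershell
# Constructed placeholder: replace with the SHA-1 thumbprint of the appliance's certificate.
$pinnedThumbprint = '0000000000000000000000000000000000000000'
$pinnedHost       = 'netscaler.mydomain.com'

# Compile the validator once per session (hypothetical class name, not from the thread).
if (-not ('PinnedCertValidator' -as [type])) {
    Add-Type @"
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedCertValidator {
    public static string Host;
    public static string Thumbprint;

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors) {
        // Certificates that pass normal validation are accepted as usual.
        if (errors == SslPolicyErrors.None) { return true; }
        // Anything else fails closed unless it is the pinned host with the pinned cert.
        HttpWebRequest req = sender as HttpWebRequest;
        if (req == null || cert == null) { return false; }
        if (!string.Equals(req.RequestUri.Host, Host, StringComparison.OrdinalIgnoreCase)) {
            return false;
        }
        string actual = new X509Certificate2(cert).Thumbprint;
        return string.Equals(actual, Thumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static RemoteCertificateValidationCallback Callback {
        get { return new RemoteCertificateValidationCallback(Validate); }
    }
}
"@
}

[PinnedCertValidator]::Host       = $pinnedHost
[PinnedCertValidator]::Thumbprint = $pinnedThumbprint
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [PinnedCertValidator]::Callback

# Setting the callback back to $null restores default validation for the session.
```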

October 28, 2015 at 6:27 am

I'm actually importing the cert into the current user root store earlier in the same script. Prior to doing that I was getting an unable to establish SSL/TLS connection error.

    # Fetch the appliance's certificate and add it to the current user's Root store
    $ApplianceCert = Request-WebCertificate -url "https://netscaler.mydomain.com"
    $ApplianceCert.FriendlyName = "Netscaler.mydomain.com"
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store([System.Security.Cryptography.X509Certificates.StoreName]::Root, "CurrentUser")
    $store.Open("MaxAllowed")
    $store.Add($ApplianceCert)
    $store.Close()