Invoke-WebRequest and expired SSL certificate


This topic contains 3 replies, has 2 voices, and was last updated by Fredrik Kacsmarck 4 months, 1 week ago.

  • #66220
    Fredrik Kacsmarck
    Participant

    Hi all,

    Got a test/development server with an expired certificate (it will take a couple of days for the certificate to be updated).
    Is there a way to ignore the certificate error?

    Via some Google exercise I've tried:

    [Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    

    But that doesn't solve the issue of ignoring the certificate issue.
    Still getting "The underlying connection was closed: an unexpected error occurred on a send".

    So is there a way to get this "working" before the cert has been renewed?

    Edit: Currently on PS ver. 4 and .Net 4.5.

    Br,
    Fredrik

  • #66262
    Fredrik Kacsmarck
    Participant

    Update: it seems I can get it working.
    But it's kind of weird, or I just don't know enough about the underlying structure.

    There were two issues. One, the certificate was a TLS 1.2 certificate and that is not enabled by default in PS (SSL3 and TLS).
    The second issue, from reading some blog posts (AFAIK), is that Invoke-WebRequest/Invoke-RestMethod run in their own runspace.
    So setting the ServerCertificateValidationCallback flag to true doesn't necessarily mean that Invoke-WebRequest will "see it".

    Now the weird part.

    If I use the following:

    $AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
    [System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    
    Invoke-WebRequest -Uri 'https://somesite'
    

    It will still fail.
    If I however do:

    $AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
    [System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
    
    $webClient = New-Object System.Net.WebClient
    $content = $webClient.DownloadString('https://somesite')
    Invoke-WebRequest -Uri 'https://somesite'
    

    Now the Invoke-WebRequest will work.
    The only thing I can think of is that after the download it already has an open session, so Invoke-WebRequest will use that.
    But I'm by no means sure about this.

  • #66282
    Sam Boutros
    Participant

    I use:

    $URL = 'https://somesite'
    
    #region Validate we have full IE COM object
        $ie = New-Object -ComObject internetexplorer.application
        $ie.visible = $true # for debugging - comment or remove this line for prod..
        $ie.navigate($URL)
        while ($ie.Busy) { Start-Sleep -Seconds 1 }
        if (($ie.Document | Get-Member -MemberType Properties).count -eq 0) {
            $ie.Quit()
            Write-Out 'This script requires Microsoft Azure SDK for .NET (VS 2015) from Web Platform installer at https://www.microsoft.com/web/downloads/platform.aspx'
            break
        }
    #endregion
    
    #region Bypass local certificate error
        Write-Out 'Bypassing web interface certificate error...'
        $sslbypass = $ie.Document.getElementById('overridelink')
        if ($sslbypass) { $sslbypass.click() }
        while ($ie.Busy) { Start-Sleep -Seconds 1 }
        Write-Out 'done'
    #endregion
    
  • #66346
    Fredrik Kacsmarck
    Participant

    Thanks Sam, but I would rather not rely on IE.
    Anyway, it works using the above method, but it's a bit weird to me at this moment in time.
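
A narrower alternative to the `{$true}` callback discussed in this thread, as an added example that is not part of the original posts: a compiled callback (which does not need a PowerShell runspace on the thread that invokes it) that tolerates only an out-of-date validity period, and only for one pinned certificate. The class name `PinnedExpiredCert` and the thumbprint placeholder are assumptions; `https://somesite` is the thread's placeholder URL.

```powershell
# Added example. 'https://somesite' is the placeholder URL from the thread;
# the thumbprint is a placeholder to fill in from the test server's certificate.
Add-Type -TypeDefinition @"
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PinnedExpiredCert
{
    // SHA-1 thumbprint of the one certificate that may be accepted while expired.
    public static string Thumbprint;

    public static bool Validate(object sender, X509Certificate cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) { return true; }
        // A name mismatch or a missing certificate is never tolerated.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) { return false; }
        if (cert == null || chain == null || chain.ChainStatus.Length == 0 || String.IsNullOrEmpty(Thumbprint)) { return false; }
        if (!String.Equals(cert.GetCertHashString(), Thumbprint,
                           StringComparison.OrdinalIgnoreCase)) { return false; }
        // The only chain problem allowed is an out-of-date validity period.
        foreach (X509ChainStatus status in chain.ChainStatus)
        {
            if (status.Status != X509ChainStatusFlags.NotTimeValid) { return false; }
        }
        return true;
    }

    public static RemoteCertificateValidationCallback Callback
    {
        get { return new RemoteCertificateValidationCallback(Validate); }
    }
}
"@

$oldCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
$oldProtocol = [System.Net.ServicePointManager]::SecurityProtocol
try {
    [PinnedExpiredCert]::Thumbprint = '<THUMBPRINT_OF_TEST_SERVER_CERT>'
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [PinnedExpiredCert]::Callback
    Invoke-WebRequest -Uri 'https://somesite'
}
finally {
    # Restore the process-wide settings so other requests keep normal validation.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $oldCallback
    [System.Net.ServicePointManager]::SecurityProtocol = $oldProtocol
}
```

Any other chain error, such as an untrusted root or a revoked certificate, still fails the request, as does a certificate whose thumbprint differs from the pinned one.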
