Author Posts

March 13, 2017 at 12:27 pm

Hi all,

Got a test/development server with an expired certificate (will take a couple of days for the certificate to be updated).
Is there a way to ignore the certificate error?

Via some google exercise I've tried:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

But that doesn't solve the issue of ignoring the certificate issue.
Still getting "The underlying connection was closed: an unexpected error occured on a send".

So is there way to get this "working" before the cert have been renewed?

Edit: Currently on PS ver. 4 and .Net 4.5.

Br,
Fredrik

March 13, 2017 at 1:58 pm

Update, it seems I can get it working.
But it's kind of weird or I just don't know enough of the underlying structure.

There were two issues, one the certificate was a TLS1.2 certificate and that is not enabled by default in PS (SSL3 and TLS).
The second issue by reading some blog posts (AFAIK) is that the invoke-webrequest/invoke-restmethod runs in their own runspace.
So by setting the servicecertificatevalidationcallback flag to true doesn't necessarely mean that invoke-webrequest will "see it".

Now the weird part.

If I use the following:

$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

Invoke-WebRequest -Uri 'https://somesite'

Will still fail.
If I however do.

$AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
[System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

$webClient = New-Object System.Net.WebClient
$content = webClient.downloadstring('https://somesite')
Invoke-WebRequest -Uri 'https://somesite'

Now the Invoke-Webrequest will work.
The only thing I can think of is that after the download it already have an open session so invoke-webrequest will use that.
But I'm by no means sure about this.

March 13, 2017 at 3:46 pm

I use:

$URL = 'https://somesite'

#region Validate we have full IE COM object
    $ie = New-Object -ComObject internetexplorer.application
    $ie.visible = $true # for debugging - comment or remove this line for prod..
    $ie.navigate($URL)
    while ($ie.Busy) { Start-Sleep -Seconds 1 }
    if (($ie.Document | Get-Member -MemberType Properties).count -eq 0) {
        $ie.Quit()
        Write-Out 'This script requires Microsoft Azure SDK for .NET (VS 2015) from Web Platform installer at https://www.microsoft.com/web/downloads/platform.aspx'
        break
    }
#endregion

#region Bypass local certificate error
    Write-Out 'Bypassing web interface certificate error...'
    $sslbypass = $ie.Document.getElementById('overridelink')
    if ($sslbypass) { $sslbypass.click() }
    while ($ie.Busy) { Start-Sleep -Seconds 1 }
    Write-Out 'done'
#endregion

March 14, 2017 at 8:43 am

Thanks Sam but I would rather not rely on IE.
Anyway it works using the above method but it's a bit weird, too me at this moment in time.