Invoke-RestMethod - Ignore Self Signed Certs

Question

It seems like this question has been asked and answered, but so far every solution I come across does not help. I'm writing a PowerShell script to run some REST API's to get usage information. My script breaks immediately just trying to communicate to the server. For testing sake, I'm doing a very simplistic command:

Invoke-RestMethod 'https://server:4443/login'

It returns with this error:

Invoke-RestMethod : The underlying connection was closed: An unexpected error occurred on a send.

I can run the same command but with URL google.com and I get a valid return, so I know the command is working generally speaking.

If I run the curl equivalent on the server itself, things complete as expected. Here's a snippet of the verbose output of the curl command:

* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / DHE-RSA-AES256-SHA
* Server certificate:
*        subject: CN=localhost
*        start date: 2016-03-22 21:48:57 GMT
*        expire date: 2026-03-20 21:48:57 GMT
*        issuer: CN=localhost
*        SSL certificate verify result: self signed certificate (18), continuing anyway.

I'm only assuming this is a self signed cert issue based upon searching the fairly generic error PowerShell returns.

I've tried:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

and other similar methods (complex functions) to help ignore certificate issues with no luck.

I'm running PowerShell 5 in case that helps.

I'm decent with PowerShell code but this is my first time trying Invoke-RestMethod, so maybe I'm missing something. Any insight is appreciated.

Answer 1

This will also work in later versions of powershell with invoke-restmethod/webrequest. It avoids the requirement for a runspace by implementing the handler as native .net:

if (-not("dummy" -as [type])) {     add-type -TypeDefinition @" using System; using System.Net; using System.Net.Security; using System.Security.Cryptography.X509Certificates;  public static class Dummy {     public static bool ReturnTrue(object sender,         X509Certificate certificate,         X509Chain chain,         SslPolicyErrors sslPolicyErrors) { return true; }      public static RemoteCertificateValidationCallback GetDelegate() {         return new RemoteCertificateValidationCallback(Dummy.ReturnTrue);     } } "@ }  [System.Net.ServicePointManager]::ServerCertificateValidationCallback = [dummy]::GetDelegate() 

Hope this helps.

Answer 2

If after @x0n answer, you still have the problem, try add before Request/Rest this

[System.Net.ServicePointManager]::SecurityProtocol =[System.Net.SecurityProtocolType]::Tls12

Working script for me:

if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type) { $certCallback = @"     using System;     using System.Net;     using System.Net.Security;     using System.Security.Cryptography.X509Certificates;     public class ServerCertificateValidationCallback     {         public static void Ignore()         {             if(ServicePointManager.ServerCertificateValidationCallback ==null)             {                 ServicePointManager.ServerCertificateValidationCallback +=                      delegate                     (                         Object obj,                          X509Certificate certificate,                          X509Chain chain,                          SslPolicyErrors errors                     )                     {                         return true;                     };             }         }     } "@     Add-Type $certCallback  }  [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12; [ServerCertificateValidationCallback]::Ignore()  Invoke-WebRequest https://*YOUR URI* 

Answer 3

i know this is old, but it still came up when i had this question with out actually checking. google first right?

Try this:

invoke-restMethod -SkipCertificateCheck -uri 'https://server:4443/login' -etc..etc..etc..

got it here via google: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-restmethod?view=powershell-6