忽略来自 Powershell Invoke-RestMethod 的自签名证书不起作用(它再次更改...) [英] Ignoring Self-Signed Certificates from Powershell Invoke-RestMethod doesn't work (it's changed again...)
问题描述
使用标准解决方案忽略证书验证后,Invoke-RestMethod
返回:
After using standard solutions for ignoring certificate verification, Invoke-RestMethod
is returning:
Invoke-RestMethod : A system error occurred and has been logged. Please try again later or contact your administrator.
我今天才注意到这个失败,所以我认为这与 Powershell 更新有关.我所说的标准解决方案"是指:
I just noticed this failure today, so I think it has something to do with a Powershell update. By "standard solutions" I mean:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
几个月前停止工作,并在添加到 Powershell 的 C# 类型中正确设置回调(下面历史中的描述).
which stopped working a few months ago, and setting the callback properly in a C# type added to Powershell (description below in History).
这是我的环境:
> $PSVersionTable
Name Value
---- -----
PSVersion 5.1.15063.674
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.15063.674
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
这里有一点历史,所以这个问题不会因为重复而被关闭.
Here is a little history so this question doesn't just get closed as a duplicate.
如果你在谷歌或 StackOverflow 上搜索,你会发现这个问题有一些预设的答案.但是,今天我注意到所有标准解决方案都不再有效.
If you Google around or search StackOverflow you can find this question coming up with a few canned responses. However, today I noticed that all of the standard solutions aren't working anymore.
Powershell 给出的标准错误是:
The standard error Powershell gives is:
Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
各地论坛给出的标准答案是在调用 Invoke-RestMethod
之前使用此命令:
The standard answer given on forums everywhere is to use this command before you call Invoke-RestMethod
:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
但如果您使用的是最新版本的 Windows 10/2016 和 Powershell,那么您对 Invoke-RestMethod
的调用将返回:
But if you're using an up to date version of Windows 10 / 2016 and Powershell, then your call to Invoke-RestMethod
will return:
Invoke-RestMethod : The underlying connection was closed: An unexpected error occurred on a send.
为什么会发生这种情况的解释可以在 在 Huddled Masses 上找到博客.可以概括为:
The explanation for why that happens is found on Huddled Masses blog. It can be summarized as:
将 ServerCertificateValidationCallback 设置为脚本块对异步回调(发生在任务线程上的回调)不起作用,因为另一个线程没有运行空间来执行脚本.
Setting the ServerCertificateValidationCallback to a scriptblock won't work for an asynchronous callback (one that happens on a task thread), because the other thread won't have a runspace to execute the script on.
最初,我一直在用这段代码解决这个问题:
Originally, I had been solving that problem with this code:
if (-not ([System.Management.Automation.PSTypeName]"TrustAllCertsPolicy").Type)
{
Add-Type -TypeDefinition @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
public bool CheckValidationResult(
ServicePoint srvPoint, X509Certificate certificate,
WebRequest request, int certificateProblem)
{
return true;
}
}
"@
}
if ([System.Net.ServicePointManager]::CertificatePolicy.ToString() -ne "TrustAllCertsPolicy")
{
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
}
但是,这在 Windows Server 2016 上不起作用,即使它在 Windows 10 上运行良好.因此,基于 Huddled Masses 我写这个是为了处理 C# 中的证书验证回调,而不是脚本块:
But, that didn't work on Windows Server 2016, even though it was working fine on Windows 10. So, based on Huddled Masses I wrote this up to handle certificate validation callbacks in C# rather than a script block:
function Disable-SslVerification
{
if (-not ([System.Management.Automation.PSTypeName]"TrustEverything").Type)
{
Add-Type -TypeDefinition @"
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class TrustEverything
{
private static bool ValidationCallback(object sender, X509Certificate certificate, X509Chain chain,
SslPolicyErrors sslPolicyErrors) { return true; }
public static void SetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = ValidationCallback; }
public static void UnsetCallback() { System.Net.ServicePointManager.ServerCertificateValidationCallback = null; }
}
"@
}
[TrustEverything]::SetCallback()
}
function Enable-SslVerification
{
if (([System.Management.Automation.PSTypeName]"TrustEverything").Type)
{
[TrustEverything]::UnsetCallback()
}
}
这在很长一段时间内都非常有效,但就在最近,当我调用 Invoke-RestMethod
时,我开始收到以下错误:
That worked really well for a long time, but just recently I started getting the following error back when I call Invoke-RestMethod
:
Invoke-RestMethod : A system error occurred and has been logged. Please try again later or contact your administrator.
我知道一个合适的解决方案就是部署证书,但通常您只想测试一下,而不必设置合适的 PKIX.
I understand that a proper solution is just to deploy certificates, but often you just want to test things out without having to set up a proper PKIX.
推荐答案
我想我已经将范围缩小到我正在调用的 Web 服务中的更改.哦!
I think I have narrowed this down to a change in the web service that I'm calling. Doh!
我在问题中列出的 Disable-SslVerification
和 Enable-SslVerification
函数仍然是最好的方法,而且似乎有效.
The Disable-SslVerification
and Enable-SslVerification
function that I listed in my question are still the best way to go and seem to work.
我很期待 Bacon Bits 在评论中提到的 -SkipCertificateCheck
开关.然后,我们可以停止黑客攻击.=)
I look forward to the -SkipCertificateCheck
switch mentioned by Bacon Bits in the comments. Then, we can stop hacking. =)
希望这个问题对那些试图解决相同问题但遇到发送时发生意外错误
问题的人有价值.
Hopefully this question is valuable for people who are trying to solve the same problem but run into the An unexpected error occurred on a send
problem.
这篇关于忽略来自 Powershell Invoke-RestMethod 的自签名证书不起作用(它再次更改...)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!