Powershell 3.0 Invoke-WebRequest HTTPS在所有请求上失败

Question

我正在尝试通过Powershell 3.0和REST API使用我们的Load Balancer.但是,无论我尝试什么,如果它是https请求,无论是我们的负载均衡器还是任何其他https站点,我目前都会遇到故障.我觉得我错过了一些明显的东西.

以下是使用https失败的代码

try
{
    #fails
    #$location='https://www.bing.com'
    #fails
    #$location='https://www.google.com'
    #fails
    #$location='https://www.facebook.com'
    #fails
    #$location='https://www.ebay.com'
    #works
    #$location='http://www.bing.com'
    #works
    #$location='http://www.google.com'
    #fails (looks like Facebook does a redirect to https://)
    $location='http://www.facebook.com'
    #works
    #$location='http://www.ebay.com'
    $response=''
    $response = Invoke-WebRequest -URI $location
    $response.StatusCode
    $response.Headers
}
catch
{
    Write-Host StatusCode $response.StatusCode
    Write-Host $_.Exception
}

我得到的错误是:

System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.Management.Automation.PSInvalidOperationException: 
There is no Runspace available to run scripts in this thread. You can provide one in the DefaultRunspace property of the System.Management.Automation.Runspaces.Runspa
ce type. The script block you attempted to invoke was: $true
   at System.Net.TlsStream.EndWrite(IAsyncResult asyncResult)
   at System.Net.ConnectStream.WriteHeadersCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
   at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()

我希望这个页面以及对底部的建议,包括来自Aaron D.的那些建议会有所作为,但它们都没有任何区别.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

和

function Ignore-SSLCertificates
{
    $Provider = New-Object Microsoft.CSharp.CSharpCodeProvider
    $Compiler = $Provider.CreateCompiler()
    $Params = New-Object System.CodeDom.Compiler.CompilerParameters
    $Params.GenerateExecutable = $false
    $Params.GenerateInMemory = $true
    $Params.IncludeDebugInformation = $false
    $Params.ReferencedAssemblies.Add("System.DLL") > $null
    $TASource=@'
    namespace Local.ToolkitExtensions.Net.CertificatePolicy
    {
        public class TrustAll : System.Net.ICertificatePolicy
        {
            public bool CheckValidationResult(System.Net.ServicePoint sp,System.Security.Cryptography.X509Certificates.X509Certificate cert, System.Net.WebRequest req, int problem)
            {
                return true;
            }
        }
    }
'@ 
    $TAResults=$Provider.CompileAssemblyFromSource($Params,$TASource)
    $TAAssembly=$TAResults.CompiledAssembly
    ## We create an instance of TrustAll and attach it to the ServicePointManager
    $TrustAll = $TAAssembly.CreateInstance("Local.ToolkitExtensions.Net.CertificatePolicy.TrustAll")
    [System.Net.ServicePointManager]::CertificatePolicy = $TrustAll
}

和

add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

我尝试过切换到Invoke-RestCommand,但无效,因为我得到相同的响应.

感觉这必须是环境因素,因为我无法相信上述内容对其他任何人都不起作用,但我已经在工作站和服务器上尝试了相同的结果(并不完全排除环境)但我知道他们的设置不同).

有什么想法吗？

Answer 1

这对我很有用.该网站默认为TLS 1.0,显然PS不适用于此.我用过这一行:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

我的PS脚本(到目前为止我测试过的所有内容)都运行得很好.

Answer 2

答案是不要这样做来解决SSL问题:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

如果你这样做,你的第一个https请求将起作用(似乎),但后续的请求不会.此外,你需要关闭Powershell ISE,然后重新打开它,然后再试一次(没有那条线).

这是在这里的一句话中提到的http://social.technet.microsoft.com/Forums/windowsserver/en-US/79958c6e-4763-4bd7-8b23-2c8dc5457131/sample-code-required-for-invokerestmethod-using- https-and-basic-authorization？forum = winserverpowershell - "并且所有后续运行都会产生此错误:",但不清楚重置的解决方案是什么.

Answer 3

很长一段时间我也一直困扰着这个.它甚至影响了Visual Studio,因为VS $PROFILE在运行NuGet还原时将我的域加载到了它的域中.

看到上面的评论让我意识到我有一个自定义回调脚本,因为我们的一个供应商在其ssl证书中发布了带有无效CN的产品.

简而言之,我用编译好的c#对象替换了我的脚本委托(从等式中删除脚本运行空间).

(用于C#突出显示的单独代码块)

using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class CustomCertificateValidationCallback {
    public static void Install() 
    {
        ServicePointManager.ServerCertificateValidationCallback += CustomCertificateValidationCallback.CheckValidationResult;
    }

    public static bool CheckValidationResult(
        object sender, 
        X509Certificate certificate, 
        X509Chain chain, 
        SslPolicyErrors sslPolicyErrors)
    {
        // please don't do this. do some real validation with explicit exceptions.
        return true;
    }
}

在Powershell中:

Add-Type "" # C# Code
[CustomCertificateValidationCallback]::Install()