The underlying connection was closed
I tried to use the RestPS module and could not connect to the REST server; the error was: Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
If I use: [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
I receive the error: Invoke-RestMethod : The underlying connection was closed: An unexpected error occurred on a send
Server and client are on the same host.
Server part:
$ServerCert = Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object { $_.Subject -eq 'CN=Server.PowerShellDemo.io'}
$ServerParams = @{
RoutesFilePath = 'C:\RestPS\endpoints\RestPSRoutes.json'
Port = 8182
AppGuid = "d1495a62-411b-43e3-978f-eef3e710170d"
SSLThumbprint = $ServerCert.Thumbprint
VerificationType = 'VerifyRootCA'
}
Start-RestPSListener @ServerParams
Client part:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 -bor [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls
$ClientCert = Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object { $_.Subject -eq 'CN=DemoClient.PowerShellDemo.io'}
$HttpsParams = @{
Uri = 'https://localhost:8182/process?name=powershell'
Method = 'Get'
Certificate = $ClientCert
UseBasicParsing = $true
}
Invoke-RestMethod @HttpsParams
The certificate was generated following https://invoke-automation.blog/2018/09/16/creating-a-local-ssl-certificate-hierarchy-with-windows-powershell
What am I doing wrong?
On the client run the following function (included with RestPS): Disable-SSLValidation
Tried it, it didn't work. Same error.
I tried it on WinSrv2016 and two different Win10. Same result.
Which directions are you following? I don't have a place to test right now. But I can probably do it later. I just want to be sure I am following the same directions.
https://github.com/jpsider/RestPS
Hi! Any luck trying to reproduce the error?
I have not had time to sit and go through the example yet.
Good day! Have you had time to look at the cause of the errors?
I'm sorry, not yet. Got caught up at work and then found myself on vacation!
I will get to it very soon.
Alright, I was able to follow the instructions here to create a local hierarchy for certificates (https://invoke-automation.blog/2018/09/16/creating-a-local-ssl-certificate-hierarchy-with-windows-powershell/). Then I followed the instructions here to start and execute the Rest commands (https://github.com/jpsider/RestPS).
In my Server window - this is the exact history
install-module jpsider,restps
Update-ConsoleTitle server-window
$rootCAparams = @{
DnsName = 'PowerShellDemo.io Root Cert'
KeyLength = 2048
KeyAlgorithm = 'RSA'
HashAlgorithm = 'SHA256'
KeyExportPolicy = 'Exportable'
NotAfter = (Get-Date).AddYears(5)
CertStoreLocation = 'Cert:\LocalMachine\My'
KeyUsage = 'CertSign','CRLSign' #fixes invalid certificate error
}
$rootCA = New-SelfSignedCertificate @rootCAparams
$rootCA
$CertStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store(
[System.Security.Cryptography.X509Certificates.StoreName]::Root,
'LocalMachine')
$CertStore.open('MaxAllowed')
$CertStore.add($rootCA)
$CertStore.close()
$params = @{
DnsName = 'Server.PowerShellDemo.io'
Signer = $rootCA # <------ Notice the Signer is the newly created RootCA
KeyLength = 2048
KeyAlgorithm = 'RSA'
HashAlgorithm = 'SHA256'
KeyExportPolicy = 'Exportable'
NotAfter = (Get-Date).AddYears(2)
CertStoreLocation = 'Cert:\LocalMachine\My'
}
$ServerCert = New-SelfSignedCertificate @params
$ServerCert
$params = @{
DnsName = 'DemoClient.PowerShellDemo.io'
FriendlyName = 'DemoClient'
Signer = $rootCA # <------ Notice the Signer is the newly created RootCA
KeyLength = 2048
KeyAlgorithm = 'RSA'
HashAlgorithm = 'SHA256'
KeyExportPolicy = 'Exportable'
NotAfter = (Get-Date).AddYears(2)
CertStoreLocation = 'Cert:\LocalMachine\My'
}
$ClientCert = New-SelfSignedCertificate @params
$ClientCert
Get-ChildItem -Path Cert:\LocalMachine\My
Get-ChildItem -Path Cert:\LocalMachine\Root
Invoke-DeployRestPS -LocalDir 'C:\RestPS'
Get-ChildItem -Path Cert:\LocalMachine\My
$ServerCert = Get-ChildItem -Path Cert:\LocalMachine\My\ |
Where-Object { $_.Subject -eq 'CN=Server.PowerShellDemo.io'}
$ServerThumbprint = $ServerCert.Thumbprint
$ServerCert
$ServerParams = @{
RoutesFilePath = 'C:\RestPS\endpoints\RestPSRoutes.json'
Port = 8080
SSLThumbprint = $ServerCert.Thumbprint
VerificationType = 'VerifyRootCA'
}
Start-RestPSListener @ServerParams
history
For the client this is the exact history
Update-ConsoleTitle client-window
Get-ChildItem -Path Cert:\LocalMachine\My
$ClientCert = Get-ChildItem -Path Cert:\LocalMachine\My\ |
Where-Object { $_.Subject -eq 'CN=Democlient.PowerShellDemo.io'}
$clientThumbprint = $clientCert.Thumbprint
$clientThumbprint
$HttpsParams = @{
Uri = 'https://localhost:8080/process?name=powershell'
Method = 'Get'
Certificate = $ClientCert
UseBasicParsing = $true
}
Invoke-RestMethod @HttpsParams
Disable-SSLValidation
$HttpsParams = @{
Uri = 'https://localhost:8080/process?name=powershell'
Method = 'Get'
Certificate = $ClientCert
UseBasicParsing = $true
}
Invoke-RestMethod @HttpsParams
$HttpsParams = @{
Uri = 'https://localhost:8080/endpoint/shutdown'
Method = 'Get'
Certificate = $ClientCert
UseBasicParsing = $true
}
Invoke-RestMethod @HttpsParams
Hi! It's a fckng magic :(
PS C:\Temp> $HttpsParams = @{
Uri = 'https://localhost:8080/process?name=powershell'
Method = 'Get'
Certificate = $ClientCert
UseBasicParsing = $true
}
PS C:\Temp> Invoke-RestMethod @HttpsParams
Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
At line:1 char:1
Invoke-RestMethod @HttpsParams
CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
PS C:\Temp> Disable-SSLValidation
True
PS C:\Temp> $HttpsParams = @{
Uri = 'https://localhost:8080/process?name=powershell'
Method = 'Get'
Certificate = $ClientCert
UseBasicParsing = $true
}
PS C:\Temp> Invoke-RestMethod @HttpsParams
Invoke-RestMethod : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1
Invoke-RestMethod @HttpsParams
CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
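A diagnostic that reports why the client rejects the listener's certificate, rather than switching validation off; it is an added example, not part of the original posts or of RestPS. Test-TlsTrust and its parameter names are hypothetical; it uses only .NET's TcpClient and SslStream, performs the TLS handshake, and sends no request.

```powershell
# Added example; Test-TlsTrust is a hypothetical helper, not a RestPS function.
function Test-TlsTrust {
    param(
        [Parameter(Mandatory)][string]$HostName,  # host exactly as written in the URI
        [Parameter(Mandatory)][int]$Port,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCertificate
    )
    $result = [ordered]@{
        HostName = $HostName; Subject = $null; SubjectAltName = $null
        PolicyErrors = $null; ChainStatus = $null; Protocol = $null; HandshakeError = $null
    }
    # Record what the validator sees, then make the normal decision:
    # the handshake succeeds only when .NET reports no policy errors.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($source, $certificate, $chain, $policyErrors)
        $cert2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $san = $cert2.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $result.Subject = $cert2.Subject
        $result.SubjectAltName = if ($san) { $san.Format($false) } else { '(none)' }
        $result.PolicyErrors = $policyErrors
        $result.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $policyErrors -eq [System.Net.Security.SslPolicyErrors]::None
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $certs = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        if ($ClientCertificate) { [void]$certs.Add($ClientCertificate) }
        $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
        $ssl.AuthenticateAsClient($HostName, $certs, $tls12, $false)  # $false: no revocation check
        $result.Protocol = $ssl.SslProtocol
    }
    catch { $result.HandshakeError = $_.Exception.GetBaseException().Message }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$result
}

# Usage against the listener from the thread (needs it running on port 8080):
# Test-TlsTrust -HostName 'localhost' -Port 8080 -ClientCertificate $ClientCert
# RemoteCertificateNameMismatch: the URI host is not among the certificate's names.
# RemoteCertificateChainErrors: see ChainStatus (for example UntrustedRoot).
```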