21

I've got this beautiful one liner which calls a webservice of mine via Task Scheduler:

-ExecutionPolicy unrestricted -Command "(New-Object Net.WebClient).DownloadString(\"https://127.0.0.1/xxx\")"

But my webservice has SSL now and I want to make a local call so it gives an SSL exception. So is there a way to ignore the SSL warning with this one liner?

Julian

2 Answers

41

With the one-liner you don't have many options in ignoring the SSL-warning (with the WebClient downloadstring method).

You could try doing this before invoking the command:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;

Since you're using this in a task-scheduler, I'd add it before the DownloadString command with a ';' to separate the two commands.

This should do the trick, which would set the callback in the session:

-ExecutionPolicy unrestricted -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};(New-Object Net.WebClient).DownloadString(\"https://127.0.0.1/xxx\")"

If you have a newer PowerShell installation (check if you have the Invoke-WebRequest cmdlet available), you can use this cmdlet in addition to a security policy. Still not a one-liner, but this should do the trick:

add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

$result = Invoke-WebRequest -Uri "https://127.0.0.1/xxx"

Try to see if that works from a normal host, if so, you could bundle it in a simple script and use this in your scheduled task.

Harald F.
  • I'll try the first solution, so that would be: [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; -ExecutionPolicy unrestricted -Command "(New-Object Net.WebClient).DownloadString(\"https://127.0.0.1/xxx\")" – Julian Dec 17 '15 at 11:54
  • The first solution didn't seem to work. Would it be a possible solution to add the certificate to the 'trusted' certificates when browsed via 127.0.0.1? Will the powershell command trust the certificate then? – Julian Dec 17 '15 at 11:57
  • 1
    The command would be -ExecutionPolicy unrestricted -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};(New-Object Net.WebClient).DownloadString(\"https://127.0.0.1/xxx\")" (to set the validation callback in the same session). – Harald F. Dec 17 '15 at 12:05
  • Thanks that worked! Could you please update your answer with this example. That would maybe help others also. – Julian Dec 17 '15 at 12:05
  • Yes, if you add your self-signed certificate to the trust store on this computer, it should work without any more hassle. I'd recommend testing and getting it to work in the shell itself before trying the scheduled task; it'll make debugging easier :) – Harald F. Dec 17 '15 at 12:05
  • The single in-line addition does the trick for a number of tight scripts we have that limited capability in locked-down hosts that require a lot of additional policy changes for full PS scripts, but that will accept one-liners from cmd.exe powershell -command. In our case, it's the foundation of a canary script that distinguishes SSL issues from other forms of API and webhost outages. – storsoc Oct 25 '21 at 17:19
1

If you're looking to implement a conditional policy, use the following.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param(
        [object]$sender,
        [Security.Cryptography.X509Certificates.X509Certificate] $certificate, 
        [Security.Cryptography.X509Certificates.X509Chain] $chain, 
        [Net.Security.SslPolicyErrors] $sslPolicyErrors
    )
    # Implement your custom logic here
    $true
}
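
One way to fill in the custom logic of the conditional callback above, as an added example that is not part of the original answers: the certificate is accepted when normal validation succeeds, and otherwise only when the request goes to 127.0.0.1 and the certificate matches a pinned thumbprint. It assumes Windows PowerShell on .NET Framework with the synchronous WebClient call from the question; the thumbprint is a placeholder and the variable names are illustrative.

```powershell
# Added example: pin one known certificate instead of returning $true for every connection.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param(
        # Named $requestSender because $sender is an automatic variable in PowerShell.
        [object] $requestSender,
        [Security.Cryptography.X509Certificates.X509Certificate] $certificate,
        [Security.Cryptography.X509Certificates.X509Chain] $chain,
        [Net.Security.SslPolicyErrors] $sslPolicyErrors
    )

    # Placeholder: replace with the SHA-1 thumbprint of your own service certificate.
    $pinnedThumbprint = '0000000000000000000000000000000000000000'
    $pinnedHost       = '127.0.0.1'

    # Chain and host name validated normally: nothing to override.
    if ($sslPolicyErrors -eq [Net.Security.SslPolicyErrors]::None) {
        return $true
    }

    # The sender is either the WebRequest or a host name string.
    $targetHost = $null
    if ($requestSender -is [Net.WebRequest]) {
        $targetHost = $requestSender.RequestUri.Host
    } elseif ($requestSender -is [string]) {
        $targetHost = $requestSender
    }

    # The exception applies only to the local service, never to other hosts.
    if ($targetHost -ne $pinnedHost -or $null -eq $certificate) {
        return $false
    }

    # GetCertHashString() returns the SHA-1 hash as hex; -eq ignores case.
    return ($certificate.GetCertHashString() -eq $pinnedThumbprint)
}

# Same call as in the question; any other host still gets full validation.
(New-Object Net.WebClient).DownloadString('https://127.0.0.1/xxx')
```

The callback is process-wide for the session, so set it back to `$null` afterwards if the same session makes other HTTPS requests.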