SSL Error with Invoke-PSUScript
Hi,
we use Powershell Universal 5 on IIS. I try to use Invoke-PSUScript -Name 'Example.ps1'
But i get the error
Cannot retrieve the dynamic parameters for the cmdlet. Status(StatusCode=“Internal”, Detail=“Error starting gRPC call. HttpRequestException: The SSL connection could not be established, see inner exception. AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.”, DebugException=“System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.”)
We use a a ssl certificate from our internal pki.
Do you have any ideas how to fix this?
Product: PowerShell Universal Version: 5.0.4
All Comments (12)
You can either add -TrustCertificate to the end of your Invoke-PSUScript command or, if you upgrade to 5.0.6, you can supposedly add the TrustCertificate parameter to your customized appsettings.json file by adding:
{
"Api": {
"TrustCertificate": true
}
}
But I’m not able to get this ability working in my own testing of 5.0.6.
I put
“Api”: {
“Url”: “http://localhost:5000”,
“SecurityModel”: “Permissive”
}
this in my appsettings.json
As long as the scripts are on the same server as PSU itself,
that should not matter.
Are you not using a certificate in your setup?
Yes and No.
This is a new box.
I have a self-signed certificate, but am still waiting for the official one.
So the self-signed is not valid, and like you stated, the workaround don’t seem to work.
That’s why I use plain http for just the internal API calls.
The system is firewalled off, access for users only via https.
EDIT:
I now have this and it is working,
https://zzz.yyy.xxx.net is actually not the real URL that users would use, but a FQDN that resolves locally as well and I have a machine certificate for. (not a certificate for SSL - but it seems to work)
“Api”: {
“Url”: “https://zzz.yyy.xxx.net”,
“TrustCertificate”: true,
“SecurityModel”: “Permissive”
}
with:
$script=Invoke-PSUScript -Wait -script scriptvars.ps1
(very simply script to just output some vars…)
Thanks for your answers guys.
I got -TrustCertificate running for me.
Can you explain how?
When I try
$script=Invoke-PSUScript -Wait -TrustCertificate -script scriptvars.ps1
I get:
on 5.0.6
4445f9a63f20e1af405143d6ff904aecfaa08e18.png
I’m not sure. -TrustCertificate works fine for me on an Invoke-PSUScript command in 5.0.6. I put that parameter at the end, though. Maybe it’s positional, for some reason. Try moving it to the end.
If you want it global and appsettings.json is not working, you can also use PSU_TRUST_CERTIFICATE environment variable set to true.
The appsettings.json wasn’t working in every configuration but we changed it for 5.0.7 so it will be.
Adam Driscoll
PowerShell Expert and Developer at Devolutions
I think it should work withInvoke-PSUScript -Name 'scriptvars.ps1' -TrustCertificate
…Maybe it’s positional, for some reason. Try moving it to the end.
I did move it around, no change.
I think it should work with
Invoke-PSUScript -Name 'scriptvars.ps1' -TrustCertificateI noticed that sometimes -name works better, and sometimes -script.
Will test further.
Invoke-PSUScript and TrustCertificate had some more fixes in 5.0.7. Not sure it’ll fix this issue, but worth a shot.
I’m getting some odd behavior on this too in 5.0.7 - when trying to run Get-PSUEventHubConnection with TrustCertificate set to false in the app settings and the -TrustCertificate flag passed in manually, I get an error that the parameter doesn’t exist. However, when setting it to true in app settings AND passing the flag, I’m getting the behavior I expect. Setting it to true by itself returns the SSL error.
The environment variable seems to still be the safest way to get this to come together on IIS.