Ignore SSL warning with powershell downloadstring
F

3

20

I've got this beautiful one liner which calls a webservice of mine via Task Scheduler:

-ExecutionPolicy unrestricted -Command "(New-Object Net.WebClient).DownloadString(\"https://127.0.0.1/xxx\")"

But my webservice has SSL now and I want to make a local call so it gives an SSL exception. So is there a way to ignore the SSL warning with this one liner?

Flick answered 17/12, 2015 at 9:39 Comment(0)
I
42

With the one-liner you don't have many options in ignoring the SSL-warning (with the WebClient downloadstring method).

You could try doing this before invoking the command:

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ;

Since you're using this in a task-scheduler, I'd add it before the DownloadString command with a ';' to separate the two commands.

This should do the trick, which would set the callback in the session:

-ExecutionPolicy unrestricted -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};(New-Object Net.WebClient).DownloadString(\"https://127.0.0.1/xxx\")"

If you have a newer PowerShell installation (check if you have the Invoke-WebRequest cmdlet available), you can use this cmdlet in addition to a security policy. Still not a one-liner, but this should do the trick:

add-type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

$result = Invoke-WebRequest -Uri "https://127.0.0.1/xxx"

Try to see if that works from a normal host, if so, you could bundle it in a simple script and use this in your scheduled task.

Impermanent answered 17/12, 2015 at 11:16 Comment(6)
I'll try the first solution, so that would be: [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; -ExecutionPolicy unrestricted -Command "(New-Object Net.WebClient).DownloadString(\"https://127.0.0.1/xxx\")" - Flick
The first solution didn't seem to work. Would it be a possible solution to add the certificate to the 'trusted' certificates when browsed via 127.0.0.1? Will the powershell command trust the certificate then? - Flick
The command would be -ExecutionPolicy unrestricted -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};(New-Object Net.WebClient).DownloadString(\"https://127.0.0.1/xxx\")" (to set the validation callback in the same session). - Impermanent
Thanks that worked! Could you please update your answer with this example. That would maybe help others also. - Flick
Yes, if you add your self-signed certificate to the trust store on this computer, it should work without any more hassle. I'd recommend testing and getting it to work in the shell itself before trying the scheduled task; it'll make debugging easier :) - Impermanent
The single in-line addition does the trick for a number of tight scripts we have that limited capability in locked-down hosts that require a lot of additional policy changes for full PS scripts, but that will accept one-liners from cmd.exe powershell -command. In our case, it's the foundation of a canary script that distinguishes SSL issues from other forms of API and webhost outages. - Estimate
F
1

If you're looking to implement a conditional policy, use the following.

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param(
        [object]$sender,
        [Security.Cryptography.X509Certificates.X509Certificate] $certificate, 
        [Security.Cryptography.X509Certificates.X509Chain] $chain, 
        [Net.Security.SslPolicyErrors] $sslPolicyErrors
    )
    # Implement your custom logic here
    $true
}
Forcible answered 10/10, 2019 at 12:54 Comment(0)
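
The conditional callback from the answer above with the placeholder logic filled in, as an added example that is not part of any answer on this page: instead of returning `$true` for every certificate, it overrides a validation failure only for a loopback request whose certificate matches one pinned thumbprint. The thumbprint value is a placeholder, and the example assumes Windows PowerShell on .NET Framework, as the answers do.

```powershell
# Added example, not code from the answers. Assumes Windows PowerShell on
# .NET Framework, where WebClient honours ServicePointManager.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
    param(
        [object] $requestSender,
        [Security.Cryptography.X509Certificates.X509Certificate] $certificate,
        [Security.Cryptography.X509Certificates.X509Chain] $chain,
        [Net.Security.SslPolicyErrors] $sslPolicyErrors
    )

    # Placeholder: SHA-1 thumbprint of your own service certificate (no spaces).
    # Kept inside the script block so it does not depend on outer variables.
    $pinnedThumbprint = '<THUMBPRINT-OF-YOUR-CERTIFICATE>'

    # Validation already succeeded: nothing to override.
    if ($sslPolicyErrors -eq [Net.Security.SslPolicyErrors]::None) { return $true }

    # The server presented no certificate: never accept.
    if ($null -eq $certificate) { return $false }

    # Only relax validation for requests to the loopback address; every other
    # host contacted by this process keeps normal certificate checking.
    $isLoopback = ($requestSender -is [Net.HttpWebRequest]) -and
                  $requestSender.RequestUri.IsLoopback
    if (-not $isLoopback) { return $false }

    # Accept the failing certificate only if it is exactly the pinned one.
    return ($certificate.GetCertHashString() -eq $pinnedThumbprint)
}

try {
    (New-Object Net.WebClient).DownloadString('https://127.0.0.1/xxx')
}
finally {
    # The callback is process-wide; restore default validation afterwards.
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}
```

The pinned value is the thumbprint shown for the certificate in the Windows certificate store; when the service certificate is renewed, the pin has to be updated with it.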
R
0

Just for s and g, I created and tested a one liner for the c sharp code to do this.

add-type "using System.Net;using System.Security.Cryptography.X509Certificates;public class T : ICertificatePolicy {public bool CheckValidationResult(ServicePoint srvPoint, X509Certificate certificate,WebRequest request, int certificateProblem) {return true;}}";[System.Net.ServicePointManager]::CertificatePolicy = New-Object T

Worthless...maybe..crazy looking..definitely :)

Rumilly answered 24/7 at 15:3 Comment(1)
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. - Pander
