Tags: powershell, ssl-certificate, f5, powershell-7.0

SSL cert validation in PowerShell 7


So the question is not really about PowerShell, but maybe how to manage this: below is a script (well, parts pulled out of a script we use to manage our F5 load balancer).

$modules = @("F5-LTM","TunableSslValidator","POSH-SSH")
$apiVersion = "15.1.0.2"
$headers = @{"Content-Type"="application/json"}
$credentials = Get-Credential 
try
{
        ForEach($module in $modules)
        {
                import-module $module -ErrorAction Stop
        }
}
catch
{
        Write-host "[ " -NoNewline
        write-host "FAIL" -NoNewline -ForegroundColor Red
        Write-host " ] " -NoNewline
        write-host "Importing Powershell Modules"
        write-host $_.Exception -ForegroundColor Red
        exit
}
Write-host "[ " -NoNewline
write-host " OK " -NoNewline -ForegroundColor Green
Write-host " ] " -NoNewline
write-host "Importing Powershell Modules"


$uri = "https://F5hostname/mgmt/tm/ltm/monitor/https/my-site_https_monitor?ver=$apiVersion"

#-------------------------------------------------------------------------
# Handle Cert Warning
#-------------------------------------------------------------------------
if (-not ([System.Management.Automation.PSTypeName]'ServerCertificateValidationCallback').Type)
{
$certCallback = @"
    using System;
    using System.Net;
    using System.Net.Security;
    using System.Security.Cryptography.X509Certificates;
    public class ServerCertificateValidationCallback
    {
        public static void Ignore()
        {
            if(ServicePointManager.ServerCertificateValidationCallback ==null)
            {
                ServicePointManager.ServerCertificateValidationCallback += 
                    delegate
                    (
                        Object obj, 
                        X509Certificate certificate, 
                        X509Chain chain, 
                        SslPolicyErrors errors
                    )
                    {
                        return true;
                    };
            }
        }
    }
"@
    Add-Type $certCallback
 }
[ServerCertificateValidationCallback]::Ignore()

Invoke-WebRequest -Method GET -Uri $uri -insecure -Headers $headers -Credential $credentials -ErrorAction Stop -UseBasicParsing

This works if you run it with PowerShell 5.1 but fails with the following error in PowerShell 7.0.1:

The remote certificate is invalid according to the validation procedure.

The F5 does have an untrusted cert, and I am looking to resolve that, but I am using TunableSslValidator and I have that cert validation block in there because we had issues in PowerShell 5 as well, but we trust this internal resource and I was willing to ignore the cert issues.

Is there a way to bypass this in PowerShell 7?


Solution

  • Just faced the same problem last Friday: after a look in the docs for pwsh 7.0 at https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7 I saw that a new switch "-SkipCertificateCheck" was introduced and this worked to ignore cert validation.
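A version-aware wrapper for the request in the question, added here as an example and not taken from the original script or the answer. It limits the bypass to a single call: on PowerShell Core it passes -SkipCertificateCheck for that request only, and on Windows PowerShell 5.1 it restores the previous process-wide callback afterwards. The names Invoke-F5Request and ScopedCertBypass are hypothetical.

```powershell
# Added example: Invoke-F5Request and ScopedCertBypass are hypothetical names.
function Invoke-F5Request {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][uri]$Uri,
        [Parameter(Mandatory)][pscredential]$Credential,
        [hashtable]$Headers = @{ 'Content-Type' = 'application/json' }
    )

    $params = @{
        Method          = 'GET'
        Uri             = $Uri
        Headers         = $Headers
        Credential      = $Credential
        UseBasicParsing = $true
        ErrorAction     = 'Stop'
    }

    if ($PSVersionTable.PSEdition -eq 'Core') {
        # PowerShell 6+/7: the web cmdlets use HttpClient, so the
        # ServicePointManager callback is never consulted. The switch
        # affects this one request and nothing else in the session.
        return Invoke-WebRequest @params -SkipCertificateCheck
    }

    # Windows PowerShell 5.1: the callback is process-wide, so install it
    # only for the duration of the call and put the old value back after.
    if (-not ('ScopedCertBypass' -as [type])) {
        Add-Type @"
using System.Net;
public static class ScopedCertBypass {
    public static void Enable() {
        ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
    }
}
"@
    }
    $previous = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    try {
        [ScopedCertBypass]::Enable()
        Invoke-WebRequest @params
    }
    finally {
        # Restore validation for every other connection in this process.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previous
    }
}
```

Once the F5 presents a certificate issued by a trusted CA, both bypass branches can be deleted and the plain Invoke-WebRequest call works on either edition.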