SSL Error with Invoke-PSUScript

PowerShell Universal
1

Hi,

we use Powershell Universal 5 on IIS. I try to use Invoke-PSUScript -Name 'Example.ps1'

But i get the error

Cannot retrieve the dynamic parameters for the cmdlet. Status(StatusCode=“Internal”, Detail=“Error starting gRPC call. HttpRequestException: The SSL connection could not be established, see inner exception. AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.”, DebugException=“System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.”)

We use a a ssl certificate from our internal pki.
Do you have any ideas how to fix this?

Product: PowerShell Universal
Version: 5.0.4
2

You can either add -TrustCertificate to the end of your Invoke-PSUScript command or, if you upgrade to 5.0.6, you can supposedly add the TrustCertificate parameter to your customized appsettings.json file by adding:

{
    "Api": {
       "TrustCertificate": true
    }
}

But I’m not able to get this ability working in my own testing of 5.0.6.

3

I put
“Api”: {
“Url”: “http://localhost:5000”,
“SecurityModel”: “Permissive”
}

this in my appsettings.json

As long as the scripts are on the same server as PSU itself,
that should not matter.

4

Are you not using a certificate in your setup?

6

Yes and No.
This is a new box.
I have a self-signed certificate, but am still waiting for the official one.

So the self-signed is not valid, and like you stated, the workaround don’t seem to work.
That’s why I use plain http for just the internal API calls.

The system is firewalled off, access for users only via https.

EDIT:

I now have this and it is working,
https://zzz.yyy.xxx.net is actually not the real URL that users would use, but a FQDN that resolves locally as well and I have a machine certificate for. (not a certificate for SSL - but it seems to work)

“Api”: {
“Url”: “https://zzz.yyy.xxx.net”,
“TrustCertificate”: true,
“SecurityModel”: “Permissive”
}

with:
$script=Invoke-PSUScript -Wait -script scriptvars.ps1
(very simply script to just output some vars…)

1 Like
7

Thanks for your answers guys.
I got -TrustCertificate running for me.

1 Like
8

Can you explain how?
When I try
$script=Invoke-PSUScript -Wait -TrustCertificate -script scriptvars.ps1
I get:

image

on 5.0.6

9

I’m not sure. -TrustCertificate works fine for me on an Invoke-PSUScript command in 5.0.6. I put that parameter at the end, though. Maybe it’s positional, for some reason. Try moving it to the end.

1 Like
10

If you want it global and appsettings.json is not working, you can also use PSU_TRUST_CERTIFICATE environment variable set to true.

The appsettings.json wasn’t working in every configuration but we changed it for 5.0.7 so it will be.

2 Likes
11

I think it should work with

Invoke-PSUScript -Name 'scriptvars.ps1' -TrustCertificate

12

I did move it around, no change.

I noticed that sometimes -name works better, and sometimes -script.

Will test further.

13

Invoke-PSUScript and TrustCertificate had some more fixes in 5.0.7. Not sure it’ll fix this issue, but worth a shot.

1 Like
14

I’m getting some odd behavior on this too in 5.0.7 - when trying to run Get-PSUEventHubConnection with TrustCertificate set to false in the app settings and the -TrustCertificate flag passed in manually, I get an error that the parameter doesn’t exist. However, when setting it to true in app settings AND passing the flag, I’m getting the behavior I expect. Setting it to true by itself returns the SSL error.

The environment variable seems to still be the safest way to get this to come together on IIS.