The underlying connection was closed #81

Open
Alvalvar opened this issue Aug 2, 2023 · 11 comments

Alvalvar commented Aug 2, 2023

I am trying to use the RestPS module and cannot connect to the REST server. I get this error:

```
Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
```

If I use `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}`, I receive this error:

```
Invoke-RestMethod : The underlying connection was closed: An unexpected error occurred on a send
```

Server and client are on the same host.

Server part:

```powershell
$ServerCert = Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object { $_.Subject -eq 'CN=Server.PowerShellDemo.io'}
$ServerParams = @{
    RoutesFilePath = 'C:\RestPS\endpoints\RestPSRoutes.json'
    Port = 8182
    AppGuid = "d1495a62-411b-43e3-978f-eef3e710170d"
    SSLThumbprint = $ServerCert.Thumbprint
    VerificationType = 'VerifyRootCA'
}
Start-RestPSListener @ServerParams
```

Client part:

```powershell
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12 -bor [System.Net.SecurityProtocolType]::Tls11 -bor [System.Net.SecurityProtocolType]::Tls
$ClientCert = Get-ChildItem -Path Cert:\LocalMachine\My\ | Where-Object { $_.Subject -eq 'CN=DemoClient.PowerShellDemo.io'}
$HttpsParams = @{
    Uri = 'https://localhost:8182/process?name=powershell'
    Method = 'Get'
    Certificate = $ClientCert
    UseBasicParsing = $true
}
Invoke-RestMethod @HttpsParams
```

Certificate generated from https://invoke-automation.blog/2018/09/16/creating-a-local-ssl-certificate-hierarchy-with-windows-powershell
What am I doing wrong?

Owner

jpsider commented Aug 2, 2023

On the client, run the following function (included with RestPS):
`Disable-SSLValidation`

@jpsider jpsider self-assigned this Aug 2, 2023
Author

Alvalvar commented Aug 2, 2023

> On the client, run the following function (included with RestPS): Disable-SSLValidation

Tried it, it didn't work. Same error.

Author

Alvalvar commented Aug 2, 2023

I tried it on WinSrv2016 and two different Win10 machines.
Same result.

Owner

jpsider commented Aug 2, 2023

Which directions are you following? I don't have a place to test right now. But I can probably do it later. I just want to be sure I am following the same directions.

Author

Alvalvar commented Aug 2, 2023

> Which directions are you following? I don't have a place to test right now. But I can probably do it later. I just want to be sure I am following the same directions.

https://github.com/jpsider/RestPS

@Alvalvar Alvalvar closed this as completed Aug 7, 2023
Author

Alvalvar commented Aug 7, 2023

Hi! Any luck trying to reproduce the error?

Owner

jpsider commented Aug 7, 2023

I have not had time to sit and go through the example yet.

@Alvalvar
Author

Good day!
Have you had time to look at the cause of the errors?

@Alvalvar Alvalvar reopened this Aug 23, 2023
Owner

jpsider commented Aug 23, 2023

I'm sorry, not yet. Got caught up at work and then found myself on vacation!

I will get to it very soon.

Owner

jpsider commented Aug 25, 2023

Alright,
I was able to follow the instructions here to create a local hierarchy for certificates. (https://invoke-automation.blog/2018/09/16/creating-a-local-ssl-certificate-hierarchy-with-windows-powershell/)
Then follow the instructions here to start and execute the Rest commands. (https://github.com/jpsider/RestPS)

In my Server window - this is the exact history

```powershell
install-module jpsider,restps
Update-ConsoleTitle server-window
$rootCAparams = @{
    DnsName = 'PowerShellDemo.io Root Cert'
    KeyLength = 2048
    KeyAlgorithm = 'RSA'
    HashAlgorithm = 'SHA256'
    KeyExportPolicy = 'Exportable'
    NotAfter = (Get-Date).AddYears(5)
    CertStoreLocation = 'Cert:\LocalMachine\My'
    KeyUsage = 'CertSign','CRLSign' #fixes invalid certificate error
}
$rootCA = New-SelfSignedCertificate @rootCAparams
$rootCA
$CertStore = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Store(
    [System.Security.Cryptography.X509Certificates.StoreName]::Root,
    'LocalMachine')
$CertStore.open('MaxAllowed')
$CertStore.add($rootCA)
$CertStore.close()
$params = @{
    DnsName = 'Server.PowerShellDemo.io'
    Signer = $rootCA # <------ Notice the Signer is the newly created RootCA
    KeyLength = 2048
    KeyAlgorithm = 'RSA'
    HashAlgorithm = 'SHA256'
    KeyExportPolicy = 'Exportable'
    NotAfter = (Get-Date).AddYears(2)
    CertStoreLocation = 'Cert:\LocalMachine\My'
}

$ServerCert = New-SelfSignedCertificate @params
$ServerCert
$params = @{
    DnsName = 'DemoClient.PowerShellDemo.io'
    FriendlyName = 'DemoClient'
    Signer = $rootCA # <------ Notice the Signer is the newly created RootCA
    KeyLength = 2048
    KeyAlgorithm = 'RSA'
    HashAlgorithm = 'SHA256'
    KeyExportPolicy = 'Exportable'
    NotAfter = (Get-Date).AddYears(2)
    CertStoreLocation = 'Cert:\LocalMachine\My'
}
$ClientCert = New-SelfSignedCertificate @params
$ClientCert
Get-ChildItem -Path Cert:\LocalMachine\My
Get-ChildItem -Path Cert:\LocalMachine\Root
Invoke-DeployRestPS -LocalDir 'C:\RestPS'
Get-ChildItem -Path Cert:\LocalMachine\My
$ServerCert = Get-ChildItem -Path Cert:\LocalMachine\My\ |
    Where-Object { $_.Subject -eq 'CN=Server.PowerShellDemo.io'}

$ServerThumbprint = $ServerCert.Thumbprint
$ServerCert
$ServerParams = @{
    RoutesFilePath = 'C:\RestPS\endpoints\RestPSRoutes.json'
    Port = 8080
    SSLThumbprint = $ServerCert.Thumbprint
    VerificationType = 'VerifyRootCA'
}
Start-RestPSListener @ServerParams
history
```

For the client this is the exact history

```powershell
Update-ConsoleTitle client-window
Get-ChildItem -Path Cert:\LocalMachine\My
$ClientCert = Get-ChildItem -Path Cert:\LocalMachine\My\ |
    Where-Object { $_.Subject -eq 'CN=Democlient.PowerShellDemo.io'}

$clientThumbprint = $clientCert.Thumbprint
$clientThumbprint
$HttpsParams = @{
    Uri = 'https://localhost:8080/process?name=powershell'
    Method = 'Get'
    Certificate = $ClientCert
    UseBasicParsing = $true
}
Invoke-RestMethod @HttpsParams
Disable-SSLValidation
$HttpsParams = @{
    Uri = 'https://localhost:8080/process?name=powershell'
    Method = 'Get'
    Certificate = $ClientCert
    UseBasicParsing = $true
}
Invoke-RestMethod @HttpsParams
$HttpsParams = @{
    Uri = 'https://localhost:8080/endpoint/shutdown'
    Method = 'Get'
    Certificate = $ClientCert
    UseBasicParsing = $true
}
Invoke-RestMethod @HttpsParams
```

Author

Alvalvar commented Aug 29, 2023

Hi! It's a fckng magic :(

```
PS C:\Temp> $HttpsParams = @{
Uri = 'https://localhost:8080/process?name=powershell'
Method = 'Get'
Certificate = $ClientCert
UseBasicParsing = $true
}
PS C:\Temp> Invoke-RestMethod @HttpsParams
Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
At line:1 char:1
Invoke-RestMethod @HttpsParams

CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

PS C:\Temp> Disable-SSLValidation
True
PS C:\Temp> $HttpsParams = @{
Uri = 'https://localhost:8080/process?name=powershell'
Method = 'Get'
Certificate = $ClientCert
UseBasicParsing = $true
}
PS C:\Temp> Invoke-RestMethod @HttpsParams
Invoke-RestMethod : The request was aborted: Could not create SSL/TLS secure channel.
At line:1 char:1
Invoke-RestMethod @HttpsParams

CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
```
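
A diagnostic sketch for the two errors in this thread, added here and not part of the thread or of RestPS: instead of switching validation off, it inspects each thing the mutual-TLS handshake in this setup depends on (certificate count, chain and trust anchor, private key, EKU, host name, offered protocols). The certificate subjects and the `localhost` URI host are taken from the posts above; `Test-CertChain` is a hypothetical helper name, and skipping revocation checks is an assumption about the demo CA.

```powershell
# Added diagnostic example; not part of RestPS or of the thread.
# Subjects and the URI host are the ones used in the posts above.
$UriHost = 'localhost'
$My      = 'Cert:\LocalMachine\My'
$Server  = @(Get-ChildItem $My | Where-Object { $_.Subject -eq 'CN=Server.PowerShellDemo.io' })
$Client  = @(Get-ChildItem $My | Where-Object { $_.Subject -eq 'CN=DemoClient.PowerShellDemo.io' })

# Hypothetical helper: build the chain for one certificate and report why it fails, if it does.
function Test-CertChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: the demo CA publishes no CRL, so revocation lookups are skipped.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $valid = $chain.Build($Cert)
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject     = $Cert.Subject
        Thumbprint  = $Cert.Thumbprint
        ChainValid  = $valid
        ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        ChainTop    = $top.Subject
        TopInRoot   = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                             Where-Object { $_.Thumbprint -eq $top.Thumbprint })
        HasKey      = $Cert.HasPrivateKey
        EKU         = $Cert.EnhancedKeyUsageList.FriendlyName -join ', '
        NotAfter    = $Cert.NotAfter
    }
}

# 1. More than one match means $ServerCert / $ClientCert in the posts would be an array.
"Certificates found: server=$($Server.Count) client=$($Client.Count)"

# 2. Chain, trust anchor, private key and EKU for every match.
$Server + $Client | ForEach-Object { Test-CertChain -Cert $_ } | Format-List

# 3. Name check: the client connects to $UriHost, so that name must be on the server
#    certificate (exact match only; wildcard entries are not expanded here).
$names = @($Server | ForEach-Object { $_.DnsNameList.Unicode })
"Server certificate names: $($names -join ', ')"
"URI host '$UriHost' covered: $($names -contains $UriHost)"

# 4. Protocols this client session will offer.
"Client protocols: $([System.Net.ServicePointManager]::SecurityProtocol)"
```

Run it in an elevated session on the same host as the listener, since it reads the `LocalMachine` stores.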
