HTTPS Connection Issues

From MgmtWiki
Revision as of 20:19, 21 September 2021 by Tom (talk | contribs) (References)

Jump to: navigation, search

Full Title or Meme

Like most security protocols HTTPS can start failing for all sorts of reasons, but issues with upgraded security seems to be most common.


  • For HTTPS to work the certificate (and key) used to sign the TLS (SSL) connection packets must match one of the certs in the cert:\localmachiroot folder. That means that the fingerprint (hash) of the root key must match the signing key.


Net Core Console Apps

Here are the steps:

  1. Create a Certificate Signing Request (CSR).
  2. Have the CSR signed by the server.
  3. Get the signed certificate.
  4. Include the signed certificate in the HTTP request.
  5. Make sure to put the Self-Signed CA Certificate in the Local Computer's Trusted Root CA store.

Troubleshooting steps in order (do not skip if a certain step is not successful):

  1. Test with HTTP
  2. Test with HTTPS (one-way authentication)
  3. Test with HTTPS (mutual authentication)

PowerShell Invoke-xxxMethod

$r = Invoke-RestMethod "" -Method Post -Body $j -ContentType "application/jose"
The registry service https://localhost:5035/csp could not be found. Exception: The SSL connection could not be established, see inner exception.

or on AWS

$r = Invoke-RestMethod "http://localhost:5035/csp" -Method Post -Body $j -ContentType "application/jose"
Invoke-RestMethod : The underlying connection was closed: The connection was closed unexpectedly.
At line:1 char:6
+ $r = Invoke-RestMethod "http://localhost:5035/csp" -Method Post -Body ...
+      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

One common cause for this issue is a mismatch in TLS levels between the client and server. In general all sites should be (2020-07) set for tls1.1 or higher.

  • Check with powershell Get-TlsCipherSuite [[-Name] <String>] [<CommonParameters>]

PowerShell Ignore SSL Errors

add-type @"
   using System.Net;
   using System.Security.Cryptography.X509Certificates;
   public class TrustAllCertsPolicy : ICertificatePolicy {
       public bool CheckValidationResult(
           ServicePoint srvPoint, X509Certificate certificate,
           WebRequest request, int certificateProblem) {
           return true;
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
$result = Invoke-WebRequest -Uri "