When I try to use Invoke-WebRequest I'm getting some weird error:
Invoke-WebRequest -Uri "https://idp.safenames.com/"
Invoke-WebRequest : The underlying connection was closed: An unexpected error occurred on a send.
I'm not sure what's causing it, as the website itself seems fine.
Even with all the "ignore ssl errors" functions around stackoverflow, it's still not working, making me wonder if it's related to SSL at all.
As BaconBits notes, .NET version > 4.5 uses SSLv3 and TLS 1.0 by default.
You can change this behavior by setting the SecurityProtocol policy with the ServicePointManager class:
PS C:\> $AllProtocols = [System.Net.SecurityProtocolType]'Ssl3,Tls,Tls11,Tls12'
PS C:\> [System.Net.ServicePointManager]::SecurityProtocol = $AllProtocols
PS C:\> (Invoke-WebRequest -Uri "https://idp.safenames.com/").StatusCode
200
This will apply to all requests in the AppDomain (so it only applies to the current instance of the host application).
There's a module on GitHub and in PSGallery that can manage these settings now:
Install-Module BetterTls -Scope CurrentUser
Import-Module BetterTls
Enable-Tls -Tls11 -Tls12
This can be permanently changed as well
# set strong cryptography on 32 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
# set strong cryptography on 64 bit .Net Framework (version 4 and above)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Based on this scan, it doesn't look like that URI supports anything lower than TLS 1.1.
What version of Windows are you on? If you're on PowerShell v4.0 or lower, you're not going to be able to negotiate a TLS 1.1 or 1.2 connection because the .Net Framework doesn't support TLS 1.1 or 1.2 until .Net Framework 4.5. PowerShell v4.0 is .Net 4.0. That means the underlying System.Net.WebRequest classes can't negotiate a connection. I believe PowerShell v5.0 is .Net 4.5 or .Net 4.6, but I don't have a Win 10 client to check the $PSVersionTable right now.
You may be able to get it to work by coding the calls to WebRequest manually and specifying the protocol as [System.Net.SecurityProtocolType]::Tls12 or [System.Net.SecurityProtocolType]::Tls11, but I'm not sure if that's possible. That's supposed to work if .Net 4.5 is installed from what I'm seeing, but, again, I've never tried it.
For reference, I get the exact same results as you on Windows 7 x64/Powershell v4.0 and I've got .Net 4.5 installed, but I've never tried manually coding the WebRequest. I also get an error if I use wget for Windows 1.11.4 from here (OpenSSL 0.9.8b, well before TLS 1.1 and 1.2), but it works just fine if I use wget for Windows 1.17.1 from here (current, more or less).
I'm not sure what's causing it Teach a person to fish.... How do we know that it's a TLS problem? I had this situation and could not, for the life of me, get anything out of the WebException that said "error during TLS negotiation". Worse, the problem appeared only during automated tests, not manual tests. How, on the client side, could I get a message that says "the client tried to negotiate with TLS 1.0 and the server rejected it." Or SOME kind of pseudo-English explanation for the error, beyond "An unexpected error occurred on a send."
One line:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType] 'Ssl3, Tls, Tls11, Tls12' (at least in v5.1 you don't even need the [System.Net.SecurityProtocolType] cast); recent .NET versions additionally support Tls13
-UserAgentparameter. Maybe the site is blocking connections from "bots".