“参数不正确” 使用“netsh http add sslcert”时出错
按照如何:使用 SSL 证书配置端口,我在命令行上输入了此命令(废话):
netsh http add sslcert ipport:10.141.146.227:7001 certhash=5d48e604007b867ae8a69260a4ad318d2c05d8ff appid={EDE3C891-306C-40fe-BAD4-895B236A1CC8}
输出:
The parameter is incorrect.
我的 certhash 指纹是从证书(本地计算机) 中的证书中获取的 → 个人 → 证书文件夹。
appid GUID 已生成。
我还需要修复哪些问题才能使其正常工作?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(22)
在 PowerShell 中,只需键入以下内容。 首先进入netsh HTTP模式,然后添加sslcert。 这对我有用。
在 netsh 会话中:
In PowerShell, just type as follows. First get into netsh HTTP mode and then add sslcert. It's worked for me.
In the netsh session:
导致此问题的另一个可能原因是从证书管理器页面复制隐藏字符。 如果您从“证书”中的详细信息窗口复制指纹,请检查开头是否有隐藏字符(使用箭头键!)。 这就是我出现“参数不正确”错误消息的原因。
Another possible cause for this problem is hidden characters being copied from the Certificate Manager page. If you copy the thumbprint from the details window in Certificates, check for a hidden character at the start (use your arrow keys!). This was the cause for me of the "The Parameter is Incorrect" error message.
.ps1 文件中的 PowerShell 命令行和 PowerShell 脚本会认为大括号 {...} 是 PowerShell 指令。 所以引用他们的话。 否则,正如您所见,PowerShell 将会感到困惑。
因此,而不是这样做(您发现失败):
执行此操作(注意单引号):
以下是有关带大括号的 PowerShell 语法的一些信息:
PowerShell 以及大括号和其他大括号的隐藏艺术
The PowerShell command line and PowerShell scripts in .ps1 files will think curly brackets {...} are PowerShell directives. So quote them. Otherwise, as you have seen, PowerShell will be confused.
So rather than this (which you found fails):
Do this (note the single quotes):
Here is some information about PowerShell syntax with curley braces:
PowerShell and the hidden art of curly braces and other braces
查看 netsh 命令的语法,我看到了这个示例:
从表面上看,您的问题是您正在做的事情
与
Looking at the syntax for the netsh command, I saw this example:
By the looks of it, your problem is that you're doing
as opposed to
我多次遇到这个问题,每次都有不同的原因。 以下是对我有用的原因和确切命令。
原因如下:
从 Windows 对话框中复制并粘贴证书指纹会向您的哈希值添加隐藏字符。 它在文本编辑器中不可见,但您需要删除该字符才能使其工作。
SSL 指纹应在个人 → 证书中可用,以便与本地主机一起使用。
应该是“ipport=”,而不是“ipport:”
SSL 证书应该有私钥。 如果您使用证书管理控制台,请确保它在证书视图上有一个小钥匙图标。
GUID 应以完整格式定义:{a10b0420-a21f-45de-a1f8-818b5001145a},并且在 PowerShell 中应包含单引号:'{a10b0420-a21f-45de-a1f8-818b5001145a}' 因此,PowerShell格式与命令行不同。
SSL 证书应具有完整的字符,所有字符都填充为“0”且不含任何空格。 您可以复制指纹(注意删除特殊隐藏字符)并删除空格,或者如果证书已注册到另一个地址,则使用“netsh http show sslcert”来获取值。
什么对我有用:
这是在 PowerShell 中对我有用的确切命令:
这是命令行语句:
可帮助您避免相关问题的更多命令:
使用以下命令查看当前注册的证书。 您可以从那里找到并重用 certhash 或您的 appid:
如果证书已使用类似的 ip 和端口注册,则需要将其删除。 我发现它会导致 localhost、127.0 出现问题.0.1 和 0.0.0.0。 您只需在测试环境中注册0.0.0.0。 使用以下命令删除潜在损坏的证书:
I faced this problem several times and every time it had a different cause. Here are the causes and exact commands that worked for me.
Here are some causes:
Copy and pasting a certificate thumbprint from the Windows dialog adds a hidden character to your hash. It is not visible in text editors, but you need to remove the character to make it work.
An SSL thumbprint should be available in Personal → Certificates to work with localhost.
It should be 'ipport=', not 'ipport:'
SSL certificate should have a private key. If you are using the certificate management console, make sure that it has a little key icon on the certificate view.
The GUID should be defined in full format: {a10b0420-a21f-45de-a1f8-818b5001145a}, and it should have single quotes in PowerShell: '{a10b0420-a21f-45de-a1f8-818b5001145a}' Thus, the PowerShell format is different from the command line.
SSL certificate should have complete characters with all padding '0's and without any space. You may copy the thumbprint (be careful to remove special hidden characters) and remove spaces, or use 'netsh http show sslcert' to get the value if the certificate is already registered for another address.
What worked for me:
Here is the exact command that worked for me in PowerShell:
And here is the command line statement:
More commands to help you avoid related problems:
Use the following command to see current registered certificate. You may find and reuse certhash or your appid from there:
If the certificate is already registered with similar ip and port, you need to remove it. I found it causes a problem with localhost, 127.0.0.1 and 0.0.0.0. You need to have only 0.0.0.0 registered in your testing environment. Use the following command to remove potential corrupted certificates:
从Certificate\Details\Thumbprint复制证书指纹会在指纹值前面添加字节“3f38”,当转换为 ANSI 时,该值将显示为“?”。 这个隐藏的价值给我带来了问题。
我将值粘贴到 Notepad++ 中,选择编码 → 转换为 ANSI,然后我手动删除了前面的“?” 人物。 然后我将有一个干净指纹值可供使用。
Copying the certificate thumbprint from the Certificate\Details\Thumbprint would prepend the thumbprint value with the bytes '3f38' which, when converted to ANSI were shown as a '?'. This hidden value caused the issue for me.
I pasted the value into Notepad++, chose Encoding → Convert to ANSI, and then I manually removed the prepended '?' characters. I would then have a clean thumbprint value to use.
当我刚刚开始使用 HTTP.sys (IIS)。 我运行后:
然后
netsh http add sslcert命令开始正常运行。I was getting this error as well when I was just getting started with HTTP.sys (IIS). After I ran:
then the
netsh http add sslcertcommands started behaving properly.就我而言,问题是我遵循了 Microsoft 的说明。 我从 SSL 窗口复制了指纹。 这样做会复制哈希开头的不可打印字符。
尝试将指纹粘贴到记事本中,然后按Home 并按 Delete 两次(直到指纹被删除)并重新添加字符。 如果复制指纹并将其粘贴到 cmd 中,您就可以看到该字符:
In my case the problem is that I am following the Microsoft instructions. I copied the thumbprint from the SSL window. Doing so copies non-printable characters at the beginning of the hash.
Try to paste the thumbprint into Notepad and then press Home and press Delete twice (until the first characters from the thumbprint is deleted) and the readd the character. You can see the character if you copy the thumbprint and paste it into cmd:
这对我有用:
我的
certhash参数的长度不完全是 20 个字节。 我必须在前面填充零才能使其正常工作。因此,
我必须这样做:
certhash=00000000112233445566778899aabbccddeeff00,而不是certhash=112233445566778899aabbccddeeff00。This worked for me:
My
certhashparameter wasn't fully 20 bytes long. I had to pad it with zeroes in front to get it to work.So, instead of
certhash=112233445566778899aabbccddeeff00, I had to do this:certhash=00000000112233445566778899aabbccddeeff00.小心。 如果您有 DNS 名称作为绑定,请使用 hostnameport 而不是 ipport:
我必须删除 Office 365 单点登录- 上。
Watch out. If you have a DNS name as a binding, use hostnameport instead of ipport:
I had to delete ADFS Proxy Bindings for Office 365 single sign-on.
使用序列号而不是指纹作为 certhash 参数将导致此错误,因为字符数存在差异。 用 0 填充会将错误更改为:
Using the Serial number instead of the Thumbprint for the certhash parameter will cause this error because of the difference in the amount of characters. Padding with 0s will change the error to:
您使用的是ipport:,而不是ipport=,这很容易做到,因为您可以使用ip:port。
另外,请注意
{与<或(。这也让我过去感到困惑。You have ipport: rather than ipport= which is easy to do since you follow that with ip:port.
Also, watch out for the
{versus<or(. That has also gotten me in the past.在得到相同的“参数不正确”后,我做了一些事情,我认为它可以工作。 错误。
我重新启动机器并再次执行此操作。 第一次就成功了。
我确定我在 C:\ 并在重新启动后再次发出该命令不起作用
我无法解释原因,但我认为也许两次都有其他问题。 因为这已经是我第三次发生了:
我查看了我的 CA 的指纹 (不是颁发的服务器证书)并再次从 MMC 复制它,它起作用了。
发生这种情况后,我再次删除它(netsh http delete sslcert ipport=0.0.0.0:)并使用服务器证书的指纹重复该过程。 那该死的东西又起作用了。
我不知道。 尝试经历我做过的同样的事情。 也许其中之一会起作用。 最后,我怀疑我在 certhash 中输入了虚假的空格或字符。
There were a few things I did that I thought made it work after getting the same "The parameter is incorrect." error.
I restarted the machine and did it again. It worked the first time.
I made sure I was in C:\ and issued the command again after restarting didn't work
I couldn't explain why, but I think that maybe both times, there was something else wrong. Because the third time this happened to me:
I went through the thumbprint of my CA (not the issued server cert) and copied it again from the MMC and it worked.
After this happened, I deleted it again (netsh http delete sslcert ipport=0.0.0.0:) and repeated the process using the thumbprint of the server certificate. The darned thing worked again.
I don't know. Just try going through the same thing I did. Maybe one of these would work. In the end, I suspect that I entered a bogus space or character in the certhash.
这其实是cmd vs PowerShell的语法问题。 将命令更改为
将在两个终端中运行。
This is actually a syntax problem of cmd vs PowerShell. Changing the command to
will work in both terminals.
这将在 PowerShell 命令行中起作用:
重要的细节是使用反引号 (`) 转义每个 { },并且不要省略 certstorename。 否则,netsh 会引发错误 87。
这些变量只是为了方便起见。
This will work from the PowerShell command line:
The important details are to escape each { } with a backtick (`) and not to omit certstorename. Otherwise, netsh raises an error 87.
The variables are just for sake of convenience.
我有一个隐藏的问题,该问题仅显示在 PowerShell 中,而不显示在命令提示符上。
我从证书中复制了指纹,并删除了 Notepad++ 中的所有空格,但是它的前面仍然有一个隐藏的字符。
它看起来像这样:
.. certhash=dca41243...
实际上是
.. certhash="special char"dca41243...
I had a hidden issue that only showed in PowerShell, not on a command prompt.
I had copied a thumbprint from a certificate and removed all spaces in Notepad++, but it still had a hidden character in front.
It looked like this:
.. certhash=dca41243...
It was actually
.. certhash="special char"dca41243...
我试图使用 hostnameport 参数添加 IP 地址 和端口,所以我得到了这个参数错误。
netsh http add sslcert hostnameport="10.0.0.120:443"而不是:
netsh http add sslcert ipport="10.0.0.120:443"I was trying to add an IP address and port with the hostnameport parameter, so I got this parameter error.
netsh http add sslcert hostnameport="10.0.0.120:443"Instead of:
netsh http add sslcert ipport="10.0.0.120:443"我一定最终破坏了 Visual Studio 和 IIS Express 通过删除 localhost 证书。 我真的被困住了。 应用程序无法启动,我似乎无能为力来纠正这种断开连接(这就是让我开始进入这个线程的原因)。
我终于能够通过更改非 SSL URL 上分配的端口(.NET Core 应用程序)并禁用项目设置中的启用 SSL 复选框并重新开始。 然后,我可以使用以下命令添加新创建的证书:
netsh http add sslcert ipport=0.0.0.0:44392 appid={214124cd-d05b-4309-9af9-9caa44b2b74b} certhash=A0ADC1A1002F288CCFA96261F9F352D28C675A90。另请注意,
appid变量并不反映您的 Visual Studio 项目 AppID(或者至少不必如此)。 它只是一个任意的 GUID,根据 Scott Hanselmann:这对我来说并不明显,并且使得处理参数不正确错误变得更加模糊。
I must have ended up mangling the relationship between Visual Studio and IIS Express by deleting the localhost certificate. I was really stuck. The application wouldn't start and nothing I could do seemed to correct this disconnect (which is want brought me to this thread to begin with).
I was finally able to get over the issue by changing the assigned port on the non-SSL URL (
launchSettings.jsonin .NET Core applications) and disabling the Enable SSL checkbox in the project settings and taking a fresh start. I was then able to add my newly created cert with this command:netsh http add sslcert ipport=0.0.0.0:44392 appid={214124cd-d05b-4309-9af9-9caa44b2b74b} certhash=A0ADC1A1002F288CCFA96261F9F352D28C675A90.Also, note that the
appidvariable is not a reflection of your Visual Studio project AppID (or at least it doesn't have to be). It's just an arbitrary GUID, according to Scott Hanselmann:This was not obvious to me and made dealing with the parameter is incorrect error that much more obscure.
“-”并非无关紧要。
如果您的 GUID 与此不完全一样,您将收到不正确的参数错误:
{EDE3C891-306C-40fe-BAD4-895B236A1CC8}
vs.
EDE3C891306C40feBAD4895B236A1CC8 -> 错误
{EDE3C891306C40feBAD4895B236A1CC8} -> 错误
另外,我正在使用 IIS 的 appid 的 GUID,而不是随机的。
The "-"s are not irrelevant.
If your GUID doesn’t look exactly like this, you will get the incorrect parameter error:
{EDE3C891-306C-40fe-BAD4-895B236A1CC8}
vs.
EDE3C891306C40feBAD4895B236A1CC8 -> WRONG
{EDE3C891306C40feBAD4895B236A1CC8} -> WRONG
Also I’m using the GUID for the appid of IIS, not a random one.
我们将参数放在引号中(双引号,而不是单引号),这对我们很有帮助。 这样就完美运行了。
We have put the parameters in quotes (double quotes, not single), and this helped us. This way it worked perfectly.
就我而言,我将我的变量连接为 hostnameport 不正确,并且在从 PowerShell 运行时,该值周围的转义字符最终为我解决了问题。
In my case I was concatenating my variable for hostnameport incorrect and escaping characters around this value worked out for me in the end when running from PowerShell.