While looking at moving away from purchased certificates towards free Let’s Encrypt generated certificates, Lansweeper posed a bit of an issue when using IIS Express.
Following Lansweeper’s SSL instructions, automating the process means generating a certificate, installing it, and then adding its thumbprint to a config file.
The PowerShell script below uses Posh-ACME with Cloudflare DNS verification to generate the certificate and then uses a regex replace to swap the certificate’s thumbprint into the Lansweeper config file.
```powershell
##-- Import Posh-ACME Module --##
Import-Module -Name Posh-ACME
##-- set the server. LE_STAGE or LE_PROD --##
Set-PAServer LE_PROD
##-- set up letsencrypt account if it doesn't already exist --##
If (!(Get-PAAccount)) {
    New-PAAccount -AcceptTOS -Contact "<--email address for contact-->"
}
##-- set up cloudflare (the token is stored in plain text in this script) --##
$CloudFlareToken = @{ CFTokenInsecure = '<--cloudflare token-->' }
##-- generate the certificate using DNS verification through CloudFlare --##
##-- the placeholder is quoted so the script parses; replace it with the Lansweeper host name --##
New-PACertificate '<--lansweeper URL-->' -DnsPlugin Cloudflare -PluginArgs $CloudFlareToken -Force
##-- let's get the source of the pfx certificate --##
$PAPFXCert = Get-PACertificate | Select-Object PfxFile
##-- set the certificate password ("poshacme" is the Posh-ACME default PFX password) --##
$Password = ConvertTo-SecureString -String "poshacme" -AsPlainText -Force
##-- import the certificate & grab the result --##
$PAPFXImport = Import-PfxCertificate -FilePath $PAPFXCert.PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $Password
##-- get the certificate object --##
$CertObj = Get-ChildItem "Cert:\LocalMachine\My\$($PAPFXImport.Thumbprint)"
##-- get the thumbprint of the certificate --##
$CertThumb = $CertObj.Thumbprint
##-- stop the IIS Express service --##
Stop-Service "IIS Express service"
##-- replace the thumbprint in the config --##
##-- path of the lansweeper config --##
$lansweeperConfig = "C:\Program Files (x86)\Lansweeper\IISexpress\IISExpressSvc.exe.config"
##-- read in the contents of the lansweeper config --##
$lansweeperConfigRead = Get-Content -Path $lansweeperConfig
##-- create the text to swap in to the config containing the new thumbprint --##
$lansweeperConfigReplacedText = "add key=`"CertificateThumbPrint`" value=`"$($CertThumb)`""
##-- replace the old thumbprint text with the new --##
##-- match only from "add key" to the closing quote of the value, so the "<" before it and the "/>" after it stay in place --##
$lansweeperConfigReplace = $lansweeperConfigRead -replace "add key=\`"CertificateThumbPrint\`" value=\`"[^`"]*\`"", $lansweeperConfigReplacedText
##-- write the replaced config back --##
Set-Content -Path $lansweeperConfig -Value $lansweeperConfigReplace
##-- start the IIS Express service --##
Start-Service "IIS Express service"
```
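The script edits the config as text with a regex; an XML-aware update can also check the thumbprint format and refuse to write when the key is missing or duplicated. This is an added example, not part of the original script: `Set-ConfigThumbprint`, the `.bak` backup copy and the layout of the sample config are assumptions.

```powershell
# Added example. Set-ConfigThumbprint is a hypothetical helper, not a Lansweeper or Posh-ACME cmdlet.
function Set-ConfigThumbprint {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Thumbprint
    )
    # A certificate store thumbprint (SHA-1) is exactly 40 hex characters; reject anything else
    if ($Thumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Not a valid certificate thumbprint: '$Thumbprint'"
    }
    $fullPath = (Resolve-Path -Path $Path).Path   # .NET needs an absolute path
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true               # keep the file's layout intact
    $xml.Load($fullPath)                          # throws if the file is not well-formed XML

    # Match on the key attribute only, wherever the element sits in the file
    $nodes = $xml.SelectNodes("//add[@key='CertificateThumbPrint']")
    if ($nodes.Count -ne 1) {
        throw "Expected exactly one CertificateThumbPrint key, found $($nodes.Count)"
    }
    $node = $nodes.Item(0)
    if ($node.GetAttribute('value') -eq $Thumbprint) { return $false }   # already current

    Copy-Item -Path $fullPath -Destination "$fullPath.bak" -Force        # rollback copy
    $node.SetAttribute('value', $Thumbprint.ToUpperInvariant())
    $xml.Save($fullPath)
    return $true
}

# Constructed sample config (assumed layout) so the example runs without Lansweeper installed
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'IISExpressSvc.exe.config'
@'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="CertificateThumbPrint" value="0000000000000000000000000000000000000000" />
  </appSettings>
</configuration>
'@ | Set-Content -Path $demo -Encoding UTF8

Set-ConfigThumbprint -Path $demo -Thumbprint ('ab' * 20)   # constructed thumbprint, returns True
Get-Content -Path $demo                                    # the "<add ... />" element is still intact
```

In the renewal script the call would sit between `Stop-Service` and `Start-Service`, with `$lansweeperConfig` and `$CertThumb` as the arguments.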
1 Comment
Zach H · December 28, 2020 at 7:42 pm
I found this blog post because a client of mine wanted to migrate away from the (now annual) cert renewal with our university CA to something that could be automated, so naturally I turned to letsencrypt. Just a heads up for any users who have lansweeper set up on windows server using the full IIS system, rather than IIS express, you can use the github project win-acme, and if port 80 is open, the http-01 verification method, to do this as well. We were already using IIS, so win-acme was a very easy and straightforward method.