I hope this doesn't count as a necro, but I just figured out how to fully automate Let's Encrypt with the default webserver (no reverse proxy needed)
1. Getting your LE Certs
I used Let's Encrypt Windows Simple (https://github.com/Lone-Coder/letsencrypt-win-simple). Download it and run it. You'll want to set it to use its internal webserver for verification (it plays nice with the ScreenConnect webserver). It will also configure a scheduled task.
After that, it will save the certs to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org. The one of interest to me was remotesupport.mydomain-all.pfx - note this filename.
2. Modifying the SSL install script
Get ScreenConnect Configurator:
https://docs.connectwise...llation/SSL_Configurator
Next I had to modify the ScreenConnect SSL Configurator (to get rid of prompts, so it is automated). It extracts to %TEMP% when run and can be found in there. It goes without saying you need to move it out of %TEMP%.
The changes I made were
ScreenConnectConfigurator.cmd
Change the bottom to be:
Code:
set COMMAND=1
if "%COMMAND%"=="1" call ProcedureWindowsSslMenu.cmd
if "%COMMAND%"=="2" call ProcedureLinuxSslMenu.cmd
if "%COMMAND%"=="3" goto EXIT
rem goto PROMPT_COMMAND
This automates the first menu
ProcedureWindowsSslMenu.cmd
Code:
set COMMAND=5
if "%COMMAND%"=="0" start "" "openssl.exe"
if "%COMMAND%"=="1" call ProcedureChangeWorkingDirectory.cmd
if "%COMMAND%"=="2" call ProcedureChangeScreenConnectDirectory.cmd
if "%COMMAND%"=="3" call ProcedureGenerateCsr.cmd
if "%COMMAND%"=="4" call ProcedureWindowsApplyCert.cmd
if "%COMMAND%"=="5" call ProcedureWindowsInstallPfxFile.cmd
if "%COMMAND%"=="6" start "" "notepad.exe" "%TEMP%\%LOG_FILE%"
rem if "%COMMAND%"=="7" (goto EXIT) else ( goto PROMPT_COMMAND)
That automates the second menu
ProcedureWindowsInstallPfxFile.cmd
Here's the tricky one.
First, hardcode the PFX path instead of the set /p
Code:
set PFX_PATH="C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\remotesupport.mydomain-all.pfx"
Second, specify the password for the pfx file in the certutil command so it doesn't prompt for it. Unless you changed the letsencrypt-win-simple config file, by default the pfx password is blank.
Code:
certutil -f -p "" -importpfx "%PFX_PATH%"
Third, specify the pass again, slightly different for the openssl command
Code:
openssl pkcs12 -in "%PFX_PATH%" -nokeys -out "%TEMP%\ExtractedCert.cer" -passin pass:
This last step was needed for me, although it is probably not needed for most users. I run the relay off a separate internal IP so it can also use port 443. As such, the "webserveruri" command is bound to a specific internal IP and not to all interfaces. So the change I made was
Code:
rem call ProcedureWindowsModifyWebConfig.cmd "webserveruri=https://+:443/"
If you do this step you'll need to make sure that webserveruri is already setup properly
ProcedureWindowsBindCertificate.cmd
At the start of the file, add
Code:
netsh http delete sslcert 0.0.0.0:443
That will delete the previous certificate binding, otherwise an error will be thrown that one already exists.
Scheduled tasks
Modify the Windows scheduled task created by letsencrypt-win
Add the following:
Program: Point it to ScreenConnectConfigurator.cmd
Order it below the Let's Encrypt script
Add the following:
Program: net
Arguments: stop "ScreenConnect Web Server"
Move it to the top of the priority, above the Let's Encrypt commands
Then add another
Add the following:
Program: net
Arguments: start "ScreenConnect Web Server"
And make sure it is last
Finally, change the time so that it runs overnight and not 9am.
LE is fully automated and will renew by itself and install the certs
Hope this helps someone
Edited by user Saturday, November 25, 2017 4:33:19 AM (UTC) | Reason: formatting
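The post above drives the renewal by editing the Configurator's .cmd files. As an added example (not from the post, and not ScreenConnect's or letsencrypt-win-simple's own code), the same post-renewal work can be done by one PowerShell script scheduled after the Let's Encrypt task: import the PFX into LocalMachine\My, compare the bound thumbprint with the new one, replace the `netsh http` binding only when it changed, and always restart the web server service. The PFX path, blank default password, 0.0.0.0:443 binding and the "ScreenConnect Web Server" service name are taken from the post; the `appid` GUID and the log path are placeholders I chose and are not from the post.

```powershell
<#
  Added example: automated PFX import + HTTP.sys SSL rebind for ScreenConnect.
  Run elevated. Schedule it after the letsencrypt-win-simple renewal task instead of
  stopping/starting the service around the whole renewal.
  ASSUMPTIONS (not from the original post): $AppId is a placeholder GUID (netsh only
  needs a fixed GUID that identifies the owning application); $LogPath is arbitrary.
#>
[CmdletBinding()]
param(
    [string]$PfxPath     = 'C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\remotesupport.mydomain-all.pfx',
    [string]$PfxPassword = '',                      # letsencrypt-win-simple default is blank
    [string]$IpPort      = '0.0.0.0:443',
    [string]$ServiceName = 'ScreenConnect Web Server',
    [string]$AppId       = '{00000000-0000-0000-0000-000000000000}',   # PLACEHOLDER GUID
    [string]$LogPath     = "$env:ProgramData\sc-cert-renew.log"        # PLACEHOLDER path
)

function Write-Log([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -LiteralPath $LogPath -Value $line
    Write-Verbose $line
}

function Get-BoundCertHash([string]$Binding) {
    # Returns the thumbprint currently bound to ip:port, or $null when HTTP.sys has no binding.
    $out = netsh http show sslcert ipport=$Binding 2>&1 | Out-String
    if ($out -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') { return $Matches[1].ToUpper() }
    return $null
}

$stopped = $false
try {
    if (-not (Test-Path -LiteralPath $PfxPath)) { throw "PFX not found: $PfxPath" }

    # Same store certutil -importpfx uses when run elevated; key stays non-exportable.
    $secure = ConvertTo-SecureString -String $PfxPassword -AsPlainText -Force
    $cert   = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $secure
    if ($cert.NotAfter -lt (Get-Date)) { throw "Imported certificate already expired on $($cert.NotAfter)" }
    Write-Log "Imported $($cert.Subject) thumbprint $($cert.Thumbprint), valid to $($cert.NotAfter)"

    $current = Get-BoundCertHash $IpPort
    if ($current -eq $cert.Thumbprint.ToUpper()) {
        Write-Log "Binding on $IpPort already uses this thumbprint; nothing to do"
        return
    }

    Stop-Service -Name $ServiceName -Force
    $stopped = $true

    # netsh refuses to add over an existing binding, so delete first (only if one exists).
    if ($current) {
        netsh http delete sslcert ipport=$IpPort | Out-Null
        Write-Log "Removed previous binding $current on $IpPort"
    }
    $add = netsh http add sslcert ipport=$IpPort "certhash=$($cert.Thumbprint)" "appid=$AppId" 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "netsh add sslcert failed: $add" }
    Write-Log "Bound $($cert.Thumbprint) to $IpPort"
}
catch {
    Write-Log "ERROR: $_"
    exit 1
}
finally {
    # Never leave the site down: restart the web server whether or not the rebind succeeded.
    if ($stopped) { Start-Service -Name $ServiceName; Write-Log "Started $ServiceName" }
}
```

Because the script compares thumbprints before touching anything, it is safe to run on every renewal attempt (letsencrypt-win-simple only rewrites the PFX when it actually renews), and the log line per run gives a simple way to check that the binding really changed after a renewal.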