Looking at moving away from purchased certificate towards free Let’s Encrypt generated certificates, Lansweeper posed a bit of an issue when using ISS Express

Following Lansweeper’s SSL instructions to automate the process, a certificate would need to be generated, installed and then it’s thumbprint added to a config file.

The below Powershell script uses Posh-ACME with Cloudflare DNS verification to generate the certificate and then regex replaces the certificate’s thumbprint in the Lansweeper config file.

##– Import Posh-ACME Module –##
Import-Module Name PoshACME
##– set the server. LE_STAGE or LE_PROD –##
Set-PAServer LE_PROD
##– set up letsencrypt acount if it doesn't already exist –##
If(!(Get-PAAccount)){
New-PAAccount AcceptTOS Contact "<–email address for contact–>"
}
##– set up cloudflare –##
$CloudFlareToken = @{ CFTokenInsecure = '<–cloudflare token–>' }
##– generate the certificate setting using DNS verification through CloudFlare –##
New-PACertificate <lansweeper URL> DnsPlugin Cloudflare PluginArgs $CloudFlareToken Force
##– let's get the source of the pfx certificate –##
$PAPFXCert = Get-PACertificate | Select PfxFile
##– set the certificate password –##
$Password = ConvertTo-SecureString String "poshacme" AsPlainText Force
##– import the certificate & grab the result –##
$PAPFXImport = Import-PfxCertificate FilePath $PAPFXCert.PfxFile CertStoreLocation Cert:\LocalMachine\My Password $Password
##– get the certificate object –##
$CertObj= Get-ChildItem "Cert:\LocalMachine\my\$($PAPFXImport.Thumbprint)"
##– get the thumbprint of the certificate –##
$CertThumb = $CertObj.Thumbprint
##– stop the IIS Express service –##
Stop-Service "IIS Express service"
##– replace the thumbprint in the config –##
##– path of the lansweeper config –##
$lansweeperConfig = "C:\Program Files (x86)\Lansweeper\IISexpress\IISExpressSvc.exe.config"
##– read in the contents of the lansweeper config –##
$lansweeperConfigRead = Get-Content Path $lansweeperConfig
##– create the text to swap in to the config containing the new thumbprint –##
$lansweeperConfigReplacedText = "add key=`"CertificateThumbPrint`" value=`"$($CertThumb)`""
##– replace the old thumbprint text with the new –##
$lansweeperConfigReplace = $lansweeperConfigRead -replace ".*\`"CertificateThumbPrint\`" value=\`".*\`"",$lansweeperConfigReplacedText
##– write the replaced config back –##
Set-Content Path $lansweeperConfig Value $lansweeperConfigReplace
##– start the IIS Express service –##
Start-Service "IIS Express service"
Categories: Powershell

1 Comment

Zach H · December 28, 2020 at 7:42 pm

I found this blog post because a client of mine wanted to migrate away from the (now annual) cert renewal with our university CA to something that could be automated, so naturally I turned to letsencrypt. Just a heads up for any users who have lansweeper set up on windows server using the full IIS system, rather than IIS express, you can use the github project win-acme, and if port 80 is open, the http-01 verification method, to do this as well. We were already using IIS, so win-acme was a very easy and straightforward method.

Leave a Reply

Avatar placeholder

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.