While looking at moving away from purchased certificates towards free Let’s Encrypt certificates, Lansweeper posed a bit of an issue.

To automate the process described in Lansweeper’s SSL instructions, a certificate needs to be generated and installed, and then its thumbprint added to a config file.

The PowerShell script below uses Posh-ACME with Cloudflare DNS verification to generate the certificate, then uses a regex to replace the certificate’s thumbprint in the Lansweeper config file.

##-- Import Posh-ACME Module --##
Import-Module -Name Posh-ACME 

##-- set the server. LE_STAGE or LE_PROD --##
Set-PAServer LE_PROD

##-- set up Let's Encrypt account if it doesn't already exist --##
If(!(Get-PAAccount)){
    New-PAAccount -AcceptTOS -Contact "<--email address for contact-->"
}

##-- set up cloudflare --##
$CloudFlareToken = @{ CFTokenInsecure = '<--cloudflare token-->' }

##-- generate the certificate using DNS verification through Cloudflare --##
New-PACertificate '<--lansweeper URL-->' -DnsPlugin Cloudflare -PluginArgs $CloudFlareToken -Force

##-- let's get the source of the pfx certificate --##
$PAPFXCert = Get-PACertificate | Select PfxFile

##-- set the certificate password ("poshacme" is Posh-ACME's default PFX password) --##
$Password = ConvertTo-SecureString -String "poshacme" -AsPlainText -Force

##-- import the certificate & grab the result --##
$PAPFXImport = Import-PfxCertificate -FilePath $PAPFXCert.PfxFile -CertStoreLocation Cert:\LocalMachine\My -Password $Password

##-- get the certificate object --##
$CertObj= Get-ChildItem "Cert:\LocalMachine\my\$($PAPFXImport.Thumbprint)"

##-- get the thumbprint of the certificate --##
$CertThumb = $CertObj.Thumbprint

##-- stop the IIS Express service --##
Stop-Service "IIS Express service"

##-- replace the thumbprint in the config --##
    
    ##-- path of the lansweeper config --##
    $lansweeperConfig = "C:\Program Files (x86)\Lansweeper\IISexpress\IISExpressSvc.exe.config"

    ##-- read in the contents of the lansweeper config --##
    $lansweeperConfigRead = Get-Content -Path $lansweeperConfig

    ##-- create the text to swap in to the config containing the new thumbprint --##
    $lansweeperConfigReplacedText = "    
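
The thumbprint swap described above, written as an added example that is not the original post's code. The function name `Update-ConfigThumbprint` is hypothetical, and because the page does not show the name of the config key, the example locates the old thumbprint by its shape, assuming it is the only 40-hex-character run in the file and that the file is UTF-8.

```powershell
# Added example, not the original post's code. Update-ConfigThumbprint is a hypothetical name.
function Update-ConfigThumbprint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][string]$NewThumbprint
    )
    $ErrorActionPreference = 'Stop'

    # A certificate thumbprint is a SHA-1 hash: exactly 40 hex characters.
    if ($NewThumbprint -notmatch '^[0-9A-Fa-f]{40}$') {
        throw "Not a valid thumbprint: $NewThumbprint"
    }
    $new = $NewThumbprint.ToUpperInvariant()

    # Refuse to reference a certificate that is missing, expired or lacks its private key.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$new"
    if (-not $cert.HasPrivateKey) { throw "Certificate $new has no private key." }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $new has expired." }

    $text = Get-Content -Path $ConfigPath -Raw

    # Assumption: the old thumbprint is the only standalone 40-hex-character run in the file.
    $pattern = '(?<![0-9A-Fa-f])[0-9A-Fa-f]{40}(?![0-9A-Fa-f])'
    $found = @([regex]::Matches($text, $pattern) |
        ForEach-Object { $_.Value.ToUpperInvariant() } | Sort-Object -Unique)
    if ($found.Count -ne 1) {
        throw "Expected one thumbprint in $ConfigPath, found $($found.Count)."
    }
    if ($found[0] -eq $new) { return $false }   # config already references this certificate

    # Keep a timestamped backup so a bad edit can be rolled back.
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

    # -replace is case-insensitive, so a lower-case old thumbprint is matched too.
    $updated = $text -replace $found[0], $new

    # .exe.config files are XML; the cast throws if the edit left the file malformed.
    $null = [xml]$updated

    # Assumption: the config file is UTF-8 encoded.
    Set-Content -Path $ConfigPath -Value $updated -Encoding UTF8 -NoNewline
    return $true
}

# Usage with the variables from the script above:
# Update-ConfigThumbprint -ConfigPath $lansweeperConfig -NewThumbprint $CertThumb
```

The function returns `$false` when the config already references the new certificate and throws before touching the file if any check fails, so a scheduled renewal cannot leave the service pointing at an unusable certificate.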

1 Comment

Zach H · December 28, 2020 at 7:42 pm

I found this blog post because a client of mine wanted to migrate away from the (now annual) cert renewal with our university CA to something that could be automated, so naturally I turned to Let’s Encrypt. Just a heads up for any users who have Lansweeper set up on Windows Server using the full IIS system, rather than IIS Express, you can use the GitHub project win-acme, and if port 80 is open, the http-01 verification method, to do this as well. We were already using IIS, so win-acme was a very easy and straightforward method.
