Welcome Guest! To enable all features please Login or Register.



Go to last post Go to first unread
#1 Posted : Thursday, August 11, 2016 11:27:29 PM(UTC)

Rank: Advanced Member

Medals: ScreenConnect Advisor: Focus Group MemberLevel 1: Random Act of Kindness! Received One Thanks!

Joined: 12/10/2011(UTC)
Posts: 132

Thanks: 4 times
Was thanked: 6 time(s) in 6 post(s)
Has anyone successfully used Letsencrypt to get working certs for screenconnect? When you use lets encrypt you get 4 files cert.pem chain.pem fullchain.pem privkey.pem. I looked around for a bit but didn't see any way to get the pem files into the correct pvk format that screenconnect needs. Has anyone done this? I would like to automate the process if possible.

#2 Posted : Thursday, August 11, 2016 11:48:55 PM(UTC)

Rank: Advanced Member

Medals: ScreenConnect Advisor: Focus Group MemberLevel 1: Random Act of Kindness! Received One Thanks!

Joined: 12/10/2011(UTC)
Posts: 132

Thanks: 4 times
Was thanked: 6 time(s) in 6 post(s)
Found it. If anyone needs to use it here it is.


openssl rsa -in privkey.pem -outform PVK -out private.pvk -pvk-none
#3 Posted : Tuesday, September 13, 2016 4:25:10 PM(UTC)

Rank: Newbie

Joined: 3/26/2015(UTC)
Posts: 1

Thanks: 2 times
Thanks for linking this.

Were you able to automate the whole process? Can you share how you did it?
#4 Posted : Monday, January 16, 2017 3:58:03 PM(UTC)

Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 10/31/2014(UTC)
Posts: 14

Was thanked: 2 time(s) in 1 post(s)
I run my screenconnect on an EC2 instance (Linux/Mono).

I ran a small apache server to get the initial certs.

After ten hours of trying to convert the certs for screenconnects' use, I gave up. I just do proxying through apache, and use regex to handle forcing everyone to the https port.

The below code does nothing but preserve URLS and push the visitor from HTTP to HTTPS. It belongs in the apache configuration file for the proxied site, not in a .htaccess file.

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I've done this with both Virtualmin and [url=Apachefriends.org]Apachefriends.org[/url] - quite a bit simpler and easier than modifying the certs for Screenconnect's use.

The screenconnect configurator kept crapping out trying to convert the intermediate certs, claimed the second intermediate cert lacked the "trusted" moniker.
P.P.S Really, screenconnect, you need to fix this. It should be simple to do, hell's jingling bells, SSL should be required.
#5 Posted : Thursday, April 27, 2017 4:55:46 PM(UTC)

Rank: Newbie

Joined: 11/16/2015(UTC)
Posts: 2
United States
Location: Chicopee

+1 for Windows Server 2012.
#6 Posted : Friday, June 9, 2017 7:12:03 PM(UTC)

Rank: Newbie

Joined: 5/23/2012(UTC)
Posts: 5
Location: Milwaukee, WI

Okay... guys... figured it out... and it's almost painless.

First, I used this document (https://docs.connectwise.com/ConnectWise_Control_Documentation/On-premises/Advanced_setup/SSL_certificate_installation/Install_and_bind_an_SSL_certificate_on_a_Windows_server) for the manual installation of an SSL with ScreenConnect/ConnectWiseControl.

Second, I used letsencrypt-win-simple (version 1.9.3). You can get that here (https://github.com/Lone-Coder/letsencrypt-win-simple).

So, here is what we do.

1) Unzip letsencrypt-win-simple.Vx.x.x (whereas x.x.x is the version number) to the desktop or other location (for this, I put it right on my desktop).
2) Run letsencrypt-win-simple from the location you unzipped it into (as administrator).
3) Select "M" for "Generate a certificate manually".
4) Follow the prompts... enter the hostname, enter your email address (if it's the first time running it) and agree to the terms (if it's the first time running it).
5) When prompted for the site path, you will use the installation location of ScreenConnect/ConnectWiseControl. Default is, I believe, "C:\Program Files (x86)\ScreenConnect\" (don't forget the trailing "\" in your path).
** At this point, the script should have made a ".well-known" directory under your ScreenConnect/ConnectWiseControl directory and should have authorized you to get certificates **
6) Once done, you will have some certificates... but, ScreenConnect/ConnectWiseControl isn't using them yet. And, they are in a goofy place.
7) Navigate to %userprofile%\appdata\Roaming\letsencrypt-win-simple which is where your certificates are saved. Letsencrypt-win-simple should have already installed the certificate onto your system in the COMPUTER ACCOUNT certificate store.
8) Now, you need to find the thumbprint of the certificate. You can do it manually (see instructions by ScreenConnect/ConnectWiseControl), if you like, or copy/paste the script below. This will put a document on your desktop called thumbprint.txt

GET THUMBPRINT SCRIPT (edit it for your needs)
--- START ---
const certpath = "%USERPROFILE%\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\[your certificate name].der"
dim objStdOut
dim strLine, resString

set objStdOut = CreateObject("WScript.Shell").Exec("certutil " & certpath).StdOut

while not objStdOut.AtEndOfStream
strLine = objStdOut.ReadLine
if InStr(strLine, "(sha1)") > 0 then resString = trim(split(strLine, ":")(1))

resString = Replace(resString, " ", "")

Set objFSO=CreateObject("Scripting.FileSystemObject")

Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write resString

wscript.echo resString
--- END ---

** Now you have a registered email address, a verified domain, certificate files, a certificate thumbprint and an installed certificate (into the COMPUTER ACCOUNT certificate store)

9) Now we need to bind the certificate for ScreenConnect/ConnectWiseControl's web server. As per the documentation we need to run this command line:
--- START ---
netsh http add sslcert ipport= certhash=[ your thumbprint from the thumbprint.txt file ] appid={00000000-0000-0000-0000-000000000000}
--- END ---

10) Now we need to edit the web.config file, located in the ScreenConnect/ConnectWiseControl directory. You SHOULD MAKE A BACKUP BEFORE YOU EDIT IT.
11) Search for the string "WebServerListenUri" in the web.config file.
12) Edit the line to be
<add key="WebServerListenUri" value="https://+:443/" />
and not (anymore)
<add key="WebServerListenUri" value="http://+:80/" />
13) Save the web.config file.
14) To to services and restart the ScreenConnect Web Server service (you can restart your machine if you like).

That's it.

#7 Posted : Friday, October 20, 2017 7:49:54 PM(UTC)

Rank: Guest

Joined: 10/20/2017(UTC)
Posts: 2
United States

This is great. But what happens in 3 months when the cert expires? How many of these steps must be repeated to renew the cert?
#8 Posted : Wednesday, October 25, 2017 9:11:15 PM(UTC)

Rank: Member

Medals: ScreenConnect Advisor: Focus Group MemberLevel 1: Random Act of Kindness! Received One Thanks!

Joined: 10/17/2011(UTC)
Posts: 18
United States
Location: Topeka, KS

Thanks: 1 times
Was thanked: 1 time(s) in 1 post(s)
That script was really useful, but having to paste the thumbprint into a batch file by hand and then run it elevated was both annoying and error prone, so I did a little enhancement to it.

The following vbs script finds the downloaded cert from letsencrypt and runs netsh to register it so that ScreenConnect can use it.

It can't be completely run non-interactive since the netsh command has to be run elevated (run as administrator) so, the first if statement checks that you are, and if not, asks for permission.

Also, if you're one of those annoying admins who turns off Wscript, I can't help you. You could program this in Perl or Python or something, but VBS works fine for me.

Don't miss editing the code to change the path where letsencrypt saved the cert and where your output files will be. The script defaults to the output files being on your desktop.

Save the following somewhere as RegisterCert.vbs (or whatever name you like)

' Ensure script is being run elevated (as administrator)

If WScript.Arguments.Length = 0 Then
  Set ObjShell = CreateObject("Shell.Application")
  ObjShell.ShellExecute "wscript.exe" _
    , """" & WScript.ScriptFullName & """ RunAsAdministrator", , "runas", 1
End if

' Change this to reflect where your certificate files got put
certpath = "C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\support.tbcsoftware.com-crt.der"

' Decide where the output files will be. Default is thisUser's Desktop
' you can hard code it by eding the next line and commenting out the 
' following. 

' outPath = "C:\Users\myUserName\Desktop\"
Set WshShell = WScript.CreateObject("WScript.Shell")
outPath=WshShell.ExpandEnvironmentStrings( "%USERPROFILE%\Desktop\" )
Set WshShell = nothing

' ok stuff is configured now. 

dim objStdOut
dim strLine, objShell, oExec, objFile, wsShell

crlf = chr(13) + chr(10)

set objStdOut = CreateObject("WScript.Shell").Exec("certutil " & certpath).StdOut

while not objStdOut.AtEndOfStream
strLine = objStdOut.ReadLine
if InStr(strLine, "(sha1)") > 0 then resString = trim(split(strLine, ":")(1))

resString = Replace(resString, " ", "")

Set objFSO=CreateObject("Scripting.FileSystemObject")

outFile=outPath + "thumbprint.txt"
Set objFile = objFSO.CreateTextFile(outFile,True)
objFile.Write resString

batFile=outPath + "RegisterCert.bat"
Set objFile = objFSO.CreateTextFile(batFile,True)
netCommand="netsh http add sslcert ipport= certhash=" + resString + " appid={00000000-0000-0000-0000-000000000000}"
objFile.Write netCommand + crlf
objFile.Write "IF %ERRORLEVEL% NEQ 0 SET /A errno^|=%ERRORLEVEL%" + crlf
'Comment out the next line to have the batch file run without user interaction.
objFile.Write "pause " + crlf
objFile.Write "EXIT /B %errno%" + crlf

Set objShell = wscript.createobject("wscript.shell")
intReturn=objShell.Run( batFile, 1, true)
If intReturn <> 0 Then
	Wscript.Echo "netsh command returned an error, run the batch file interactively to see it."
	resultText = "No Errors. Ran netsh, created thumbprint.txt and RegisterCert.bat for " + resString
	wscript.echo resultText

End If

Set objShell = Nothing

-_ Rick
Sr. Developer
TBC Software
#9 Posted : Saturday, November 25, 2017 3:19:25 AM(UTC)

Rank: Guest

Joined: 11/25/2017(UTC)
Posts: 1
Location: Perth WA

I hope this doesn't count as a necro, but I just figured out how to fully automate Let's Encrypt with the default webserver (no reverse proxy needed)

1. Getting your LE Certs
I used Let's Encrypt Windows Simple (https://github.com/Lone-Coder/letsencrypt-win-simple). Download it and run it. You'll want to set it to use its internal webserver for verification. (plays nice with the ScreenConnect webserver). It will also configure a scheduled task

After that, it will save the certs to C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org. The one of interest to me was remotesupport.mydomain-all.pfx - note this filename

2. Modifying the SSL install script
Get ScreenConnect Configurator: https://docs.connectwise...llation/SSL_Configurator

Next I had to modify the ScreenConnect SSL Configurator (to get rid of prompts, so it is automated). It extracts to %TEMP% when run and can be found in there. It goes without saying you need to move it out of %TEMP%.

The changes I made were


Change the bottom to be:

if "%COMMAND%"=="1" call ProcedureWindowsSslMenu.cmd
if "%COMMAND%"=="2" call ProcedureLinuxSslMenu.cmd
if "%COMMAND%"=="3" goto EXIT

This automates the first menu


 set COMMAND=5
if "%COMMAND%"=="0" start "" "openssl.exe"
if "%COMMAND%"=="1" call ProcedureChangeWorkingDirectory.cmd
if "%COMMAND%"=="2" call ProcedureChangeScreenConnectDirectory.cmd
if "%COMMAND%"=="3" call ProcedureGenerateCsr.cmd
if "%COMMAND%"=="4" call ProcedureWindowsApplyCert.cmd
if "%COMMAND%"=="5" call ProcedureWindowsInstallPfxFile.cmd
if "%COMMAND%"=="6" start "" "notepad.exe" "%TEMP%\%LOG_FILE%"
rem if "%COMMAND%"=="7" (goto EXIT) else ( goto PROMPT_COMMAND)

That automates the second menu

Here's the tricky one

First, hardcode the PFX path instead of the set /p

set PFX_PATH="C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\remotesupport.mydomain-all.pfx"

Second, specify the password for the pfx file in the certutil command so it doesn't prompt for it. Unless you changed the letsencrypt-win-simple config file, by default the pfx password is blank.

certutil -f -p "" -importpfx "%PFX_PATH%"

Third, specify the pass again, slightly different for the openssl command

openssl pkcs12 -in "%PFX_PATH%" -nokeys -out "%TEMP%\ExtractedCert.cer" -passin pass:

This last step was needed for me, although probably is not needed for most users. I run the relay off a seperate internal IP so it can also use port 443. As such, the "webserveruri" command is bound to a specific internal IP and not to all interfaces. So the change I made was

rem call ProcedureWindowsModifyWebConfig.cmd "webserveruri=https://+:443/"

If you do this step you'll need to make sure that webserveruri is already setup properly


At the start of the file, add

netsh http delete sslcert

That will delete the previous certificate binding, otherwise an error will be thrown that one already exists.

Scheduled tasks
Modify the Windows scheduled task created by letsencrypt-win

Add the following:
Program: Point it to ScreenConnectConfigurator.cmd

Order it below the Let's Encrypt script

Add the following:
Program: net
Arguments: stop "ScreenConnect Web Server"

Move it to the top of the priority, above the Let's Encrypt commands

Then add another

Add the following:

Program: net
Arguments: start "ScreenConnect Web Server"

And make sure it is last

Finally, change the time so that it runs overnight and not 9am.

LE is fully automated and will renew by itself and install the certs

Hope this helps someone

Edited by user Saturday, November 25, 2017 4:33:19 AM(UTC)  | Reason: formatting

#10 Posted : Saturday, December 2, 2017 6:39:16 PM(UTC)

Rank: Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 4/26/2014(UTC)
Posts: 30
Location: RN

Thanks: 3 times
Was thanked: 1 time(s) in 1 post(s)
Here's something I cooked up for using AutoSSL/LE certs in a WHM server. (https://github.com/Cacasapo/SC_LE_WHM/)
Cron it to run once or twice per day.


# Slacker 2017 - Use and modify at your own risk.
# Script for using certificates in a WHM install with Screenconnect.
# Screenconnect must already be configured to use SSL. 
# Schedule to run 1-2 times per day if using LE/AutoSSL.



mkdir /tmp/sc_le
chmod 700 /tmp/sc_le
cd /tmp/sc_le

csplit -k -f both $COMBINED '/END CERTIFICATE/+1' {1}  > /dev/null 2>&1
csplit -k -f split both00 '/END /+1' {1}  > /dev/null 2>&1
mv split00 $KEY_NAME
mv split01 $CERT_NAME

C2=$(cksum  $CERT_NAME | colrm 16)

	if [[ "$C1" != "$C2" ]]
			openssl rsa -in "$KEY_NAME" -inform PEM -outform PVK -pvk-none -out "$SCREENCONNECT_SSL_PORT.pvk"
			[[ ! -d "$HTTPLISTENER_DIRECTORY/backup" ]] && mkdir $HTTPLISTENER_DIRECTORY/backup
			service screenconnect restart
rm -fr /tmp/sc_le

#11 Posted : Tuesday, December 5, 2017 5:31:34 PM(UTC)

Rank: Newbie

Joined: 8/17/2015(UTC)
Posts: 3
United States

Wondering if anybody has figured out an easy way to get this set up on a linux server? I've been messing with it for 2 days now and have yet to make any progress...
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.