#1 Posted : Thursday, August 11, 2016 11:27:29 PM(UTC)

Has anyone successfully used Let's Encrypt to get working certs for ScreenConnect? When you use Let's Encrypt you get 4 files: cert.pem, chain.pem, fullchain.pem and privkey.pem. I looked around for a bit but didn't see any way to get the PEM files into the correct PVK format that ScreenConnect needs. Has anyone done this? I would like to automate the process if possible.

#2 Posted : Thursday, August 11, 2016 11:48:55 PM(UTC)

Found it. If anyone needs to use it, here it is.


openssl rsa -in privkey.pem -outform PVK -out private.pvk -pvk-none
#3 Posted : Tuesday, September 13, 2016 4:25:10 PM(UTC)

Thanks for linking this.

Were you able to automate the whole process? Can you share how you did it?
#4 Posted : Monday, January 16, 2017 3:58:03 PM(UTC)

I run my screenconnect on an EC2 instance (Linux/Mono).

I ran a small apache server to get the initial certs.

After ten hours of trying to convert the certs for ScreenConnect's use, I gave up. I just do proxying through Apache, and use regex to handle forcing everyone to the HTTPS port.

The below code does nothing but preserve URLs and push the visitor from HTTP to HTTPS. It belongs in the Apache configuration file for the proxied site, not in a .htaccess file.

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

I've done this with both Virtualmin and Apachefriends.org - quite a bit simpler and easier than modifying the certs for ScreenConnect's use.

The ScreenConnect configurator kept crapping out trying to convert the intermediate certs, claimed the second intermediate cert lacked the "trusted" moniker.
P.P.S. Really, ScreenConnect, you need to fix this. It should be simple to do, hell's jingling bells, SSL should be required.
#5 Posted : Thursday, April 27, 2017 4:55:46 PM(UTC)


+1 for Windows Server 2012.
#6 Posted : Friday, June 9, 2017 7:12:03 PM(UTC)


Okay... guys... figured it out... and it's almost painless.

First, I used this document (https://docs.connectwise.com/ConnectWise_Control_Documentation/On-premises/Advanced_setup/SSL_certificate_installation/Install_and_bind_an_SSL_certificate_on_a_Windows_server) for the manual installation of an SSL with ScreenConnect/ConnectWiseControl.

Second, I used letsencrypt-win-simple (version 1.9.3). You can get that here (https://github.com/Lone-Coder/letsencrypt-win-simple).

So, here is what we do.

1) Unzip letsencrypt-win-simple.Vx.x.x (where x.x.x is the version number) to the desktop or other location (for this, I put it right on my desktop).
2) Run letsencrypt-win-simple from the location you unzipped it into (as administrator).
3) Select "M" for "Generate a certificate manually".
4) Follow the prompts... enter the hostname, enter your email address (if it's the first time running it) and agree to the terms (if it's the first time running it).
5) When prompted for the site path, you will use the installation location of ScreenConnect/ConnectWiseControl. Default is, I believe, "C:\Program Files (x86)\ScreenConnect\" (don't forget the trailing "\" in your path).
** At this point, the script should have made a ".well-known" directory under your ScreenConnect/ConnectWiseControl directory and should have authorized you to get certificates **
6) Once done, you will have some certificates... but, ScreenConnect/ConnectWiseControl isn't using them yet. And, they are in a goofy place.
7) Navigate to %userprofile%\appdata\Roaming\letsencrypt-win-simple which is where your certificates are saved. Letsencrypt-win-simple should have already installed the certificate onto your system in the COMPUTER ACCOUNT certificate store.
8) Now, you need to find the thumbprint of the certificate. You can do it manually (see instructions by ScreenConnect/ConnectWiseControl), if you like, or copy/paste the script below. This will put a document on your desktop called thumbprint.txt

GET THUMBPRINT SCRIPT (edit it for your needs)
--- START ---
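' Path to the .der certificate written by letsencrypt-win-simple (edit the file name)
const certpath = "%USERPROFILE%\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\[your certificate name].der"
dim objShell, objStdOut, objFSO, objFile
dim strLine, resString, outFile

set objShell = CreateObject("WScript.Shell")
' Output file: thumbprint.txt on the current user's desktop
outFile = objShell.SpecialFolders("Desktop") & "\thumbprint.txt"

' Expand %USERPROFILE% and quote the path in case it contains spaces
set objStdOut = objShell.Exec("certutil """ & objShell.ExpandEnvironmentStrings(certpath) & """").StdOut

' Keep the value from the last output line that contains "(sha1)"
while not objStdOut.AtEndOfStream
    strLine = objStdOut.ReadLine
    if InStr(strLine, "(sha1)") > 0 then resString = trim(split(strLine, ":")(1))
wend

' Remove the spaces certutil prints between the bytes of the hash
resString = Replace(resString, " ", "")

set objFSO = CreateObject("Scripting.FileSystemObject")
set objFile = objFSO.CreateTextFile(outFile, True)
objFile.Write resString
objFile.Close

wscript.echo resString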
--- END ---

** Now you have a registered email address, a verified domain, certificate files, a certificate thumbprint and an installed certificate (into the COMPUTER ACCOUNT certificate store)

9) Now we need to bind the certificate for ScreenConnect/ConnectWiseControl's web server. As per the documentation we need to run this command line:
--- START ---
netsh http add sslcert ipport= certhash=[ your thumbprint from the thumbprint.txt file ] appid={00000000-0000-0000-0000-000000000000}
--- END ---

10) Now we need to edit the web.config file, located in the ScreenConnect/ConnectWiseControl directory. You SHOULD MAKE A BACKUP BEFORE YOU EDIT IT.
11) Search for the string "WebServerListenUri" in the web.config file.
12) Edit the line to be
<add key="WebServerListenUri" value="https://+:443/" />
and not (anymore)
<add key="WebServerListenUri" value="http://+:80/" />
13) Save the web.config file.
14) Go to services and restart the ScreenConnect Web Server service (you can restart your machine if you like).

That's it.
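
Steps 8 to 14 of the post above, collected into one script for use after each renewal. This is an added example: it is not part of the original post and is not ConnectWise or letsencrypt-win-simple code. The host name, the `0.0.0.0:443` binding and the two certificate stores searched are assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
param(
    [string]$HostName   = 'support.example.com',                  # placeholder host name
    [string]$InstallDir = 'C:\Program Files (x86)\ScreenConnect', # default path given in step 5
    [string]$IpPort     = '0.0.0.0:443',                          # assumption: all IPv4 addresses, port 443
    [string]$Service    = 'ScreenConnect Web Server'              # service name given in step 14
)
$ErrorActionPreference = 'Stop'

# Step 8: pick the newest unexpired certificate for the host that has a private key.
# Searching both My and WebHosting is an assumption about where the ACME client installed it.
$cert = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -ErrorAction SilentlyContinue |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid certificate with a private key found for $HostName" }
$store = ($cert.PSParentPath -split '\\')[-1]   # store the certificate was found in

# Step 9: the thumbprint changes on every renewal, so drop the old binding before adding the new one.
# The delete is allowed to fail when no binding exists yet.
netsh http delete sslcert "ipport=$IpPort" | Out-Null
netsh http add sslcert "ipport=$IpPort" "certhash=$($cert.Thumbprint)" `
    "appid={00000000-0000-0000-0000-000000000000}" "certstorename=$store"
if ($LASTEXITCODE -ne 0) { throw "netsh could not bind the certificate (exit code $LASTEXITCODE)" }

# Steps 10 to 13: back up web.config, then point WebServerListenUri at HTTPS.
$configPath = Join-Path $InstallDir 'web.config'
Copy-Item $configPath "$configPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($configPath)
$node = $xml.SelectSingleNode("//add[@key='WebServerListenUri']")
if (-not $node) { throw "WebServerListenUri not found in $configPath" }
$node.SetAttribute('value', 'https://+:443/')
$xml.Save($configPath)

# Step 14: restart the web server service so it picks up the new listen URI.
Restart-Service -DisplayName $Service

# Report what was bound so a scheduled run leaves a record of thumbprint and expiry.
[pscustomobject]@{
    HostName   = $HostName
    Store      = $store
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
}
```

Running `netsh http show sslcert` afterwards should list the binding with the thumbprint the script reported.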
