
ScreenConnect LetsEncrypt Certificate Automatic Renewal for Free

Do you run a self-hosted ConnectWise ScreenConnect server on Windows? If so, you have probably wished you could stop renewing its TLS certificate by hand, since ConnectWise has declined to add renewal automation to the product. This post documents how to provision LetsEncrypt certificates for ScreenConnect and renew them automatically, for free!

If you want the full README and the small script it references, go directly to the folder in my GitHub repository; otherwise, read on through the portion of the README copied here to confirm it fits your situation before jumping over.

Context and Background

With a self-hosted ConnectWise ScreenConnect server, the alternative to renewing a purchased TLS/SSL certificate by hand every year is to issue certificates from LetsEncrypt and renew them automatically. ConnectWise has declined to build this into the product, and because the application runs its own web server rather than IIS, the certificate must be bound to that server yourself, both initially and after every renewal. This script is written for Windows and is NOT relevant for Linux or macOS, where older versions of ScreenConnect ran and where automating this process is better documented online (note also that ConnectWise only supports SSO on Windows servers, which matters to some people).

Introduction and Overview

There were many possible options, libraries, and methods, but no simple, straightforward installation process that had been tested on modern Windows versions with the default ScreenConnect web server configuration and that did not involve proxies or third parties like CloudFlare. So I assembled this process, which requires only the well-written, easy-to-use, and frequently updated win-acme tool plus a tiny script to install the certificate. Hopefully it provides the push to stop renewing ScreenConnect certificates manually!

What this is not

This process assumes you already have an operational ScreenConnect installation on your own self-hosted server, configured with a valid TLS certificate, perhaps issued by RapidSSL or another certificate authority from which you buy certificates and manually retrieve and install them, and that you'd like to switch to LetsEncrypt certificates instead.

It also assumes you want LetsEncrypt configured for TLS on ScreenConnect's built-in web server, not behind a proxy run by a third party like CloudFlare or by you with nginx or Caddy, so it does not walk you through a proxied setup. Finally, it assumes you have already locked down the server's TLS settings yourself (protocol versions and cipher suites) and validated them with a service like Qualys SSL Labs, so that only modern, secure TLS configurations are accepted; swapping the certificate does not change those settings, so they need to be right before you start.

Alternate Solutions

We will assume you will not use a self-signed certificate. That is not a real option for a public server: clients cannot validate it against any trusted authority, so every user sees a certificate warning and is trained to click through it, which is exactly the habit an attacker presenting a forged certificate relies on.

  1. Use a third-party tool like CertifyTheWeb to obtain and renew a certificate from LetsEncrypt. This should work and is well documented, but as of this writing costs approximately $60 per year, substantially more than a basic RapidSSL certificate (though with RapidSSL you'd still spend the time renewing it manually).
  2. Write your own PowerShell or command-line script to obtain and renew a certificate from LetsEncrypt and apply it to ScreenConnect. There are various PowerShell modules for ACME v2 that would work. The solution here is close to that: it uses the free third-party tool win-acme to obtain and renew the certificate, and win-acme then calls the command-line script provided here, which removes the old certificate binding and installs the new one for ScreenConnect to use.

My Solution

win-acme and installation script

The script I've created in the ScreenConnect folder of my MSP Scripts GitHub repository, BindNewScreenConnectCert.cmd (the installation script that win-acme runs after obtaining the certificate), should be placed in the same folder as the extracted win-acme zip file contents.

Download the zip file from the win-acme website to the Windows server where ScreenConnect is running, and place the extracted contents in a permanent location; the scheduled renewal task win-acme creates runs wacs.exe from wherever it was set up, so don't leave it in a temporary folder. You may wish to create a folder like C:\certs to hold the files, or use an existing location. I'm using C:\certs\win-acme-pluggable in this example; copy mine or choose your own. The executable that matters is C:\certs\win-acme-pluggable\wacs.exe, or the same file inside the extracted zip on your system.

For the remaining directions and the ScreenConnect stop, rebind, and restart script, which I tested at install time and, as of today, can confirm completed its first automatic renewal 60 days later with no manual intervention, see the folder in my GitHub repository!
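The stop, rebind, restart step described above, as an added illustrative PowerShell example. This is not the author's BindNewScreenConnectCert.cmd and not win-acme's own code. It assumes (my assumptions, not stated on the page) that ScreenConnect serves HTTPS through HTTP.sys on 0.0.0.0:443, that its Windows service is named "ScreenConnect Web Server", that win-acme has stored the new certificate in LocalMachine\My, and that win-acme invokes the script with its {CertThumbprint} and {OldCertThumbprint} script-parameter placeholders; the appid GUID is a hypothetical constant:

```powershell
# Added example: PowerShell equivalent of the "stop, rebind, restart" step.
# Not the author's BindNewScreenConnectCert.cmd and not part of win-acme.
# Assumptions (mine): HTTPS binding on 0.0.0.0:443 owned by HTTP.sys, service
# name "ScreenConnect Web Server", certificate stored in LocalMachine\My, and
# win-acme calling this as:  Rebind-ScreenConnectCert.ps1 {CertThumbprint} {OldCertThumbprint}
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string]$NewThumbprint,

    [string]$OldThumbprint = '',
    [string]$IpPort        = '0.0.0.0:443',
    [string]$ServiceName   = 'ScreenConnect Web Server',
    # appid is only an owner tag inside HTTP.sys; any fixed GUID works (hypothetical value)
    [string]$AppId         = '{4dc3e181-e14b-4a21-b022-59fc669b0914}'
)

$ErrorActionPreference = 'Stop'

# 1. Refuse to touch the binding unless the new certificate is actually usable:
#    present in the machine store, with a private key, and not already expired.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction SilentlyContinue
if (-not $cert)                    { throw "Certificate $NewThumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate $NewThumbprint has no private key; HTTP.sys cannot serve it" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $NewThumbprint already expired on $($cert.NotAfter)" }

# 2. Stop the web server so the binding change is picked up cleanly on restart.
Stop-Service -Name $ServiceName

try {
    # 3. Drop whatever HTTP.sys currently has bound on this ip:port.
    #    netsh exits non-zero if nothing is bound, which is fine on a first run.
    $null = & netsh http delete sslcert "ipport=$IpPort"

    # 4. Bind the new certificate by thumbprint.
    $addOutput = & netsh http add sslcert "ipport=$IpPort" "certhash=$NewThumbprint" "appid=$AppId" "certstorename=MY"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed: $($addOutput -join ' ')" }

    # 5. Verify that HTTP.sys now reports the new hash (netsh prints it in lowercase;
    #    -match is case-insensitive, so the uppercase thumbprint compares directly).
    $shown = (& netsh http show sslcert "ipport=$IpPort") -join "`n"
    if ($shown -notmatch [regex]::Escape($NewThumbprint)) {
        throw "Binding verification failed; HTTP.sys reports:`n$shown"
    }
}
finally {
    # 6. Always bring the service back, even if the rebind failed, so the server is not left down.
    Start-Service -Name $ServiceName
}

# 7. Housekeeping: remove the superseded certificate so the store does not accumulate
#    old private keys. Skipped when win-acme passes an empty or identical thumbprint.
if ($OldThumbprint -and ($OldThumbprint -ne $NewThumbprint)) {
    Remove-Item -Path "Cert:\LocalMachine\My\$OldThumbprint" -ErrorAction SilentlyContinue
}

Write-Output "Bound $NewThumbprint ($($cert.Subject)) to $IpPort; valid until $($cert.NotAfter)"
```

Both netsh http and Stop-Service need an elevated session, which the scheduled task win-acme creates provides; when testing by hand, run it from an administrator prompt with the thumbprint of the certificate currently installed, then open the ScreenConnect site in a browser and confirm the served certificate's thumbprint and expiry match what the script printed. If your win-acme configuration stores the certificate somewhere other than LocalMachine\My, adjust the store path in step 1 and the certstorename in step 4 to match, otherwise the pre-flight check will refuse to bind.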