Using Let’s Encrypt certificates with Windows Admin Center

Certificates from Let’s Encrypt have a very short lifetime and therefore need to be renewed often, so the renewal process has to be automated. This short guide shows how to acquire certificates and automate their renewal for use with Windows Admin Center. I will use Posh-ACME to get the certificates from Let’s Encrypt.

First of all we need to install the PowerShell module Posh-ACME from the PowerShell Gallery:

Install-Module -Name Posh-ACME

In order to use Posh-ACME you need to let the script make changes to your public DNS server, so that the DNS challenge can be answered. How to do this varies depending on your provider and is beyond the scope of this guide; see the Posh-ACME documentation: List-of-Supported-DNS-Providers

Download Windows Admin Center if you haven’t done so already. https://aka.ms/WindowsAdminCenter

Make sure to move your downloaded file to C:\Temp and make a note of the filename.

In a production environment the following steps should be performed as a separate (batch/script) account. Posh-ACME saves its settings in the user profile, and the renewal needs to run as a scheduled task under the same account. You do not want to schedule that task with your regular user.

# Specify the environment to acquire certificates from (LE_PROD is the Let's Encrypt production environment, LE_STAGE is the test environment).
Set-PAServer LE_PROD

# Credentials for the DNS plugin (Cloudflare in this example); the keys depend on the plugin you use, see the Posh-ACME plugin documentation.
$pArgs = @{ CFAuthEmail='xxx.domain.tlc'; CFAuthKey='xxx' }

# Acquire the certificate (-Install puts it in the local machine certificate store):
$newCert = New-PACertificate 'HOSTNAME' -AcceptTOS -Install -Contact [email protected] -DnsPlugin Cloudflare -PluginArgs $pArgs

# Specify the path to the Windows Admin Center installer:
$msiFile = "C:\Temp\WindowsAdminCenter1904.msi"

# Install silently, listen on port 1080 and use the already installed certificate identified by its thumbprint:
Start-Process msiexec.exe -Wait -ArgumentList "/i $msiFile /qn /L*v c:\temp\log.txt SME_PORT=1080 SME_THUMBPRINT=$($newCert.Thumbprint) SSL_CERTIFICATE_OPTION=installed"

Once installed, you should be able to access Windows Admin Center at the following URL: https://HOSTNAME:1080

If you prefer a manual install, you can specify the thumbprint of the certificate in the installer. You will find it in the variable $newCert.Thumbprint after you have acquired the certificate.

This short script checks whether the certificate is due for renewal and renews it if needed; it then configures Windows Admin Center with the new certificate and removes the old certificate.

# Update existing certificate
# This task should be scheduled to run every day (or something similar)

# Specify the domain name to update:
$wacDomain = "HOSTNAME"

# Get the current certificate (captured before renewal so the old one can be removed afterwards):
$currentCert = Get-Item Cert:\LocalMachine\My\* | Where-Object Subject -like "CN=$wacDomain"

# Specify the environment (LE_PROD for production, LE_STAGE for test)
Set-PAServer LE_PROD

# Select the order to renew
Set-PAOrder -MainDomain $wacDomain

# Submit the renewal. Submit-Renewal returns nothing when the certificate is not yet due for renewal.
$newCert = Submit-Renewal
if ($null -ne $newCert)
{
    # At least one new certificate was returned:
    foreach ($c in $newCert)
    {
        # Check that the returned certificate covers the domain name specified:
        if ($c.AllSANs -contains $wacDomain)
        {
            # Find the MSI package for Windows Admin Center.
            # Note: querying Win32_Product makes Windows Installer run a consistency check on every installed MSI package, so this is slow; acceptable for a once-a-day task.
            $wac = Get-WmiObject Win32_Product | Select-Object IdentifyingNumber, Name, LocalPackage | Where-Object Name -eq "Windows Admin Center"

            if ($null -ne $wac)
            {
                # Bind the new certificate to the service by re-running the installer with the new thumbprint
                Start-Process msiexec.exe -Wait -ArgumentList "/i $($wac.LocalPackage) /qn /L*v c:\script\log.txt SME_PORT=1080 SME_THUMBPRINT=$($c.Thumbprint) SSL_CERTIFICATE_OPTION=installed"

                # When upgrading WAC, the firewall rule may be deleted. Recreate it only if it is missing, so the task does not add a duplicate rule on every run.
                if (-not (Get-NetFirewallRule -DisplayName "SmeInboundOpenException" -ErrorAction SilentlyContinue))
                {
                    New-NetFirewallRule -DisplayName "SmeInboundOpenException" -Description "Windows Admin Center inbound port exception" -Direction Inbound -LocalPort 1080 -RemoteAddress Any -Protocol TCP -Action Allow
                }

                # Restart Windows Admin Center
                Restart-Service ServerManagementGateway -Force
            }

            # Remove the old certificate(s) from the certificate store, but never the one just issued
            foreach ($old in @($currentCert | Where-Object Thumbprint -ne $c.Thumbprint))
            {
                Remove-Item $old.PSPath
            }
        }
    }
}
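As an added check, not part of the original guide or of Posh-ACME: a function that confirms the certificate HTTP.sys actually serves on the Windows Admin Center port is present in the machine store, is issued for the host name, and is not close to expiry, so a silently failing renewal task is noticed before the site goes down. It assumes port 1080 and HOSTNAME from the guide, English netsh output, and a 20-day warning threshold of my own choosing.

```powershell
# Added example, not code from the guide. Function name and WarnDays are assumptions.
function Test-WacCertificateBinding {
    param(
        [string]$HostName = "HOSTNAME",
        [int]$Port = 1080,
        [int]$WarnDays = 20   # renewal normally happens ~30 days before expiry; fewer days than this means it has been failing
    )
    $result = [ordered]@{ Port = $Port; Thumbprint = $null; Subject = $null; DaysLeft = $null; Ok = $false; Message = "" }

    # Ask HTTP.sys which certificate is bound to the port (the binding the MSI configures via SME_THUMBPRINT).
    # Assumes English netsh output; the "Certificate Hash" label differs on localized systems.
    $binding = (netsh http show sslcert "ipport=0.0.0.0:$Port") -join "`n"
    if ($binding -notmatch 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
        $result.Message = "No SSL binding found on port $Port"
        return [pscustomobject]$result
    }
    $result.Thumbprint = $Matches[1].ToUpper()

    # The bound thumbprint must resolve to a certificate in the machine store
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $result.Thumbprint
    if (-not $cert) {
        $result.Message = "Bound certificate $($result.Thumbprint) is not in Cert:\LocalMachine\My"
        return [pscustomobject]$result
    }
    $result.Subject  = $cert.Subject
    $result.DaysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

    # Name check: the subject CN or a SAN entry must match the host name clients connect to
    $nameOk = ($cert.Subject -eq "CN=$HostName") -or ($cert.DnsNameList.Unicode -contains $HostName)

    if (-not $nameOk) {
        $result.Message = "Bound certificate is issued to '$($cert.Subject)', not to $HostName"
    } elseif ($result.DaysLeft -lt 0) {
        $result.Message = "Certificate expired $(-$result.DaysLeft) day(s) ago; the renewal task is not working"
    } elseif ($result.DaysLeft -lt $WarnDays) {
        $result.Message = "Only $($result.DaysLeft) day(s) left; check the renewal task log"
    } else {
        $result.Ok = $true
        $result.Message = "OK: $($result.Thumbprint) valid for $($result.DaysLeft) more day(s)"
    }
    return [pscustomobject]$result
}

Test-WacCertificateBinding | Format-List
```

Schedule it after the renewal task and alert on Ok = $false; the returned object is easy to write to the event log or a monitoring system.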

If you install it on port 443, be aware that this will stop anything else using port 443 from working, including any websites running on IIS.
If this happens, use the two lines below to remove the SSL binding for port 443:

netsh http delete sslcert ipport=0.0.0.0:443
netsh http delete urlacl url=https://+:443/

Be sure to check that any websites in IIS have the correct certificate bindings in place.