为Ubuntu 16.04 添加永久免费https SSL证书（解决python2.7

SSL证书这么贵，自签名证书这么不受浏览器待见，为什么不用Let’s encrypt免费证书呢？而且这个证书基本上一键生成，下面是方法。

下载let’s encrypt客户端

git clone https://github.com/certbot/certbot

进入下载的目录，执行自动脚本：

./certbot-auto --apache -d abc.com -d www.abc.com

输入email之类的信息，就可以完成了！！！
检测一下看看：https://www.ssllabs.com/ssltest/analyze.html?d=abc.com&latest
是最高等级的评级！

IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at:   /etc/letsencrypt/live/abc.com/fullchain.pem   Your key file has been saved at:   /etc/letsencrypt/live/abc.com/privkey.pem   Your cert will expire on 2018-02-02. To obtain a new or tweaked   version of this certificate in the future, simply run certbot-auto   again with the "certonly" option. To non-interactively renew *all*   of your certificates, run "certbot-auto renew" - Your account credentials have been saved in your Certbot   configuration directory at /etc/letsencrypt. You should make a   secure backup of this folder now. This configuration directory will   also contain certificates and private keys obtained by Certbot so   making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by:   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate   Donating to EFF:                    https://eff.org/donate-le

证书更新

./certbot-auto certonly --apache --renew-by-default -d abc.com -d www.abc.com

转发一个自动更新的脚本：

#!/bin/bash#================================================================# Let's Encrypt renewal script for Apache on Ubuntu/Debian# @author Erika Heidi<erika@do.co># Usage: ./le-renew.sh [base-domain-name]#================================================================domain=$1le_path='/opt/letsencrypt'le_conf='/etc/letsencrypt'exp_limit=30;get_domain_list(){        certdomain=$1        config_file="$le_conf/renewal/$certdomain.conf"        if [ ! -f $config_file ] ; then                echo "[ERROR] The config file for the certificate $certdomain was not found."                exit 1;        fi        domains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")        last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')        if [ "${last_char}" = "," ]; then                domains=$(echo "${domains}" |awk '{print substr($0, 1, length-1)}')        fi        echo $domains;}if [ -z "$domain" ] ; then        echo "[ERROR] you must provide the domain name for the certificate renewal."        exit 1;ficert_file="/etc/letsencrypt/live/$domain/fullchain.pem"if [ ! -f $cert_file ]; then        echo "[ERROR] certificate file not found for domain $domain."        exit 1;fiexp=$(date -d "`openssl x509 -in $cert_file -text -noout|grep "Not After"|cut -c 25-`" +%s)datenow=$(date -d "now" +%s)days_exp=$(echo \( $exp - $datenow \) / 86400 |bc)echo "Checking expiration date for $domain..."if [ "$days_exp" -gt "$exp_limit" ] ; then        echo "The certificate is up to date, no need for renewal ($days_exp days left)."        exit 0;else        echo "The certificate for $domain is about to expire soon. Starting renewal request..."        domain_list=$( get_domain_list $domain )        "$le_path"/letsencrypt-auto certonly --apache --renew-by-default --domains "${domain_list}"        echo "Restarting Apache..."        /usr/sbin/service apache2 reload        echo "Renewal process finished for domain $domain"        exit 0;fi

两个问题：

• 一键生成SSL证书的脚本是用python 2写的，然后oj需要python3的支持。如何在SSL证书到期自动生成的脚本中加入python2 、3之间的自动转换（即生成证书前把python3转到python2，生成自动转3）
• http强制跳转https有何潜在问题

第一个问题：

certbot脚本基于python2，当系统里有python2 和python3时，会报错：

OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2Let's Encrypt returned an error status. Aborting.

解决方法1是升级pip，参考前3步：
https://github.com/interbrite/letsencrypt-vesta/issues/46#issuecomment-273014451

解决方法2,3是更新系统语言或者apt按照letsencrypt，更新语言尝试了但是没用。apt安装？～看着太混乱，没试：
https://github.com/certbot/certbot/issues/4062#issuecomment-273236106

解决办法4，重新安装virtualenv环境（有效）：
先卸载：

apt-get purge python-virtualenv python3-virtualenv virtualenv

再安装：

pip install virtualenv

注意，安装在python2环境下，运行certbot命令后又会安装virtualenv环境

切换python2/3，点这里。