
Adding a permanently free HTTPS SSL certificate on Ubuntu 16.04 (solving the python2.7

SSL certificates are expensive and self-signed certificates are distrusted by browsers, so why not use a free Let's Encrypt certificate? It is essentially generated with one command; the steps are below.

Download the Let's Encrypt client

git clone https://github.com/certbot/certbot

Change into the cloned directory and run the automatic script:

./certbot-auto --apache -d abc.com -d www.abc.com
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/abc.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/abc.com/privkey.pem
   Your cert will expire on 2018-02-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Certificate renewal

First switch to Python 2 (to switch between python2 and python3, click here)

./certbot-auto certonly --apache --renew-by-default -d abc.com -d www.abc.com

Reposting an automatic renewal script:

#!/bin/bash
#================================================================
# Let's Encrypt renewal script for Apache on Ubuntu/Debian
# @author Erika Heidi <[email protected]>
# Usage: ./le-renew.sh [base-domain-name]
#================================================================

domain=$1
le_path='/opt/letsencrypt'
le_conf='/etc/letsencrypt'
exp_limit=30            # renew when no more than this many days remain

# Read the "domains = a, b," line of the certificate's renewal config and
# strip the trailing comma so the list can be passed back to --domains.
get_domain_list(){
    certdomain=$1
    config_file="$le_conf/renewal/$certdomain.conf"

    if [ ! -f "$config_file" ] ; then
        echo "[ERROR] The config file for the certificate $certdomain was not found."
        exit 1
    fi

    domains=$(grep --only-matching --perl-regex "(?<=domains \= ).*" "${config_file}")
    last_char=$(echo "${domains}" | awk '{print substr($0,length,1)}')

    if [ "${last_char}" = "," ]; then
        domains=$(echo "${domains}" | awk '{print substr($0, 1, length-1)}')
    fi

    echo "$domains"
}

if [ -z "$domain" ] ; then
    echo "[ERROR] you must provide the domain name for the certificate renewal."
    exit 1
fi

cert_file="/etc/letsencrypt/live/$domain/fullchain.pem"

if [ ! -f "$cert_file" ]; then
    echo "[ERROR] certificate file not found for domain $domain."
    exit 1
fi

# Expiry date read straight from the certificate; -enddate prints "notAfter=<date>",
# which is more robust than cutting a fixed column out of the -text dump.
exp=$(date -d "$(openssl x509 -in "$cert_file" -noout -enddate | cut -d= -f2)" +%s)
datenow=$(date -d "now" +%s)
days_exp=$(( (exp - datenow) / 86400 ))

echo "Checking expiration date for $domain..."

if [ "$days_exp" -gt "$exp_limit" ] ; then
    echo "The certificate is up to date, no need for renewal ($days_exp days left)."
    exit 0
else
    echo "The certificate for $domain is about to expire soon. Starting renewal request..."
    domain_list=$( get_domain_list "$domain" )
    "$le_path"/letsencrypt-auto certonly --apache --renew-by-default --domains "${domain_list}"
    echo "Restarting Apache..."
    /usr/sbin/service apache2 reload
    echo "Renewal process finished for domain $domain"
    exit 0
fi
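As an added example (not part of the original post or of Erika Heidi's script), here is the decision logic of the renewal script above split into functions that can be checked offline: the expiry-threshold check and the parser for the "domains = ..." line of a renewal conf, including the trailing comma the script has to special-case. It assumes GNU date and the older renewal-conf layout the script greps for; the conf file it reads is constructed inline.

```shell
#!/bin/bash
# Added example, not the original post's script. Requires GNU date.

# Days between a "Not After" date as printed by `openssl x509 -enddate`
# (e.g. "Feb  2 00:00:00 2018 GMT") and a reference date (default: now).
# Everything is evaluated in UTC so DST cannot shift the result by a day.
days_until_expiry() {
    local not_after="$1" now="${2:-now}"
    local exp_s now_s
    exp_s=$(date -u -d "$not_after" +%s) || return 2
    now_s=$(date -u -d "$now" +%s) || return 2
    echo $(( (exp_s - now_s) / 86400 ))
}

# Success (exit 0) when renewal is due: days left is at or below the limit.
# The original script renews when days_exp is NOT greater than exp_limit,
# so the boundary day itself triggers a renewal.
renewal_due() {
    local days="$1" limit="${2:-30}"
    [ "$days" -le "$limit" ]
}

# Pull the domain list out of a renewal conf and drop the trailing comma
# that older certbot versions wrote after the last domain.
domain_list_from_conf() {
    local conf="$1"
    sed -n 's/^domains = //p' "$conf" | sed 's/,[[:space:]]*$//'
}

# Constructed sample renewal conf in the older format the script parses.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# renew_before_expiry = 30 days
version = 0.10.2
[renewalparams]
authenticator = apache
domains = abc.com, www.abc.com,
EOF

# Walk through one check on the constructed data.
demo() {
    local days
    days=$(days_until_expiry 'Feb  2 00:00:00 2018 GMT' '2018-01-03 00:00:00 UTC')
    if renewal_due "$days" 30; then
        echo "renewal due ($days days left) for: $(domain_list_from_conf "$SAMPLE_CONF")"
    else
        echo "certificate fine, $days days left"
    fi
}
```

On a live system the same functions apply to the output of `openssl x509 -noout -enddate -in /etc/letsencrypt/live/abc.com/fullchain.pem | cut -d= -f2`.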

Two problems:

  • The one-command SSL certificate script is written in Python 2, but the OJ needs Python 3 support. How can automatic switching between Python 2 and 3 be added to the script that regenerates the certificate on expiry (i.e. switch from python3 to python2 before generating the certificate, and switch back to python3 once it is generated)?
  • What are the potential problems of forcing HTTP to redirect to HTTPS?

The first problem:

The certbot script is based on Python 2; when both python2 and python3 are installed on the system, it fails with:

OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
Let's Encrypt returned an error status. Aborting.

Solution 4: reinstall the virtualenv environment (this works):
Uninstall first:

apt-get purge python-virtualenv python3-virtualenv virtualenv

Then reinstall:

pip install virtualenv

Note: install it under the Python 2 environment; running the certbot command afterwards will install the virtualenv environment again.

To switch between python2 and python3, click here