You can do letsencrypt stuff using python standard library, without touching pip and virtualenv. This is my own weekly cron script, unchanged since 2020, with openssl(which is usually preinstalled) and acme_tiny.py with system python. You can easily check what the script is doing by adding set -x and acme_tiny.py is quite readable too. Unlike the monstrosity above.

#!/bin/sh

set -eu

set -o pipefail

cd /home/letsencrypt

openssl verify -CAfile lets-encrypt-x3-cross-signed.pem -attime `date -d 'next month' '+%s'` mah_domain.crt | grep expired || exit 0

DT=`date "+%Y%m%d"`

python3 acme-tiny/acme_tiny.py --account-key account.key --csr mah_domain.csr --acme-dir /srv/www/mah_domain/htdocs/.well-known/acme-challenge/ > signed_${DT}.crt

curl -sO https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.p...

cat signed_${DT}.crt lets-encrypt-x3-cross-signed.pem > mah_domain_chained_${DT}.pem

mv mah_domain_chained_${DT}.pem mah_domain_chained.pem

mv signed_${DT}.crt mah_domain.crt

set +e

nginx -c /srv/nginx/conf/nginx.conf -s reload

The point of using '#!/usr/bin/env python3' is that you don't have to mess with virtual environments.

Using this exact shebang line signals "This script is intended to be executed directly (not a python module) and it only needs the python3 standard library."