diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
index 435fd6b5..49173b4b 100644
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
@@ -44,6 +44,8 @@ jobs:
 steps:
 - name: checkout code
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v2
 - name: Extract Docker metadata
diff --git a/Dockerfile b/Dockerfile
index 3f400283..7523f0af 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.17
+FROM alpine:3.21
 RUN apk --no-cache add -f \
 openssl \
@@ -22,7 +22,11 @@ ARG AUTO_UPGRADE=1
 ENV AUTO_UPGRADE=$AUTO_UPGRADE
 #Install
-COPY ./ /install_acme.sh/
+COPY ./acme.sh /install_acme.sh/acme.sh
+COPY ./deploy /install_acme.sh/deploy
+COPY ./dnsapi /install_acme.sh/dnsapi
+COPY ./notify /install_acme.sh/notify
+
 RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/
diff --git a/acme.sh b/acme.sh
index f03d79d4..dd21785d 100755
--- a/acme.sh
+++ b/acme.sh
@@ -5005,9 +5005,11 @@ $_authorizations_map"
 _debug "Writing token: $token to $wellknown_path/$token"
- mkdir -p "$wellknown_path"
-
- if ! printf "%s" "$keyauthorization" >"$wellknown_path/$token"; then
+ # Ensure .well-known is visible to web server user/group
+ # https://github.com/Neilpang/acme.sh/pull/32
+ if ! (umask ugo+rx &&
+ mkdir -p "$wellknown_path" &&
+ printf "%s" "$keyauthorization" >"$wellknown_path/$token"); then
 _err "$d: Cannot write token to file: $wellknown_path/$token"
 _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
 _clearup
@@ -5984,7 +5986,7 @@ _installcert() {
 ); then
 _info "$(__green "Reload successful")"
 else
- _err "Reload error for: $Le_Domain"
+ _err "Reload error for: $_main_domain"
 fi
 fi
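Review bot: `persist-credentials: false` keeps the GITHUB_TOKEN out of the checkout's git config, but the third-party action on the same step list, `docker/setup-qemu-action@v2`, is still referenced by a mutable tag, so the job can still pick up new code from that repository with no diff in this file. Pin every `uses:` to a full commit SHA and keep the tag in a trailing comment for readability, e.g. `uses: docker/setup-qemu-action@FULL_COMMIT_SHA # v2`. The `steps:` list continues past this hunk, so the metadata/login/push steps that follow deserve the same treatment if they are tag-pinned too.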
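Review bot: With `acme.sh` now copied in explicitly, the `[ -f /install_acme.sh/acme.sh ] && ... || curl https://get.acme.sh | sh` branch on the RUN line can no longer be reached after a successful COPY, yet it still leaves an unpinned, unverified remote script as an install path the image would take if that test ever failed, and `curl` without `-f` would pipe an HTTP error page into `sh`. Now that the inputs are explicit, drop the fallback so the build fails loudly instead of fetching code off the network: `RUN cd /install_acme.sh && /install_acme.sh/acme.sh --install && rm -rf /install_acme.sh/`. That presumes `--install` needs nothing from the repository beyond the four paths copied here; confirm against the installer, since the wildcard COPY it replaced used to bring everything.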
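Review bot: Putting `umask ugo+rx` first in the `&&` chain makes the whole token write fail, and report `Cannot write token to file`, on any shell whose `umask` rejects symbolic modes (I have not confirmed every sh acme.sh targets accepts it), which would be a regression where the old `mkdir -p` + `printf` worked; the mask also only shapes directories `mkdir -p` creates in this call, so a `.well-known` tree that already exists with restrictive modes from earlier runs is left untouched. If the intent is best-effort, make the umask non-fatal: `if ! (umask ugo+rx 2>/dev/null; mkdir -p "$wellknown_path" && printf "%s" "$keyauthorization" >"$wellknown_path/$token"); then`. The PR link is useful, but a one-line why would save the next reader a lookup: `# challenge dir and token file must be world-readable so the web server (running as another user) can serve them`. The enclosing function starts and ends outside this hunk.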
@@ -7018,7 +7020,7 @@ Parameters:
 --accountconf Specifies a customized account config file.
 --home Specifies the home dir for $PROJECT_NAME.
- --cert-home Specifies the home dir to save all the certs, only valid for '--install' command.
+ --cert-home Specifies the home dir to save all the certs.
 --config-home Specifies the home dir to save all the configurations.
 --useragent Specifies the user agent string. it will be saved for future use too.
 -m, --email Specifies the account email, only valid for the '--install' and '--update-account' command.
diff --git a/deploy/ruckus.sh b/deploy/ruckus.sh
index f62e2fc0..d0fa4c3d 100755
--- a/deploy/ruckus.sh
+++ b/deploy/ruckus.sh
@@ -116,6 +116,30 @@ ruckus_deploy() {
 _H2="X-CSRF-Token: $(_response_header 'HTTP_X_CSRF_TOKEN')"
 export _H2
+ if _isRSA "$_ckey" >/dev/null 2>&1; then
+ _debug "Using RSA certificate."
+ else
+ _info "Verifying ECC certificate support."
+
+ _ul_version="$(_get_unleashed_version)"
+ if [ -z "$_ul_version" ]; then
+ _err "Your controller doesn't support ECC certificates. Please deploy an RSA certificate."
+ return 1
+ fi
+
+ _ul_version_major="$(echo "$_ul_version" | cut -d . -f 1)"
+ _ul_version_minor="$(echo "$_ul_version" | cut -d . -f 2)"
+ if [ "$_ul_version_major" -lt "200" ]; then
+ _err "ZoneDirector doesn't support ECC certificates. Please deploy an RSA certificate."
+ return 1
+ elif [ "$_ul_version_minor" -lt "13" ]; then
+ _err "Unleashed $_ul_version_major.$_ul_version_minor doesn't support ECC certificates. Please deploy an RSA certificate or upgrade to Unleashed 200.13+."
+ return 1
+ fi
+
+ _debug "ECC certificates OK for Unleashed $_ul_version_major.$_ul_version_minor."
+ fi
+
 _info "Uploading certificate"
 _post_upload "uploadcert" "$_cfullchain"
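Review bot: The version gate trusts whatever `_get_unleashed_version` scraped off the controller, but `[ ... -lt ... ]` with a non-numeric operand errors out and returns false rather than matching, so a version string that is not `N.N...` (an unexpected page, for instance) skips both `_err` branches and falls through to `ECC certificates OK` and the upload; a single-component value such as `200` also makes `cut -d . -f 2` return the whole string, which then passes the minor check. Tighten the emptiness test into a shape check so only a parseable version proceeds: `if ! printf "%s" "$_ul_version" | _egrep_o '^[0-9][0-9]*\.[0-9][0-9]*' >/dev/null 2>&1; then`, keeping the `_err`/`return 1` that follow, and consider including `$_ul_version` in that `_err` so the user sees what was actually received. `_egrep_o` is the same helper `_get_unleashed_version` relies on elsewhere in this change. `ruckus_deploy` starts and ends outside this hunk.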
@@ -145,6 +169,10 @@ _response_cookie() {
 _response_header 'Set-Cookie' | sed 's/;.*//'
 }
+_get_unleashed_version() {
+ _post '' "$_base_url/_cmdstat.jsp" | _egrep_o "version-num=\"[^\"]*\"" | cut -d '"' -f 2
+}
+
 _post_upload() {
 _post_action="$1"
 _post_file="$2"
diff --git a/dnsapi/dns_hetzner.sh b/dnsapi/dns_hetzner.sh
old mode 100644
new mode 100755
index 5a9cf2d9..f1bddc61
--- a/dnsapi/dns_hetzner.sh
+++ b/dnsapi/dns_hetzner.sh
@@ -212,7 +212,7 @@ _get_root() {
 _response_has_error() {
 unset _response_error
- err_part="$(echo "$response" | _egrep_o '"error":{[^}]*}')"
+ err_part="$(echo "$response" | _egrep_o '"error":\{[^\}]*\}')"
 if [ -n "$err_part" ]; then
 err_code=$(echo "$err_part" | _egrep_o '"code":[0-9]+' | cut -d : -f 2)
diff --git a/notify/ntfy.sh b/notify/ntfy.sh
index 650d1c74..21e39559 100644
--- a/notify/ntfy.sh
+++ b/notify/ntfy.sh
@@ -4,6 +4,7 @@
 #NTFY_URL="https://ntfy.sh"
 #NTFY_TOPIC="xxxxxxxxxxxxx"
+#NTFY_TOKEN="xxxxxxxxxxxxx"
 ntfy_send() {
 _subject="$1"
@@ -23,6 +24,12 @@ ntfy_send() {
 _saveaccountconf_mutable NTFY_TOPIC "$NTFY_TOPIC"
 fi
+ NTFY_TOKEN="${NTFY_TOKEN:-$(_readaccountconf_mutable NTFY_TOKEN)}"
+ if [ "$NTFY_TOKEN" ]; then
+ _saveaccountconf_mutable NTFY_TOKEN "$NTFY_TOKEN"
+ export _H1="Authorization: Bearer $NTFY_TOKEN"
+ fi
+
 _data="${_subject}. $_content"
 response="$(_post "$_data" "$NTFY_URL/$NTFY_TOPIC" "" "POST" "")"
diff --git a/notify/telegram.sh b/notify/telegram.sh
index cca8ee25..ccbd1533 100644
--- a/notify/telegram.sh
+++ b/notify/telegram.sh
@@ -4,6 +4,7 @@
 #TELEGRAM_BOT_APITOKEN=""
 #TELEGRAM_BOT_CHATID=""
+#TELEGRAM_BOT_URLBASE=""
 telegram_send() {
 _subject="$1"
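Review bot: `_get_unleashed_version` prints nothing for every failure mode — a failed or rejected `_post`, a session that was never established, or a page without a `version-num=` attribute — and its caller turns that empty string into a definitive "doesn't support ECC certificates", so a transient HTTP problem is reported as a capability problem. A header comment would at least make that contract explicit: `# Print the controller version parsed from the version-num attribute of _cmdstat.jsp; prints nothing if the request fails or the attribute is absent (callers cannot tell the two apart).` Style: the pattern reads more easily single-quoted, `_egrep_o 'version-num="[^"]*"'`, which is byte-identical after shell quoting and avoids the doubled escapes. It also depends on `$_base_url` and the exported `_H2` set inside `ruckus_deploy`, outside this hunk.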
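Review bot: Inside a bracket expression a backslash is literal, so the new `[^\}]` excludes `\` as well as `}`, and an error object whose `message` contains an escaped quote or backslash (`"message":"... \"x\" ..."`) no longer matches, leaving `err_part` empty and the API error undetected. Escape only the braces outside the class: `err_part="$(echo "$response" | _egrep_o '"error":\{[^}]*\}')"`. If `_egrep_o` has a sed/BRE fallback in this project, `\{` is an interval operator there rather than a literal, so it is worth checking the helper's implementation before relying on the escaped braces at all. `_response_has_error` continues past this hunk.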
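Review bot: `_H1` is only assigned when `NTFY_TOKEN` is non-empty, so a value left in `_H1` by an earlier hook in the same process — `telegram_send` in this same diff exports `_H1` — would still be sent to `$NTFY_URL` if the notify hooks share a shell; harmless for a Content-Type header, but any hook that exports a credential header there would forward it to the ntfy server. Reset it ahead of the conditional, `unset _H1` (or `export _H1=""`, depending on how `_post` treats an empty header, which I could not see here). Style: `[ "$NTFY_TOKEN" ]` reads like a dropped `-n`; write `[ -n "$NTFY_TOKEN" ]` as the rest of this diff does. Persisting the token with `_saveaccountconf_mutable` matches how `NTFY_TOPIC` is handled just above, so no change needed there.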
@@ -27,6 +28,12 @@ telegram_send() {
 fi
 _saveaccountconf_mutable TELEGRAM_BOT_CHATID "$TELEGRAM_BOT_CHATID"
+ TELEGRAM_BOT_URLBASE="${TELEGRAM_BOT_URLBASE:-$(_readaccountconf_mutable TELEGRAM_BOT_URLBASE)}"
+ if [ -z "$TELEGRAM_BOT_URLBASE" ]; then
+ TELEGRAM_BOT_URLBASE="https://api.telegram.org"
+ fi
+ _saveaccountconf_mutable TELEGRAM_BOT_URLBASE "$TELEGRAM_BOT_URLBASE"
+
 _subject="$(printf "%s" "$_subject" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+--=|{}.!]\)/\\\\\1/g')"
 _content="$(printf "%s" "$_content" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+--=|{}.!]\)/\\\\\1/g')"
 _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)"
@@ -38,7 +45,7 @@ telegram_send() {
 _debug "$_data"
 export _H1="Content-Type: application/json"
- _telegram_bot_url="https://api.telegram.org/bot${TELEGRAM_BOT_APITOKEN}/sendMessage"
+ _telegram_bot_url="${TELEGRAM_BOT_URLBASE}/bot${TELEGRAM_BOT_APITOKEN}/sendMessage"
 if _post "$_data" "$_telegram_bot_url" >/dev/null; then
 # shellcheck disable=SC2154
 _message=$(printf "%s\n" "$response" | sed -n 's/.*"ok":\([^,]*\).*/\1/p')
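Review bot: `TELEGRAM_BOT_URLBASE` is accepted verbatim and then spliced in front of `/bot${TELEGRAM_BOT_APITOKEN}/sendMessage` in the next hunk, so a configured value with a trailing slash yields `//bot...`, and an `http://` base sends the bot token — which travels in the URL path — in cleartext to whichever host was configured. Normalise it once after the default is applied, `TELEGRAM_BOT_URLBASE="${TELEGRAM_BOT_URLBASE%/}"`, and emit an `_info` warning when the base does not start with `https://`, since this is the one setting that can redirect the token. A comment on the new config line would make the trust implication visible in the template as well: `# optional API base (e.g. a self-hosted Bot API server); the bot token is sent in the URL path to this host`. `telegram_send` starts and ends outside this hunk.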