Merge pull request #2735 from acmesh-official/dev

sync
5 years ago · c768581829
9 changed files with 1000 additions and 6 deletions
--- a/acme.sh
+++ b/acme.sh
@ -6216,7 +6216,7 @@ Parameters:
  --force, -f                       Used to force to install or force to renew a cert immediately.
  --staging, --test                 Use staging server, just for test.
  --debug                           Output debug info.
  --output-insecure                 Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for secure.
  --output-insecure                 Output all the sensitive messages. By default all the credentials/sensitive messages are hidden from the output/debug/log for security.
  --webroot, -w  /path/to/webroot   Specifies the web root folder for web root mode.
  --standalone                      Use standalone mode.
  --alpn                            Use standalone alpn mode.
@ -6225,8 +6225,8 @@ Parameters:
  --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file]   Use dns mode or dns api.
  --dnssleep  [$DEFAULT_DNS_SLEEP]                  The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
  --keylength, -k [2048]            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384.
  --accountkeylength, -ak [2048]    Specifies the account key length.
  --keylength, -k [2048]            Specifies the domain key length: 2048, 3072, 4096, 8192 or ec-256, ec-384, ec-521.
  --accountkeylength, -ak [2048]    Specifies the account key length: 2048, 3072, 4096
  --log    [/path/to/logfile]       Specifies the log file. The default is: \"$DEFAULT_LOG_FILE\" if you don't give a file path here.
  --log-level 1|2                   Specifies the log level, default is 1.
  --syslog [0|3|6|7]                Syslog level, 0: disable syslog, 3: error, 6: info, 7: debug.
@ -6240,7 +6240,7 @@ Parameters:
  --reloadcmd \"service nginx reload\" After issue/renew, it's used to reload the server.
  --server SERVER                   ACME Directory Resource URI. (default: https://acme-v01.api.letsencrypt.org/directory)
  --server SERVER                   ACME Directory Resource URI. (default: $DEFAULT_CA)
  --accountconf                     Specifies a customized account config file.
  --home                            Specifies the home dir for $PROJECT_NAME.
  --cert-home                       Specifies the home dir to save all the certs, only valid for '--install' command.
--- a/deploy/panos.sh
+++ b/deploy/panos.sh
@ -0,0 +1,139 @@
 #!/usr/bin/env sh
 # Script to deploy certificates to Palo Alto Networks PANOS via API
 # Note PANOS API KEY and IP address needs to be set prior to running.
 # The following variables exported from environment will be used.
 # If not set then values previously saved in domain.conf file are used.
 #
 # Firewall admin with superuser and IP address is required.
 #
 # export PANOS_USER=""  # required
 # export PANOS_PASS=""  # required
 # export PANOS_HOST=""  # required
 # This function is to parse the XML
 parse_response() {
  type=$2
  if [ "$type" = 'keygen' ]; then
    status=$(echo "$1" | sed 's/^.*\(['\'']\)\([a-z]*\)'\''.*/\2/g')
    if [ "$status" = "success" ]; then
      panos_key=$(echo "$1" | sed 's/^.*\(<key>\)\(.*\)<\/key>.*/\2/g')
      _panos_key=$panos_key
    else
      message="PAN-OS Key could not be set."
    fi
  else
    status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g')
    message=$(echo "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
  fi
  return 0
 }
 deployer() {
  content=""
  type=$1 # Types are keygen, cert, key, commit
  _debug "**** Deploying $type *****"
  panos_url="https://$_panos_host/api/"
  if [ "$type" = 'keygen' ]; then
    _H1="Content-Type: application/x-www-form-urlencoded"
    content="type=keygen&user=$_panos_user&password=$_panos_pass"
    # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}"
  fi
  if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then
    #Generate DEIM
    delim="-----MultipartDelimiter$(date "+%s%N")"
    nl="\015\012"
    #Set Header
    export _H1="Content-Type: multipart/form-data; boundary=$delim"
    if [ "$type" = 'cert' ]; then
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\ncertificate"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\n\r\npem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
    fi
    if [ "$type" = 'key' ]; then
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"type\"\r\n\r\n\r\nimport"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"category\"\r\n\r\n\r\nprivate-key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"certificate-name\"\r\n\r\n\r\n$_cdomain"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\n\r\npem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n\r\n123456"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
    fi
    #Close multipart
    content="$content${nl}--$delim--${nl}"
    #Convert CRLF
    content=$(printf %b "$content")
  fi
  if [ "$type" = 'commit' ]; then
    export _H1="Content-Type: application/x-www-form-urlencoded"
    cmd=$(printf "%s" "<commit><partial><$_panos_user></$_panos_user></partial></commit>" | _url_encode)
    content="type=commit&key=$_panos_key&cmd=$cmd"
  fi
  response=$(_post "$content" "$panos_url" "" "POST")
  parse_response "$response" "$type"
  # Saving response to variables
  response_status=$status
  #DEBUG
  _debug response_status "$response_status"
  if [ "$response_status" = "success" ]; then
    _debug "Successfully deployed $type"
    return 0
  else
    _err "Deploy of type $type failed. Try deploying with --debug to troubleshoot."
    _debug "$message"
    return 1
  fi
 }
 # This is the main function that will call the other functions to deploy everything.
 panos_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _cfullchain="$5"
  # PANOS ENV VAR check
  if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then
    _debug "No ENV variables found lets check for saved variables"
    _getdeployconf PANOS_USER
    _getdeployconf PANOS_PASS
    _getdeployconf PANOS_HOST
    _panos_user=$PANOS_USER
    _panos_pass=$PANOS_PASS
    _panos_host=$PANOS_HOST
    if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then
      _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs."
      return 1
    else
      _debug "Using saved env variables."
    fi
  else
    _debug "Detected ENV variables to be saved to the deploy conf."
    # Encrypt and save user
    _savedeployconf PANOS_USER "$PANOS_USER" 1
    _savedeployconf PANOS_PASS "$PANOS_PASS" 1
    _savedeployconf PANOS_HOST "$PANOS_HOST" 1
    _panos_user="$PANOS_USER"
    _panos_pass="$PANOS_PASS"
    _panos_host="$PANOS_HOST"
  fi
  _debug "Let's use username and pass to generate token."
  if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then
    _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
    return 1
  else
    _debug "Getting PANOS KEY"
    deployer keygen
    if [ -z "$_panos_key" ]; then
      _err "Missing apikey."
      return 1
    else
      deployer cert
      deployer key
      deployer commit
    fi
  fi
 }
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@ -0,0 +1,152 @@
 #!/usr/bin/env sh
 # Here is a script to deploy cert to Synology DSM
 #
 # it requires the jq and curl are in the $PATH and the following
 # environment variables must be set:
 #
 # SYNO_Username - Synology Username to login (must be an administrator)
 # SYNO_Password - Synology Password to login
 # SYNO_Certificate - Certificate description to target for replacement
 #
 # The following environmental variables may be set if you don't like their
 # default values:
 #
 # SYNO_Scheme - defaults to http
 # SYNO_Hostname - defaults to localhost
 # SYNO_Port - defaults to 5000
 #
 #returns 0 means success, otherwise error.
 ########  Public functions #####################
 _syno_get_cookie_data() {
  grep "\W$1=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';'
 }
 #domain keyfile certfile cafile fullchain
 synology_dsm_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _debug _cdomain "$_cdomain"
  # Get Username and Password, but don't save until we successfully authenticate
  _getdeployconf SYNO_Username
  _getdeployconf SYNO_Password
  _getdeployconf SYNO_Create
  if [ -z "$SYNO_Username" ] || [ -z "$SYNO_Password" ]; then
    SYNO_Username=""
    SYNO_Password=""
    _err "SYNO_Username & SYNO_Password must be set"
    return 1
  fi
  _debug2 SYNO_Username "$SYNO_Username"
  _secure_debug2 SYNO_Password "$SYNO_Password"
  # Optional scheme, hostname, and port for Synology DSM
  _getdeployconf SYNO_Scheme
  _getdeployconf SYNO_Hostname
  _getdeployconf SYNO_Port
  # default vaules for scheme, hostname, and port
  # defaulting to localhost and http because it's localhost...
  [ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http"
  [ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost"
  [ -n "${SYNO_Port}" ] || SYNO_Port="5000"
  _savedeployconf SYNO_Scheme "$SYNO_Scheme"
  _savedeployconf SYNO_Hostname "$SYNO_Hostname"
  _savedeployconf SYNO_Port "$SYNO_Port"
  _debug2 SYNO_Scheme "$SYNO_Scheme"
  _debug2 SYNO_Hostname "$SYNO_Hostname"
  _debug2 SYNO_Port "$SYNO_Port"
  # Get the certificate description, but don't save it until we verfiy it's real
  _getdeployconf SYNO_Certificate
  if [ -z "${SYNO_Certificate:?}" ]; then
    _err "SYNO_Certificate needs to be defined (with the Certificate description name)"
    return 1
  fi
  _debug SYNO_Certificate "$SYNO_Certificate"
  _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
  _debug _base_url "$_base_url"
  # Login, get the token from JSON and session id from cookie
  _info "Logging into $SYNO_Hostname:$SYNO_Port"
  response=$(_get "$_base_url/webman/login.cgi?username=$SYNO_Username&passwd=$SYNO_Password&enable_syno_token=yes")
  token=$(echo "$response" | grep "SynoToken" | sed -n 's/.*"SynoToken" *: *"\([^"]*\).*/\1/p')
  _debug3 response "$response"
  if [ -z "$token" ]; then
    _err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
    _err "Check your username and password."
    return 1
  fi
  _H1="Cookie: $(_syno_get_cookie_data "id"); $(_syno_get_cookie_data "smid")"
  _H2="X-SYNO-TOKEN: $token"
  export _H1
  export _H2
  _debug2 H1 "${_H1}"
  _debug2 H2 "${_H2}"
  # Now that we know the username and password are good, save them
  _savedeployconf SYNO_Username "$SYNO_Username"
  _savedeployconf SYNO_Password "$SYNO_Password"
  _debug token "$token"
  _info "Getting certificates in Synology DSM"
  response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1" "$_base_url/webapi/entry.cgi")
  _debug3 response "$response"
  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p")
  _debug2 id "$id"
  if [ -z "$id" ] && [ -z "${SYNO_Create:?}" ]; then
    _err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set"
    return 1
  fi
  # we've verified this certificate description is a thing, so save it
  _savedeployconf SYNO_Certificate "$SYNO_Certificate"
  default=false
  if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
    default=true
  fi
  _debug2 default "$default"
  _info "Generate form POST request"
  nl="\015\012"
  delim="--------------------------$(_utc_date | tr -d -- '-: ')"
  content="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}${default}"
  content="$content${nl}--$delim--${nl}"
  content="$(printf "%b_" "$content")"
  content="${content%_}" # protect trailing \n
  _info "Upload certificate to the Synology DSM"
  response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token" "" "POST" "multipart/form-data; boundary=${delim}")
  _debug3 response "$response"
  if ! echo "$response" | grep '"error":' >/dev/null; then
    if echo "$response" | grep '"restart_httpd":true' >/dev/null; then
      _info "http services were restarted"
    else
      _info "http services were NOT restarted"
    fi
    return 0
  else
    _err "Unable to update certificate, error code $response"
    return 1
  fi
 }
--- a/dnsapi/dns_constellix.sh
+++ b/dnsapi/dns_constellix.sh
@ -0,0 +1,141 @@
 #!/usr/bin/env sh
 # Author: Wout Decre <wout@canodus.be>
 CONSTELLIX_Api="https://api.dns.constellix.com/v1"
 #CONSTELLIX_Key="XXX"
 #CONSTELLIX_Secret="XXX"
 ########  Public functions #####################
 # Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 # Used to add txt record
 dns_constellix_add() {
  fulldomain=$1
  txtvalue=$2
  CONSTELLIX_Key="${CONSTELLIX_Key:-$(_readaccountconf_mutable CONSTELLIX_Key)}"
  CONSTELLIX_Secret="${CONSTELLIX_Secret:-$(_readaccountconf_mutable CONSTELLIX_Secret)}"
  if [ -z "$CONSTELLIX_Key" ] || [ -z "$CONSTELLIX_Secret" ]; then
    _err "You did not specify the Contellix API key and secret yet."
    return 1
  fi
  _saveaccountconf_mutable CONSTELLIX_Key "$CONSTELLIX_Key"
  _saveaccountconf_mutable CONSTELLIX_Secret "$CONSTELLIX_Secret"
  if ! _get_root "$fulldomain"; then
    _err "Invalid domain"
    return 1
  fi
  _info "Adding TXT record"
  if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":120,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then
    if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then
      _info "Added"
      return 0
    else
      _err "Error adding TXT record"
      return 1
    fi
  fi
 }
 # Usage: fulldomain txtvalue
 # Used to remove the txt record after validation
 dns_constellix_rm() {
  fulldomain=$1
  txtvalue=$2
  CONSTELLIX_Key="${CONSTELLIX_Key:-$(_readaccountconf_mutable CONSTELLIX_Key)}"
  CONSTELLIX_Secret="${CONSTELLIX_Secret:-$(_readaccountconf_mutable CONSTELLIX_Secret)}"
  if [ -z "$CONSTELLIX_Key" ] || [ -z "$CONSTELLIX_Secret" ]; then
    _err "You did not specify the Contellix API key and secret yet."
    return 1
  fi
  if ! _get_root "$fulldomain"; then
    _err "Invalid domain"
    return 1
  fi
  _info "Removing TXT record"
  if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then
    if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then
      _info "Removed"
      return 0
    else
      _err "Error removing TXT record"
      return 1
    fi
  fi
 }
 ####################  Private functions below ##################################
 _get_root() {
  domain=$1
  i=2
  p=1
  _debug "Detecting root zone"
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    if [ -z "$h" ]; then
      return 1
    fi
    if ! _constellix_rest GET "domains"; then
      return 1
    fi
    if _contains "$response" "\"name\":\"$h\""; then
      _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[^,]*" | head -n 1 | cut -d ':' -f 2 | tr -d '}')
      if [ "$_domain_id" ]; then
        _sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p)
        _domain="$h"
        _debug _domain_id "$_domain_id"
        _debug _sub_domain "$_sub_domain"
        _debug _domain "$_domain"
        return 0
      fi
      return 1
    fi
    p=$i
    i=$(_math "$i" + 1)
  done
  return 1
 }
 _constellix_rest() {
  m=$1
  ep="$2"
  data="$3"
  _debug "$ep"
  rdate=$(date +"%s")"000"
  hmac=$(printf "%s" "$rdate" | _hmac sha1 "$(printf "%s" "$CONSTELLIX_Secret" | _hex_dump | tr -d ' ')" | _base64)
  export _H1="x-cnsdns-apiKey: $CONSTELLIX_Key"
  export _H2="x-cnsdns-requestDate: $rdate"
  export _H3="x-cnsdns-hmac: $hmac"
  export _H4="Accept: application/json"
  export _H5="Content-Type: application/json"
  if [ "$m" != "GET" ]; then
    _debug data "$data"
    response="$(_post "$data" "$CONSTELLIX_Api/$ep" "" "$m")"
  else
    response="$(_get "$CONSTELLIX_Api/$ep")"
  fi
  if [ "$?" != "0" ]; then
    _err "Error $ep"
    return 1
  fi
  _debug response "$response"
  return 0
 }
--- a/dnsapi/dns_ddnss.sh
+++ b/dnsapi/dns_ddnss.sh
@ -12,7 +12,7 @@
 # --
 #
 DDNSS_DNS_API="https://ddnss.de/upd.php"
 DDNSS_DNS_API="https://ip4.ddnss.de/upd.php"
 ########  Public functions #####################
--- a/dnsapi/dns_dynv6.sh
+++ b/dnsapi/dns_dynv6.sh
@ -0,0 +1,121 @@
 #!/usr/bin/env sh
 #Author StefanAbl
 #Usage specify a private keyfile to use with dynv6 'export KEY="path/to/keyfile"'
 #if no keyfile is specified, you will be asked if you want to create one in /home/$USER/.ssh/dynv6 and /home/$USER/.ssh/dynv6.pub
 ########  Public functions #####################
 # Please Read this guide first: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide
 #Usage: dns_myapi_add  _acme-challenge.www.domain.com  "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_dynv6_add() {
  fulldomain=$1
  txtvalue=$2
  _info "Using dynv6 api"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"
  _get_keyfile
  _info "using keyfile $dynv6_keyfile"
  _get_domain "$fulldomain"
  _your_hosts="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts)"
  if ! _contains "$_your_hosts" "$_host"; then
    _debug "The host is $_host and the record $_record"
    _debug "Dynv6 returned $_your_hosts"
    _err "The host $_host does not exists on your dynv6 account"
    return 1
  fi
  _debug "found host on your account"
  returnval="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts \""$_host"\" records set \""$_record"\" txt data \""$txtvalue"\")"
  _debug "Dynv6 returend this after record was added: $returnval"
  if _contains "$returnval" "created"; then
    return 0
  elif _contains "$returnval" "updated"; then
    return 0
  else
    _err "Something went wrong! it does not seem like the record was added succesfully"
    return 1
  fi
  return 1
 }
 #Usage: fulldomain txtvalue
 #Remove the txt record after validation.
 dns_dynv6_rm() {
  fulldomain=$1
  txtvalue=$2
  _info "Using dynv6 api"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"
  _get_keyfile
  _info "using keyfile $dynv6_keyfile"
  _get_domain "$fulldomain"
  _your_hosts="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts)"
  if ! _contains "$_your_hosts" "$_host"; then
    _debug "The host is $_host and the record $_record"
    _debug "Dynv6 returned $_your_hosts"
    _err "The host $_host does not exists on your dynv6 account"
    return 1
  fi
  _debug "found host on your account"
  _info "$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts "\"$_host\"" records del "\"$_record\"" txt)"
  return 0
 }
 #################### Private functions below ##################################
 #Usage: No Input required
 #returns
 #dynv6_keyfile the path to the new keyfile that has been generated
 _generate_new_key() {
  dynv6_keyfile="$(eval echo ~"$USER")/.ssh/dynv6"
  _info "Path to key file used: $dynv6_keyfile"
  if [ ! -f "$dynv6_keyfile" ] && [ ! -f "$dynv6_keyfile.pub" ]; then
    _debug "generating key in $dynv6_keyfile and $dynv6_keyfile.pub"
    ssh-keygen -f "$dynv6_keyfile" -t ssh-ed25519 -N ''
  else
    _err "There is already a file in $dynv6_keyfile or $dynv6_keyfile.pub"
    return 1
  fi
 }
 #Usage: _acme-challenge.www.example.dynv6.net
 #returns
 #_host= example.dynv6.net
 #_record=_acme-challenge.www
 #aborts if not a valid domain
 _get_domain() {
  _full_domain="$1"
  _debug "getting domain for $_full_domain"
  if ! _contains "$_full_domain" 'dynv6.net' && ! _contains "$_full_domain" 'dns.army' && ! _contains "$_full_domain" 'dns.navy'; then
    _err "The hosts does not seem to be a dynv6 host"
    return 1
  fi
  _record="${_full_domain%.*}"
  _record="${_record%.*}"
  _record="${_record%.*}"
  _debug "The record we are ging to use is $_record"
  _host="$_full_domain"
  while [ "$(echo "$_host" | grep -o '\.' | wc -l)" != "2" ]; do
    _host="${_host#*.}"
  done
  _debug "And the host is $_host"
  return 0
 }
 # Usage: No input required
 #returns
 #dynv6_keyfile path to the key that will be used
 _get_keyfile() {
  _debug "get keyfile method called"
  dynv6_keyfile="${dynv6_keyfile:-$(_readaccountconf_mutable dynv6_keyfile)}"
  _debug Your key is "$dynv6_keyfile"
  if [ -z "$dynv6_keyfile" ]; then
    if [ -z "$KEY" ]; then
      _err "You did not specify a key to use with dynv6"
      _info "Creating new dynv6 api key to add to dynv6.com"
      _generate_new_key
      _info "Please add this key to dynv6.com $(cat "$dynv6_keyfile.pub")"
      _info "Hit Enter to contiue"
      read -r _
      #save the credentials to the account conf file.
    else
      dynv6_keyfile="$KEY"
    fi
    _saveaccountconf_mutable dynv6_keyfile "$dynv6_keyfile"
  fi
 }
--- a/dnsapi/dns_kas.sh
+++ b/dnsapi/dns_kas.sh
@ -0,0 +1,168 @@
 #!/usr/bin/env sh
 ########################################################################
 # All-inkl Kasserver hook script for acme.sh
 #
 # Environment variables:
 #
 #  - $KAS_Login (Kasserver API login name)
 #  - $KAS_Authtype (Kasserver API auth type. Default: sha1)
 #  - $KAS_Authdata (Kasserver API auth data.)
 #
 # Author: Martin Kammerlander, Phlegx Systems OG <martin.kammerlander@phlegx.com>
 # Updated by: Marc-Oliver Lange <git@die-lang.es>
 # Credits: Inspired by dns_he.sh. Thanks a lot man!
 # Git repo: https://github.com/phlegx/acme.sh
 # TODO: Better Error handling
 ########################################################################
 KAS_Api="https://kasapi.kasserver.com/dokumentation/formular.php"
 ########  Public functions  #####################
 dns_kas_add() {
  _fulldomain=$1
  _txtvalue=$2
  _info "Using DNS-01 All-inkl/Kasserver hook"
  _info "Adding $_fulldomain DNS TXT entry on All-inkl/Kasserver"
  _info "Check and Save Props"
  _check_and_save
  _info "Checking Zone and Record_Name"
  _get_zone_and_record_name "$_fulldomain"
  _info "Getting Record ID"
  _get_record_id
  _info "Creating TXT DNS record"
  params="?kas_login=$KAS_Login"
  params="$params&kas_auth_type=$KAS_Authtype"
  params="$params&kas_auth_data=$KAS_Authdata"
  params="$params&var1=record_name"
  params="$params&wert1=$_record_name"
  params="$params&var2=record_type"
  params="$params&wert2=TXT"
  params="$params&var3=record_data"
  params="$params&wert3=$_txtvalue"
  params="$params&var4=record_aux"
  params="$params&wert4=0"
  params="$params&kas_action=add_dns_settings"
  params="$params&var5=zone_host"
  params="$params&wert5=$_zone"
  _debug2 "Wait for 10 seconds by default before calling KAS API."
  _sleep 10
  response="$(_get "$KAS_Api$params")"
  _debug2 "response" "$response"
  if ! _contains "$response" "TRUE"; then
    _err "An unkown error occurred, please check manually."
    return 1
  fi
  return 0
 }
 dns_kas_rm() {
  _fulldomain=$1
  _txtvalue=$2
  _info "Using DNS-01 All-inkl/Kasserver hook"
  _info "Cleaning up after All-inkl/Kasserver hook"
  _info "Removing $_fulldomain DNS TXT entry on All-inkl/Kasserver"
  _info "Check and Save Props"
  _check_and_save
  _info "Checking Zone and Record_Name"
  _get_zone_and_record_name "$_fulldomain"
  _info "Getting Record ID"
  _get_record_id
  # If there is a record_id, delete the entry
  if [ -n "$_record_id" ]; then
    params="?kas_login=$KAS_Login"
    params="$params&kas_auth_type=$KAS_Authtype"
    params="$params&kas_auth_data=$KAS_Authdata"
    params="$params&kas_action=delete_dns_settings"
    for i in $_record_id; do
      params2="$params&var1=record_id"
      params2="$params2&wert1=$i"
      _debug2 "Wait for 10 seconds by default before calling KAS API."
      _sleep 10
      response="$(_get "$KAS_Api$params2")"
      _debug2 "response" "$response"
      if ! _contains "$response" "TRUE"; then
        _err "Either the txt record is not found or another error occurred, please check manually."
        return 1
      fi
    done
  else # Cannot delete or unkown error
    _err "No record_id found that can be deleted. Please check manually."
    return 1
  fi
  return 0
 }
 ########################## PRIVATE FUNCTIONS ###########################
 # Checks for the ENV variables and saves them
 _check_and_save() {
  KAS_Login="${KAS_Login:-$(_readaccountconf_mutable KAS_Login)}"
  KAS_Authtype="${KAS_Authtype:-$(_readaccountconf_mutable KAS_Authtype)}"
  KAS_Authdata="${KAS_Authdata:-$(_readaccountconf_mutable KAS_Authdata)}"
  if [ -z "$KAS_Login" ] || [ -z "$KAS_Authtype" ] || [ -z "$KAS_Authdata" ]; then
    KAS_Login=
    KAS_Authtype=
    KAS_Authdata=
    _err "No auth details provided. Please set user credentials using the \$KAS_Login, \$KAS_Authtype, and \$KAS_Authdata environment variables."
    return 1
  fi
  _saveaccountconf_mutable KAS_Login "$KAS_Login"
  _saveaccountconf_mutable KAS_Authtype "$KAS_Authtype"
  _saveaccountconf_mutable KAS_Authdata "$KAS_Authdata"
  return 0
 }
 # Gets back the base domain/zone and record name.
 # See: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide
 _get_zone_and_record_name() {
  params="?kas_login=$KAS_Login"
  params="?kas_login=$KAS_Login"
  params="$params&kas_auth_type=$KAS_Authtype"
  params="$params&kas_auth_data=$KAS_Authdata"
  params="$params&kas_action=get_domains"
  _debug2 "Wait for 10 seconds by default before calling KAS API."
  _sleep 10
  response="$(_get "$KAS_Api$params")"
  _debug2 "response" "$response"
  _zonen="$(echo "$response" | tr -d "\n\r" | tr -d " " | tr '[]' '<>' | sed "s/=>Array/\n=> Array/g" | tr ' ' '\n' | grep "domain_name" | tr '<' '\n' | grep "domain_name" | sed "s/domain_name>=>//g")"
  _domain="$1"
  _temp_domain="$(echo "$1" | sed 's/\.$//')"
  _rootzone="$_domain"
  for i in $_zonen; do
    l1=${#_rootzone}
    l2=${#i}
    if _endswith "$_domain" "$i" && [ "$l1" -ge "$l2" ]; then
      _rootzone="$i"
    fi
  done
  _zone="${_rootzone}."
  _temp_record_name="$(echo "$_temp_domain" | sed "s/$_rootzone//g")"
  _record_name="$(echo "$_temp_record_name" | sed 's/\.$//')"
  _debug2 "Zone:" "$_zone"
  _debug2 "Domain:" "$_domain"
  _debug2 "Record_Name:" "$_record_name"
  return 0
 }
 # Retrieve the DNS record ID
 _get_record_id() {
  params="?kas_login=$KAS_Login"
  params="$params&kas_auth_type=$KAS_Authtype"
  params="$params&kas_auth_data=$KAS_Authdata"
  params="$params&kas_action=get_dns_settings"
  params="$params&var1=zone_host"
  params="$params&wert1=$_zone"
  _debug2 "Wait for 10 seconds by default before calling KAS API."
  _sleep 10
  response="$(_get "$KAS_Api$params")"
  _debug2 "response" "$response"
  _record_id="$(echo "$response" | tr -d "\n\r" | tr -d " " | tr '[]' '<>' | sed "s/=>Array/\n=> Array/g" | tr ' ' '\n' | grep "=>$_record_name<" | grep '>TXT<' | tr '<' '\n' | grep record_id | sed "s/record_id>=>//g")"
  _debug2 _record_id "$_record_id"
  return 0
 }
--- a/dnsapi/dns_me.sh
+++ b/dnsapi/dns_me.sh
@ -114,7 +114,7 @@ _get_root() {
    fi
    if _contains "$response" "\"name\":\"$h\""; then
      _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[^,]*" | head -n 1 | cut -d : -f 2 | tr -d '}')
      _domain_id=$(printf "%s\n" "$response" | cut -c 2- | head -c -2 | sed 's/{.*}//' | sed -r 's/^.*"id":([0-9]+).*$/\1/')
      if [ "$_domain_id" ]; then
        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
        _domain="$h"
--- a/dnsapi/dns_opnsense.sh
+++ b/dnsapi/dns_opnsense.sh
@ -0,0 +1,273 @@
 #!/usr/bin/env sh
 #OPNsense Bind API
 #https://docs.opnsense.org/development/api.html
 #
 #OPNs_Host="opnsense.example.com"
 #OPNs_Port="443"
 # optional, defaults to 443 if unset
 #OPNs_Key="qocfU9RSbt8vTIBcnW8bPqCrpfAHMDvj5OzadE7Str+rbjyCyk7u6yMrSCHtBXabgDDXx/dY0POUp7ZA"
 #OPNs_Token="pZEQ+3ce8dDlfBBdg3N8EpqpF5I1MhFqdxX06le6Gl8YzyQvYCfCzNaFX9O9+IOSyAs7X71fwdRiZ+Lv"
 #OPNs_Api_Insecure=0
 # optional, defaults to 0 if unset
 # Set 1 for insecure and 0 for secure -> difference is whether ssl cert is checked for validity (0) or whether it is just accepted (1)
 ########  Public functions #####################
 #Usage: add _acme-challenge.www.domain.com "123456789ABCDEF0000000000000000000000000000000000000"
 #fulldomain
 #txtvalue
 OPNs_DefaultPort=443
 OPNs_DefaultApi_Insecure=0
 dns_opnsense_add() {
  fulldomain=$1
  txtvalue=$2
  _opns_check_auth || return 1
  if ! set_record "$fulldomain" "$txtvalue"; then
    return 1
  fi
  return 0
 }
 #fulldomain
 dns_opnsense_rm() {
  fulldomain=$1
  txtvalue=$2
  _opns_check_auth || return 1
  if ! rm_record "$fulldomain" "$txtvalue"; then
    return 1
  fi
  return 0
 }
 set_record() {
  fulldomain=$1
  new_challenge=$2
  _info "Adding record $fulldomain with challenge: $new_challenge"
  _debug "Detect root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _domain "$_domain"
  _debug _host "$_host"
  _debug _domainid "$_domainid"
  _return_str=""
  _record_string=""
  _build_record_string "$_domainid" "$_host" "$new_challenge"
  _uuid=""
  if _existingchallenge "$_domain" "$_host" "$new_challenge"; then
    # Update
    if _opns_rest "POST" "/record/setRecord/${_uuid}" "$_record_string"; then
      _return_str="$response"
    else
      return 1
    fi
  else
    #create
    if _opns_rest "POST" "/record/addRecord" "$_record_string"; then
      _return_str="$response"
    else
      return 1
    fi
  fi
  if echo "$_return_str" | _egrep_o "\"result\":\"saved\"" >/dev/null; then
    _opns_rest "POST" "/service/reconfigure" "{}"
    _debug "Record created"
  else
    _err "Error creating record $_record_string"
    return 1
  fi
  return 0
 }
 rm_record() {
  fulldomain=$1
  new_challenge="$2"
  _info "Remove record $fulldomain with challenge: $new_challenge"
  _debug "Detect root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _domain "$_domain"
  _debug _host "$_host"
  _debug _domainid "$_domainid"
  _uuid=""
  if _existingchallenge "$_domain" "$_host" "$new_challenge"; then
    # Delete
    if _opns_rest "POST" "/record/delRecord/${_uuid}" "\{\}"; then
      if echo "$_return_str" | _egrep_o "\"result\":\"deleted\"" >/dev/null; then
        _opns_rest "POST" "/service/reconfigure" "{}"
        _debug "Record deleted"
      else
        _err "Error deleting record $_host from domain $fulldomain"
        return 1
      fi
    else
      _err "Error deleting record $_host from domain $fulldomain"
      return 1
    fi
  else
    _info "Record not found, nothing to remove"
  fi
  return 0
 }
 ####################  Private functions below ##################################
 #_acme-challenge.www.domain.com
 #returns
 # _domainid=domid
 #_domain=domain.com
 _get_root() {
  domain=$1
  i=2
  p=1
  if _opns_rest "GET" "/domain/get"; then
    _domain_response="$response"
  else
    return 1
  fi
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    if [ -z "$h" ]; then
      #not valid
      return 1
    fi
    _debug h "$h"
    id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":\"[^\"]*\",\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2)
    if [ -n "$id" ]; then
      _debug id "$id"
      _host=$(printf "%s" "$domain" | cut -d . -f 1-$p)
      _domain="${h}"
      _domainid="${id}"
      return 0
    fi
    p=$i
    i=$(_math $i + 1)
  done
  _debug "$domain not found"
  return 1
 }
 _opns_rest() {
  method=$1
  ep=$2
  data=$3
  #Percent encode user and token
  key=$(echo "$OPNs_Key" | tr -d "\n\r" | _url_encode)
  token=$(echo "$OPNs_Token" | tr -d "\n\r" | _url_encode)
  opnsense_url="https://${key}:${token}@${OPNs_Host}:${OPNs_Port:-$OPNs_DefaultPort}/api/bind${ep}"
  export _H1="Content-Type: application/json"
  _debug2 "Try to call api: https://${OPNs_Host}:${OPNs_Port:-$OPNs_DefaultPort}/api/bind${ep}"
  if [ ! "$method" = "GET" ]; then
    _debug data "$data"
    export _H1="Content-Type: application/json"
    response="$(_post "$data" "$opnsense_url" "" "$method")"
  else
    export _H1=""
    response="$(_get "$opnsense_url")"
  fi
  if [ "$?" != "0" ]; then
    _err "error $ep"
    return 1
  fi
  _debug2 response "$response"
  return 0
 }
 _build_record_string() {
  _record_string="{\"record\":{\"enabled\":\"1\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"}}"
 }
 _existingchallenge() {
  if _opns_rest "GET" "/record/searchRecord"; then
    _record_response="$response"
  else
    return 1
  fi
  _uuid=""
  _uuid=$(echo "$_record_response" | _egrep_o "\"uuid\":\"[^\"]*\",\"enabled\":\"[01]\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
  if [ -n "$_uuid" ]; then
    _debug uuid "$_uuid"
    return 0
  fi
  _debug "${2}.$1{1} record not found"
  return 1
 }
 _opns_check_auth() {
  OPNs_Host="${OPNs_Host:-$(_readaccountconf_mutable OPNs_Host)}"
  OPNs_Port="${OPNs_Port:-$(_readaccountconf_mutable OPNs_Port)}"
  OPNs_Key="${OPNs_Key:-$(_readaccountconf_mutable OPNs_Key)}"
  OPNs_Token="${OPNs_Token:-$(_readaccountconf_mutable OPNs_Token)}"
  OPNs_Api_Insecure="${OPNs_Api_Insecure:-$(_readaccountconf_mutable OPNs_Api_Insecure)}"
  if [ -z "$OPNs_Host" ]; then
    _err "You don't specify OPNsense address."
    return 1
  else
    _saveaccountconf_mutable OPNs_Host "$OPNs_Host"
  fi
  if ! printf '%s' "$OPNs_Port" | grep '^[0-9]*$' >/dev/null; then
    _err 'OPNs_Port specified but not numeric value'
    return 1
  elif [ -z "$OPNs_Port" ]; then
    _info "OPNSense port not specified. Defaulting to using port $OPNs_DefaultPort"
  else
    _saveaccountconf_mutable OPNs_Port "$OPNs_Port"
  fi
  if ! printf '%s' "$OPNs_Api_Insecure" | grep '^[01]$' >/dev/null; then
    _err 'OPNs_Api_Insecure specified but not 0/1 value'
    return 1
  elif [ -n "$OPNs_Api_Insecure" ]; then
    _saveaccountconf_mutable OPNs_Api_Insecure "$OPNs_Api_Insecure"
  fi
  export HTTPS_INSECURE="${OPNs_Api_Insecure:-$OPNs_DefaultApi_Insecure}"
  if [ -z "$OPNs_Key" ]; then
    _err "you have not specified your OPNsense api key id."
    _err "Please set OPNs_Key and try again."
    return 1
  else
    _saveaccountconf_mutable OPNs_Key "$OPNs_Key"
  fi
  if [ -z "$OPNs_Token" ]; then
    _err "you have not specified your OPNsense token."
    _err "Please create OPNs_Token and try again."
    return 1
  else
    _saveaccountconf_mutable OPNs_Token "$OPNs_Token"
  fi
  if ! _opns_rest "GET" "/general/get"; then
    _err "Call to OPNsense API interface failed. Unable to access OPNsense API."
    return 1
  fi
  return 0
 }