Merge branch 'master' of github.com:DerVerruckteFuchs/acme.sh into 1984-hosting-cookie-fix

3 years ago · e992979113
30 changed files with 1333 additions and 357 deletions
--- a/.github/auto-comment.yml
+++ b/.github/auto-comment.yml
@ -1,40 +0,0 @@
 # Comment to a new issue.
 issuesOpened: >
  If this is a bug report, please upgrade to the latest code and try again:
  如果有 bug, 请先更新到最新版试试:
  ```
  acme.sh --upgrade
  ```
  please also provide the log with `--debug 2`.
  同时请提供调试输出 `--debug 2`
  see: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
  Without `--debug 2` log, your issue will NEVER get replied.
  没有调试输出, 你的 issue 不会得到任何解答.
 pullRequestOpened: >
  First, NEVER send a PR to `master` branch, it will NEVER be accepted. Please send to the `dev` branch instead.
  If this is a PR to support new DNS API or new notification API, please read this guide first:
  https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide
  Please check the guide items one by one.
  Then add your usage here:
  https://github.com/acmesh-official/acme.sh/wiki/dnsapi
  Or some other wiki pages:
  https://github.com/acmesh-official/acme.sh/wiki/deployhooks
  https://github.com/acmesh-official/acme.sh/wiki/notify
--- a/.github/workflows/DNS.yml
+++ b/.github/workflows/DNS.yml
@ -61,22 +61,22 @@ jobs:
      run: |
        cd ../acmetest
        if [ "${{ secrets.TokenName1}}" ] ; then
          echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> env.list
          echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> docker.env
        fi
        if [ "${{ secrets.TokenName2}}" ] ; then
          echo "${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}" >> env.list
          echo "${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}" >> docker.env
        fi
        if [ "${{ secrets.TokenName3}}" ] ; then
          echo "${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}" >> env.list
          echo "${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}" >> docker.env
        fi
        if [ "${{ secrets.TokenName4}}" ] ; then
          echo "${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}" >> env.list
          echo "${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}" >> docker.env
        fi
        if [ "${{ secrets.TokenName5}}" ] ; then
          echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> env.list
          echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> docker.env
        fi
        echo "TEST_DNS_NO_WILDCARD" >> env.list 
        echo "TEST_DNS_SLEEP" >> env.list
        echo "TEST_DNS_NO_WILDCARD" >> docker.env
        echo "TEST_DNS_SLEEP" >> docker.env
    - name: Run acmetest
      run: cd ../acmetest && ./rundocker.sh  testall
@ -226,8 +226,10 @@ jobs:
    - uses: vmactions/solaris-vm@v0.0.3
      with:
        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
        prepare: pkgutil -y -i socat curl
        prepare: pkgutil -y -i socat
        run: |
          pkg set-mediator -v -I default@1.1 openssl
          export PATH=/usr/gnu/bin:$PATH
          if [ "${{ secrets.TokenName1}}" ] ; then
            export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
          fi
@ -245,5 +247,3 @@ jobs:
          fi
          cd ../acmetest
          ./letest.sh
--- a/.github/workflows/FreeBSD.yml
+++ b/.github/workflows/FreeBSD.yml
@ -0,0 +1,60 @@
 name: FreeBSD
 on:
  push:
    branches:
      - '*'
    paths:
      - '*.sh'
      - '.github/workflows/FreeBSD.yml'
  pull_request:
    branches:
      - dev
    paths:
      - '*.sh'
      - '.github/workflows/FreeBSD.yml'
 jobs:
  FreeBSD:
    strategy:
      matrix:
        include:
         - TEST_ACME_Server: "LetsEncrypt.org_test"
           CA_ECDSA: ""
           CA: ""
           CA_EMAIL: ""
         - TEST_ACME_Server: "ZeroSSL.com"
           CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
           CA: "ZeroSSL RSA Domain Secure Site CA"
           CA_EMAIL: "githubtest@acme.sh"
    runs-on: macos-latest
    env:
      TEST_LOCAL: 1
      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
      CA_ECDSA: ${{ matrix.CA_ECDSA }}
      CA: ${{ matrix.CA }}
      CA_EMAIL: ${{ matrix.CA_EMAIL }}
    steps:
    - uses: actions/checkout@v2
    - uses: vmactions/cf-tunnel@v0.0.2
      id: tunnel
      with:
        protocol: http
        port: 8080
    - name: Set envs
      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
    - name: Clone acmetest
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - uses: vmactions/freebsd-vm@v0.1.4
      with:
        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL'
        nat: |
          "8080": "80"
        prepare: pkg install -y socat curl
        usesh: true
        run: |
          cd ../acmetest \
          && ./letest.sh
--- a/.github/workflows/LetsEncrypt.yml
+++ b/.github/workflows/LetsEncrypt.yml
@ -1,127 +0,0 @@
 name: LetsEncrypt
 on:
  push:
    branches:
      - '*'
    paths:
      - '**.sh'
      - '**.yml'
  pull_request:
    branches:
      - dev
    paths:
      - '**.sh'
      - '**.yml'
 jobs:
  Ubuntu:
    runs-on: ubuntu-latest
    env:
      TEST_LOCAL: 1
    steps:
    - uses: actions/checkout@v2
    - name: Install tools
      run: sudo apt-get install -y socat
    - name: Clone acmetest
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - name: Run acmetest
      run: cd ../acmetest && sudo --preserve-env ./letest.sh
  MacOS:
    runs-on: macos-latest
    env:
      TEST_LOCAL: 1
    steps:
    - uses: actions/checkout@v2
    - name: Install tools
      run:  brew install socat
    - name: Clone acmetest
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - name: Run acmetest
      run: cd ../acmetest && sudo --preserve-env ./letest.sh
  Windows:
    runs-on: windows-latest
    env:
      TEST_LOCAL: 1
      #The 80 port is used by Windows server, we have to use a custom port, tunnel will also use this port.
      Le_HTTPPort: 8888
    steps:
    - name: Set git to use LF
      run: |
          git config --global core.autocrlf false
    - uses: actions/checkout@v2
    - name: Install cygwin base packages with chocolatey
      run: |
          choco config get cacheLocation
          choco install --no-progress cygwin
      shell: cmd
    - name: Install cygwin additional packages
      run: |
          C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git
      shell: cmd
    - name: Set ENV
      shell: cmd
      run: |
          echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV%
    - name: Check ENV
      shell: cmd
      run: |
          echo "PATH=%PATH%"
    - name: Clone acmetest
      shell: cmd
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - name: Run acmetest
      shell: cmd
      run: cd ../acmetest && bash.exe -c ./letest.sh
  FreeBSD:
    runs-on: macos-latest
    env:
      TEST_LOCAL: 1
    steps:
    - uses: actions/checkout@v2
    - uses: vmactions/cf-tunnel@v0.0.1
      id: tunnel
      with:
        protocol: http
        port: 8080
    - name: Set envs
      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
    - name: Clone acmetest
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - uses: vmactions/freebsd-vm@v0.1.4
      with:
        envs: 'TEST_LOCAL TestingDomain'
        nat: |
          "8080": "80"
        prepare: pkg install -y socat curl
        usesh: true
        run: |
          cd ../acmetest && ./letest.sh
  Solaris:
    runs-on: macos-latest
    env:
      TEST_LOCAL: 1
    steps:
    - uses: actions/checkout@v2
    - uses: vmactions/cf-tunnel@v0.0.1
      id: tunnel
      with:
        protocol: http
        port: 8080
    - name: Set envs
      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
    - name: Clone acmetest
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - uses: vmactions/solaris-vm@v0.0.3
      with:
        envs: 'TEST_LOCAL TestingDomain'
        nat: |
          "8080": "80"
        prepare: pkgutil -y -i socat curl
        run: |
          cd ../acmetest && ./letest.sh
--- a/.github/workflows/Linux.yml
+++ b/.github/workflows/Linux.yml
@ -0,0 +1,40 @@
 name: Linux
 on:
  push:
    branches:
      - '*'
    paths:
      - '*.sh'
      - '.github/workflows/Linux.yml'
  pull_request:
    branches:
      - dev
    paths:
      - '*.sh'
      - '.github/workflows/Linux.yml'
 jobs:
  Linux:
    strategy:
      matrix:
        os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "centos:latest", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "mageia", "gentoo/stage3-amd64"]
    runs-on: ubuntu-latest
    env:
      TEST_LOCAL: 1
    steps:
    - uses: actions/checkout@v2
    - name: Clone acmetest
      run: |
          cd .. \
          && git clone https://github.com/acmesh-official/acmetest.git \
          && cp -r acme.sh acmetest/
    - name: Run acmetest
      run: |
          cd ../acmetest \
          && ./rundocker.sh  testplat ${{ matrix.os }}
--- a/.github/workflows/MacOS.yml
+++ b/.github/workflows/MacOS.yml
@ -0,0 +1,52 @@
 name: MacOS
 on:
  push:
    branches:
      - '*'
    paths:
      - '*.sh'
      - '.github/workflows/MacOS.yml'
  pull_request:
    branches:
      - dev
    paths:
      - '*.sh'
      - '.github/workflows/MacOS.yml'
 jobs:
  MacOS:
    strategy:
      matrix:
        include:
         - TEST_ACME_Server: "LetsEncrypt.org_test"
           CA_ECDSA: ""
           CA: ""
           CA_EMAIL: ""
         - TEST_ACME_Server: "ZeroSSL.com"
           CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
           CA: "ZeroSSL RSA Domain Secure Site CA"
           CA_EMAIL: "githubtest@acme.sh"
    runs-on: macos-latest
    env:
      TEST_LOCAL: 1
      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
      CA_ECDSA: ${{ matrix.CA_ECDSA }}
      CA: ${{ matrix.CA }}
      CA_EMAIL: ${{ matrix.CA_EMAIL }}
    steps:
    - uses: actions/checkout@v2
    - name: Install tools
      run:  brew install socat
    - name: Clone acmetest
      run: |
          cd .. \
          && git clone https://github.com/acmesh-official/acmetest.git \
          && cp -r acme.sh acmetest/
    - name: Run acmetest
      run: |
          cd ../acmetest \
          && sudo --preserve-env ./letest.sh
--- a/.github/workflows/PebbleStrict.yml
+++ b/.github/workflows/PebbleStrict.yml
@ -4,14 +4,14 @@ on:
    branches:
      - '*'
    paths:
      - '**.sh'
      - '**.yml'
      - '*.sh'
      - '.github/workflows/PebbleStrict.yml'
  pull_request:
    branches:
      - dev
    paths:
      - '**.sh'
      - '**.yml'
      - '*.sh'
      - '.github/workflows/PebbleStrict.yml'
 jobs:
  PebbleStrict:
@ -19,7 +19,7 @@ jobs:
    env:
      TestingDomain: example.com
      TestingAltDomains: www.example.com
      ACME_DIRECTORY: https://localhost:14000/dir
      TEST_ACME_Server: https://localhost:14000/dir
      HTTPS_INSECURE: 1
      Le_HTTPPort: 5002
      TEST_LOCAL: 1
--- a/.github/workflows/Solaris.yml
+++ b/.github/workflows/Solaris.yml
@ -0,0 +1,58 @@
 name: Solaris
 on:
  push:
    branches:
      - '*'
    paths:
      - '*.sh'
      - '.github/workflows/Solaris.yml'
  pull_request:
    branches:
      - dev
    paths:
      - '*.sh'
      - '.github/workflows/Solaris.yml'
 jobs:
  Solaris:
    strategy:
      matrix:
        include:
         - TEST_ACME_Server: "LetsEncrypt.org_test"
           CA_ECDSA: ""
           CA: ""
           CA_EMAIL: ""
         - TEST_ACME_Server: "ZeroSSL.com"
           CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
           CA: "ZeroSSL RSA Domain Secure Site CA"
           CA_EMAIL: "githubtest@acme.sh"
    runs-on: macos-latest
    env:
      TEST_LOCAL: 1
      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
      CA_ECDSA: ${{ matrix.CA_ECDSA }}
      CA: ${{ matrix.CA }}
      CA_EMAIL: ${{ matrix.CA_EMAIL }}
    steps:
    - uses: actions/checkout@v2
    - uses: vmactions/cf-tunnel@v0.0.2
      id: tunnel
      with:
        protocol: http
        port: 8080
    - name: Set envs
      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
    - name: Clone acmetest
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - uses: vmactions/solaris-vm@v0.0.3
      with:
        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL'
        nat: |
          "8080": "80"
        prepare: pkgutil -y -i socat curl
        run: |
          cd ../acmetest \
          && ./letest.sh
--- a/.github/workflows/Ubuntu.yml
+++ b/.github/workflows/Ubuntu.yml
@ -0,0 +1,54 @@
 name: Ubuntu
 on:
  push:
    branches:
      - '*'
    paths:
      - '*.sh'
      - '.github/workflows/Ubuntu.yml'
  pull_request:
    branches:
      - dev
    paths:
      - '*.sh'
      - '.github/workflows/Ubuntu.yml'
 jobs:
  Ubuntu:
    strategy:
      matrix:
        include:
         - TEST_ACME_Server: "LetsEncrypt.org_test"
           CA_ECDSA: ""
           CA: ""
           CA_EMAIL: ""
         - TEST_ACME_Server: "ZeroSSL.com"
           CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
           CA: "ZeroSSL RSA Domain Secure Site CA"
           CA_EMAIL: "githubtest@acme.sh"
    runs-on: ubuntu-latest
    env:
      TEST_LOCAL: 1
      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
      CA_ECDSA: ${{ matrix.CA_ECDSA }}
      CA: ${{ matrix.CA }}
      CA_EMAIL: ${{ matrix.CA_EMAIL }}
      NO_ECC_384: ${{ matrix.NO_ECC_384 }}
    steps:
    - uses: actions/checkout@v2
    - name: Install tools
      run: sudo apt-get install -y socat
    - name: Clone acmetest
      run: |
          cd .. \
          && git clone https://github.com/acmesh-official/acmetest.git \
          && cp -r acme.sh acmetest/
    - name: Run acmetest
      run: |
          cd ../acmetest \
          && sudo --preserve-env ./letest.sh
--- a/.github/workflows/Windows.yml
+++ b/.github/workflows/Windows.yml
@ -0,0 +1,70 @@
 name: Windows
 on:
  push:
    branches:
      - '*'
    paths:
      - '*.sh'
      - '.github/workflows/Windows.yml'
  pull_request:
    branches:
      - dev
    paths:
      - '*.sh'
      - '.github/workflows/Windows.yml'
 jobs:
  Windows:
    strategy:
      matrix:
        include:
         - TEST_ACME_Server: "LetsEncrypt.org_test"
           CA_ECDSA: ""
           CA: ""
           CA_EMAIL: ""
         - TEST_ACME_Server: "ZeroSSL.com"
           CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
           CA: "ZeroSSL RSA Domain Secure Site CA"
           CA_EMAIL: "githubtest@acme.sh"
    runs-on: windows-latest
    env:
      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
      CA_ECDSA: ${{ matrix.CA_ECDSA }}
      CA: ${{ matrix.CA }}
      CA_EMAIL: ${{ matrix.CA_EMAIL }}
      TEST_LOCAL: 1
      #The 80 port is used by Windows server, we have to use a custom port, tunnel will also use this port.
      Le_HTTPPort: 8888
    steps:
    - name: Set git to use LF
      run: |
          git config --global core.autocrlf false
    - uses: actions/checkout@v2
    - name: Install cygwin base packages with chocolatey
      run: |
          choco config get cacheLocation
          choco install --no-progress cygwin
      shell: cmd
    - name: Install cygwin additional packages
      run: |
          C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git
      shell: cmd
    - name: Set ENV
      shell: cmd
      run: |
          echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV%
    - name: Check ENV
      shell: cmd
      run: |
          echo "PATH=%PATH%"
    - name: Clone acmetest
      shell: cmd
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - name: Run acmetest
      shell: cmd
      run: cd ../acmetest && bash.exe -c ./letest.sh
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
@ -6,6 +6,11 @@ on:
      - '*'
    tags:
      - '*'
    paths:
      - '**.sh'
      - "Dockerfile"
      - '.github/workflows/dockerhub.yml'
 jobs:
  CheckToken:
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@ -5,13 +5,13 @@ on:
      - '*'
    paths:
      - '**.sh'
      - '**.yml'
      - '.github/workflows/shellcheck.yml'
  pull_request:
    branches:
      - dev
    paths:
      - '**.sh'
      - '**.yml'
      - '.github/workflows/shellcheck.yml'
 jobs:
  ShellCheck:
--- a/8
+++ b/8
@ -1,7 +1,6 @@
 FROM alpine:3.12
 RUN apk update -f \
  && apk --no-cache add -f \
 RUN apk --no-cache add -f \
  openssl \
  openssh-client \
  coreutils \
@ -12,8 +11,7 @@ RUN apk update -f \
  tzdata \
  oath-toolkit-oathtool \
  tar \
  libidn \
  && rm -rf /var/cache/apk/*
  libidn
 ENV LE_CONFIG_HOME /acme.sh
@ -22,7 +20,7 @@ ARG AUTO_UPGRADE=1
 ENV AUTO_UPGRADE $AUTO_UPGRADE
 #Install
 ADD ./ /install_acme.sh/
 COPY ./ /install_acme.sh/
 RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/
--- a/README.md
+++ b/README.md
@ -1,6 +1,11 @@
 # An ACME Shell script: acme.sh 
 ![LetsEncrypt](https://github.com/acmesh-official/acme.sh/workflows/LetsEncrypt/badge.svg)
 [![FreeBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml)
 [![MacOS](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml)
 [![Ubuntu](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml)
 [![Windows](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml)
 [![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)
 ![Shellcheck](https://github.com/acmesh-official/acme.sh/workflows/Shellcheck/badge.svg)
 ![PebbleStrict](https://github.com/acmesh-official/acme.sh/workflows/PebbleStrict/badge.svg)
 ![DockerHub](https://github.com/acmesh-official/acme.sh/workflows/Build%20DockerHub/badge.svg)
@ -15,18 +20,18 @@
 - An ACME protocol client written purely in Shell (Unix shell) language.
 - Full ACME protocol implementation.
 - Support ACME v1 and ACME v2
 - Support ACME v2 wildcard certs
 - Support ECDSA certs
 - Support SAN and wildcard certs
 - Simple, powerful and very easy to use. You only need 3 minutes to learn it.
 - Bash, dash and sh compatible.
 - Purely written in Shell with no dependencies on python or the official Let's Encrypt client.
 - Purely written in Shell with no dependencies on python.
 - Just one script to issue, renew and install your certificates automatically.
 - DOES NOT require `root/sudoer` access.
 - Docker friendly
 - IPv6 support
 - Docker ready
 - IPv6 ready
 - Cron job notifications for renewal or error etc.
 It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates from Let's Encrypt.
 It's probably the `easiest & smartest` shell script to automatically issue & renew the free certificates.
 Wiki: https://github.com/acmesh-official/acme.sh/wiki
@ -57,37 +62,39 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
 | NO | Status| Platform|
 |----|-------|---------|
 |1|[![MacOS](https://github.com/acmesh-official/acme.sh/workflows/LetsEncrypt/badge.svg)](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|Mac OSX
 |2|[![Windows](https://github.com/acmesh-official/acme.sh/workflows/LetsEncrypt/badge.svg)](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|Windows (cygwin with curl, openssl and crontab included)
 |3|[![FreeBSD](https://github.com/acmesh-official/acme.sh/workflows/LetsEncrypt/badge.svg)](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|FreeBSD
 |4|[![Solaris](https://github.com/acmesh-official/acme.sh/workflows/LetsEncrypt/badge.svg)](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)|Solaris
 |5|[![Ubuntu](https://github.com/acmesh-official/acme.sh/workflows/LetsEncrypt/badge.svg)](https://github.com/acmesh-official/acme.sh/actions?query=workflow%3ALetsEncrypt)| Ubuntu
 |6|[![](https://acmesh-official.github.io/acmetest/status/pfsense.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|pfsense
 |7|[![](https://acmesh-official.github.io/acmetest/status/openbsd.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|OpenBSD
 |8|[![](https://acmesh-official.github.io/acmetest/status/debian-latest.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)| Debian
 |9|[![](https://acmesh-official.github.io/acmetest/status/centos-latest.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|CentOS
 |10|[![](https://acmesh-official.github.io/acmetest/status/opensuse-leap-latest.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|openSUSE
 |11|[![](https://acmesh-official.github.io/acmetest/status/alpine-latest.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Alpine Linux (with curl)
 |12|[![](https://acmesh-official.github.io/acmetest/status/archlinux-latest.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Archlinux
 |13|[![](https://acmesh-official.github.io/acmetest/status/fedora-latest.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|fedora
 |14|[![](https://acmesh-official.github.io/acmetest/status/kalilinux-kali.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Kali Linux
 |15|[![](https://acmesh-official.github.io/acmetest/status/oraclelinux-latest.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Oracle Linux
 |16|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management)
 |17|-----| Cloud Linux  https://github.com/acmesh-official/acme.sh/issues/111
 |18|[![](https://acmesh-official.github.io/acmetest/status/mageia.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Mageia
 |19|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
 |20|[![](https://acmesh-official.github.io/acmetest/status/gentoo-stage3-amd64.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|Gentoo Linux
 |21|[![](https://acmesh-official.github.io/acmetest/status/clearlinux-latest.svg)](https://github.com/acmesh-official/acmetest#here-are-the-latest-status)|ClearLinux
 For all build statuses, check our [weekly build project](https://github.com/acmesh-official/acmetest):
 |1|[![MacOS](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml)|Mac OSX
 |2|[![Windows](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml)|Windows (cygwin with curl, openssl and crontab included)
 |3|[![FreeBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml)|FreeBSD
 |4|[![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)|Solaris
 |5|[![Ubuntu](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml)| Ubuntu
 |6|NA|pfsense
 |7|NA|OpenBSD
 |8|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian
 |9|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS
 |10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE
 |11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl)
 |12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux
 |13|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora
 |14|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux
 |15|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux
 |16|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia
 |17|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux
 |18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux
 |19|-----| Cloud Linux  https://github.com/acmesh-official/acme.sh/issues/111
 |20|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
 |21|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management)
 Check our [testing project](https://github.com/acmesh-official/acmetest):
 https://github.com/acmesh-official/acmetest
 # Supported CA
 - Letsencrypt.org CA(default)
 - [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)
 - [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default)
 - Letsencrypt.org CA
 - [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA)
 - [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA)
 - [Pebble strict Mode](https://github.com/letsencrypt/pebble)
 - Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA
@ -469,7 +476,7 @@ TODO:
 ### Code Contributors
 This project exists thanks to all the people who contribute. [[Contribute](CONTRIBUTING.md)].
 This project exists thanks to all the people who contribute.
 <a href="https://github.com/acmesh-official/acme.sh/graphs/contributors"><img src="https://opencollective.com/acmesh/contributors.svg?width=890&button=false" /></a>
 ### Financial Contributors
--- a/acme.sh
+++ b/acme.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 VER=2.9.0
 VER=3.0.1
 PROJECT_NAME="acme.sh"
@ -20,6 +20,8 @@ _SUB_FOLDER_DEPLOY="deploy"
 _SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY"
 CA_LETSENCRYPT_V1="https://acme-v01.api.letsencrypt.org/directory"
 CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory"
 CA_LETSENCRYPT_V2_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"
@ -29,18 +31,22 @@ CA_BUYPASS_TEST="https://api.test4.buypass.no/acme/directory"
 CA_ZEROSSL="https://acme.zerossl.com/v2/DV90"
 _ZERO_EAB_ENDPOINT="http://api.zerossl.com/acme/eab-credentials-email"
 DEFAULT_CA=$CA_LETSENCRYPT_V2
 CA_SSLCOM_RSA="https://acme.ssl.com/sslcom-dv-rsa"
 CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc"
 DEFAULT_CA=$CA_ZEROSSL
 DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST
 CA_NAMES="
 ZeroSSL.com,zerossl
 LetsEncrypt.org,letsencrypt
 LetsEncrypt.org_test,letsencrypt_test,letsencrypttest
 BuyPass.com,buypass
 BuyPass.com_test,buypass_test,buypasstest
 ZeroSSL.com,zerossl
 SSL.com,sslcom
 "
 CA_SERVERS="$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_ZEROSSL"
 CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_SSLCOM_RSA"
 DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
@ -155,6 +161,8 @@ _REVOKE_WIKI="https://github.com/acmesh-official/acme.sh/wiki/revokecert"
 _ZEROSSL_WIKI="https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA"
 _SSLCOM_WIKI="https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA"
 _SERVER_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Server"
 _PREFERRED_CHAIN_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain"
@ -1210,7 +1218,7 @@ _createcsr() {
  _debug2 csr "$csr"
  _debug2 csrconf "$csrconf"
  printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
  printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\n" >"$csrconf"
  if [ "$acmeValidationv1" ]; then
    domainlist="$(_idn "$domainlist")"
@ -1762,7 +1770,7 @@ _inithttp() {
    if [ -z "$ACME_HTTP_NO_REDIRECTS" ]; then
      _ACME_CURL="$_ACME_CURL -L "
    fi
    if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
    if [ "$DEBUG" ] && [ "$DEBUG" -ge 2 ]; then
      _CURL_DUMP="$(_mktemp)"
      _ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
    fi
@ -1802,6 +1810,8 @@ _inithttp() {
 }
 _HTTP_MAX_RETRY=8
 # body  url [needbase64] [POST|PUT|DELETE] [ContentType]
 _post() {
  body="$1"
@ -1809,6 +1819,33 @@ _post() {
  needbase64="$3"
  httpmethod="$4"
  _postContentType="$5"
  _sleep_retry_sec=1
  _http_retry_times=0
  _hcode=0
  while [ "${_http_retry_times}" -le "$_HTTP_MAX_RETRY" ]; do
    [ "$_http_retry_times" = "$_HTTP_MAX_RETRY" ]
    _lastHCode="$?"
    _debug "Retrying post"
    _post_impl "$body" "$_post_url" "$needbase64" "$httpmethod" "$_postContentType" "$_lastHCode"
    _hcode="$?"
    _debug _hcode "$_hcode"
    if [ "$_hcode" = "0" ]; then
      break
    fi
    _http_retry_times=$(_math $_http_retry_times + 1)
    _sleep $_sleep_retry_sec
  done
  return $_hcode
 }
 # body  url [needbase64] [POST|PUT|DELETE] [ContentType] [displayError]
 _post_impl() {
  body="$1"
  _post_url="$2"
  needbase64="$3"
  httpmethod="$4"
  _postContentType="$5"
  displayError="$6"
  if [ -z "$httpmethod" ]; then
    httpmethod="POST"
@ -1860,7 +1897,9 @@ _post() {
    fi
    _ret="$?"
    if [ "$_ret" != "0" ]; then
      if [ -z "$displayError" ] || [ "$displayError" = "0" ]; then
        _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret"
      fi
      if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
        _err "Here is the curl dump log:"
        _err "$(cat "$_CURL_DUMP")"
@ -1916,8 +1955,10 @@ _post() {
      _debug "wget returns 8, the server returns a 'Bad request' response, lets process the response later."
    fi
    if [ "$_ret" != "0" ]; then
      if [ -z "$displayError" ] || [ "$displayError" = "0" ]; then
        _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret"
      fi
    fi
    _sed_i "s/^ *//g" "$HTTP_HEADER"
  else
    _ret="$?"
@ -1930,13 +1971,38 @@ _post() {
 # url getheader timeout
 _get() {
  url="$1"
  onlyheader="$2"
  t="$3"
  _sleep_retry_sec=1
  _http_retry_times=0
  _hcode=0
  while [ "${_http_retry_times}" -le "$_HTTP_MAX_RETRY" ]; do
    [ "$_http_retry_times" = "$_HTTP_MAX_RETRY" ]
    _lastHCode="$?"
    _debug "Retrying GET"
    _get_impl "$url" "$onlyheader" "$t" "$_lastHCode"
    _hcode="$?"
    _debug _hcode "$_hcode"
    if [ "$_hcode" = "0" ]; then
      break
    fi
    _http_retry_times=$(_math $_http_retry_times + 1)
    _sleep $_sleep_retry_sec
  done
  return $_hcode
 }
 # url getheader timeout displayError
 _get_impl() {
  _debug GET
  url="$1"
  onlyheader="$2"
  t="$3"
  displayError="$4"
  _debug url "$url"
  _debug "timeout=$t"
  _debug "displayError" "$displayError"
  _inithttp
  if [ "$_ACME_CURL" ] && [ "${ACME_USE_WGET:-0}" = "0" ]; then
@ -1955,7 +2021,9 @@ _get() {
    fi
    ret=$?
    if [ "$ret" != "0" ]; then
      if [ -z "$displayError" ] || [ "$displayError" = "0" ]; then
        _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret"
      fi
      if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
        _err "Here is the curl dump log:"
        _err "$(cat "$_CURL_DUMP")"
@ -1981,8 +2049,10 @@ _get() {
      _debug "wget returns 8, the server returns a 'Bad request' response, lets process the response later."
    fi
    if [ "$ret" != "0" ]; then
      if [ -z "$displayError" ] || [ "$displayError" = "0" ]; then
        _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret"
      fi
    fi
  else
    ret=$?
    _err "Neither curl nor wget is found, can not do GET."
@ -2529,17 +2599,33 @@ __initHome() {
  fi
 }
 _clearAPI() {
  ACME_NEW_ACCOUNT=""
  ACME_KEY_CHANGE=""
  ACME_NEW_AUTHZ=""
  ACME_NEW_ORDER=""
  ACME_REVOKE_CERT=""
  ACME_NEW_NONCE=""
  ACME_AGREEMENT=""
 }
 #server
 _initAPI() {
  _api_server="${1:-$ACME_DIRECTORY}"
  _debug "_init api for server: $_api_server"
  if [ -z "$ACME_NEW_ACCOUNT" ]; then
  MAX_API_RETRY_TIMES=10
  _sleep_retry_sec=10
  _request_retry_times=0
  while [ -z "$ACME_NEW_ACCOUNT" ] && [ "${_request_retry_times}" -lt "$MAX_API_RETRY_TIMES" ]; do
    _request_retry_times=$(_math "$_request_retry_times" + 1)
    response=$(_get "$_api_server")
    if [ "$?" != "0" ]; then
      _debug2 "response" "$response"
      _err "Can not init api."
      return 1
      _info "Can not init api for: $_api_server."
      _info "Sleep $_sleep_retry_sec and retry."
      _sleep "$_sleep_retry_sec"
      continue
    fi
    response=$(echo "$response" | _json_decode)
    _debug2 "response" "$response"
@ -2572,8 +2658,17 @@ _initAPI() {
    _debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT"
    _debug "ACME_AGREEMENT" "$ACME_AGREEMENT"
    _debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE"
    if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then
      return 0
    fi
    _info "Sleep $_sleep_retry_sec and retry."
    _sleep "$_sleep_retry_sec"
  done
  if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then
    return 0
  fi
  _err "Can not init api, for $_api_server"
  return 1
 }
 #[domain]  [keylength or isEcc flag]
@ -2617,15 +2712,44 @@ _initpath() {
  _ACME_SERVER_HOST="$(echo "$ACME_DIRECTORY" | cut -d : -f 2 | tr -s / | cut -d / -f 2)"
  _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
  CA_DIR="$CA_HOME/$_ACME_SERVER_HOST"
  _ACME_SERVER_PATH="$(echo "$ACME_DIRECTORY" | cut -d : -f 2- | tr -s / | cut -d / -f 3-)"
  _debug2 "_ACME_SERVER_PATH" "$_ACME_SERVER_PATH"
  CA_DIR="$CA_HOME/$_ACME_SERVER_HOST/$_ACME_SERVER_PATH"
  _DEFAULT_CA_CONF="$CA_DIR/ca.conf"
  if [ -z "$CA_CONF" ]; then
    CA_CONF="$_DEFAULT_CA_CONF"
  fi
  _debug3 CA_CONF "$CA_CONF"
  _OLD_CADIR="$CA_HOME/$_ACME_SERVER_HOST"
  _OLD_ACCOUNT_KEY="$_OLD_CADIR/account.key"
  _OLD_ACCOUNT_JSON="$_OLD_CADIR/account.json"
  _OLD_CA_CONF="$_OLD_CADIR/ca.conf"
  _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
  _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
  if [ -z "$ACCOUNT_KEY_PATH" ]; then
    ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
    if [ -f "$_OLD_ACCOUNT_KEY" ] && ! [ -f "$ACCOUNT_KEY_PATH" ]; then
      mkdir -p "$CA_DIR"
      mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
    fi
  fi
  if [ -z "$ACCOUNT_JSON_PATH" ]; then
    ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
    if [ -f "$_OLD_ACCOUNT_JSON" ] && ! [ -f "$ACCOUNT_JSON_PATH" ]; then
      mkdir -p "$CA_DIR"
      mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
    fi
  fi
  if [ -f "$_OLD_CA_CONF" ] && ! [ -f "$CA_CONF" ]; then
    mkdir -p "$CA_DIR"
    mv "$_OLD_CA_CONF" "$CA_CONF"
  fi
  if [ -f "$CA_CONF" ]; then
    . "$CA_CONF"
  fi
@ -2646,19 +2770,6 @@ _initpath() {
    HTTP_HEADER="$LE_CONFIG_HOME/http.header"
  fi
  _OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
  _OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
  _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
  _DEFAULT_ACCOUNT_JSON_PATH="$CA_DIR/account.json"
  if [ -z "$ACCOUNT_KEY_PATH" ]; then
    ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
  fi
  if [ -z "$ACCOUNT_JSON_PATH" ]; then
    ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
  fi
  _DEFAULT_CERT_HOME="$LE_CONFIG_HOME"
  if [ -z "$CERT_HOME" ]; then
    CERT_HOME="$_DEFAULT_CERT_HOME"
@ -3059,7 +3170,7 @@ _checkConf() {
        if ! _startswith "$included" "/" && _exists dirname; then
          _relpath="$(dirname "$_c_file")"
          _debug "_relpath" "$_relpath"
          included="$_relpath/included"
          included="$_relpath/$included"
        fi
        if _checkConf "$1" "$included"; then
          return 0
@ -3271,6 +3382,8 @@ _on_before_issue() {
  if [ "$_chk_pre_hook" ]; then
    _info "Run pre hook:'$_chk_pre_hook'"
    if ! (
      export Le_Domain="$_chk_main_domain"
      export Le_Alt="$_chk_alt_domains"
      cd "$DOMAIN_PATH" && eval "$_chk_pre_hook"
    ); then
      _err "Error when run pre hook."
@ -3332,7 +3445,7 @@ _on_before_issue() {
      _netprc="$(_ss "$_checkport" | grep "$_checkport")"
      netprc="$(echo "$_netprc" | grep "$_checkaddr")"
      if [ -z "$netprc" ]; then
        netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
        netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS:$_checkport")"
      fi
      if [ "$netprc" ]; then
        _err "$netprc"
@ -3489,15 +3602,6 @@ _regAccount() {
  _initAPI
  mkdir -p "$CA_DIR"
  if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
    _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
    mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
  fi
  if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
    _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
    mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
  fi
  if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
    if ! _create_account_key "$_reg_length"; then
@ -3526,8 +3630,10 @@ _regAccount() {
    if [ -z "$_eab_id" ] || [ -z "$_eab_hmac_key" ]; then
      _info "No EAB credentials found for ZeroSSL, let's get one"
      if [ -z "$_email" ]; then
        _err "Please provide a email address for ZeroSSL account."
        _err "See ZeroSSL usage: $_ZEROSSL_WIKI"
        _info "$(__green "$PROJECT_NAME is using ZeroSSL as default CA now.")"
        _info "$(__green "Please update your account with an email address first.")"
        _info "$(__green "$PROJECT_ENTRY --register-account -m my@example.com")"
        _info "See: $(__green "$_ZEROSSL_WIKI")"
        return 1
      fi
      _eabresp=$(_post "email=$_email" $_ZERO_EAB_ENDPOINT)
@ -3536,13 +3642,15 @@ _regAccount() {
        _err "Can not get EAB credentials from ZeroSSL."
        return 1
      fi
      _debug2 "$_eabresp"
      _eab_id="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
      _secure_debug2 _eabresp "$_eabresp"
      _eab_id="$(echo "$_eabresp" | tr ',}' '\n\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
      _secure_debug2 _eab_id "$_eab_id"
      if [ -z "$_eab_id" ]; then
        _err "Can not resolve _eab_id"
        return 1
      fi
      _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')"
      _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')"
      _secure_debug2 _eab_hmac_key "$_eab_hmac_key"
      if [ -z "$_eab_hmac_key" ]; then
        _err "Can not resolve _eab_hmac_key"
        return 1
@ -3564,7 +3672,7 @@ _regAccount() {
    eab_sign_t="$eab_protected64.$eab_payload64"
    _debug3 eab_sign_t "$eab_sign_t"
    key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 | _hex_dump | tr -d ' ')"
    key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 multi | _hex_dump | tr -d ' ')"
    _debug3 key_hex "$key_hex"
    eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace)
@ -3631,16 +3739,6 @@ _regAccount() {
 updateaccount() {
  _initpath
  if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
    _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
    mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
  fi
  if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
    _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
    mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
  fi
  if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
    _err "Account key is not found at: $ACCOUNT_KEY_PATH"
    return 1
@ -3683,16 +3781,6 @@ updateaccount() {
 deactivateaccount() {
  _initpath
  if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
    _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
    mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
  fi
  if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
    _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
    mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
  fi
  if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
    _err "Account key is not found at: $ACCOUNT_KEY_PATH"
    return 1
@ -3903,7 +3991,7 @@ _ns_lookup_ali() {
 }
 _ns_is_available_dp() {
  if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then
  if _get "https://doh.pub" "" 1 >/dev/null 2>&1; then
    return 0
  else
    return 1
@ -4123,6 +4211,10 @@ issue() {
  if [ -z "$_ACME_IS_RENEW" ]; then
    _initpath "$_main_domain" "$_key_length"
    mkdir -p "$DOMAIN_PATH"
  elif ! _hasfield "$_web_roots" "$W_DNS"; then
    Le_OrderFinalize=""
    Le_LinkOrder=""
    Le_LinkCert=""
  fi
  if _hasfield "$_web_roots" "$W_DNS" && [ -z "$FORCE_DNS_MANUAL" ]; then
@ -4132,7 +4224,9 @@ issue() {
  _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
  _initAPI
  if ! _initAPI; then
    return 1
  fi
  if [ -f "$DOMAIN_CONF" ]; then
    Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
@ -4688,26 +4782,13 @@ $_authorizations_map"
        return 1
      fi
      _debug "sleep 2 secs to verify"
      sleep 2
      _debug "checking"
      _send_signed_request "$uri"
      if [ "$?" != "0" ]; then
        _err "$d:Verify error:$response"
        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
        _clearup
        _on_issue_err "$_post_hook" "$vlist"
        return 1
      fi
      _debug2 original "$response"
      response="$(echo "$response" | _normalizeJson)"
      _debug2 response "$response"
      status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
      _debug2 status "$status"
      if _contains "$status" "invalid"; then
        error="$(echo "$response" | _egrep_o '"error":\{[^\}]*')"
        _debug2 error "$error"
@ -4739,9 +4820,9 @@ $_authorizations_map"
      fi
      if [ "$status" = "pending" ]; then
        _info "Pending"
        _info "Pending, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
      elif [ "$status" = "processing" ]; then
        _info "Processing"
        _info "Processing, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
      else
        _err "$d:Verify error:$response"
        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
@ -4749,7 +4830,19 @@ $_authorizations_map"
        _on_issue_err "$_post_hook" "$vlist"
        return 1
      fi
      _debug "sleep 2 secs to verify again"
      sleep 2
      _debug "checking"
      _send_signed_request "$uri"
      if [ "$?" != "0" ]; then
        _err "$d:Verify error:$response"
        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
        _clearup
        _on_issue_err "$_post_hook" "$vlist"
        return 1
      fi
    done
  done
@ -4895,10 +4988,10 @@ $_authorizations_map"
    _info "$(__green "Cert success.")"
    cat "$CERT_PATH"
    _info "Your cert is in $(__green " $CERT_PATH ")"
    _info "Your cert is in: $(__green "$CERT_PATH")"
    if [ -f "$CERT_KEY_PATH" ]; then
      _info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
      _info "Your cert key is in: $(__green "$CERT_KEY_PATH")"
    fi
    if [ ! "$USER_PATH" ] || [ ! "$_ACME_IN_CRON" ]; then
@ -4907,7 +5000,7 @@ $_authorizations_map"
    fi
  fi
  [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
  [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in: $(__green "$CA_CERT_PATH")"
  [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green "$CERT_FULLCHAIN_PATH")"
  Le_CertCreateTime=$(_time)
@ -5019,8 +5112,16 @@ renew() {
  . "$DOMAIN_CONF"
  _debug Le_API "$Le_API"
  if [ -z "$Le_API" ] || [ "$CA_LETSENCRYPT_V1" = "$Le_API" ]; then
    #if this is from an old version, Le_API is empty,
    #so, we force to use letsencrypt server
    Le_API="$CA_LETSENCRYPT_V2"
  fi
  if [ "$Le_API" ]; then
    if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
      _clearAPI
    fi
    export ACME_DIRECTORY="$Le_API"
    #reload ca configs
    ACCOUNT_KEY_PATH=""
@ -5028,6 +5129,7 @@ renew() {
    CA_CONF=""
    _debug3 "initpath again."
    _initpath "$Le_Domain" "$_isEcc"
    _initAPI
  fi
  if [ -z "$FORCE" ] && [ "$Le_NextRenewTime" ] && [ "$(_time)" -lt "$Le_NextRenewTime" ]; then
@ -5645,7 +5747,7 @@ uninstallcronjob() {
  _info "Removing cron job"
  cr="$($_CRONTAB -l | grep "$PROJECT_ENTRY --cron")"
  if [ "$cr" ]; then
    if _exists uname && uname -a | grep solaris >/dev/null; then
    if _exists uname && uname -a | grep SunOS >/dev/null; then
      $_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB --
    else
      $_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB -
@ -5685,6 +5787,23 @@ revoke() {
    return 1
  fi
  . "$DOMAIN_CONF"
  _debug Le_API "$Le_API"
  if [ "$Le_API" ]; then
    if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
      _clearAPI
    fi
    export ACME_DIRECTORY="$Le_API"
    #reload ca configs
    ACCOUNT_KEY_PATH=""
    ACCOUNT_JSON_PATH=""
    CA_CONF=""
    _debug3 "initpath again."
    _initpath "$Le_Domain" "$_isEcc"
    _initAPI
  fi
  cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}" | tr -d "\r\n" | _url_replace)"
  if [ -z "$cert" ]; then
@ -5764,7 +5883,24 @@ remove() {
 _deactivate() {
  _d_domain="$1"
  _d_type="$2"
  _initpath
  _initpath "$_d_domain" "$_d_type"
  . "$DOMAIN_CONF"
  _debug Le_API "$Le_API"
  if [ "$Le_API" ]; then
    if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
      _clearAPI
    fi
    export ACME_DIRECTORY="$Le_API"
    #reload ca configs
    ACCOUNT_KEY_PATH=""
    ACCOUNT_JSON_PATH=""
    CA_CONF=""
    _debug3 "initpath again."
    _initpath "$Le_Domain" "$_d_type"
    _initAPI
  fi
  _identifiers="{\"type\":\"dns\",\"value\":\"$_d_domain\"}"
  if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
@ -5795,7 +5931,7 @@ _deactivate() {
  _debug2 response "$response"
  _URL_NAME="url"
  entries="$(echo "$response" | tr '][' '==' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n' | grep "\"status\": *\"valid\"")"
  entries="$(echo "$response" | tr '][' '==' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n\n' | grep "\"status\": *\"valid\"")"
  if [ -z "$entries" ]; then
    _info "No valid entries found."
    if [ -z "$thumbprint" ]; then
@ -6559,7 +6695,7 @@ _getRepoHash() {
  _hash_path=$1
  shift
  _hash_url="https://api.github.com/repos/acmesh-official/$PROJECT_NAME/git/refs/$_hash_path"
  _get $_hash_url | tr -d "\r\n" | tr '{},' '\n' | grep '"sha":' | cut -d '"' -f 4
  _get $_hash_url | tr -d "\r\n" | tr '{},' '\n\n\n' | grep '"sha":' | cut -d '"' -f 4
 }
 _getUpgradeHash() {
@ -6632,9 +6768,10 @@ _checkSudo() {
  return 0
 }
 #server
 #server  #keylength
 _selectServer() {
  _server="$1"
  _skeylength="$2"
  _server_lower="$(echo "$_server" | _lower_case)"
  _sindex=0
  for snames in $CA_NAMES; do
@ -6645,6 +6782,9 @@ _selectServer() {
      if [ "$_server_lower" = "$sname" ]; then
        _debug2 "_selectServer match $sname"
        _serverdir="$(_getfield "$CA_SERVERS" $_sindex)"
        if [ "$_serverdir" = "$CA_SSLCOM_RSA" ] && _isEccKey "$_skeylength"; then
          _serverdir="$CA_SSLCOM_ECC"
        fi
        _debug "Selected server: $_serverdir"
        ACME_DIRECTORY="$_serverdir"
        export ACME_DIRECTORY
@ -6662,6 +6802,9 @@ _getCAShortName() {
  if [ -z "$caurl" ]; then
    caurl="$DEFAULT_CA"
  fi
  if [ "$CA_SSLCOM_ECC" = "$caurl" ]; then
    caurl="$CA_SSLCOM_RSA" #just hack to get the short name
  fi
  caurl_lower="$(echo $caurl | _lower_case)"
  _sindex=0
  for surl in $(echo "$CA_SERVERS" | _lower_case | tr , ' '); do
@ -6876,7 +7019,6 @@ _process() {
      ;;
    --server)
      _server="$2"
      _selectServer "$_server"
      shift
      ;;
    --debug)
@ -6975,7 +7117,6 @@ _process() {
      Le_DNSSleep="$_dnssleep"
      shift
      ;;
    --keylength | -k)
      _keylength="$2"
      shift
@ -6984,7 +7125,6 @@ _process() {
      _accountkeylength="$2"
      shift
      ;;
    --cert-file | --certpath)
      _cert_file="$2"
      shift
@ -7248,6 +7388,10 @@ _process() {
    shift 1
  done
  if [ "$_server" ]; then
    _selectServer "$_server" "${_ecc:-$_keylength}"
  fi
  if [ "${_CMD}" != "install" ]; then
    if [ "$__INTERACTIVE" ] && ! _checkSudo; then
      if [ -z "$FORCE" ]; then
--- a/deploy/consul.sh
+++ b/deploy/consul.sh
@ -0,0 +1,98 @@
 #!/usr/bin/env sh
 # Here is a script to deploy cert to hashicorp consul using curl
 # (https://www.consul.io/)
 #
 # it requires following environment variables:
 #
 # CONSUL_PREFIX - this contains the prefix path in consul
 # CONSUL_HTTP_ADDR - consul requires this to find your consul server
 #
 # additionally, you need to ensure that CONSUL_HTTP_TOKEN is available
 # to access the consul server
 #returns 0 means success, otherwise error.
 ########  Public functions #####################
 #domain keyfile certfile cafile fullchain
 consul_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"
  # validate required env vars
  _getdeployconf CONSUL_PREFIX
  if [ -z "$CONSUL_PREFIX" ]; then
    _err "CONSUL_PREFIX needs to be defined (contains prefix path in vault)"
    return 1
  fi
  _savedeployconf CONSUL_PREFIX "$CONSUL_PREFIX"
  _getdeployconf CONSUL_HTTP_ADDR
  if [ -z "$CONSUL_HTTP_ADDR" ]; then
    _err "CONSUL_HTTP_ADDR needs to be defined (contains consul connection address)"
    return 1
  fi
  _savedeployconf CONSUL_HTTP_ADDR "$CONSUL_HTTP_ADDR"
  CONSUL_CMD=$(command -v consul)
  # force CLI, but the binary does not exist => error
  if [ -n "$USE_CLI" ] && [ -z "$CONSUL_CMD" ]; then
    _err "Cannot find the consul binary!"
    return 1
  fi
  # use the CLI first
  if [ -n "$USE_CLI" ] || [ -n "$CONSUL_CMD" ]; then
    _info "Found consul binary, deploying with CLI"
    consul_deploy_cli "$CONSUL_CMD" "$CONSUL_PREFIX"
  else
    _info "Did not find consul binary, deploying with API"
    consul_deploy_api "$CONSUL_HTTP_ADDR" "$CONSUL_PREFIX" "$CONSUL_HTTP_TOKEN"
  fi
 }
 consul_deploy_api() {
  CONSUL_HTTP_ADDR="$1"
  CONSUL_PREFIX="$2"
  CONSUL_HTTP_TOKEN="$3"
  URL="$CONSUL_HTTP_ADDR/v1/kv/$CONSUL_PREFIX"
  export _H1="X-Consul-Token: $CONSUL_HTTP_TOKEN"
  if [ -n "$FABIO" ]; then
    _post "$(cat "$_cfullchain")" "$URL/${_cdomain}-cert.pem" '' "PUT" || return 1
    _post "$(cat "$_ckey")" "$URL/${_cdomain}-key.pem" '' "PUT" || return 1
  else
    _post "$(cat "$_ccert")" "$URL/${_cdomain}/cert.pem" '' "PUT" || return 1
    _post "$(cat "$_ckey")" "$URL/${_cdomain}/cert.key" '' "PUT" || return 1
    _post "$(cat "$_cca")" "$URL/${_cdomain}/chain.pem" '' "PUT" || return 1
    _post "$(cat "$_cfullchain")" "$URL/${_cdomain}/fullchain.pem" '' "PUT" || return 1
  fi
 }
 consul_deploy_cli() {
  CONSUL_CMD="$1"
  CONSUL_PREFIX="$2"
  if [ -n "$FABIO" ]; then
    $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}-cert.pem" @"$_cfullchain" || return 1
    $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}-key.pem" @"$_ckey" || return 1
  else
    $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
    $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
    $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
    $CONSUL_CMD kv put "${CONSUL_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
  fi
 }
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@ -66,6 +66,12 @@ synology_dsm_deploy() {
  _getdeployconf SYNO_Certificate
  _debug SYNO_Certificate "${SYNO_Certificate:-}"
  # shellcheck disable=SC1003 # We are not trying to escape a single quote
  if printf "%s" "$SYNO_Certificate" | grep '\\'; then
    _err "Do not use a backslash (\) in your certificate description"
    return 1
  fi
  _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
  _debug _base_url "$_base_url"
@ -110,7 +116,9 @@ synology_dsm_deploy() {
  _info "Getting certificates in Synology DSM"
  response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
  _debug3 response "$response"
  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p")
  escaped_certificate="$(printf "%s" "$SYNO_Certificate" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')"
  _debug escaped_certificate "$escaped_certificate"
  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p")
  _debug2 id "$id"
  if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
@ -119,7 +127,7 @@ synology_dsm_deploy() {
  fi
  # we've verified this certificate description is a thing, so save it
  _savedeployconf SYNO_Certificate "$SYNO_Certificate"
  _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64"
  _info "Generate form POST request"
  nl="\0015\0012"
@ -129,7 +137,7 @@ synology_dsm_deploy() {
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
  if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
  if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
    _debug2 default "this is the default certificate"
    content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
  else
--- a/dnsapi/dns_1984hosting.sh
+++ b/dnsapi/dns_1984hosting.sh
@ -59,7 +59,7 @@ dns_1984hosting_add() {
  if _contains "$response" '"haserrors": true'; then
    _err "1984Hosting failed to add TXT record for $_sub_domain bad RC from _post"
    return 1
  elif _contains "$response" "<html>"; then
  elif _contains "$response" "html>"; then
    _err "1984Hosting failed to add TXT record for $_sub_domain. Check $HTTP_HEADER file"
    return 1
  elif _contains "$response" '"auth": false'; then
@ -145,7 +145,7 @@ _1984hosting_login() {
  password=$(printf '%s' "$One984HOSTING_Password" | _url_encode)
  url="https://management.1984hosting.com/accounts/checkuserauth/"
  response="$(_post "username=$username&password=$password&otpkey=" "$url")"
  response="$(_post "username=$username&password=$password&otpkey=" $url)"
  response="$(echo "$response" | _normalizeJson)"
  _debug2 response "$response"
@ -177,7 +177,6 @@ _check_cookie() {
  fi
  _authget "https://management.1984hosting.com/accounts/loginstatus/"
  response="$(echo "$_response" | _normalizeJson)"
  if _contains "$response" '"ok": true'; then
    _debug "Cached cookie still valid"
    return 0
@ -194,7 +193,7 @@ _check_cookie() {
 # _domain=domain.com
 _get_root() {
  domain="$1"
  i=2
  i=1
  p=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@ -205,7 +204,7 @@ _get_root() {
    fi
    _authget "https://management.1984hosting.com/domains/soacheck/?zone=$h&nameserver=ns0.1984.is."
    if _contains "$_response" "serial"; then
    if _contains "$_response" "serial" && ! _contains "$_response" "null"; then
      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
      _domain="$h"
      return 0
@ -219,7 +218,8 @@ _get_root() {
 # add extra headers to request
 _authget() {
  export _H1="Cookie: $One984HOSTING_COOKIE"
  _response=$(_get "$1")
  _response=$(_get "$1" | _normalizeJson)
  _debug2 _response "$_response"
 }
 # truncate huge HTML response
--- a/dnsapi/dns_aws.sh
+++ b/dnsapi/dns_aws.sh
@ -32,7 +32,7 @@ dns_aws_add() {
  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
    AWS_ACCESS_KEY_ID=""
    AWS_SECRET_ACCESS_KEY=""
    _err "You haven't specifed the aws route53 api key id and and api key secret yet."
    _err "You haven't specified the aws route53 api key id and and api key secret yet."
    _err "Please create your key and try again. see $(__green $AWS_WIKI)"
    return 1
  fi
--- a/dnsapi/dns_azion.sh
+++ b/dnsapi/dns_azion.sh
@ -0,0 +1,204 @@
 #!/usr/bin/env sh
 #
 #AZION_Email=""
 #AZION_Password=""
 #
 AZION_Api="https://api.azionapi.net"
 ########  Public functions ########
 # Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 # Used to add txt record
 dns_azion_add() {
  fulldomain=$1
  txtvalue=$2
  _debug "Detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "Domain not found"
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  _debug _domain_id "$_domain_id"
  _info "Add or update record"
  _get_record "$_domain_id" "$_sub_domain"
  if [ "$record_id" ]; then
    _payload="{\"record_type\": \"TXT\", \"entry\": \"$_sub_domain\", \"answers_list\": [$answers_list, \"$txtvalue\"], \"ttl\": 20}"
    if _azion_rest PUT "intelligent_dns/$_domain_id/records/$record_id" "$_payload"; then
      if _contains "$response" "$txtvalue"; then
        _info "Record updated."
        return 0
      fi
    fi
  else
    _payload="{\"record_type\": \"TXT\", \"entry\": \"$_sub_domain\", \"answers_list\": [\"$txtvalue\"], \"ttl\": 20}"
    if _azion_rest POST "intelligent_dns/$_domain_id/records" "$_payload"; then
      if _contains "$response" "$txtvalue"; then
        _info "Record added."
        return 0
      fi
    fi
  fi
  _err "Failed to add or update record."
  return 1
 }
 # Usage: fulldomain txtvalue
 # Used to remove the txt record after validation
 dns_azion_rm() {
  fulldomain=$1
  txtvalue=$2
  _debug "Detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "Domain not found"
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  _debug _domain_id "$_domain_id"
  _info "Removing record"
  _get_record "$_domain_id" "$_sub_domain"
  if [ "$record_id" ]; then
    if _azion_rest DELETE "intelligent_dns/$_domain_id/records/$record_id"; then
      _info "Record removed."
      return 0
    else
      _err "Failed to remove record."
      return 1
    fi
  else
    _info "Record not found or already removed."
    return 0
  fi
 }
 ####################  Private functions below ##################################
 # Usage: _acme-challenge.www.domain.com
 # returns
 #  _sub_domain=_acme-challenge.www
 #  _domain=domain.com
 #  _domain_id=sdjkglgdfewsdfg
 _get_root() {
  domain=$1
  i=1
  p=1
  if ! _azion_rest GET "intelligent_dns"; then
    return 1
  fi
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    _debug h "$h"
    if [ -z "$h" ]; then
      # not valid
      return 1
    fi
    if _contains "$response" "\"domain\":\"$h\""; then
      _domain_id=$(echo "$response" | tr '{' "\n" | grep "\"domain\":\"$h\"" | _egrep_o "\"id\":[0-9]*" | _head_n 1 | cut -d : -f 2 | tr -d \")
      _debug _domain_id "$_domain_id"
      if [ "$_domain_id" ]; then
        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
        _domain=$h
        return 0
      fi
      return 1
    fi
    p=$i
    i=$(_math "$i" + 1)
  done
  return 1
 }
 _get_record() {
  _domain_id=$1
  _record=$2
  if ! _azion_rest GET "intelligent_dns/$_domain_id/records"; then
    return 1
  fi
  if _contains "$response" "\"entry\":\"$_record\""; then
    _json_record=$(echo "$response" | tr '{' "\n" | grep "\"entry\":\"$_record\"")
    if [ "$_json_record" ]; then
      record_id=$(echo "$_json_record" | _egrep_o "\"record_id\":[0-9]*" | _head_n 1 | cut -d : -f 2 | tr -d \")
      answers_list=$(echo "$_json_record" | _egrep_o "\"answers_list\":\[.*\]" | _head_n 1 | cut -d : -f 2 | tr -d \[\])
      return 0
    fi
    return 1
  fi
  return 1
 }
 _get_token() {
  AZION_Email="${AZION_Email:-$(_readaccountconf_mutable AZION_Email)}"
  AZION_Password="${AZION_Password:-$(_readaccountconf_mutable AZION_Password)}"
  if ! _contains "$AZION_Email" "@"; then
    _err "It seems that the AZION_Email is not a valid email address. Revalidate your environments."
    return 1
  fi
  if [ -z "$AZION_Email" ] || [ -z "$AZION_Password" ]; then
    _err "You didn't specified a AZION_Email/AZION_Password to generate Azion token."
    return 1
  fi
  _saveaccountconf_mutable AZION_Email "$AZION_Email"
  _saveaccountconf_mutable AZION_Password "$AZION_Password"
  _basic_auth=$(printf "%s:%s" "$AZION_Email" "$AZION_Password" | _base64)
  _debug _basic_auth "$_basic_auth"
  export _H1="Accept: application/json; version=3"
  export _H2="Content-Type: application/json"
  export _H3="Authorization: Basic $_basic_auth"
  response="$(_post "" "$AZION_Api/tokens" "" "POST")"
  if _contains "$response" "\"token\":\"" >/dev/null; then
    _azion_token=$(echo "$response" | _egrep_o "\"token\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")
    export AZION_Token="$_azion_token"
  else
    _err "Failed to generate Azion token"
    return 1
  fi
 }
 _azion_rest() {
  _method=$1
  _uri="$2"
  _data="$3"
  if [ -z "$AZION_Token" ]; then
    _get_token
  fi
  _debug2 token "$AZION_Token"
  export _H1="Accept: application/json; version=3"
  export _H2="Content-Type: application/json"
  export _H3="Authorization: token $AZION_Token"
  if [ "$_method" != "GET" ]; then
    _debug _data "$_data"
    response="$(_post "$_data" "$AZION_Api/$_uri" "" "$_method")"
  else
    response="$(_get "$AZION_Api/$_uri")"
  fi
  _debug2 response "$response"
  if [ "$?" != "0" ]; then
    _err "error $_method $_uri $_data"
    return 1
  fi
  return 0
 }
--- a/dnsapi/dns_infoblox.sh
+++ b/dnsapi/dns_infoblox.sh
@ -9,7 +9,6 @@ dns_infoblox_add() {
  ## Nothing to see here, just some housekeeping
  fulldomain=$1
  txtvalue=$2
  baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=$Infoblox_View"
  _info "Using Infoblox API"
  _debug fulldomain "$fulldomain"
@ -19,12 +18,13 @@ dns_infoblox_add() {
  if [ -z "$Infoblox_Creds" ] || [ -z "$Infoblox_Server" ]; then
    Infoblox_Creds=""
    Infoblox_Server=""
    _err "You didn't specify the credentials, server or infoblox view yet (Infoblox_Creds, Infoblox_Server and Infoblox_View)."
    _err "Please set them via EXPORT ([username:password], [ip or hostname]) and try again."
    _err "You didn't specify the Infoblox credentials or server (Infoblox_Creds; Infoblox_Server)."
    _err "Please set them via EXPORT Infoblox_Creds=username:password or EXPORT Infoblox_server=ip/hostname and try again."
    return 1
  fi
  if [ -z "$Infoblox_View" ]; then
    _info "No Infoblox_View set, using fallback value 'default'"
    Infoblox_View="default"
  fi
@ -33,6 +33,9 @@ dns_infoblox_add() {
  _saveaccountconf Infoblox_Server "$Infoblox_Server"
  _saveaccountconf Infoblox_View "$Infoblox_View"
  ## URLencode Infoblox View to deal with e.g. spaces
  Infoblox_ViewEncoded=$(printf "%b" "$Infoblox_View" | _url_encode)
  ## Base64 encode the credentials
  Infoblox_CredsEncoded=$(printf "%b" "$Infoblox_Creds" | _base64)
@ -40,11 +43,14 @@ dns_infoblox_add() {
  export _H1="Accept-Language:en-US"
  export _H2="Authorization: Basic $Infoblox_CredsEncoded"
  ## Construct the request URL
  baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=${Infoblox_ViewEncoded}"
  ## Add the challenge record to the Infoblox grid member
  result="$(_post "" "$baseurlnObject" "" "POST")"
  ## Let's see if we get something intelligible back from the unit
  if [ "$(echo "$result" | _egrep_o "record:txt/.*:.*/$Infoblox_View")" ]; then
  if [ "$(echo "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")" ]; then
    _info "Successfully created the txt record"
    return 0
  else
@ -65,6 +71,9 @@ dns_infoblox_rm() {
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"
  ## URLencode Infoblox View to deal with e.g. spaces
  Infoblox_ViewEncoded=$(printf "%b" "$Infoblox_View" | _url_encode)
  ## Base64 encode the credentials
  Infoblox_CredsEncoded="$(printf "%b" "$Infoblox_Creds" | _base64)"
@ -73,18 +82,18 @@ dns_infoblox_rm() {
  export _H2="Authorization: Basic $Infoblox_CredsEncoded"
  ## Does the record exist?  Let's check.
  baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=$Infoblox_View&_return_type=xml-pretty"
  baseurlnObject="https://$Infoblox_Server/wapi/v2.2.2/record:txt?name=$fulldomain&text=$txtvalue&view=${Infoblox_ViewEncoded}&_return_type=xml-pretty"
  result="$(_get "$baseurlnObject")"
  ## Let's see if we get something intelligible back from the grid
  if [ "$(echo "$result" | _egrep_o "record:txt/.*:.*/$Infoblox_View")" ]; then
  if [ "$(echo "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")" ]; then
    ## Extract the object reference
    objRef="$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/$Infoblox_View")"
    objRef="$(printf "%b" "$result" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")"
    objRmUrl="https://$Infoblox_Server/wapi/v2.2.2/$objRef"
    ## Delete them! All the stale records!
    rmResult="$(_post "" "$objRmUrl" "" "DELETE")"
    ## Let's see if that worked
    if [ "$(echo "$rmResult" | _egrep_o "record:txt/.*:.*/$Infoblox_View")" ]; then
    if [ "$(echo "$rmResult" | _egrep_o "record:txt/.*:.*/${Infoblox_ViewEncoded}")" ]; then
      _info "Successfully deleted $objRef"
      return 0
    else
--- a/dnsapi/dns_ionos.sh
+++ b/dnsapi/dns_ionos.sh
@ -149,14 +149,15 @@ _ionos_rest() {
    response="$(_post "$data" "$IONOS_API$route" "" "$method" "application/json")"
  else
    export _H2="Accept: */*"
    export _H3=
    response="$(_get "$IONOS_API$route")"
  fi
  if [ "$?" != "0" ]; then
    _err "Error $route"
    _err "Error $route: $response"
    return 1
  fi
  _debug2 "response" "$response"
  return 0
 }
--- a/dnsapi/dns_nsd.sh
+++ b/dnsapi/dns_nsd.sh
@ -51,7 +51,7 @@ dns_nsd_rm() {
  Nsd_ZoneFile="${Nsd_ZoneFile:-$(_readdomainconf Nsd_ZoneFile)}"
  Nsd_Command="${Nsd_Command:-$(_readdomainconf Nsd_Command)}"
  sed -i "/$fulldomain. $ttlvalue IN TXT \"$txtvalue\"/d" "$Nsd_ZoneFile"
  _sed_i "/$fulldomain. $ttlvalue IN TXT \"$txtvalue\"/d" "$Nsd_ZoneFile"
  _info "Removed TXT record for $fulldomain"
  _debug "Running $Nsd_Command"
  if eval "$Nsd_Command"; then
--- a/dnsapi/dns_oci.sh
+++ b/dnsapi/dns_oci.sh
@ -0,0 +1,324 @@
 #!/usr/bin/env sh
 #
 # Acme.sh DNS API plugin for Oracle Cloud Infrastructure
 # Copyright (c) 2021, Oracle and/or its affiliates
 #
 # The plugin will automatically use the default profile from an OCI SDK and CLI
 # configuration file, if it exists.
 #
 # Alternatively, set the following environment variables:
 # - OCI_CLI_TENANCY : OCID of tenancy that contains the target DNS zone
 # - OCI_CLI_USER    : OCID of user with permission to add/remove records from zones
 # - OCI_CLI_REGION  : Should point to the tenancy home region
 #
 # One of the following two variables is required:
 # - OCI_CLI_KEY_FILE: Path to private API signing key file in PEM format; or
 # - OCI_CLI_KEY     : The private API signing key in PEM format
 #
 # NOTE: using an encrypted private key that needs a passphrase is not supported.
 #
 dns_oci_add() {
  _fqdn="$1"
  _rdata="$2"
  if _get_oci_zone; then
    _add_record_body="{\"items\":[{\"domain\":\"${_sub_domain}.${_domain}\",\"rdata\":\"$_rdata\",\"rtype\":\"TXT\",\"ttl\": 30,\"operation\":\"ADD\"}]}"
    response=$(_signed_request "PATCH" "/20180115/zones/${_domain}/records" "$_add_record_body")
    if [ "$response" ]; then
      _info "Success: added TXT record for ${_sub_domain}.${_domain}."
    else
      _err "Error: failed to add TXT record for ${_sub_domain}.${_domain}."
      _err "Check that the user has permission to add records to this zone."
      return 1
    fi
  else
    return 1
  fi
 }
 dns_oci_rm() {
  _fqdn="$1"
  _rdata="$2"
  if _get_oci_zone; then
    _remove_record_body="{\"items\":[{\"domain\":\"${_sub_domain}.${_domain}\",\"rdata\":\"$_rdata\",\"rtype\":\"TXT\",\"operation\":\"REMOVE\"}]}"
    response=$(_signed_request "PATCH" "/20180115/zones/${_domain}/records" "$_remove_record_body")
    if [ "$response" ]; then
      _info "Success: removed TXT record for ${_sub_domain}.${_domain}."
    else
      _err "Error: failed to remove TXT record for ${_sub_domain}.${_domain}."
      _err "Check that the user has permission to remove records from this zone."
      return 1
    fi
  else
    return 1
  fi
 }
 ####################  Private functions below ##################################
 _get_oci_zone() {
  if ! _oci_config; then
    return 1
  fi
  if ! _get_zone "$_fqdn"; then
    _err "Error: DNS Zone not found for $_fqdn in $OCI_CLI_TENANCY"
    return 1
  fi
  return 0
 }
 _oci_config() {
  _DEFAULT_OCI_CLI_CONFIG_FILE="$HOME/.oci/config"
  OCI_CLI_CONFIG_FILE="${OCI_CLI_CONFIG_FILE:-$(_readaccountconf_mutable OCI_CLI_CONFIG_FILE)}"
  if [ -z "$OCI_CLI_CONFIG_FILE" ]; then
    OCI_CLI_CONFIG_FILE="$_DEFAULT_OCI_CLI_CONFIG_FILE"
  fi
  if [ "$_DEFAULT_OCI_CLI_CONFIG_FILE" != "$OCI_CLI_CONFIG_FILE" ]; then
    _saveaccountconf_mutable OCI_CLI_CONFIG_FILE "$OCI_CLI_CONFIG_FILE"
  else
    _clearaccountconf_mutable OCI_CLI_CONFIG_FILE
  fi
  _DEFAULT_OCI_CLI_PROFILE="DEFAULT"
  OCI_CLI_PROFILE="${OCI_CLI_PROFILE:-$(_readaccountconf_mutable OCI_CLI_PROFILE)}"
  if [ "$_DEFAULT_OCI_CLI_PROFILE" != "$OCI_CLI_PROFILE" ]; then
    _saveaccountconf_mutable OCI_CLI_PROFILE "$OCI_CLI_PROFILE"
  else
    OCI_CLI_PROFILE="$_DEFAULT_OCI_CLI_PROFILE"
    _clearaccountconf_mutable OCI_CLI_PROFILE
  fi
  OCI_CLI_TENANCY="${OCI_CLI_TENANCY:-$(_readaccountconf_mutable OCI_CLI_TENANCY)}"
  if [ "$OCI_CLI_TENANCY" ]; then
    _saveaccountconf_mutable OCI_CLI_TENANCY "$OCI_CLI_TENANCY"
  elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then
    _debug "Reading OCI_CLI_TENANCY value from: $OCI_CLI_CONFIG_FILE"
    OCI_CLI_TENANCY="${OCI_CLI_TENANCY:-$(_readini "$OCI_CLI_CONFIG_FILE" tenancy "$OCI_CLI_PROFILE")}"
  fi
  if [ -z "$OCI_CLI_TENANCY" ]; then
    _err "Error: unable to read OCI_CLI_TENANCY from config file or environment variable."
    return 1
  fi
  OCI_CLI_USER="${OCI_CLI_USER:-$(_readaccountconf_mutable OCI_CLI_USER)}"
  if [ "$OCI_CLI_USER" ]; then
    _saveaccountconf_mutable OCI_CLI_USER "$OCI_CLI_USER"
  elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then
    _debug "Reading OCI_CLI_USER value from: $OCI_CLI_CONFIG_FILE"
    OCI_CLI_USER="${OCI_CLI_USER:-$(_readini "$OCI_CLI_CONFIG_FILE" user "$OCI_CLI_PROFILE")}"
  fi
  if [ -z "$OCI_CLI_USER" ]; then
    _err "Error: unable to read OCI_CLI_USER from config file or environment variable."
    return 1
  fi
  OCI_CLI_REGION="${OCI_CLI_REGION:-$(_readaccountconf_mutable OCI_CLI_REGION)}"
  if [ "$OCI_CLI_REGION" ]; then
    _saveaccountconf_mutable OCI_CLI_REGION "$OCI_CLI_REGION"
  elif [ -f "$OCI_CLI_CONFIG_FILE" ]; then
    _debug "Reading OCI_CLI_REGION value from: $OCI_CLI_CONFIG_FILE"
    OCI_CLI_REGION="${OCI_CLI_REGION:-$(_readini "$OCI_CLI_CONFIG_FILE" region "$OCI_CLI_PROFILE")}"
  fi
  if [ -z "$OCI_CLI_REGION" ]; then
    _err "Error: unable to read OCI_CLI_REGION from config file or environment variable."
    return 1
  fi
  OCI_CLI_KEY="${OCI_CLI_KEY:-$(_readaccountconf_mutable OCI_CLI_KEY)}"
  if [ -z "$OCI_CLI_KEY" ]; then
    _clearaccountconf_mutable OCI_CLI_KEY
    OCI_CLI_KEY_FILE="${OCI_CLI_KEY_FILE:-$(_readini "$OCI_CLI_CONFIG_FILE" key_file "$OCI_CLI_PROFILE")}"
    if [ "$OCI_CLI_KEY_FILE" ] && [ -f "$OCI_CLI_KEY_FILE" ]; then
      _debug "Reading OCI_CLI_KEY value from: $OCI_CLI_KEY_FILE"
      OCI_CLI_KEY=$(_base64 <"$OCI_CLI_KEY_FILE")
      _saveaccountconf_mutable OCI_CLI_KEY "$OCI_CLI_KEY"
    fi
  else
    _saveaccountconf_mutable OCI_CLI_KEY "$OCI_CLI_KEY"
  fi
  if [ -z "$OCI_CLI_KEY_FILE" ] && [ -z "$OCI_CLI_KEY" ]; then
    _err "Error: unable to find key file path in OCI config file or OCI_CLI_KEY_FILE."
    _err "Error: unable to load private API signing key from OCI_CLI_KEY."
    return 1
  fi
  if [ "$(printf "%s\n" "$OCI_CLI_KEY" | wc -l)" -eq 1 ]; then
    OCI_CLI_KEY=$(printf "%s" "$OCI_CLI_KEY" | _dbase64 multiline)
  fi
  return 0
 }
 # _get_zone(): retrieves the Zone name and OCID
 #
 # _sub_domain=_acme-challenge.www
 # _domain=domain.com
 # _domain_ociid=ocid1.dns-zone.oc1..
 _get_zone() {
  domain=$1
  i=1
  p=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    _debug h "$h"
    if [ -z "$h" ]; then
      # not valid
      return 1
    fi
    _domain_id=$(_signed_request "GET" "/20180115/zones/$h" "" "id")
    if [ "$_domain_id" ]; then
      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
      _domain=$h
      _debug _domain_id "$_domain_id"
      _debug _sub_domain "$_sub_domain"
      _debug _domain "$_domain"
      return 0
    fi
    p=$i
    i=$(_math "$i" + 1)
  done
  return 1
 }
 #Usage: privatekey
 #Output MD5 fingerprint
 _fingerprint() {
  pkey="$1"
  if [ -z "$pkey" ]; then
    _usage "Usage: _fingerprint privkey"
    return 1
  fi
  printf "%s" "$pkey" | ${ACME_OPENSSL_BIN:-openssl} rsa -pubout -outform DER 2>/dev/null | ${ACME_OPENSSL_BIN:-openssl} md5 -c | cut -d = -f 2 | tr -d ' '
 }
 _signed_request() {
  _sig_method="$1"
  _sig_target="$2"
  _sig_body="$3"
  _return_field="$4"
  _key_fingerprint=$(_fingerprint "$OCI_CLI_KEY")
  _sig_host="dns.$OCI_CLI_REGION.oraclecloud.com"
  _sig_keyId="$OCI_CLI_TENANCY/$OCI_CLI_USER/$_key_fingerprint"
  _sig_alg="rsa-sha256"
  _sig_version="1"
  _sig_now="$(LC_ALL=C \date -u "+%a, %d %h %Y %H:%M:%S GMT")"
  _request_method=$(printf %s "$_sig_method" | _lower_case)
  _curl_method=$(printf %s "$_sig_method" | _upper_case)
  _request_target="(request-target): $_request_method $_sig_target"
  _date_header="date: $_sig_now"
  _host_header="host: $_sig_host"
  _string_to_sign="$_request_target\n$_date_header\n$_host_header"
  _sig_headers="(request-target) date host"
  if [ "$_sig_body" ]; then
    _secure_debug3 _sig_body "$_sig_body"
    _sig_body_sha256="x-content-sha256: $(printf %s "$_sig_body" | _digest sha256)"
    _sig_body_type="content-type: application/json"
    _sig_body_length="content-length: ${#_sig_body}"
    _string_to_sign="$_string_to_sign\n$_sig_body_sha256\n$_sig_body_type\n$_sig_body_length"
    _sig_headers="$_sig_headers x-content-sha256 content-type content-length"
  fi
  _tmp_file=$(_mktemp)
  if [ -f "$_tmp_file" ]; then
    printf '%s' "$OCI_CLI_KEY" >"$_tmp_file"
    _signature=$(printf '%b' "$_string_to_sign" | _sign "$_tmp_file" sha256 | tr -d '\r\n')
    rm -f "$_tmp_file"
  fi
  _signed_header="Authorization: Signature version=\"$_sig_version\",keyId=\"$_sig_keyId\",algorithm=\"$_sig_alg\",headers=\"$_sig_headers\",signature=\"$_signature\""
  _secure_debug3 _signed_header "$_signed_header"
  if [ "$_curl_method" = "GET" ]; then
    export _H1="$_date_header"
    export _H2="$_signed_header"
    _response="$(_get "https://${_sig_host}${_sig_target}")"
  elif [ "$_curl_method" = "PATCH" ]; then
    export _H1="$_date_header"
    export _H2="$_sig_body_sha256"
    export _H3="$_sig_body_type"
    export _H4="$_sig_body_length"
    export _H5="$_signed_header"
    _response="$(_post "$_sig_body" "https://${_sig_host}${_sig_target}" "" "PATCH")"
  else
    _err "Unable to process method: $_curl_method."
  fi
  _ret="$?"
  if [ "$_return_field" ]; then
    _response="$(echo "$_response" | sed 's/\\\"//g'))"
    _return=$(echo "${_response}" | _egrep_o "\"$_return_field\"\\s*:\\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"")
  else
    _return="$_response"
  fi
  printf "%s" "$_return"
  return $_ret
 }
 # file  key  [section]
 _readini() {
  _file="$1"
  _key="$2"
  _section="${3:-DEFAULT}"
  _start_n=$(grep -n '\['"$_section"']' "$_file" | cut -d : -f 1)
  _debug3 _start_n "$_start_n"
  if [ -z "$_start_n" ]; then
    _err "Can not find section: $_section"
    return 1
  fi
  _start_nn=$(_math "$_start_n" + 1)
  _debug3 "_start_nn" "$_start_nn"
  _left="$(sed -n "${_start_nn},99999p" "$_file")"
  _debug3 _left "$_left"
  _end="$(echo "$_left" | grep -n "^\[" | _head_n 1)"
  _debug3 "_end" "$_end"
  if [ "$_end" ]; then
    _end_n=$(echo "$_end" | cut -d : -f 1)
    _debug3 "_end_n" "$_end_n"
    _seg_n=$(echo "$_left" | sed -n "1,${_end_n}p")
  else
    _seg_n="$_left"
  fi
  _debug3 "_seg_n" "$_seg_n"
  _lineini="$(echo "$_seg_n" | grep "^ *$_key *= *")"
  _inivalue="$(printf "%b" "$(eval "echo $_lineini | sed \"s/^ *${_key} *= *//g\"")")"
  _debug2 _inivalue "$_inivalue"
  echo "$_inivalue"
 }
--- a/dnsapi/dns_ovh.sh
+++ b/dnsapi/dns_ovh.sh
@ -261,7 +261,9 @@ _get_root() {
      return 1
    fi
    if ! _contains "$response" "This service does not exist" >/dev/null && ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then
    if ! _contains "$response" "This service does not exist" >/dev/null &&
      ! _contains "$response" "This call has not been granted" >/dev/null &&
      ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then
      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
      _domain="$h"
      return 0
--- a/dnsapi/dns_pdns.sh
+++ b/dnsapi/dns_pdns.sh
@ -103,7 +103,7 @@ set_record() {
    _build_record_string "$oldchallenge"
  done
  if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}"; then
  if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}" "application/json"; then
    _err "Set txt record error."
    return 1
  fi
@ -126,7 +126,7 @@ rm_record() {
  if _contains "$_existing_challenges" "$txtvalue"; then
    #Delete all challenges (PowerDNS API does not allow to delete content)
    if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"DELETE\", \"name\": \"$full.\", \"type\": \"TXT\"}]}"; then
    if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"DELETE\", \"name\": \"$full.\", \"type\": \"TXT\"}]}" "application/json"; then
      _err "Delete txt record error."
      return 1
    fi
@ -140,7 +140,7 @@ rm_record() {
        fi
      done
      #Recreate the existing challenges
      if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}"; then
      if ! _pdns_rest "PATCH" "/api/v1/servers/$PDNS_ServerId/zones/$root" "{\"rrsets\": [{\"changetype\": \"REPLACE\", \"name\": \"$full.\", \"type\": \"TXT\", \"ttl\": $PDNS_Ttl, \"records\": [$_record_string]}]}" "application/json"; then
        _err "Set txt record error."
        return 1
      fi
@ -203,12 +203,13 @@ _pdns_rest() {
  method=$1
  ep=$2
  data=$3
  ct=$4
  export _H1="X-API-Key: $PDNS_Token"
  if [ ! "$method" = "GET" ]; then
    _debug data "$data"
    response="$(_post "$data" "$PDNS_Url$ep" "" "$method")"
    response="$(_post "$data" "$PDNS_Url$ep" "" "$method" "$ct")"
  else
    response="$(_get "$PDNS_Url$ep")"
  fi
--- a/dnsapi/dns_porkbun.sh
+++ b/dnsapi/dns_porkbun.sh
@ -110,8 +110,8 @@ _get_root() {
    if _porkbun_rest POST "dns/retrieve/$h"; then
      if _contains "$response" "\"status\":\"SUCCESS\""; then
        _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
        _domain=$h
        _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
        return 0
      else
        _debug "Go to next level of $_domain"
--- a/dnsapi/dns_vultr.sh
+++ b/dnsapi/dns_vultr.sh
@ -33,7 +33,7 @@ dns_vultr_add() {
  _debug 'Getting txt records'
  _vultr_rest GET "dns/records?domain=$_domain"
  if printf "%s\n" "$response" | grep "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
  if printf "%s\n" "$response" | grep -- "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
    _err 'Error'
    return 1
  fi
@ -73,12 +73,12 @@ dns_vultr_rm() {
  _debug 'Getting txt records'
  _vultr_rest GET "dns/records?domain=$_domain"
  if printf "%s\n" "$response" | grep "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
  if printf "%s\n" "$response" | grep -- "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
    _err 'Error'
    return 1
  fi
  _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep "$txtvalue" | tr ',' '\n' | grep -i 'RECORDID' | cut -d : -f 2)"
  _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'RECORDID' | cut -d : -f 2)"
  _debug _record_id "$_record_id"
  if [ "$_record_id" ]; then
    _info "Successfully retrieved the record id for ACME challenge."
--- a/notify/sendgrid.sh
+++ b/notify/sendgrid.sh
@ -37,11 +37,19 @@ sendgrid_send() {
  fi
  _saveaccountconf_mutable SENDGRID_FROM "$SENDGRID_FROM"
  SENDGRID_FROM_NAME="${SENDGRID_FROM_NAME:-$(_readaccountconf_mutable SENDGRID_FROM_NAME)}"
  _saveaccountconf_mutable SENDGRID_FROM_NAME "$SENDGRID_FROM_NAME"
  export _H1="Authorization: Bearer $SENDGRID_API_KEY"
  export _H2="Content-Type: application/json"
  _content="$(echo "$_content" | _json_encode)"
  if [ -z "$SENDGRID_FROM_NAME" ]; then
    _data="{\"personalizations\": [{\"to\": [{\"email\": \"$SENDGRID_TO\"}]}],\"from\": {\"email\": \"$SENDGRID_FROM\"},\"subject\": \"$_subject\",\"content\": [{\"type\": \"text/plain\", \"value\": \"$_content\"}]}"
  else
    _data="{\"personalizations\": [{\"to\": [{\"email\": \"$SENDGRID_TO\"}]}],\"from\": {\"email\": \"$SENDGRID_FROM\", \"name\": \"$SENDGRID_FROM_NAME\"},\"subject\": \"$_subject\",\"content\": [{\"type\": \"text/plain\", \"value\": \"$_content\"}]}"
  fi
  response="$(_post "$_data" "https://api.sendgrid.com/v3/mail/send")"
  if [ "$?" = "0" ] && [ -z "$response" ]; then
--- a/notify/telegram.sh
+++ b/notify/telegram.sh
@ -27,7 +27,7 @@ telegram_send() {
  fi
  _saveaccountconf_mutable TELEGRAM_BOT_CHATID "$TELEGRAM_BOT_CHATID"
  _content="$(printf "%s" "$_content" | sed -e 's/*/\\\\*/')"
  _content="$(printf "%s" "$_content" | sed -e 's/\([_*`\[]\)/\\\\\1/g')"
  _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)"
  _data="{\"text\": \"$_content\", "
  _data="$_data\"chat_id\": \"$TELEGRAM_BOT_CHATID\", "