Merge branch 'acmesh-official:dev' into dev

2025-05-01 03:42:45 +00:00 · 2021-05-15 23:40:30 +09:00 · 2021-05-15 23:40:30 +09:00 · b1f5b3327d
commit b1f5b3327d
parent e11142b86e 461f602992
37 changed files with 2257 additions and 325 deletions
--- a/.github/workflows/DNS.yml
+++ b/.github/workflows/DNS.yml
@ -184,7 +184,7 @@ jobs:
    - uses: actions/checkout@v2
    - name: Clone acmetest
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/freebsd-vm@v0.0.7
+    - uses: vmactions/freebsd-vm@v0.1.4
      with:
        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
        prepare: pkg install -y socat curl
@ -223,7 +223,7 @@ jobs:
    - uses: actions/checkout@v2
    - name: Clone acmetest
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/solaris-vm@v0.0.1
+    - uses: vmactions/solaris-vm@v0.0.3
      with:
        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
        prepare: pkgutil -y -i socat curl
--- a/.github/workflows/LetsEncrypt.yml
+++ b/.github/workflows/LetsEncrypt.yml
@ -111,7 +111,7 @@ jobs:
    - uses: actions/checkout@v2
    - name: Clone acmetest
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/freebsd-vm@v0.0.7
+    - uses: vmactions/freebsd-vm@v0.1.4
      with:
        envs: 'NGROK_TOKEN TEST_LOCAL'
        prepare: pkg install -y socat curl
@ -136,7 +136,7 @@ jobs:
      run: echo "TestingDomain=${{steps.ngrok.outputs.server}}" >> $GITHUB_ENV
    - name: Clone acmetest
      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/solaris-vm@v0.0.1
+    - uses: vmactions/solaris-vm@v0.0.3
      with:
        envs: 'TEST_LOCAL TestingDomain'
        nat: |
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
@ -33,12 +33,10 @@ jobs:
    steps:
      - name: checkout code
        uses: actions/checkout@v2
-      - name: install buildx
+      - name: Set up QEMU
-        id: buildx
+        uses: docker/setup-qemu-action@v1
-        uses: crazy-max/ghaction-docker-buildx@v3
+      - name: Set up Docker Buildx
-        with:
+        uses: docker/setup-buildx-action@v1
          buildx-version: latest
          qemu-version: latest
      - name: login to docker hub
        run: |
          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
--- a/1
+++ b/1
@ -12,6 +12,7 @@ RUN apk update -f \
  tzdata \
  oath-toolkit-oathtool \
  tar \
  libidn \
  && rm -rf /var/cache/apk/*
 ENV LE_CONFIG_HOME /acme.sh
--- a/README.md
+++ b/README.md
@ -89,6 +89,7 @@ https://github.com/acmesh-official/acmetest
 - [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)
 - [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA)
 - [Pebble strict Mode](https://github.com/letsencrypt/pebble)
 - Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA
 # Supported modes
@ -109,13 +110,13 @@ https://github.com/acmesh-official/acmetest
 Check this project: https://github.com/acmesh-official/get.acme.sh
 ```bash
-curl https://get.acme.sh | sh
+curl https://get.acme.sh | sh -s email=my@example.com
 ```
 Or:
 ```bash
-wget -O -  https://get.acme.sh | sh
+wget -O -  https://get.acme.sh | sh -s email=my@example.com
 ```
@ -126,7 +127,7 @@ Clone this project and launch installation:
 ```bash
 git clone https://github.com/acmesh-official/acme.sh.git
 cd ./acme.sh
-./acme.sh --install
+./acme.sh --install -m my@example.com
 ```
 You `don't have to be root` then, although `it is recommended`.
--- a/acme.sh
+++ b/acme.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env sh
-VER=2.8.9
+VER=2.9.0
 PROJECT_NAME="acme.sh"
@ -102,6 +102,8 @@ DEBUG_LEVEL_NONE=0
 DOH_CLOUDFLARE=1
 DOH_GOOGLE=2
 DOH_ALI=3
 DOH_DP=4
 HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)"
@ -160,6 +162,8 @@ _SERVER_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Server"
 _PREFERRED_CHAIN_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain"
 _DNSCHECK_WIKI="https://github.com/acmesh-official/acme.sh/wiki/dnscheck"
 _DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead."
 _DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR"
@ -560,8 +564,16 @@ if _exists xargs && [ "$(printf %s '\\x41' | xargs printf)" = 'A' ]; then
 fi
 _h2b() {
-  if _exists xxd && xxd -r -p 2>/dev/null; then
+  if _exists xxd; then
-    return
+    if _contains "$(xxd --help 2>&1)" "assumes -c30"; then
      if xxd -r -p -c 9999 2>/dev/null; then
        return
      fi
    else
      if xxd -r -p 2>/dev/null; then
        return
      fi
    fi
  fi
  hex=$(cat)
@ -1122,7 +1134,7 @@ _createkey() {
  if _isEccKey "$length"; then
    _debug "Using ec name: $eccname"
-    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null)"; then
+    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -noout -genkey 2>/dev/null)"; then
      echo "$_opkey" >"$f"
    else
      _err "error ecc key name: $eccname"
@ -1130,7 +1142,11 @@ _createkey() {
    fi
  else
    _debug "Using RSA: $length"
-    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null)"; then
+    __traditional=""
    if _contains "$(${ACME_OPENSSL_BIN:-openssl} help genrsa 2>&1)" "-traditional"; then
      __traditional="-traditional"
    fi
    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa $__traditional "$length" 2>/dev/null)"; then
      echo "$_opkey" >"$f"
    else
      _err "error rsa key: $length"
@ -2024,7 +2040,7 @@ _send_signed_request() {
        if _post "" "$nonceurl" "" "HEAD" "$__request_conent_type" >/dev/null; then
          _headers="$(cat "$HTTP_HEADER")"
          _debug2 _headers "$_headers"
-          _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
+          _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)"
        fi
      fi
      if [ -z "$_CACHED_NONCE" ]; then
@ -2104,7 +2120,7 @@ _send_signed_request() {
    fi
    _debug2 response "$response"
-    _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
+    _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)"
    if ! _startswith "$code" "2"; then
      _body="$response"
@ -2119,6 +2135,12 @@ _send_signed_request() {
        _sleep $_sleep_retry_sec
        continue
      fi
      if _contains "$_body" "The Replay Nonce is not recognized"; then
        _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds."
        _CACHED_NONCE=""
        _sleep $_sleep_retry_sec
        continue
      fi
    fi
    return 0
  done
@ -2246,7 +2268,7 @@ _getdeployconf() {
    return 0 # do nothing
  fi
  _saved=$(_readdomainconf "SAVED_$_rac_key")
-  eval "export $_rac_key=\"$_saved\""
+  eval "export $_rac_key=\"\$_saved\""
 }
 #_saveaccountconf  key  value  base64encode
@ -2277,6 +2299,13 @@ _clearaccountconf() {
  _clear_conf "$ACCOUNT_CONF_PATH" "$1"
 }
 #key
 _clearaccountconf_mutable() {
  _clearaccountconf "SAVED_$1"
  #remove later
  _clearaccountconf "$1"
 }
 #_savecaconf  key  value
 _savecaconf() {
  _save_conf "$CA_CONF" "$1" "$2"
@ -2330,7 +2359,7 @@ _startserver() {
 echo 'HTTP/1.0 200 OK'; \
 echo 'Content-Length\: $_content_len'; \
 echo ''; \
-printf -- '$content';" &
+printf '%s' '$content';" &
  serverproc="$!"
 }
@ -3069,6 +3098,11 @@ _checkConf() {
      _debug "Try include files"
      for included in $(cat "$2" | tr "\t" " " | grep "^ *include *.*;" | sed "s/include //" | tr -d " ;"); do
        _debug "check included $included"
        if !_startswith "$included" "/" && _exists dirname; then
          _relpath="$(dirname "$_c_file")"
          _debug "_relpath" "$_relpath"
          included="$_relpath/included"
        fi
        if _checkConf "$1" "$included"; then
          return 0
        fi
@ -3544,6 +3578,7 @@ _regAccount() {
          _err "Can not get EAB credentials from ZeroSSL."
          return 1
        fi
        _debug2 "$_eabresp"
        _eab_id="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
        if [ -z "$_eab_id" ]; then
          _err "Can not resolve _eab_id"
@ -3889,7 +3924,15 @@ _ns_purge_cf() {
 #checks if cf server is available
 _ns_is_available_cf() {
-  if _get "https://cloudflare-dns.com" >/dev/null 2>&1; then
+  if _get "https://cloudflare-dns.com" "" 1 >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
 }
 _ns_is_available_google() {
  if _get "https://dns.google" "" 1 >/dev/null 2>&1; then
    return 0
  else
    return 1
@ -3904,6 +3947,38 @@ _ns_lookup_google() {
  _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
 }
 _ns_is_available_ali() {
  if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
 }
 #domain, type
 _ns_lookup_ali() {
  _cf_ld="$1"
  _cf_ld_type="$2"
  _cf_ep="https://dns.alidns.com/resolve"
  _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
 }
 _ns_is_available_dp() {
  if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
 }
 #dnspod
 _ns_lookup_dp() {
  _cf_ld="$1"
  _cf_ld_type="$2"
  _cf_ep="https://doh.pub/dns-query"
  _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
 }
 #domain, type
 _ns_lookup() {
  if [ -z "$DOH_USE" ]; then
@ -3911,16 +3986,30 @@ _ns_lookup() {
    if _ns_is_available_cf; then
      _debug "Use cloudflare doh server"
      export DOH_USE=$DOH_CLOUDFLARE
-    else
+    elif _ns_is_available_google; then
      _debug "Use google doh server"
      export DOH_USE=$DOH_GOOGLE
    elif _ns_is_available_ali; then
      _debug "Use aliyun doh server"
      export DOH_USE=$DOH_ALI
    elif _ns_is_available_dp; then
      _debug "Use dns pod doh server"
      export DOH_USE=$DOH_DP
    else
      _err "No doh"
    fi
  fi
  if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
    _ns_lookup_cf "$@"
-  else
+  elif [ "$DOH_USE" = "$DOH_GOOGLE" ]; then
    _ns_lookup_google "$@"
  elif [ "$DOH_USE" = "$DOH_ALI" ]; then
    _ns_lookup_ali "$@"
  elif [ "$DOH_USE" = "$DOH_DP" ]; then
    _ns_lookup_dp "$@"
  else
    _err "Unknown doh provider: DOH_USE=$DOH_USE"
  fi
 }
@ -3945,7 +4034,7 @@ __purge_txt() {
  if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
    _ns_purge_cf "$_p_txtdomain" "TXT"
  else
-    _debug "no purge api for google dns api, just sleep 5 secs"
+    _debug "no purge api for this doh api, just sleep 5 secs"
    _sleep 5
  fi
@ -3958,6 +4047,8 @@ _check_dns_entries() {
  _end_time="$(_math "$_end_time" + 1200)" #let's check no more than 20 minutes.
  while [ "$(_time)" -le "$_end_time" ]; do
    _info "You can use '--dnssleep' to disable public dns checks."
    _info "See: $_DNSCHECK_WIKI"
    _left=""
    for entry in $dns_entries; do
      d=$(_getfield "$entry" 1)
@ -4005,12 +4096,42 @@ _check_dns_entries() {
 }
 #file
-_get_cert_issuers() {
+_get_chain_issuers() {
  _cfile="$1"
-  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
+  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
-    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
  else
-    ${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+    _cindex=1
    for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
      _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
      _debug2 "_startn" "$_startn"
      _debug2 "_endn" "$_endn"
      if [ "$DEBUG" ]; then
        _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
      fi
      sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
      _cindex=$(_math $_cindex + 1)
    done
  fi
 }
 #
 _get_chain_subjects() {
  _cfile="$1"
  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
  else
    _cindex=1
    for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
      _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
      _debug2 "_startn" "$_startn"
      _debug2 "_endn" "$_endn"
      if [ "$DEBUG" ]; then
        _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
      fi
      sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
      _cindex=$(_math $_cindex + 1)
    done
  fi
 }
@ -4018,14 +4139,12 @@ _get_cert_issuers() {
 _match_issuer() {
  _cfile="$1"
  _missuer="$2"
-  _fissuers="$(_get_cert_issuers $_cfile)"
+  _fissuers="$(_get_chain_issuers $_cfile)"
  _debug2 _fissuers "$_fissuers"
-  if _contains "$_fissuers" "$_missuer"; then
+  _rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)"
-    return 0
+  _debug2 _rootissuer "$_rootissuer"
  fi
  _fissuers="$(echo "$_fissuers" | _lower_case)"
  _missuer="$(echo "$_missuer" | _lower_case)"
-  _contains "$_fissuers" "$_missuer"
+  _contains "$_rootissuer" "$_missuer"
 }
 #webroot, domain domainlist  keylength
@ -4663,15 +4782,8 @@ $_authorizations_map"
      _debug2 response "$response"
      status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
      if [ "$status" = "valid" ]; then
        _info "$(__green Success)"
        _stopserver "$serverproc"
        serverproc=""
        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
        break
      fi
-      if [ "$status" = "invalid" ]; then
+      if _contains "$status" "invalid"; then
        error="$(echo "$response" | _egrep_o '"error":\{[^\}]*')"
        _debug2 error "$error"
        errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
@ -4693,6 +4805,14 @@ $_authorizations_map"
        return 1
      fi
      if _contains "$status" "valid"; then
        _info "$(__green Success)"
        _stopserver "$serverproc"
        serverproc=""
        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
        break
      fi
      if [ "$status" = "pending" ]; then
        _info "Pending"
      elif [ "$status" = "processing" ]; then
@ -4799,6 +4919,9 @@ $_authorizations_map"
    _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
    if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
      if [ "$DEBUG" ]; then
        _debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
      fi
      if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
        rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
        _debug2 "rels" "$rels"
@ -4814,13 +4937,22 @@ $_authorizations_map"
          _relca="$CA_CERT_PATH.alt"
          echo "$response" >"$_relcert"
          _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
          if [ "$DEBUG" ]; then
            _debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
          fi
          if _match_issuer "$_relfullchain" "$_preferred_chain"; then
            _info "Matched issuer in: $rel"
            cat $_relcert >"$CERT_PATH"
            cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
            cat $_relca >"$CA_CERT_PATH"
            rm -f "$_relcert"
            rm -f "$_relfullchain"
            rm -f "$_relca"
            break
          fi
          rm -f "$_relcert"
          rm -f "$_relfullchain"
          rm -f "$_relca"
        done
      fi
    fi
@ -5218,6 +5350,7 @@ signcsr() {
  _renew_hook="${10}"
  _local_addr="${11}"
  _challenge_alias="${12}"
  _preferred_chain="${13}"
  _csrsubj=$(_readSubjectFromCSR "$_csrfile")
  if [ "$?" != "0" ]; then
@ -5264,7 +5397,7 @@ signcsr() {
  _info "Copy csr to: $CSR_PATH"
  cp "$_csrfile" "$CSR_PATH"
-  issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias"
+  issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias" "$_preferred_chain"
 }
@ -6101,7 +6234,7 @@ _installalias() {
 }
-# nocron confighome noprofile
+# nocron confighome noprofile accountemail
 install() {
  if [ -z "$LE_WORKING_DIR" ]; then
@ -6111,6 +6244,8 @@ install() {
  _nocron="$1"
  _c_home="$2"
  _noprofile="$3"
  _accountemail="$4"
  if ! _initpath; then
    _err "Install failed."
    return 1
@ -6229,6 +6364,10 @@ install() {
    fi
  fi
  if [ "$_accountemail" ]; then
    _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
  fi
  _info OK
 }
@ -6507,7 +6646,7 @@ Parameters:
  --cert-home <directory>           Specifies the home dir to save all the certs, only valid for '--install' command.
  --config-home <directory>         Specifies the home dir to save all the configurations.
  --useragent <string>              Specifies the user agent string. it will be saved for future use too.
-  -m, --accountemail <email>        Specifies the account email, only valid for the '--install' and '--update-account' command.
+  -m, --email <email>               Specifies the account email, only valid for the '--install' and '--update-account' command.
  --accountkey <file>               Specifies the account key path, only valid for the '--install' command.
  --days <ndays>                    Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days.
  --httpport <port>                 Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
@ -6518,9 +6657,9 @@ Parameters:
  --insecure                        Do not check the server certificate, in some devices, the api server's certificate may not be trusted.
  --ca-bundle <file>                Specifies the path to the CA certificate bundle to verify api server's certificate.
  --ca-path <directory>             Specifies directory containing CA certificates in PEM format, used by wget or curl.
-  --nocron                          Only valid for '--install' command, which means: do not install the default cron job.
+  --no-cron                         Only valid for '--install' command, which means: do not install the default cron job.
                                    In this case, the certs will not be renewed automatically.
-  --noprofile                       Only valid for '--install' command, which means: do not install aliases to user profile.
+  --no-profile                      Only valid for '--install' command, which means: do not install aliases to user profile.
  --no-color                        Do not output color text.
  --force-color                     Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
  --ecc                             Specifies to use the ECC cert. Valid for '--install-cert', '--renew', '--revoke', '--to-pkcs12' and '--create-csr'
@ -6558,18 +6697,17 @@ Parameters:
 "
 }
-# nocron noprofile
+installOnline() {
 _installOnline() {
  _info "Installing from online archive."
-  _nocron="$1"
+
-  _noprofile="$2"
+  _branch="$BRANCH"
-  if [ ! "$BRANCH" ]; then
+  if [ -z "$_branch" ]; then
-    BRANCH="master"
+    _branch="master"
  fi
-  target="$PROJECT/archive/$BRANCH.tar.gz"
+  target="$PROJECT/archive/$_branch.tar.gz"
  _info "Downloading $target"
-  localname="$BRANCH.tar.gz"
+  localname="$_branch.tar.gz"
  if ! _get "$target" >$localname; then
    _err "Download error."
    return 1
@ -6581,9 +6719,9 @@ _installOnline() {
      exit 1
    fi
-    cd "$PROJECT_NAME-$BRANCH"
+    cd "$PROJECT_NAME-$_branch"
    chmod +x $PROJECT_ENTRY
-    if ./$PROJECT_ENTRY install "$_nocron" "" "$_noprofile"; then
+    if ./$PROJECT_ENTRY --install "$@"; then
      _info "Install success!"
      _initpath
      _saveaccountconf "UPGRADE_HASH" "$(_getUpgradeHash)"
@ -6591,7 +6729,7 @@ _installOnline() {
    cd ..
-    rm -rf "$PROJECT_NAME-$BRANCH"
+    rm -rf "$PROJECT_NAME-$_branch"
    rm -f "$localname"
  )
 }
@ -6619,7 +6757,7 @@ upgrade() {
    [ -z "$FORCE" ] && [ "$(_getUpgradeHash)" = "$(_readaccountconf "UPGRADE_HASH")" ] && _info "Already uptodate!" && exit 0
    export LE_WORKING_DIR
    cd "$LE_WORKING_DIR"
-    _installOnline "nocron" "noprofile"
+    installOnline "--nocron" "--noprofile"
  ); then
    _info "Upgrade success!"
    exit 0
@ -6799,6 +6937,11 @@ _process() {
    --install)
      _CMD="install"
      ;;
    --install-online)
      shift
      installOnline "$@"
      return
      ;;
    --uninstall)
      _CMD="uninstall"
      ;;
@ -7073,9 +7216,9 @@ _process() {
      USER_AGENT="$_useragent"
      shift
      ;;
-    -m | --accountemail)
+    -m | --email | --accountemail)
      _accountemail="$2"
-      ACCOUNT_EMAIL="$_accountemail"
+      export ACCOUNT_EMAIL="$_accountemail"
      shift
      ;;
    --accountkey)
@ -7118,10 +7261,10 @@ _process() {
      CA_PATH="$_ca_path"
      shift
      ;;
-    --nocron)
+    --no-cron | --nocron)
      _nocron="1"
      ;;
-    --noprofile)
+    --no-profile | --noprofile)
      _noprofile="1"
      ;;
    --no-color)
@ -7341,7 +7484,7 @@ _process() {
  fi
  _debug "Running cmd: ${_CMD}"
  case "${_CMD}" in
-  install) install "$_nocron" "$_confighome" "$_noprofile" ;;
+  install) install "$_nocron" "$_confighome" "$_noprofile" "$_accountemail" ;;
  uninstall) uninstall "$_nocron" ;;
  upgrade) upgrade ;;
  issue)
@ -7351,7 +7494,7 @@ _process() {
    deploy "$_domain" "$_deploy_hook" "$_ecc"
    ;;
  signcsr)
-    signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
+    signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain"
    ;;
  showcsr)
    showcsr "$_csr" "$_domain"
@ -7454,12 +7597,6 @@ _process() {
 }
 if [ "$INSTALLONLINE" ]; then
  INSTALLONLINE=""
  _installOnline
  exit
 fi
 main() {
  [ -z "$1" ] && showhelp && return
  if _startswith "$1" '-'; then _process "$@"; else "$@"; fi
--- a/deploy/cleverreach.sh
+++ b/deploy/cleverreach.sh
@ -17,6 +17,8 @@ cleverreach_deploy() {
  _cca="$4"
  _cfullchain="$5"
  _rest_endpoint="https://rest.cleverreach.com"
  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
@ -25,6 +27,7 @@ cleverreach_deploy() {
  _getdeployconf DEPLOY_CLEVERREACH_CLIENT_ID
  _getdeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET
  _getdeployconf DEPLOY_CLEVERREACH_SUBCLIENT_ID
  if [ -z "${DEPLOY_CLEVERREACH_CLIENT_ID}" ]; then
    _err "CleverReach Client ID is not found, please define DEPLOY_CLEVERREACH_CLIENT_ID."
@ -37,11 +40,12 @@ cleverreach_deploy() {
  _savedeployconf DEPLOY_CLEVERREACH_CLIENT_ID "${DEPLOY_CLEVERREACH_CLIENT_ID}"
  _savedeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET "${DEPLOY_CLEVERREACH_CLIENT_SECRET}"
  _savedeployconf DEPLOY_CLEVERREACH_SUBCLIENT_ID "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
  _info "Obtaining a CleverReach access token"
  _data="{\"grant_type\": \"client_credentials\", \"client_id\": \"${DEPLOY_CLEVERREACH_CLIENT_ID}\", \"client_secret\": \"${DEPLOY_CLEVERREACH_CLIENT_SECRET}\"}"
-  _auth_result="$(_post "$_data" "https://rest.cleverreach.com/oauth/token.php" "" "POST" "application/json")"
+  _auth_result="$(_post "$_data" "$_rest_endpoint/oauth/token.php" "" "POST" "application/json")"
  _debug _data "$_data"
  _debug _auth_result "$_auth_result"
@ -50,14 +54,32 @@ cleverreach_deploy() {
  _debug _regex "$_regex"
  _access_token=$(echo "$_auth_result" | _json_decode | sed -n "s/$_regex/\1/p")
  _debug _subclient "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
  if [ -n "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" ]; then
    _info "Obtaining token for sub-client ${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
    export _H1="Authorization: Bearer ${_access_token}"
    _subclient_token_result="$(_get "$_rest_endpoint/v3/clients/$DEPLOY_CLEVERREACH_SUBCLIENT_ID/token")"
    _access_token=$(echo "$_subclient_token_result" | sed -n "s/\"//p")
    _debug _subclient_token_result "$_access_token"
    _info "Destroying parent token at CleverReach, as it not needed anymore"
    _destroy_result="$(_post "" "$_rest_endpoint/v3/oauth/token.json" "" "DELETE" "application/json")"
    _debug _destroy_result "$_destroy_result"
  fi
  _info "Uploading certificate and key to CleverReach"
  _certData="{\"cert\":\"$(_json_encode <"$_cfullchain")\", \"key\":\"$(_json_encode <"$_ckey")\"}"
  export _H1="Authorization: Bearer ${_access_token}"
-  _add_cert_result="$(_post "$_certData" "https://rest.cleverreach.com/v3/ssl" "" "POST" "application/json")"
+  _add_cert_result="$(_post "$_certData" "$_rest_endpoint/v3/ssl" "" "POST" "application/json")"
-  _debug "Destroying token at CleverReach"
+  if [ -z "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" ]; then
-  _post "" "https://rest.cleverreach.com/v3/oauth/token.json" "" "DELETE" "application/json"
+    _info "Destroying token at CleverReach, as it not needed anymore"
    _destroy_result="$(_post "" "$_rest_endpoint/v3/oauth/token.json" "" "DELETE" "application/json")"
    _debug _destroy_result "$_destroy_result"
  fi
  if ! echo "$_add_cert_result" | grep '"error":' >/dev/null; then
    _info "Uploaded certificate successfully"
--- a/deploy/docker.sh
+++ b/deploy/docker.sh
@ -275,6 +275,7 @@ _check_curl_version() {
  if [ "$_major$_minor" -lt "740" ]; then
    _err "curl v$_cversion doesn't support unit socket"
    _err "Please upgrade to curl 7.40 or later."
    return 1
  fi
  if [ "$_major$_minor" -lt "750" ]; then
--- a/deploy/gcore_cdn.sh
+++ b/deploy/gcore_cdn.sh
@ -56,9 +56,9 @@ gcore_cdn_deploy() {
  _request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}"
  _debug _request "$_request"
  export _H1="Content-Type:application/json"
-  _response=$(_post "$_request" "https://api.gcdn.co/auth/signin")
+  _response=$(_post "$_request" "https://api.gcdn.co/auth/jwt/login")
  _debug _response "$_response"
-  _regex=".*\"token\":\"\([-._0-9A-Za-z]*\)\".*$"
+  _regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$"
  _debug _regex "$_regex"
  _token=$(echo "$_response" | sed -n "s/$_regex/\1/p")
  _debug _token "$_token"
@ -72,12 +72,15 @@ gcore_cdn_deploy() {
  export _H2="Authorization:Token $_token"
  _response=$(_get "https://api.gcdn.co/resources")
  _debug _response "$_response"
-  _regex=".*(\"id\".*?\"cname\":\"$_cdomain\".*?})"
+  _regex="\"primary_resource\":null},"
  _debug _regex "$_regex"
  _response=$(echo "$_response" | sed "s/$_regex/$_regex\n/g")
  _debug _response "$_response"
  _regex="^.*\"cname\":\"$_cdomain\".*$"
  _debug _regex "$_regex"
-  _resource=$(echo "$_response" | sed 's/},{/},\n{/g' | _egrep_o "$_regex")
+  _resource=$(echo "$_response" | _egrep_o "$_regex")
  _debug _resource "$_resource"
-  _regex=".*\"id\":\([0-9]*\).*\"rules\".*$"
+  _regex=".*\"id\":\([0-9]*\).*$"
  _debug _regex "$_regex"
  _resourceId=$(echo "$_resource" | sed -n "s/$_regex/\1/p")
  _debug _resourceId "$_resourceId"
--- a/deploy/peplink.sh
+++ b/deploy/peplink.sh
@ -0,0 +1,123 @@
 #!/usr/bin/env sh
 # Script to deploy cert to Peplink Routers
 #
 # The following environment variables must be set:
 #
 # PEPLINK_Hostname - Peplink hostname
 # PEPLINK_Username - Peplink username to login
 # PEPLINK_Password - Peplink password to login
 #
 # The following environmental variables may be set if you don't like their
 # default values:
 #
 # PEPLINK_Certtype - Certificate type to target for replacement
 #                    defaults to "webadmin", can be one of:
 #                      * "chub" (ContentHub)
 #                      * "openvpn" (OpenVPN CA)
 #                      * "portal" (Captive Portal SSL)
 #                      * "webadmin" (Web Admin SSL)
 #                      * "webproxy" (Proxy Root CA)
 #                      * "wwan_ca" (Wi-Fi WAN CA)
 #                      * "wwan_client" (Wi-Fi WAN Client)
 # PEPLINK_Scheme   - defaults to "https"
 # PEPLINK_Port     - defaults to "443"
 #
 #returns 0 means success, otherwise error.
 ########  Public functions #####################
 _peplink_get_cookie_data() {
  grep -i "\W$1=" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';'
 }
 #domain keyfile certfile cafile fullchain
 peplink_deploy() {
  _cdomain="$1"
  _ckey="$2"
  _cfullchain="$5"
  _debug _cdomain "$_cdomain"
  _debug _cfullchain "$_cfullchain"
  _debug _ckey "$_ckey"
  # Get Hostname, Username and Password, but don't save until we successfully authenticate
  _getdeployconf PEPLINK_Hostname
  _getdeployconf PEPLINK_Username
  _getdeployconf PEPLINK_Password
  if [ -z "${PEPLINK_Hostname:-}" ] || [ -z "${PEPLINK_Username:-}" ] || [ -z "${PEPLINK_Password:-}" ]; then
    _err "PEPLINK_Hostname & PEPLINK_Username & PEPLINK_Password must be set"
    return 1
  fi
  _debug2 PEPLINK_Hostname "$PEPLINK_Hostname"
  _debug2 PEPLINK_Username "$PEPLINK_Username"
  _secure_debug2 PEPLINK_Password "$PEPLINK_Password"
  # Optional certificate type, scheme, and port for Peplink
  _getdeployconf PEPLINK_Certtype
  _getdeployconf PEPLINK_Scheme
  _getdeployconf PEPLINK_Port
  # Don't save the certificate type until we verify it exists and is supported
  _savedeployconf PEPLINK_Scheme "$PEPLINK_Scheme"
  _savedeployconf PEPLINK_Port "$PEPLINK_Port"
  # Default vaules for certificate type, scheme, and port
  [ -n "${PEPLINK_Certtype}" ] || PEPLINK_Certtype="webadmin"
  [ -n "${PEPLINK_Scheme}" ] || PEPLINK_Scheme="https"
  [ -n "${PEPLINK_Port}" ] || PEPLINK_Port="443"
  _debug2 PEPLINK_Certtype "$PEPLINK_Certtype"
  _debug2 PEPLINK_Scheme "$PEPLINK_Scheme"
  _debug2 PEPLINK_Port "$PEPLINK_Port"
  _base_url="$PEPLINK_Scheme://$PEPLINK_Hostname:$PEPLINK_Port"
  _debug _base_url "$_base_url"
  # Login, get the auth token from the cookie
  _info "Logging into $PEPLINK_Hostname:$PEPLINK_Port"
  encoded_username="$(printf "%s" "$PEPLINK_Username" | _url_encode)"
  encoded_password="$(printf "%s" "$PEPLINK_Password" | _url_encode)"
  response=$(_post "func=login&username=$encoded_username&password=$encoded_password" "$_base_url/cgi-bin/MANGA/api.cgi")
  auth_token=$(_peplink_get_cookie_data "bauth" <"$HTTP_HEADER")
  _debug3 response "$response"
  _debug auth_token "$auth_token"
  if [ -z "$auth_token" ]; then
    _err "Unable to authenticate to $PEPLINK_Hostname:$PEPLINK_Port using $PEPLINK_Scheme."
    _err "Check your username and password."
    return 1
  fi
  _H1="Cookie: $auth_token"
  export _H1
  _debug2 H1 "${_H1}"
  # Now that we know the hostnameusername and password are good, save them
  _savedeployconf PEPLINK_Hostname "$PEPLINK_Hostname"
  _savedeployconf PEPLINK_Username "$PEPLINK_Username"
  _savedeployconf PEPLINK_Password "$PEPLINK_Password"
  _info "Generate form POST request"
  encoded_key="$(_url_encode <"$_ckey")"
  encoded_fullchain="$(_url_encode <"$_cfullchain")"
  body="cert_type=$PEPLINK_Certtype&cert_uid=&section=CERT_modify&key_pem=$encoded_key&key_pem_passphrase=&key_pem_passphrase_confirm=&cert_pem=$encoded_fullchain"
  _debug3 body "$body"
  _info "Upload $PEPLINK_Certtype certificate to the Peplink"
  response=$(_post "$body" "$_base_url/cgi-bin/MANGA/admin.cgi")
  _debug3 response "$response"
  if echo "$response" | grep 'Success' >/dev/null; then
    # We've verified this certificate type is valid, so save it
    _savedeployconf PEPLINK_Certtype "$PEPLINK_Certtype"
    _info "Certificate was updated"
    return 0
  else
    _err "Unable to update certificate, error code $response"
    return 1
  fi
 }
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@ -21,10 +21,6 @@
 ########  Public functions #####################
 _syno_get_cookie_data() {
  grep -i "\W$1=" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';'
 }
 #domain keyfile certfile cafile fullchain
 synology_dsm_deploy() {
@ -73,13 +69,25 @@ synology_dsm_deploy() {
  _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
  _debug _base_url "$_base_url"
  _debug "Getting API version"
  response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth")
  api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p')
  _debug3 response "$response"
  _debug3 api_version "$api_version"
  # Login, get the token from JSON and session id from cookie
  _info "Logging into $SYNO_Hostname:$SYNO_Port"
  encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)"
  encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)"
-  encoded_did="$(printf "%s" "$SYNO_DID" | _url_encode)"
+
-  response=$(_get "$_base_url/webman/login.cgi?username=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_id=$encoded_did" 1)
+  if [ -n "$SYNO_DID" ]; then
-  token=$(echo "$response" | grep -i "X-SYNO-TOKEN:" | sed -n 's/^X-SYNO-TOKEN: \(.*\)$/\1/pI' | tr -d "\r\n")
+    _H1="Cookie: did=$SYNO_DID"
    export _H1
    _debug3 H1 "${_H1}"
  fi
  response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
  token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
  _debug3 response "$response"
  _debug token "$token"
@ -88,13 +96,11 @@ synology_dsm_deploy() {
    _err "Check your username and password."
    return 1
  fi
  sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
-  _H1="Cookie: $(echo "$response" | _syno_get_cookie_data "id"); $(echo "$response" | _syno_get_cookie_data "smid")"
+  _H1="X-SYNO-TOKEN: $token"
  _H2="X-SYNO-TOKEN: $token"
  export _H1
  export _H2
  _debug2 H1 "${_H1}"
  _debug2 H2 "${_H2}"
  # Now that we know the username and password are good, save them
  _savedeployconf SYNO_Username "$SYNO_Username"
@ -102,7 +108,7 @@ synology_dsm_deploy() {
  _savedeployconf SYNO_DID "$SYNO_DID"
  _info "Getting certificates in Synology DSM"
-  response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1" "$_base_url/webapi/entry.cgi")
+  response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
  _debug3 response "$response"
  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p")
  _debug2 id "$id"
@ -115,7 +121,7 @@ synology_dsm_deploy() {
  # we've verified this certificate description is a thing, so save it
  _savedeployconf SYNO_Certificate "$SYNO_Certificate"
-  default=false
+  default=""
  if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
    default=true
  fi
@ -135,7 +141,7 @@ synology_dsm_deploy() {
  content="${content%_}" # protect trailing \n
  _info "Upload certificate to the Synology DSM"
-  response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token" "" "POST" "multipart/form-data; boundary=${delim}")
+  response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token&_sid=$sid" "" "POST" "multipart/form-data; boundary=${delim}")
  _debug3 response "$response"
  if ! echo "$response" | grep '"error":' >/dev/null; then
--- a/deploy/unifi.sh
+++ b/deploy/unifi.sh
@ -1,12 +1,43 @@
 #!/usr/bin/env sh
-#Here is a script to deploy cert to unifi server.
+# Here is a script to deploy cert on a Unifi Controller or Cloud Key device.
 # It supports:
 #   - self-hosted Unifi Controller
 #   - Unifi Cloud Key (Gen1/2/2+)
 #   - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
 # Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
 #returns 0 means success, otherwise error.
 # The deploy-hook automatically detects standard Unifi installations
 # for each of the supported environments. Most users should not need
 # to set any of these variables, but if you are running a self-hosted
 # Controller with custom locations, set these as necessary before running
 # the deploy hook. (Defaults shown below.)
 #
 # Settings for Unifi Controller:
 # Location of Java keystore or unifi.keystore.jks file:
 #DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
 # Keystore password (built into Unifi Controller, not a user-set password):
 #DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
 # Command to restart Unifi Controller:
 #DEPLOY_UNIFI_RELOAD="service unifi restart"
 #
 # Settings for Unifi Cloud Key Gen1 (nginx admin pages):
 # Directory where cloudkey.crt and cloudkey.key live:
 #DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
 # Command to restart maintenance pages and Controller
 # (same setting as above, default is updated when running on Cloud Key Gen1):
 #DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart"
 #
 # Settings for UnifiOS (Cloud Key Gen2):
 # Directory where unifi-core.crt and unifi-core.key live:
 #DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
 # Command to restart unifi-core:
 #DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
 #
 # At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR,
 # or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs.
 ########  Public functions #####################
@ -24,77 +55,160 @@ unifi_deploy() {
  _debug _cca "$_cca"
  _debug _cfullchain "$_cfullchain"
-  if ! _exists keytool; then
+  _getdeployconf DEPLOY_UNIFI_KEYSTORE
-    _err "keytool not found"
+  _getdeployconf DEPLOY_UNIFI_KEYPASS
-    return 1
+  _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
-  fi
+  _getdeployconf DEPLOY_UNIFI_CORE_CONFIG
  _getdeployconf DEPLOY_UNIFI_RELOAD
-  DEFAULT_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
+  _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
-  _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-$DEFAULT_UNIFI_KEYSTORE}"
+  _debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
-  DEFAULT_UNIFI_KEYPASS="aircontrolenterprise"
+  _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
-  _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-$DEFAULT_UNIFI_KEYPASS}"
+  _debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
-  DEFAULT_UNIFI_RELOAD="service unifi restart"
+  _debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
  _reload="${DEPLOY_UNIFI_RELOAD:-$DEFAULT_UNIFI_RELOAD}"
-  _debug _unifi_keystore "$_unifi_keystore"
+  # Space-separated list of environments detected and installed:
-  if [ ! -f "$_unifi_keystore" ]; then
+  _services_updated=""
-    if [ -z "$DEPLOY_UNIFI_KEYSTORE" ]; then
+
-      _err "unifi keystore is not found, please define DEPLOY_UNIFI_KEYSTORE"
+  # Default reload commands accumulated as we auto-detect environments:
-      return 1
+  _reload_cmd=""
-    else
+
-      _err "It seems that the specified unifi keystore is not valid, please check."
+  # Unifi Controller environment (self hosted or any Cloud Key) --
  # auto-detect by file /usr/lib/unifi/data/keystore:
  _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
  if [ -f "$_unifi_keystore" ]; then
    _info "Installing certificate for Unifi Controller (Java keystore)"
    _debug _unifi_keystore "$_unifi_keystore"
    if ! _exists keytool; then
      _err "keytool not found"
      return 1
    fi
-  fi
+    if [ ! -w "$_unifi_keystore" ]; then
-  if [ ! -w "$_unifi_keystore" ]; then
+      _err "The file $_unifi_keystore is not writable, please change the permission."
-    _err "The file $_unifi_keystore is not writable, please change the permission."
+      return 1
    fi
    _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"
    _debug "Generate import pkcs12"
    _import_pkcs12="$(_mktemp)"
    _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
    # shellcheck disable=SC2181
    if [ "$?" != "0" ]; then
      _err "Error generating pkcs12. Please re-run with --debug and report a bug."
      return 1
    fi
    _debug "Import into keystore: $_unifi_keystore"
    if keytool -importkeystore \
      -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
      -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
      -alias unifi -noprompt; then
      _debug "Import keystore success!"
      rm "$_import_pkcs12"
    else
      _err "Error importing into Unifi Java keystore."
      _err "Please re-run with --debug and report a bug."
      rm "$_import_pkcs12"
      return 1
    fi
    if systemctl -q is-active unifi; then
      _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
    fi
    _services_updated="${_services_updated} unifi"
    _info "Install Unifi Controller certificate success!"
  elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
    _err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
    return 1
  fi
-  _info "Generate import pkcs12"
+  # Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
-  _import_pkcs12="$(_mktemp)"
+  # auto-detect by file /etc/ssl/private/cloudkey.key:
-  _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
+  _cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
-  if [ "$?" != "0" ]; then
+  if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
-    _err "Oops, error creating import pkcs12, please report bug to us."
+    _info "Installing certificate for Cloud Key Gen1 (nginx admin pages)"
    _debug _cloudkey_certdir "$_cloudkey_certdir"
    if [ ! -w "$_cloudkey_certdir" ]; then
      _err "The directory $_cloudkey_certdir is not writable; please check permissions."
      return 1
    fi
    # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
    # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
    # updated above), but if not, we don't know how to handle this installation:
    if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
      _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
      return 1
    fi
    cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"
    cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"
    (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)
    if systemctl -q is-active nginx; then
      _reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart"
    fi
    _info "Install Cloud Key Gen1 certificate success!"
    _services_updated="${_services_updated} nginx"
  elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
    _err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
    return 1
  fi
-  _info "Modify unifi keystore: $_unifi_keystore"
+  # UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key:
-  if keytool -importkeystore \
+  _unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
-    -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
+  if [ -f "${_unifi_core_config}/unifi-core.key" ]; then
-    -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
+    _info "Installing certificate for UnifiOS"
-    -alias unifi -noprompt; then
+    _debug _unifi_core_config "$_unifi_core_config"
-    _info "Import keystore success!"
+    if [ ! -w "$_unifi_core_config" ]; then
-    rm "$_import_pkcs12"
+      _err "The directory $_unifi_core_config is not writable; please check permissions."
-  else
+      return 1
-    _err "Import unifi keystore error, please report bug to us."
+    fi
-    rm "$_import_pkcs12"
+
    cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
    cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"
    if systemctl -q is-active unifi-core; then
      _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
    fi
    _info "Install UnifiOS certificate success!"
    _services_updated="${_services_updated} unifi-core"
  elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
    _err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
    return 1
  fi
-  _info "Run reload: $_reload"
+  if [ -z "$_services_updated" ]; then
-  if eval "$_reload"; then
+    # None of the Unifi environments were auto-detected, so no deployment has occurred
    # (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
    _err "Unable to detect Unifi environment in standard location."
    _err "(This deploy hook must be run on the Unifi device, not a remote machine.)"
    _err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
    _err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
    return 1
  fi
  _reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
  if [ -z "$_reload_cmd" ]; then
    _err "Certificates were installed for services:${_services_updated},"
    _err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
    _err "to a command that will restart the necessary services."
    return 1
  fi
  _info "Reload services (this may take some time): $_reload_cmd"
  if eval "$_reload_cmd"; then
    _info "Reload success!"
    if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
      _savedomainconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
    else
      _cleardomainconf DEPLOY_UNIFI_KEYSTORE
    fi
    if [ "$DEPLOY_UNIFI_KEYPASS" ]; then
      _savedomainconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
    else
      _cleardomainconf DEPLOY_UNIFI_KEYPASS
    fi
    if [ "$DEPLOY_UNIFI_RELOAD" ]; then
      _savedomainconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
    else
      _cleardomainconf DEPLOY_UNIFI_RELOAD
    fi
    return 0
  else
    _err "Reload error"
    return 1
  fi
  return 0
  # Successful, so save all (non-default) config:
  _savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
  _savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
  _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
  _savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
  _savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
  return 0
 }
--- a/deploy/vault_cli.sh
+++ b/deploy/vault_cli.sh
@ -50,12 +50,12 @@ vault_cli_deploy() {
  fi
  if [ -n "$FABIO" ]; then
-    $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
  else
-    $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
-    $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
-    $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
-    $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
  fi
 }
--- a/dnsapi/dns_arvan.sh
+++ b/dnsapi/dns_arvan.sh
@ -1,10 +1,9 @@
 #!/usr/bin/env sh
-#Arvan_Token="xxxx"
+#Arvan_Token="Apikey xxxx"
 ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains"
-
+#Author: Vahid Fardi
 #Author: Ehsan Aliakbar
 #Report Bugs here: https://github.com/Neilpang/acme.sh
 #
 ########  Public functions #####################
@ -38,6 +37,7 @@ dns_arvan_add() {
  _info "Adding record"
  if _arvan_rest POST "$_domain/dns-records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":{\"text\":\"$txtvalue\"},\"ttl\":120}"; then
    if _contains "$response" "$txtvalue"; then
      _info "response id is $response"
      _info "Added, OK"
      return 0
    elif _contains "$response" "Record Data is Duplicated"; then
@ -49,7 +49,7 @@ dns_arvan_add() {
    fi
  fi
  _err "Add txt record error."
-  return 1
+  return 0
 }
 #Usage: fulldomain txtvalue
@ -73,33 +73,21 @@ dns_arvan_rm() {
  _debug _domain "$_domain"
  _debug "Getting txt records"
-  shorted_txtvalue=$(printf "%s" "$txtvalue" | cut -d "-" -d "_" -f1)
+  _arvan_rest GET "${_domain}/dns-records"
  _arvan_rest GET "${_domain}/dns-records?search=$shorted_txtvalue"
  if ! printf "%s" "$response" | grep \"current_page\":1 >/dev/null; then
    _err "Error on Arvan Api"
    _err "Please create a github issue with debbug log"
    return 1
  fi
-  count=$(printf "%s\n" "$response" | _egrep_o "\"total\":[^,]*" | cut -d : -f 2)
+  _record_id=$(echo "$response" | _egrep_o ".\"id\":\"[^\"]*\",\"type\":\"txt\",\"name\":\"_acme-challenge\",\"value\":{\"text\":\"$txtvalue\"}" | cut -d : -f 2 | cut -d , -f 1 | tr -d \")
-  _debug count "$count"
+  if ! _arvan_rest "DELETE" "${_domain}/dns-records/${_record_id}"; then
-  if [ "$count" = "0" ]; then
+    _err "Error on Arvan Api"
-    _info "Don't need to remove."
+    return 1
  else
    record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | head -n 1)
    _debug "record_id" "$record_id"
    if [ -z "$record_id" ]; then
      _err "Can not get record id to remove."
      return 1
    fi
    if ! _arvan_rest "DELETE" "${_domain}/dns-records/$record_id"; then
      _err "Delete record error."
      return 1
    fi
    _debug "$response"
    _contains "$response" 'dns record deleted'
  fi
  _debug "$response"
  _contains "$response" 'dns record deleted'
  return 0
 }
 ####################  Private functions below ##################################
@ -111,7 +99,7 @@ dns_arvan_rm() {
 # _domain_id=sdjkglgdfewsdfg
 _get_root() {
  domain=$1
-  i=1
+  i=2
  p=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@ -121,12 +109,11 @@ _get_root() {
      return 1
    fi
-    if ! _arvan_rest GET "?search=$h"; then
+    if ! _arvan_rest GET "$h"; then
      return 1
    fi
-
+    if _contains "$response" "\"domain\":\"$h\""; then
-    if _contains "$response" "\"domain\":\"$h\"" || _contains "$response" '"total":1'; then
+      _domain_id=$(echo "$response" | cut -d : -f 3 | cut -d , -f 1 | tr -d \")
      _domain_id=$(echo "$response" | _egrep_o "\[.\"id\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
      if [ "$_domain_id" ]; then
        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
        _domain=$h
@ -146,7 +133,6 @@ _arvan_rest() {
  data="$3"
  token_trimmed=$(echo "$Arvan_Token" | tr -d '"')
  export _H1="Authorization: $token_trimmed"
  if [ "$mtd" = "DELETE" ]; then
@ -160,4 +146,5 @@ _arvan_rest() {
  else
    response="$(_get "$ARVAN_API_URL/$ep$data")"
  fi
  return 0
 }
--- a/dnsapi/dns_aurora.sh
+++ b/dnsapi/dns_aurora.sh
@ -0,0 +1,171 @@
 #!/usr/bin/env sh
 #
 #AURORA_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
 #
 #AURORA_Secret="sdfsdfsdfljlbjkljlkjsdfoiwje"
 AURORA_Api="https://api.auroradns.eu"
 ########  Public functions #####################
 #Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_aurora_add() {
  fulldomain=$1
  txtvalue=$2
  AURORA_Key="${AURORA_Key:-$(_readaccountconf_mutable AURORA_Key)}"
  AURORA_Secret="${AURORA_Secret:-$(_readaccountconf_mutable AURORA_Secret)}"
  if [ -z "$AURORA_Key" ] || [ -z "$AURORA_Secret" ]; then
    AURORA_Key=""
    AURORA_Secret=""
    _err "You didn't specify an Aurora api key and secret yet."
    _err "You can get yours from here https://cp.pcextreme.nl/auroradns/users."
    return 1
  fi
  #save the api key and secret to the account conf file.
  _saveaccountconf_mutable AURORA_Key "$AURORA_Key"
  _saveaccountconf_mutable AURORA_Secret "$AURORA_Secret"
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _domain_id "$_domain_id"
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  _info "Adding record"
  if _aurora_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":300}"; then
    if _contains "$response" "$txtvalue"; then
      _info "Added, OK"
      return 0
    elif _contains "$response" "RecordExistsError"; then
      _info "Already exists, OK"
      return 0
    else
      _err "Add txt record error."
      return 1
    fi
  fi
  _err "Add txt record error."
  return 1
 }
 #fulldomain txtvalue
 dns_aurora_rm() {
  fulldomain=$1
  txtvalue=$2
  AURORA_Key="${AURORA_Key:-$(_readaccountconf_mutable AURORA_Key)}"
  AURORA_Secret="${AURORA_Secret:-$(_readaccountconf_mutable AURORA_Secret)}"
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _domain_id "$_domain_id"
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  _debug "Getting records"
  _aurora_rest GET "zones/${_domain_id}/records"
  if ! _contains "$response" "$txtvalue"; then
    _info "Don't need to remove."
  else
    records=$(echo "$response" | _normalizeJson | tr -d "[]" | sed "s/},{/}|{/g" | tr "|" "\n")
    if [ "$(echo "$records" | wc -l)" -le 2 ]; then
      _err "Can not parse records."
      return 1
    fi
    record_id=$(echo "$records" | grep "\"type\": *\"TXT\"" | grep "\"name\": *\"$_sub_domain\"" | grep "\"content\": *\"$txtvalue\"" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
    _debug "record_id" "$record_id"
    if [ -z "$record_id" ]; then
      _err "Can not get record id to remove."
      return 1
    fi
    if ! _aurora_rest DELETE "zones/$_domain_id/records/$record_id"; then
      _err "Delete record error."
      return 1
    fi
  fi
  return 0
 }
 ####################  Private functions below ##################################
 #_acme-challenge.www.domain.com
 #returns
 # _sub_domain=_acme-challenge.www
 # _domain=domain.com
 # _domain_id=sdjkglgdfewsdfg
 _get_root() {
  domain=$1
  i=1
  p=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    _debug h "$h"
    if [ -z "$h" ]; then
      #not valid
      return 1
    fi
    if ! _aurora_rest GET "zones/$h"; then
      return 1
    fi
    if _contains "$response" "\"name\": \"$h\""; then
      _domain_id=$(echo "$response" | _normalizeJson | tr -d "{}" | tr "," "\n" | grep "\"id\": *\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
      _debug _domain_id "$_domain_id"
      if [ "$_domain_id" ]; then
        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
        _domain=$h
        return 0
      fi
      return 1
    fi
    p=$i
    i=$(_math "$i" + 1)
  done
  return 1
 }
 _aurora_rest() {
  m=$1
  ep="$2"
  data="$3"
  _debug "$ep"
  key_trimmed=$(echo "$AURORA_Key" | tr -d '"')
  secret_trimmed=$(echo "$AURORA_Secret" | tr -d '"')
  timestamp=$(date -u +"%Y%m%dT%H%M%SZ")
  signature=$(printf "%s/%s%s" "$m" "$ep" "$timestamp" | _hmac sha256 "$(printf "%s" "$secret_trimmed" | _hex_dump | tr -d " ")" | _base64)
  authorization=$(printf "AuroraDNSv1 %s" "$(printf "%s:%s" "$key_trimmed" "$signature" | _base64)")
  export _H1="Content-Type: application/json; charset=UTF-8"
  export _H2="X-AuroraDNS-Date: $timestamp"
  export _H3="Authorization: $authorization"
  if [ "$m" != "GET" ]; then
    _debug data "$data"
    response="$(_post "$data" "$AURORA_Api/$ep" "" "$m")"
  else
    response="$(_get "$AURORA_Api/$ep")"
  fi
  if [ "$?" != "0" ]; then
    _err "error $ep"
    return 1
  fi
  _debug2 response "$response"
  return 0
 }
--- a/dnsapi/dns_constellix.sh
+++ b/dnsapi/dns_constellix.sh
@ -30,16 +30,41 @@ dns_constellix_add() {
    return 1
  fi
-  _info "Adding TXT record"
+  # The TXT record might already exist when working with wildcard certificates. In that case, update the record by adding the new value.
-  if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":120,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then
+  _debug "Search TXT record"
-    if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then
+  if _constellix_rest GET "domains/${_domain_id}/records/TXT/search?exact=${_sub_domain}"; then
-      _info "Added"
+    if printf -- "%s" "$response" | grep "{\"errors\":\[\"Requested record was not found\"\]}" >/dev/null; then
-      return 0
+      _info "Adding TXT record"
      if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":60,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then
        if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then
          _info "Added"
          return 0
        else
          _err "Error adding TXT record"
        fi
      fi
    else
-      _err "Error adding TXT record"
+      _record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2)
-      return 1
+      if _constellix_rest GET "domains/${_domain_id}/records/TXT/${_record_id}"; then
        _new_rr_values=$(printf "%s\n" "$response" | _egrep_o '"roundRobin":\[[^]]*\]' | sed "s/\]$/,{\"value\":\"${txtvalue}\"}]/")
        _debug _new_rr_values "$_new_rr_values"
        _info "Updating TXT record"
        if _constellix_rest PUT "domains/${_domain_id}/records/TXT/${_record_id}" "{\"name\":\"${_sub_domain}\",\"ttl\":60,${_new_rr_values}}"; then
          if printf -- "%s" "$response" | grep "{\"success\":\"Record.*updated successfully\"}" >/dev/null; then
            _info "Updated"
            return 0
          elif printf -- "%s" "$response" | grep "{\"errors\":\[\"Contents are identical\"\]}" >/dev/null; then
            _info "Already exists, no need to update"
            return 0
          else
            _err "Error updating TXT record"
          fi
        fi
      fi
    fi
  fi
  return 1
 }
 # Usage: fulldomain txtvalue
@ -61,16 +86,26 @@ dns_constellix_rm() {
    return 1
  fi
-  _info "Removing TXT record"
+  # The TXT record might have been removed already when working with some wildcard certificates.
-  if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then
+  _debug "Search TXT record"
-    if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then
+  if _constellix_rest GET "domains/${_domain_id}/records/TXT/search?exact=${_sub_domain}"; then
    if printf -- "%s" "$response" | grep "{\"errors\":\[\"Requested record was not found\"\]}" >/dev/null; then
      _info "Removed"
      return 0
    else
-      _err "Error removing TXT record"
+      _info "Removing TXT record"
-      return 1
+      if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then
        if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then
          _info "Removed"
          return 0
        else
          _err "Error removing TXT record"
        fi
      fi
    fi
  fi
  return 1
 }
 ####################  Private functions below ##################################
@ -91,7 +126,7 @@ _get_root() {
    fi
    if _contains "$response" "\"name\":\"$h\""; then
-      _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]+" | cut -d ':' -f 2)
+      _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2)
      if [ "$_domain_id" ]; then
        _sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p)
        _domain="$h"
--- a/dnsapi/dns_desec.sh
+++ b/dnsapi/dns_desec.sh
@ -20,21 +20,17 @@ dns_desec_add() {
  _debug txtvalue "$txtvalue"
  DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}"
  DEDYN_NAME="${DEDYN_NAME:-$(_readaccountconf_mutable DEDYN_NAME)}"
-  if [ -z "$DEDYN_TOKEN" ] || [ -z "$DEDYN_NAME" ]; then
+  if [ -z "$DEDYN_TOKEN" ]; then
    DEDYN_TOKEN=""
-    DEDYN_NAME=""
+    _err "You did not specify DEDYN_TOKEN yet."
    _err "You did not specify DEDYN_TOKEN and DEDYN_NAME yet."
    _err "Please create your key and try again."
    _err "e.g."
    _err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e"
    _err "export DEDYN_NAME=foobar.dedyn.io"
    return 1
  fi
-  #save the api token and name to the account conf file.
+  #save the api token to the account conf file.
  _saveaccountconf_mutable DEDYN_TOKEN "$DEDYN_TOKEN"
  _saveaccountconf_mutable DEDYN_NAME "$DEDYN_NAME"
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain" "$REST_API/"; then
@ -47,7 +43,7 @@ dns_desec_add() {
  # Get existing TXT record
  _debug "Getting txt records"
  txtvalues="\"\\\"$txtvalue\\\"\""
-  _desec_rest GET "$REST_API/$DEDYN_NAME/rrsets/$_sub_domain/TXT/"
+  _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/"
  if [ "$_code" = "200" ]; then
    oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")"
@ -63,7 +59,7 @@ dns_desec_add() {
  _info "Adding record"
  body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
-  if _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"; then
+  if _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"; then
    if _contains "$response" "$txtvalue"; then
      _info "Added, OK"
      return 0
@ -87,16 +83,13 @@ dns_desec_rm() {
  _debug txtvalue "$txtvalue"
  DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}"
  DEDYN_NAME="${DEDYN_NAME:-$(_readaccountconf_mutable DEDYN_NAME)}"
-  if [ -z "$DEDYN_TOKEN" ] || [ -z "$DEDYN_NAME" ]; then
+  if [ -z "$DEDYN_TOKEN" ]; then
    DEDYN_TOKEN=""
-    DEDYN_NAME=""
+    _err "You did not specify DEDYN_TOKEN yet."
    _err "You did not specify DEDYN_TOKEN and DEDYN_NAME yet."
    _err "Please create your key and try again."
    _err "e.g."
    _err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e"
    _err "export DEDYN_NAME=foobar.dedyn.io"
    return 1
  fi
@ -112,7 +105,7 @@ dns_desec_rm() {
  # Get existing TXT record
  _debug "Getting txt records"
  txtvalues=""
-  _desec_rest GET "$REST_API/$DEDYN_NAME/rrsets/$_sub_domain/TXT/"
+  _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/"
  if [ "$_code" = "200" ]; then
    oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")"
@ -131,7 +124,7 @@ dns_desec_rm() {
  _info "Deleting record"
  body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
-  _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"
+  _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"
  if [ "$_code" = "200" ]; then
    _info "Deleted, OK"
    return 0
--- a/dnsapi/dns_dp.sh
+++ b/dnsapi/dns_dp.sh
@ -89,7 +89,7 @@ add_record() {
  _info "Adding record"
-  if ! _rest POST "Record.Create" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=默认"; then
+  if ! _rest POST "Record.Create" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=%E9%BB%98%E8%AE%A4"; then
    return 1
  fi
--- a/dnsapi/dns_dpi.sh
+++ b/dnsapi/dns_dpi.sh
@ -53,7 +53,7 @@ dns_dpi_rm() {
    return 1
  fi
-  if ! _rest POST "Record.List" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then
+  if ! _rest POST "Record.List" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then
    _err "Record.Lis error."
    return 1
  fi
@ -63,14 +63,14 @@ dns_dpi_rm() {
    return 0
  fi
-  record_id=$(echo "$response" | _egrep_o '{[^{]*"value":"'"$txtvalue"'"' | cut -d , -f 1 | cut -d : -f 2 | tr -d \")
+  record_id=$(echo "$response" | tr "{" "\n" | grep -- "$txtvalue" | grep '^"id"' | cut -d : -f 2 | cut -d '"' -f 2)
  _debug record_id "$record_id"
  if [ -z "$record_id" ]; then
    _err "Can not get record id."
    return 1
  fi
-  if ! _rest POST "Record.Remove" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then
+  if ! _rest POST "Record.Remove" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then
    _err "Record.Remove error."
    return 1
  fi
@ -89,7 +89,7 @@ add_record() {
  _info "Adding record"
-  if ! _rest POST "Record.Create" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then
+  if ! _rest POST "Record.Create" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then
    return 1
  fi
@ -113,7 +113,7 @@ _get_root() {
      return 1
    fi
-    if ! _rest POST "Domain.Info" "user_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then
+    if ! _rest POST "Domain.Info" "login_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then
      return 1
    fi
--- a/dnsapi/dns_duckdns.sh
+++ b/dnsapi/dns_duckdns.sh
@ -12,7 +12,7 @@
 DuckDNS_API="https://www.duckdns.org/update"
-########  Public functions #####################
+########  Public functions ######################
 #Usage: dns_duckdns_add _acme-challenge.domain.duckdns.org "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_duckdns_add() {
@ -96,7 +96,7 @@ dns_duckdns_rm() {
 _duckdns_get_domain() {
  # We'll extract the domain/username from full domain
-  _duckdns_domain="$(printf "%s" "$fulldomain" | _lower_case | _egrep_o '^(_acme-challenge\.)?[a-z0-9-]*\.duckdns\.org' | sed 's/^\(_acme-challenge\.\)\?\([a-z0-9-]*\)\.duckdns\.org/\2/')"
+  _duckdns_domain="$(printf "%s" "$fulldomain" | _lower_case | _egrep_o '^(_acme-challenge\.)?([a-z0-9-]+\.)+duckdns\.org' | sed -n 's/^\([^.]\{1,\}\.\)*\([a-z0-9-]\{1,\}\)\.duckdns\.org$/\2/p;')"
  if [ -z "$_duckdns_domain" ]; then
    _err "Error extracting the domain."
@ -112,7 +112,7 @@ _duckdns_rest() {
  param="$2"
  _debug param "$param"
  url="$DuckDNS_API?$param"
-  if [ "$DEBUG" -gt 0 ]; then
+  if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ]; then
    url="$url&verbose=true"
  fi
  _debug url "$url"
@ -121,7 +121,7 @@ _duckdns_rest() {
  if [ "$method" = "GET" ]; then
    response="$(_get "$url")"
    _debug2 response "$response"
-    if [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then
+    if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then
      response="OK"
    fi
  else
--- a/dnsapi/dns_huaweicloud.sh
+++ b/dnsapi/dns_huaweicloud.sh
@ -5,7 +5,7 @@
 # HUAWEICLOUD_ProjectID
 iam_api="https://iam.myhuaweicloud.com"
-dns_api="https://dns.ap-southeast-1.myhuaweicloud.com"
+dns_api="https://dns.ap-southeast-1.myhuaweicloud.com" # Should work
 ########  Public functions #####################
@ -29,16 +29,27 @@ dns_huaweicloud_add() {
    return 1
  fi
  unset token # Clear token
  token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_ProjectID}")"
-  _debug2 "${token}"
+  if [ -z "${token}" ]; then # Check token
    _err "dns_api(dns_huaweicloud): Error getting token."
    return 1
  fi
  _debug "Access token is: ${token}"
  unset zoneid
  zoneid="$(_get_zoneid "${token}" "${fulldomain}")"
-  _debug "${zoneid}"
+  if [ -z "${zoneid}" ]; then
    _err "dns_api(dns_huaweicloud): Error getting zone id."
    return 1
  fi
  _debug "Zone ID is: ${zoneid}"
  _debug "Adding Record"
  _add_record "${token}" "${fulldomain}" "${txtvalue}"
  ret="$?"
  if [ "${ret}" != "0" ]; then
-    _err "dns_huaweicloud: Error adding record."
+    _err "dns_api(dns_huaweicloud): Error adding record."
    return 1
  fi
@ -69,12 +80,21 @@ dns_huaweicloud_rm() {
    return 1
  fi
  unset token # Clear token
  token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_ProjectID}")"
-  _debug2 "${token}"
+  if [ -z "${token}" ]; then # Check token
    _err "dns_api(dns_huaweicloud): Error getting token."
    return 1
  fi
  _debug "Access token is: ${token}"
  unset zoneid
  zoneid="$(_get_zoneid "${token}" "${fulldomain}")"
-  _debug "${zoneid}"
+  if [ -z "${zoneid}" ]; then
-  record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")"
+    _err "dns_api(dns_huaweicloud): Error getting zone id."
-  _debug "Record Set ID is: ${record_id}"
+    return 1
  fi
  _debug "Zone ID is: ${zoneid}"
  # Remove all records
  # Therotically HuaweiCloud does not allow more than one record set
--- a/dnsapi/dns_ionos.sh
+++ b/dnsapi/dns_ionos.sh
@ -0,0 +1,162 @@
 #!/usr/bin/env sh
 # Supports IONOS DNS API Beta v1.0.0
 #
 # Usage:
 #   Export IONOS_PREFIX and IONOS_SECRET before calling acme.sh:
 #
 #   $ export IONOS_PREFIX="..."
 #   $ export IONOS_SECRET="..."
 #
 #   $ acme.sh --issue --dns dns_ionos ...
 IONOS_API="https://api.hosting.ionos.com/dns"
 IONOS_ROUTE_ZONES="/v1/zones"
 IONOS_TXT_TTL=60 # minimum accepted by API
 IONOS_TXT_PRIO=10
 dns_ionos_add() {
  fulldomain=$1
  txtvalue=$2
  if ! _ionos_init; then
    return 1
  fi
  _body="[{\"name\":\"$_sub_domain.$_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":$IONOS_TXT_TTL,\"prio\":$IONOS_TXT_PRIO,\"disabled\":false}]"
  if _ionos_rest POST "$IONOS_ROUTE_ZONES/$_zone_id/records" "$_body" && [ -z "$response" ]; then
    _info "TXT record has been created successfully."
    return 0
  fi
  return 1
 }
 dns_ionos_rm() {
  fulldomain=$1
  txtvalue=$2
  if ! _ionos_init; then
    return 1
  fi
  if ! _ionos_get_record "$fulldomain" "$_zone_id" "$txtvalue"; then
    _err "Could not find _acme-challenge TXT record."
    return 1
  fi
  if _ionos_rest DELETE "$IONOS_ROUTE_ZONES/$_zone_id/records/$_record_id" && [ -z "$response" ]; then
    _info "TXT record has been deleted successfully."
    return 0
  fi
  return 1
 }
 _ionos_init() {
  IONOS_PREFIX="${IONOS_PREFIX:-$(_readaccountconf_mutable IONOS_PREFIX)}"
  IONOS_SECRET="${IONOS_SECRET:-$(_readaccountconf_mutable IONOS_SECRET)}"
  if [ -z "$IONOS_PREFIX" ] || [ -z "$IONOS_SECRET" ]; then
    _err "You didn't specify an IONOS api prefix and secret yet."
    _err "Read https://beta.developer.hosting.ionos.de/docs/getstarted to learn how to get a prefix and secret."
    _err ""
    _err "Then set them before calling acme.sh:"
    _err "\$ export IONOS_PREFIX=\"...\""
    _err "\$ export IONOS_SECRET=\"...\""
    _err "\$ acme.sh --issue -d ... --dns dns_ionos"
    return 1
  fi
  _saveaccountconf_mutable IONOS_PREFIX "$IONOS_PREFIX"
  _saveaccountconf_mutable IONOS_SECRET "$IONOS_SECRET"
  if ! _get_root "$fulldomain"; then
    _err "Cannot find this domain in your IONOS account."
    return 1
  fi
 }
 _get_root() {
  domain=$1
  i=1
  p=1
  if _ionos_rest GET "$IONOS_ROUTE_ZONES"; then
    response="$(echo "$response" | tr -d "\n")"
    while true; do
      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
      if [ -z "$h" ]; then
        return 1
      fi
      _zone="$(echo "$response" | _egrep_o "\"name\":\"$h\".*\}")"
      if [ "$_zone" ]; then
        _zone_id=$(printf "%s\n" "$_zone" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
        if [ "$_zone_id" ]; then
          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
          _domain=$h
          return 0
        fi
        return 1
      fi
      p=$i
      i=$(_math "$i" + 1)
    done
  fi
  return 1
 }
 _ionos_get_record() {
  fulldomain=$1
  zone_id=$2
  txtrecord=$3
  if _ionos_rest GET "$IONOS_ROUTE_ZONES/$zone_id?recordName=$fulldomain&recordType=TXT"; then
    response="$(echo "$response" | tr -d "\n")"
    _record="$(echo "$response" | _egrep_o "\"name\":\"$fulldomain\"[^\}]*\"type\":\"TXT\"[^\}]*\"content\":\"\\\\\"$txtrecord\\\\\"\".*\}")"
    if [ "$_record" ]; then
      _record_id=$(printf "%s\n" "$_record" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
      return 0
    fi
  fi
  return 1
 }
 _ionos_rest() {
  method="$1"
  route="$2"
  data="$3"
  IONOS_API_KEY="$(printf "%s.%s" "$IONOS_PREFIX" "$IONOS_SECRET")"
  export _H1="X-API-Key: $IONOS_API_KEY"
  if [ "$method" != "GET" ]; then
    export _H2="Accept: application/json"
    export _H3="Content-Type: application/json"
    response="$(_post "$data" "$IONOS_API$route" "" "$method" "application/json")"
  else
    export _H2="Accept: */*"
    response="$(_get "$IONOS_API$route")"
  fi
  if [ "$?" != "0" ]; then
    _err "Error $route"
    return 1
  fi
  return 0
 }
--- a/dnsapi/dns_ispconfig.sh
+++ b/dnsapi/dns_ispconfig.sh
@ -75,7 +75,7 @@ _ISPC_getZoneInfo() {
    # suffix . needed for zone -> domain.tld.
    curData="{\"session_id\":\"${sessionID}\",\"primary_id\":{\"origin\":\"${curZone}.\"}}"
    curResult="$(_post "${curData}" "${ISPC_Api}?dns_zone_get")"
-    _debug "Calling _ISPC_getZoneInfo: '${curData}' '${ISPC_Api}?login'"
+    _debug "Calling _ISPC_getZoneInfo: '${curData}' '${ISPC_Api}?dns_zone_get'"
    _debug "Result of _ISPC_getZoneInfo: '$curResult'"
    if _contains "${curResult}" '"id":"'; then
      zoneFound=true
@ -110,18 +110,32 @@ _ISPC_getZoneInfo() {
      ;;
    *) _info "Retrieved Zone ID" ;;
    esac
-    client_id=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2)
+    sys_userid=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2)
-    _debug "Client ID: '${client_id}'"
+    _debug "SYS User ID: '${sys_userid}'"
-    case "${client_id}" in
+    case "${sys_userid}" in
    '' | *[!0-9]*)
-      _err "Client ID is not numeric."
+      _err "SYS User ID is not numeric."
      return 1
      ;;
-    *) _info "Retrieved Client ID." ;;
+    *) _info "Retrieved SYS User ID." ;;
    esac
    zoneFound=""
    zoneEnd=""
  fi
  # Need to get client_id as it is different from sys_userid
  curData="{\"session_id\":\"${sessionID}\",\"sys_userid\":\"${sys_userid}\"}"
  curResult="$(_post "${curData}" "${ISPC_Api}?client_get_id")"
  _debug "Calling _ISPC_ClientGetID: '${curData}' '${ISPC_Api}?client_get_id'"
  _debug "Result of _ISPC_ClientGetID: '$curResult'"
  client_id=$(echo "${curResult}" | _egrep_o "response.*" | cut -d ':' -f 2 | cut -d '"' -f 2 | tr -d '{}')
  _debug "Client ID: '${client_id}'"
  case "${client_id}" in
  '' | *[!0-9]*)
    _err "Client ID is not numeric."
    return 1
    ;;
  *) _info "Retrieved Client ID." ;;
  esac
 }
 _ISPC_addTxt() {
--- a/dnsapi/dns_linode_v4.sh
+++ b/dnsapi/dns_linode_v4.sh
@ -106,6 +106,7 @@ dns_linode_v4_rm() {
 ####################  Private functions below ##################################
 _Linode_API() {
  LINODE_V4_API_KEY="${LINODE_V4_API_KEY:-$(_readaccountconf_mutable LINODE_V4_API_KEY)}"
  if [ -z "$LINODE_V4_API_KEY" ]; then
    LINODE_V4_API_KEY=""
@ -115,7 +116,7 @@ _Linode_API() {
    return 1
  fi
-  _saveaccountconf LINODE_V4_API_KEY "$LINODE_V4_API_KEY"
+  _saveaccountconf_mutable LINODE_V4_API_KEY "$LINODE_V4_API_KEY"
 }
 ####################  Private functions below ##################################
--- a/dnsapi/dns_namecheap.sh
+++ b/dnsapi/dns_namecheap.sh
@ -157,7 +157,7 @@ _namecheap_set_publicip() {
  if [ -z "$NAMECHEAP_SOURCEIP" ]; then
    _err "No Source IP specified for Namecheap API."
-    _err "Use your public ip address or an url to retrieve it (e.g. https://ipconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
+    _err "Use your public ip address or an url to retrieve it (e.g. https://ifconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
    return 1
  else
    _saveaccountconf NAMECHEAP_SOURCEIP "$NAMECHEAP_SOURCEIP"
@ -175,7 +175,7 @@ _namecheap_set_publicip() {
      _publicip=$(_get "$addr")
    else
      _err "No Source IP specified for Namecheap API."
-      _err "Use your public ip address or an url to retrieve it (e.g. https://ipconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
+      _err "Use your public ip address or an url to retrieve it (e.g. https://ifconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
      return 1
    fi
  fi
@ -208,7 +208,7 @@ _namecheap_parse_host() {
  _hostid=$(echo "$_host" | _egrep_o ' HostId="[^"]*' | cut -d '"' -f 2)
  _hostname=$(echo "$_host" | _egrep_o ' Name="[^"]*' | cut -d '"' -f 2)
  _hosttype=$(echo "$_host" | _egrep_o ' Type="[^"]*' | cut -d '"' -f 2)
-  _hostaddress=$(echo "$_host" | _egrep_o ' Address="[^"]*' | cut -d '"' -f 2)
+  _hostaddress=$(echo "$_host" | _egrep_o ' Address="[^"]*' | cut -d '"' -f 2 | _xml_decode)
  _hostmxpref=$(echo "$_host" | _egrep_o ' MXPref="[^"]*' | cut -d '"' -f 2)
  _hostttl=$(echo "$_host" | _egrep_o ' TTL="[^"]*' | cut -d '"' -f 2)
@ -405,3 +405,7 @@ _namecheap_set_tld_sld() {
  done
 }
 _xml_decode() {
  sed 's/&quot;/"/g'
 }
--- a/dnsapi/dns_one.sh
+++ b/dnsapi/dns_one.sh
@ -1,22 +1,9 @@
 #!/usr/bin/env sh
 # -*- mode: sh; tab-width: 2; indent-tabs-mode: s; coding: utf-8 -*-
 # one.com ui wrapper for acme.sh
-# Author: github: @diseq
+
 # Created: 2019-02-17
 # Fixed by: @der-berni
 # Modified: 2020-04-07
 #
 #     Use ONECOM_KeepCnameProxy to keep the CNAME DNS record
 #     export ONECOM_KeepCnameProxy="1"
 #
 #     export ONECOM_User="username"
 #     export ONECOM_Password="password"
 #
 # Usage:
 #     acme.sh --issue --dns dns_one -d example.com
 #
 #     only single domain supported atm
 dns_one_add() {
  fulldomain=$1
@ -36,27 +23,9 @@ dns_one_add() {
  subdomain="${_sub_domain}"
  maindomain=${_domain}
  useProxy=0
  if [ "${_sub_domain}" = "_acme-challenge" ]; then
    subdomain="proxy${_sub_domain}"
    useProxy=1
  fi
  _debug subdomain "$subdomain"
  _debug maindomain "$maindomain"
  if [ $useProxy -eq 1 ]; then
    #Check if the CNAME exists
    _dns_one_getrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
    if [ -z "$id" ]; then
      _info "$(__red "Add CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
      _dns_one_addrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
      _info "Not valid yet, let's wait 1 hour to take effect."
      _sleep 3600
    fi
  fi
  #Check if the TXT exists
  _dns_one_getrecord "TXT" "$subdomain" "$txtvalue"
  if [ -n "$id" ]; then
@ -92,26 +61,8 @@ dns_one_rm() {
  subdomain="${_sub_domain}"
  maindomain=${_domain}
  useProxy=0
  if [ "${_sub_domain}" = "_acme-challenge" ]; then
    subdomain="proxy${_sub_domain}"
    useProxy=1
  fi
  _debug subdomain "$subdomain"
  _debug maindomain "$maindomain"
  if [ $useProxy -eq 1 ]; then
    if [ "$ONECOM_KeepCnameProxy" = "1" ]; then
      _info "$(__red "Keeping CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
    else
      #Check if the CNAME exists
      _dns_one_getrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
      if [ -n "$id" ]; then
        _info "$(__red "Removing CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
        _dns_one_delrecord "$id"
      fi
    fi
  fi
  #Check if the TXT exists
  _dns_one_getrecord "TXT" "$subdomain" "$txtvalue"
@ -136,7 +87,7 @@ dns_one_rm() {
 # _domain=domain.com
 _get_root() {
  domain="$1"
-  i=2
+  i=1
  p=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@ -163,8 +114,6 @@ _get_root() {
 _dns_one_login() {
  # get credentials
  ONECOM_KeepCnameProxy="${ONECOM_KeepCnameProxy:-$(_readaccountconf_mutable ONECOM_KeepCnameProxy)}"
  ONECOM_KeepCnameProxy="${ONECOM_KeepCnameProxy:-0}"
  ONECOM_User="${ONECOM_User:-$(_readaccountconf_mutable ONECOM_User)}"
  ONECOM_Password="${ONECOM_Password:-$(_readaccountconf_mutable ONECOM_Password)}"
  if [ -z "$ONECOM_User" ] || [ -z "$ONECOM_Password" ]; then
@ -176,7 +125,6 @@ _dns_one_login() {
  fi
  #save the api key and email to the account conf file.
  _saveaccountconf_mutable ONECOM_KeepCnameProxy "$ONECOM_KeepCnameProxy"
  _saveaccountconf_mutable ONECOM_User "$ONECOM_User"
  _saveaccountconf_mutable ONECOM_Password "$ONECOM_Password"
--- a/dnsapi/dns_pdns.sh
+++ b/dnsapi/dns_pdns.sh
@ -175,13 +175,13 @@ _get_root() {
  i=1
  if _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones"; then
-    _zones_response="$response"
+    _zones_response=$(echo "$response" | _normalizeJson)
  fi
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
-    if _contains "$_zones_response" "\"name\": \"$h.\""; then
+    if _contains "$_zones_response" "\"name\":\"$h.\""; then
      _domain="$h."
      if [ -z "$h" ]; then
        _domain="=2E"
--- a/dnsapi/dns_porkbun.sh
+++ b/dnsapi/dns_porkbun.sh
@ -0,0 +1,157 @@
 #!/usr/bin/env sh
 #
 #PORKBUN_API_KEY="pk1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
 #PORKBUN_SECRET_API_KEY="sk1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
 PORKBUN_Api="https://porkbun.com/api/json/v3"
 ########  Public functions #####################
 #Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_porkbun_add() {
  fulldomain=$1
  txtvalue=$2
  PORKBUN_API_KEY="${PORKBUN_API_KEY:-$(_readaccountconf_mutable PORKBUN_API_KEY)}"
  PORKBUN_SECRET_API_KEY="${PORKBUN_SECRET_API_KEY:-$(_readaccountconf_mutable PORKBUN_SECRET_API_KEY)}"
  if [ -z "$PORKBUN_API_KEY" ] || [ -z "$PORKBUN_SECRET_API_KEY" ]; then
    PORKBUN_API_KEY=''
    PORKBUN_SECRET_API_KEY=''
    _err "You didn't specify a Porkbun api key and secret api key yet."
    _err "You can get yours from here https://porkbun.com/account/api."
    return 1
  fi
  #save the credentials to the account conf file.
  _saveaccountconf_mutable PORKBUN_API_KEY "$PORKBUN_API_KEY"
  _saveaccountconf_mutable PORKBUN_SECRET_API_KEY "$PORKBUN_SECRET_API_KEY"
  _debug 'First detect the root zone'
  if ! _get_root "$fulldomain"; then
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
  # we can not use updating anymore.
  #  count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
  #  _debug count "$count"
  #  if [ "$count" = "0" ]; then
  _info "Adding record"
  if _porkbun_rest POST "dns/create/$_domain" "{\"name\":\"$_sub_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":120}"; then
    if _contains "$response" '\"status\":"SUCCESS"'; then
      _info "Added, OK"
      return 0
    elif _contains "$response" "The record already exists"; then
      _info "Already exists, OK"
      return 0
    else
      _err "Add txt record error. ($response)"
      return 1
    fi
  fi
  _err "Add txt record error."
  return 1
 }
 #fulldomain txtvalue
 dns_porkbun_rm() {
  fulldomain=$1
  txtvalue=$2
  PORKBUN_API_KEY="${PORKBUN_API_KEY:-$(_readaccountconf_mutable PORKBUN_API_KEY)}"
  PORKBUN_SECRET_API_KEY="${PORKBUN_SECRET_API_KEY:-$(_readaccountconf_mutable PORKBUN_SECRET_API_KEY)}"
  _debug 'First detect the root zone'
  if ! _get_root "$fulldomain"; then
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  count=$(echo "$response" | _egrep_o "\"count\": *[^,]*" | cut -d : -f 2 | tr -d " ")
  _debug count "$count"
  if [ "$count" = "0" ]; then
    _info "Don't need to remove."
  else
    record_id=$(echo "$response" | tr '{' '\n' | grep -- "$txtvalue" | cut -d, -f1 | cut -d: -f2 | tr -d \")
    _debug "record_id" "$record_id"
    if [ -z "$record_id" ]; then
      _err "Can not get record id to remove."
      return 1
    fi
    if ! _porkbun_rest POST "dns/delete/$_domain/$record_id"; then
      _err "Delete record error."
      return 1
    fi
    echo "$response" | tr -d " " | grep '\"status\":"SUCCESS"' >/dev/null
  fi
 }
 ####################  Private functions below ##################################
 #_acme-challenge.www.domain.com
 #returns
 # _sub_domain=_acme-challenge.www
 # _domain=domain.com
 _get_root() {
  domain=$1
  i=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    _debug h "$h"
    if [ -z "$h" ]; then
      return 1
    fi
    if _porkbun_rest POST "dns/retrieve/$h"; then
      if _contains "$response" "\"status\":\"SUCCESS\""; then
        _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
        _domain=$h
        return 0
      else
        _debug "Go to next level of $_domain"
      fi
    else
      _debug "Go to next level of $_domain"
    fi
    i=$(_math "$i" + 1)
  done
  return 1
 }
 _porkbun_rest() {
  m=$1
  ep="$2"
  data="$3"
  _debug "$ep"
  api_key_trimmed=$(echo "$PORKBUN_API_KEY" | tr -d '"')
  secret_api_key_trimmed=$(echo "$PORKBUN_SECRET_API_KEY" | tr -d '"')
  test -z "$data" && data="{" || data="$(echo $data | cut -d'}' -f1),"
  data="$data\"apikey\":\"$api_key_trimmed\",\"secretapikey\":\"$secret_api_key_trimmed\"}"
  export _H1="Content-Type: application/json"
  if [ "$m" != "GET" ]; then
    _debug data "$data"
    response="$(_post "$data" "$PORKBUN_Api/$ep" "" "$m")"
  else
    response="$(_get "$PORKBUN_Api/$ep")"
  fi
  _sleep 3 # prevent rate limit
  if [ "$?" != "0" ]; then
    _err "error $ep"
    return 1
  fi
  _debug2 response "$response"
  return 0
 }
--- a/dnsapi/dns_rackcorp.sh
+++ b/dnsapi/dns_rackcorp.sh
@ -0,0 +1,156 @@
 #!/usr/bin/env sh
 # Provider: RackCorp (www.rackcorp.com)
 # Author: Stephen Dendtler (sdendtler@rackcorp.com)
 # Report Bugs here: https://github.com/senjoo/acme.sh
 # Alternate email contact: support@rackcorp.com
 #
 # You'll need an API key (Portal: ADMINISTRATION -> API)
 # Set the environment variables as below:
 #
 #    export RACKCORP_APIUUID="UUIDHERE"
 #    export RACKCORP_APISECRET="SECRETHERE"
 #
 RACKCORP_API_ENDPOINT="https://api.rackcorp.net/api/rest/v2.4/json.php"
 ########  Public functions #####################
 dns_rackcorp_add() {
  fulldomain="$1"
  txtvalue="$2"
  _debug fulldomain="$fulldomain"
  _debug txtvalue="$txtvalue"
  if ! _rackcorp_validate; then
    return 1
  fi
  _debug "Searching for root zone"
  if ! _get_root "$fulldomain"; then
    return 1
  fi
  _debug _lookup "$_lookup"
  _debug _domain "$_domain"
  _info "Creating TXT record."
  if ! _rackcorp_api dns.record.create "\"name\":\"$_domain\",\"type\":\"TXT\",\"lookup\":\"$_lookup\",\"data\":\"$txtvalue\",\"ttl\":300"; then
    return 1
  fi
  return 0
 }
 #Usage: fulldomain txtvalue
 #Remove the txt record after validation.
 dns_rackcorp_rm() {
  fulldomain=$1
  txtvalue=$2
  _debug fulldomain="$fulldomain"
  _debug txtvalue="$txtvalue"
  if ! _rackcorp_validate; then
    return 1
  fi
  _debug "Searching for root zone"
  if ! _get_root "$fulldomain"; then
    return 1
  fi
  _debug _lookup "$_lookup"
  _debug _domain "$_domain"
  _info "Creating TXT record."
  if ! _rackcorp_api dns.record.delete "\"name\":\"$_domain\",\"type\":\"TXT\",\"lookup\":\"$_lookup\",\"data\":\"$txtvalue\""; then
    return 1
  fi
  return 0
 }
 ####################  Private functions below ##################################
 #_acme-challenge.domain.com
 #returns
 # _lookup=_acme-challenge
 # _domain=domain.com
 _get_root() {
  domain=$1
  i=1
  p=1
  if ! _rackcorp_api dns.domain.getall "\"name\":\"$domain\""; then
    return 1
  fi
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    _debug searchhost "$h"
    if [ -z "$h" ]; then
      _err "Could not find domain for record $domain in RackCorp using the provided credentials"
      #not valid
      return 1
    fi
    _rackcorp_api dns.domain.getall "\"exactName\":\"$h\""
    if _contains "$response" "\"matches\":1"; then
      if _contains "$response" "\"name\":\"$h\""; then
        _lookup=$(printf "%s" "$domain" | cut -d . -f 1-$p)
        _domain="$h"
        return 0
      fi
    fi
    p=$i
    i=$(_math "$i" + 1)
  done
  return 1
 }
 _rackcorp_validate() {
  RACKCORP_APIUUID="${RACKCORP_APIUUID:-$(_readaccountconf_mutable RACKCORP_APIUUID)}"
  if [ -z "$RACKCORP_APIUUID" ]; then
    RACKCORP_APIUUID=""
    _err "You require a RackCorp API UUID (export RACKCORP_APIUUID=\"<api uuid>\")"
    _err "Please login to the portal and create an API key and try again."
    return 1
  fi
  _saveaccountconf_mutable RACKCORP_APIUUID "$RACKCORP_APIUUID"
  RACKCORP_APISECRET="${RACKCORP_APISECRET:-$(_readaccountconf_mutable RACKCORP_APISECRET)}"
  if [ -z "$RACKCORP_APISECRET" ]; then
    RACKCORP_APISECRET=""
    _err "You require a RackCorp API secret (export RACKCORP_APISECRET=\"<api secret>\")"
    _err "Please login to the portal and create an API key and try again."
    return 1
  fi
  _saveaccountconf_mutable RACKCORP_APISECRET "$RACKCORP_APISECRET"
  return 0
 }
 _rackcorp_api() {
  _rackcorpcmd=$1
  _rackcorpinputdata=$2
  _debug cmd "$_rackcorpcmd $_rackcorpinputdata"
  export _H1="Accept: application/json"
  response="$(_post "{\"APIUUID\":\"$RACKCORP_APIUUID\",\"APISECRET\":\"$RACKCORP_APISECRET\",\"cmd\":\"$_rackcorpcmd\",$_rackcorpinputdata}" "$RACKCORP_API_ENDPOINT" "" "POST")"
  if [ "$?" != "0" ]; then
    _err "error $response"
    return 1
  fi
  _debug2 response "$response"
  if _contains "$response" "\"code\":\"OK\""; then
    _debug code "OK"
  else
    _debug code "FAILED"
    response=""
    return 1
  fi
  return 0
 }
--- a/dnsapi/dns_scaleway.sh
+++ b/dnsapi/dns_scaleway.sh
@ -0,0 +1,176 @@
 #!/usr/bin/env sh
 # Scaleway API
 # https://developers.scaleway.com/en/products/domain/dns/api/
 #
 # Requires Scaleway API token set in SCALEWAY_API_TOKEN
 ########  Public functions #####################
 SCALEWAY_API="https://api.scaleway.com/domain/v2beta1"
 #Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_scaleway_add() {
  fulldomain=$1
  txtvalue=$2
  if ! _scaleway_check_config; then
    return 1
  fi
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  _info "Adding record"
  _scaleway_create_TXT_record "$_domain" "$_sub_domain" "$txtvalue"
  if _contains "$response" "records"; then
    return 0
  else
    _err error "$response"
    return 1
  fi
  _info "Record added."
  return 0
 }
 dns_scaleway_rm() {
  fulldomain=$1
  txtvalue=$2
  if ! _scaleway_check_config; then
    return 1
  fi
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  _info "Deleting record"
  _scaleway_delete_TXT_record "$_domain" "$_sub_domain" "$txtvalue"
  if _contains "$response" "records"; then
    return 0
  else
    _err error "$response"
    return 1
  fi
  _info "Record deleted."
  return 0
 }
 ####################  Private functions below ##################################
 _scaleway_check_config() {
  SCALEWAY_API_TOKEN="${SCALEWAY_API_TOKEN:-$(_readaccountconf_mutable SCALEWAY_API_TOKEN)}"
  if [ -z "$SCALEWAY_API_TOKEN" ]; then
    _err "No API key specified for Scaleway API."
    _err "Create your key and export it as SCALEWAY_API_TOKEN"
    return 1
  fi
  if ! _scaleway_rest GET "dns-zones"; then
    _err "Invalid API key specified for Scaleway API."
    return 1
  fi
  _saveaccountconf_mutable SCALEWAY_API_TOKEN "$SCALEWAY_API_TOKEN"
  return 0
 }
 #_acme-challenge.www.domain.com
 #returns
 # _sub_domain=_acme-challenge.www
 # _domain=domain.com
 _get_root() {
  domain=$1
  i=1
  p=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    if [ -z "$h" ]; then
      #not valid
      return 1
    fi
    _scaleway_rest GET "dns-zones/$h/records"
    if ! _contains "$response" "subdomain not found" >/dev/null; then
      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
      _domain="$h"
      return 0
    fi
    p=$i
    i=$(_math "$i" + 1)
  done
  _err "Unable to retrive DNS zone matching this domain"
  return 1
 }
 # this function add a TXT record
 _scaleway_create_TXT_record() {
  txt_zone=$1
  txt_name=$2
  txt_value=$3
  _scaleway_rest PATCH "dns-zones/$txt_zone/records" "{\"return_all_records\":false,\"changes\":[{\"add\":{\"records\":[{\"name\":\"$txt_name\",\"data\":\"$txt_value\",\"type\":\"TXT\",\"ttl\":60}]}}]}"
  if _contains "$response" "records"; then
    return 0
  else
    _err "error1 $response"
    return 1
  fi
 }
 # this function delete a TXT record based on name and content
 _scaleway_delete_TXT_record() {
  txt_zone=$1
  txt_name=$2
  txt_value=$3
  _scaleway_rest PATCH "dns-zones/$txt_zone/records" "{\"return_all_records\":false,\"changes\":[{\"delete\":{\"id_fields\":{\"name\":\"$txt_name\",\"data\":\"$txt_value\",\"type\":\"TXT\"}}}]}"
  if _contains "$response" "records"; then
    return 0
  else
    _err "error2 $response"
    return 1
  fi
 }
 _scaleway_rest() {
  m=$1
  ep="$2"
  data="$3"
  _debug "$ep"
  _scaleway_url="$SCALEWAY_API/$ep"
  _debug2 _scaleway_url "$_scaleway_url"
  export _H1="x-auth-token: $SCALEWAY_API_TOKEN"
  export _H2="Accept: application/json"
  export _H3="Content-Type: application/json"
  if [ "$data" ] || [ "$m" != "GET" ]; then
    _debug data "$data"
    response="$(_post "$data" "$_scaleway_url" "" "$m")"
  else
    response="$(_get "$_scaleway_url")"
  fi
  if [ "$?" != "0" ] || _contains "$response" "denied_authentication" || _contains "$response" "Method not allowed" || _contains "$response" "json parse error: unexpected EOF"; then
    _err "error $response"
    return 1
  fi
  _debug2 response "$response"
  return 0
 }
--- a/dnsapi/dns_servercow.sh
+++ b/dnsapi/dns_servercow.sh
@ -49,16 +49,42 @@ dns_servercow_add() {
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
-  if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":20}"; then
+  # check whether a txt record already exists for the subdomain
-    if printf -- "%s" "$response" | grep "ok" >/dev/null; then
+  if printf -- "%s" "$response" | grep "{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\"" >/dev/null; then
-      _info "Added, OK"
+    _info "A txt record with the same name already exists."
-      return 0
+    # trim the string on the left
-    else
+    txtvalue_old=${response#*{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"}
-      _err "add txt record error."
+    # trim the string on the right
-      return 1
+    txtvalue_old=${txtvalue_old%%\"*}
    _debug txtvalue_old "$txtvalue_old"
    _info "Add the new txtvalue to the existing txt record."
    if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":[\"$txtvalue\",\"$txtvalue_old\"],\"ttl\":20}"; then
      if printf -- "%s" "$response" | grep "ok" >/dev/null; then
        _info "Added additional txtvalue, OK"
        return 0
      else
        _err "add txt record error."
        return 1
      fi
    fi
    _err "add txt record error."
    return 1
  else
    _info "There is no txt record with the name yet."
    if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":20}"; then
      if printf -- "%s" "$response" | grep "ok" >/dev/null; then
        _info "Added, OK"
        return 0
      else
        _err "add txt record error."
        return 1
      fi
    fi
    _err "add txt record error."
    return 1
  fi
  _err "add txt record error."
  return 1
 }
--- a/dnsapi/dns_simply.sh
+++ b/dnsapi/dns_simply.sh
@ -6,9 +6,11 @@
 #SIMPLY_ApiKey="apikey"
 #
 #SIMPLY_Api="https://api.simply.com/1/[ACCOUNTNAME]/[APIKEY]"
 SIMPLY_Api_Default="https://api.simply.com/1"
 #This is used for determining success of REST call
 SIMPLY_SUCCESS_CODE='"status": 200'
 ########  Public functions #####################
 #Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_simply_add() {
@ -171,7 +173,7 @@ _get_root() {
      return 1
    fi
-    if _contains "$response" '"code":"NOT_FOUND"'; then
+    if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
      _debug "$h not found"
    else
      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
@ -196,6 +198,12 @@ _simply_add_record() {
    return 1
  fi
  if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
    _err "Call to API not sucessfull, see below message for more details"
    _err "$response"
    return 1
  fi
  return 0
 }
@ -211,6 +219,12 @@ _simply_delete_record() {
    return 1
  fi
  if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
    _err "Call to API not sucessfull, see below message for more details"
    _err "$response"
    return 1
  fi
  return 0
 }
--- a/dnsapi/dns_websupport.sh
+++ b/dnsapi/dns_websupport.sh
@ -0,0 +1,207 @@
 #!/usr/bin/env sh
 # Acme.sh DNS API wrapper for websupport.sk
 #
 # Original author: trgo.sk (https://github.com/trgosk)
 # Tweaks by: akulumbeg (https://github.com/akulumbeg)
 # Report Bugs here: https://github.com/akulumbeg/acme.sh
 # Requirements: API Key and Secret from https://admin.websupport.sk/en/auth/apiKey
 #
 # WS_ApiKey="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
 # (called "Identifier" in the WS Admin)
 #
 # WS_ApiSecret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
 # (called "Secret key" in the WS Admin)
 WS_Api="https://rest.websupport.sk"
 ########  Public functions #####################
 dns_websupport_add() {
  fulldomain=$1
  txtvalue=$2
  WS_ApiKey="${WS_ApiKey:-$(_readaccountconf_mutable WS_ApiKey)}"
  WS_ApiSecret="${WS_ApiSecret:-$(_readaccountconf_mutable WS_ApiSecret)}"
  if [ "$WS_ApiKey" ] && [ "$WS_ApiSecret" ]; then
    _saveaccountconf_mutable WS_ApiKey "$WS_ApiKey"
    _saveaccountconf_mutable WS_ApiSecret "$WS_ApiSecret"
  else
    WS_ApiKey=""
    WS_ApiSecret=""
    _err "You did not specify the API Key and/or API Secret"
    _err "You can get the API login credentials from https://admin.websupport.sk/en/auth/apiKey"
    return 1
  fi
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
  # we can not use updating anymore.
  #  count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
  #  _debug count "$count"
  #  if [ "$count" = "0" ]; then
  _info "Adding record"
  if _ws_rest POST "/v1/user/self/zone/$_domain/record" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":120}"; then
    if _contains "$response" "$txtvalue"; then
      _info "Added, OK"
      return 0
    elif _contains "$response" "The record already exists"; then
      _info "Already exists, OK"
      return 0
    else
      _err "Add txt record error."
      return 1
    fi
  fi
  _err "Add txt record error."
  return 1
 }
 dns_websupport_rm() {
  fulldomain=$1
  txtvalue=$2
  _debug2 fulldomain "$fulldomain"
  _debug2 txtvalue "$txtvalue"
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  _debug "Getting txt records"
  _ws_rest GET "/v1/user/self/zone/$_domain/record"
  if [ "$(printf "%s" "$response" | tr -d " " | grep -c \"items\")" -lt "1" ]; then
    _err "Error: $response"
    return 1
  fi
  record_line="$(_get_from_array "$response" "$txtvalue")"
  _debug record_line "$record_line"
  if [ -z "$record_line" ]; then
    _info "Don't need to remove."
  else
    record_id=$(echo "$record_line" | _egrep_o "\"id\": *[^,]*" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")
    _debug "record_id" "$record_id"
    if [ -z "$record_id" ]; then
      _err "Can not get record id to remove."
      return 1
    fi
    if ! _ws_rest DELETE "/v1/user/self/zone/$_domain/record/$record_id"; then
      _err "Delete record error."
      return 1
    fi
    if [ "$(printf "%s" "$response" | tr -d " " | grep -c \"success\")" -lt "1" ]; then
      return 1
    else
      return 0
    fi
  fi
 }
 ####################  Private Functions ##################################
 _get_root() {
  domain=$1
  i=1
  p=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    _debug h "$h"
    if [ -z "$h" ]; then
      #not valid
      return 1
    fi
    if ! _ws_rest GET "/v1/user/self/zone"; then
      return 1
    fi
    if _contains "$response" "\"name\":\"$h\""; then
      _domain_id=$(echo "$response" | _egrep_o "\[.\"id\": *[^,]*" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")
      if [ "$_domain_id" ]; then
        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
        _domain=$h
        return 0
      fi
      return 1
    fi
    p=$i
    i=$(_math "$i" + 1)
  done
  return 1
 }
 _ws_rest() {
  me=$1
  pa="$2"
  da="$3"
  _debug2 api_key "$WS_ApiKey"
  _debug2 api_secret "$WS_ApiSecret"
  timestamp=$(_time)
  datez="$(_utc_date | sed "s/ /T/" | sed "s/$/+0000/")"
  canonical_request="${me} ${pa} ${timestamp}"
  signature_hash=$(printf "%s" "$canonical_request" | _hmac sha1 "$(printf "%s" "$WS_ApiSecret" | _hex_dump | tr -d " ")" hex)
  basicauth="$(printf "%s:%s" "$WS_ApiKey" "$signature_hash" | _base64)"
  _debug2 method "$me"
  _debug2 path "$pa"
  _debug2 data "$da"
  _debug2 timestamp "$timestamp"
  _debug2 datez "$datez"
  _debug2 canonical_request "$canonical_request"
  _debug2 signature_hash "$signature_hash"
  _debug2 basicauth "$basicauth"
  export _H1="Accept: application/json"
  export _H2="Content-Type: application/json"
  export _H3="Authorization: Basic ${basicauth}"
  export _H4="Date: ${datez}"
  _debug2 H1 "$_H1"
  _debug2 H2 "$_H2"
  _debug2 H3 "$_H3"
  _debug2 H4 "$_H4"
  if [ "$me" != "GET" ]; then
    _debug2 "${me} $WS_Api${pa}"
    _debug data "$da"
    response="$(_post "$da" "${WS_Api}${pa}" "" "$me")"
  else
    _debug2 "GET $WS_Api${pa}"
    response="$(_get "$WS_Api${pa}")"
  fi
  _debug2 response "$response"
  return "$?"
 }
 _get_from_array() {
  va="$1"
  fi="$2"
  for i in $(echo "$va" | sed "s/{/ /g"); do
    if _contains "$i" "$fi"; then
      echo "$i"
      break
    fi
  done
 }
--- a/dnsapi/dns_world4you.sh
+++ b/dnsapi/dns_world4you.sh
@ -52,17 +52,26 @@ AddDnsRecordForm[uniqueFormIdTTL]=$formidttl&AddDnsRecordForm[_token]=$form_toke
  ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/dns" '' POST 'application/x-www-form-urlencoded')
  _resethttp
-  if grep '302' >/dev/null <"$HTTP_HEADER"; then
+  if _contains "$(_head_n 3 <"$HTTP_HEADER")" '302'; then
    res=$(_get "$WORLD4YOU_API/$paketnr/dns")
    if _contains "$res" "successfully"; then
      return 0
    else
      msg=$(echo "$res" | tr '\n' '\t' | sed 's/.*<h3 class="mb-5">[^\t]*\t *\([^\t]*\)\t.*/\1/')
      if _contains "$msg" '^<\!DOCTYPE html>'; then
        msg='Unknown error'
      fi
      _err "Unable to add record: $msg"
      if _contains "$msg" '^<\!DOCTYPE html>'; then
        echo "$ret" >'error-01.html'
        echo "$res" >'error-02.html'
        _err "View error-01.html and error-02.html for debugging"
      fi
      return 1
    fi
  else
-    _err "$(_head_n 1 <"$HTTP_HEADER")"
+    _err "$(_head_n 3 <"$HTTP_HEADER")"
    _err "View $HTTP_HEADER for debugging"
    return 1
  fi
 }
@ -111,17 +120,26 @@ DeleteDnsRecordForm[_token]=$form_token"
  ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/deleteRecord" '' POST 'application/x-www-form-urlencoded')
  _resethttp
-  if grep '302' >/dev/null <"$HTTP_HEADER"; then
+  if _contains "$(_head_n 3 <"$HTTP_HEADER")" '302'; then
    res=$(_get "$WORLD4YOU_API/$paketnr/dns")
    if _contains "$res" "successfully"; then
      return 0
    else
      msg=$(echo "$res" | tr '\n' '\t' | sed 's/.*<h3 class="mb-5">[^\t]*\t *\([^\t]*\)\t.*/\1/')
      if _contains "$msg" '^<\!DOCTYPE html>'; then
        msg='Unknown error'
      fi
      _err "Unable to remove record: $msg"
      if _contains "$msg" '^<\!DOCTYPE html>'; then
        echo "$ret" >'error-01.html'
        echo "$res" >'error-02.html'
        _err "View error-01.html and error-02.html for debugging"
      fi
      return 1
    fi
  else
-    _err "$(_head_n 1 <"$HTTP_HEADER")"
+    _err "$(_head_n 3 <"$HTTP_HEADER")"
    _err "View $HTTP_HEADER for debugging"
    return 1
  fi
 }
@ -175,7 +193,7 @@ _get_paketnr() {
  domains=$(echo "$form" | grep '^ *[A-Za-z0-9_\.-]*\.[A-Za-z0-9_-]*$' | sed 's/^\s*\(\S*\)$/\1/')
  domain=''
  for domain in $domains; do
-    if echo "$fqdn" | grep "$domain\$" >/dev/null; then
+    if _contains "$fqdn" "$domain\$"; then
      break
    fi
    domain=''
@ -185,7 +203,8 @@ _get_paketnr() {
  fi
  TLD="$domain"
  _debug domain "$domain"
  RECORD=$(echo "$fqdn" | cut -c"1-$((${#fqdn} - ${#TLD} - 1))")
-  PAKETNR=$(echo "$form" | grep "data-textfilter=\" $domain " | _head_n 1 | sed 's/^.* \([0-9]*\) .*$/\1/')
+  PAKETNR=$(echo "$form" | grep "data-textfilter=\".* $domain " | _head_n 1 | sed 's/^.* \([0-9]*\) .*$/\1/')
  return 0
 }
--- a/notify/mail.sh
+++ b/notify/mail.sh
@ -79,7 +79,7 @@ mail_send() {
 _mail_bin() {
  _MAIL_BIN=""
-  for b in "$MAIL_BIN" sendmail ssmtp mutt mail msmtp; do
+  for b in $MAIL_BIN sendmail ssmtp mutt mail msmtp; do
    if _exists "$b"; then
      _MAIL_BIN="$b"
      break
--- a/notify/smtp.sh
+++ b/notify/smtp.sh
@ -2,14 +2,398 @@
 # support smtp
-smtp_send() {
+# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3358
  _subject="$1"
  _content="$2"
  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
  _debug "_subject" "$_subject"
  _debug "_content" "$_content"
  _debug "_statusCode" "$_statusCode"
-  _err "Not implemented yet."
+# This implementation uses either curl or Python (3 or 2.7).
-  return 1
+# (See also the "mail" notify hook, which supports other ways to send mail.)
 # SMTP_FROM="from@example.com"  # required
 # SMTP_TO="to@example.com"  # required
 # SMTP_HOST="smtp.example.com"  # required
 # SMTP_PORT="25"  # defaults to 25, 465 or 587 depending on SMTP_SECURE
 # SMTP_SECURE="tls"  # one of "none", "ssl" (implicit TLS, TLS Wrapper), "tls" (explicit TLS, STARTTLS)
 # SMTP_USERNAME=""  # set if SMTP server requires login
 # SMTP_PASSWORD=""  # set if SMTP server requires login
 # SMTP_TIMEOUT="30"  # seconds for SMTP operations to timeout
 # SMTP_BIN="/path/to/python_or_curl"  # default finds first of python3, python2.7, python, pypy3, pypy, curl on PATH
 SMTP_SECURE_DEFAULT="tls"
 SMTP_TIMEOUT_DEFAULT="30"
 # subject content statuscode
 smtp_send() {
  SMTP_SUBJECT="$1"
  SMTP_CONTENT="$2"
  # UNUSED: _statusCode="$3" # 0: success, 1: error 2($RENEW_SKIP): skipped
  # Load and validate config:
  SMTP_BIN="$(_readaccountconf_mutable_default SMTP_BIN)"
  if [ -n "$SMTP_BIN" ] && ! _exists "$SMTP_BIN"; then
    _err "SMTP_BIN '$SMTP_BIN' does not exist."
    return 1
  fi
  if [ -z "$SMTP_BIN" ]; then
    # Look for a command that can communicate with an SMTP server.
    # (Please don't add sendmail, ssmtp, mutt, mail, or msmtp here.
    # Those are already handled by the "mail" notify hook.)
    for cmd in python3 python2.7 python pypy3 pypy curl; do
      if _exists "$cmd"; then
        SMTP_BIN="$cmd"
        break
      fi
    done
    if [ -z "$SMTP_BIN" ]; then
      _err "The smtp notify-hook requires curl or Python, but can't find any."
      _err 'If you have one of them, define SMTP_BIN="/path/to/curl_or_python".'
      _err 'Otherwise, see if you can use the "mail" notify-hook instead.'
      return 1
    fi
  fi
  _debug SMTP_BIN "$SMTP_BIN"
  _saveaccountconf_mutable_default SMTP_BIN "$SMTP_BIN"
  SMTP_FROM="$(_readaccountconf_mutable_default SMTP_FROM)"
  SMTP_FROM="$(_clean_email_header "$SMTP_FROM")"
  if [ -z "$SMTP_FROM" ]; then
    _err "You must define SMTP_FROM as the sender email address."
    return 1
  fi
  if _email_has_display_name "$SMTP_FROM"; then
    _err "SMTP_FROM must be only a simple email address (sender@example.com)."
    _err "Change your SMTP_FROM='$SMTP_FROM' to remove the display name."
    return 1
  fi
  _debug SMTP_FROM "$SMTP_FROM"
  _saveaccountconf_mutable_default SMTP_FROM "$SMTP_FROM"
  SMTP_TO="$(_readaccountconf_mutable_default SMTP_TO)"
  SMTP_TO="$(_clean_email_header "$SMTP_TO")"
  if [ -z "$SMTP_TO" ]; then
    _err "You must define SMTP_TO as the recipient email address(es)."
    return 1
  fi
  if _email_has_display_name "$SMTP_TO"; then
    _err "SMTP_TO must be only simple email addresses (to@example.com,to2@example.com)."
    _err "Change your SMTP_TO='$SMTP_TO' to remove the display name(s)."
    return 1
  fi
  _debug SMTP_TO "$SMTP_TO"
  _saveaccountconf_mutable_default SMTP_TO "$SMTP_TO"
  SMTP_HOST="$(_readaccountconf_mutable_default SMTP_HOST)"
  if [ -z "$SMTP_HOST" ]; then
    _err "You must define SMTP_HOST as the SMTP server hostname."
    return 1
  fi
  _debug SMTP_HOST "$SMTP_HOST"
  _saveaccountconf_mutable_default SMTP_HOST "$SMTP_HOST"
  SMTP_SECURE="$(_readaccountconf_mutable_default SMTP_SECURE "$SMTP_SECURE_DEFAULT")"
  case "$SMTP_SECURE" in
  "none") smtp_port_default="25" ;;
  "ssl") smtp_port_default="465" ;;
  "tls") smtp_port_default="587" ;;
  *)
    _err "Invalid SMTP_SECURE='$SMTP_SECURE'. It must be 'ssl', 'tls' or 'none'."
    return 1
    ;;
  esac
  _debug SMTP_SECURE "$SMTP_SECURE"
  _saveaccountconf_mutable_default SMTP_SECURE "$SMTP_SECURE" "$SMTP_SECURE_DEFAULT"
  SMTP_PORT="$(_readaccountconf_mutable_default SMTP_PORT "$smtp_port_default")"
  case "$SMTP_PORT" in
  *[!0-9]*)
    _err "Invalid SMTP_PORT='$SMTP_PORT'. It must be a port number."
    return 1
    ;;
  esac
  _debug SMTP_PORT "$SMTP_PORT"
  _saveaccountconf_mutable_default SMTP_PORT "$SMTP_PORT" "$smtp_port_default"
  SMTP_USERNAME="$(_readaccountconf_mutable_default SMTP_USERNAME)"
  _debug SMTP_USERNAME "$SMTP_USERNAME"
  _saveaccountconf_mutable_default SMTP_USERNAME "$SMTP_USERNAME"
  SMTP_PASSWORD="$(_readaccountconf_mutable_default SMTP_PASSWORD)"
  _secure_debug SMTP_PASSWORD "$SMTP_PASSWORD"
  _saveaccountconf_mutable_default SMTP_PASSWORD "$SMTP_PASSWORD"
  SMTP_TIMEOUT="$(_readaccountconf_mutable_default SMTP_TIMEOUT "$SMTP_TIMEOUT_DEFAULT")"
  _debug SMTP_TIMEOUT "$SMTP_TIMEOUT"
  _saveaccountconf_mutable_default SMTP_TIMEOUT "$SMTP_TIMEOUT" "$SMTP_TIMEOUT_DEFAULT"
  SMTP_X_MAILER="$(_clean_email_header "$PROJECT_NAME $VER --notify-hook smtp")"
  # Run with --debug 2 (or above) to echo the transcript of the SMTP session.
  # Careful: this may include SMTP_PASSWORD in plaintext!
  if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
    SMTP_SHOW_TRANSCRIPT="True"
  else
    SMTP_SHOW_TRANSCRIPT=""
  fi
  SMTP_SUBJECT=$(_clean_email_header "$SMTP_SUBJECT")
  _debug SMTP_SUBJECT "$SMTP_SUBJECT"
  _debug SMTP_CONTENT "$SMTP_CONTENT"
  # Send the message:
  case "$(basename "$SMTP_BIN")" in
  curl) _smtp_send=_smtp_send_curl ;;
  py*) _smtp_send=_smtp_send_python ;;
  *)
    _err "Can't figure out how to invoke '$SMTP_BIN'."
    _err "Check your SMTP_BIN setting."
    return 1
    ;;
  esac
  if ! smtp_output="$($_smtp_send)"; then
    _err "Error sending message with $SMTP_BIN."
    if [ -n "$smtp_output" ]; then
      _err "$smtp_output"
    fi
    return 1
  fi
  return 0
 }
 # Strip CR and NL from text to prevent MIME header injection
 # text
 _clean_email_header() {
  printf "%s" "$(echo "$1" | tr -d "\r\n")"
 }
 # Simple check for display name in an email address (< > or ")
 # email
 _email_has_display_name() {
  _email="$1"
  expr "$_email" : '^.*[<>"]' >/dev/null
 }
 ##
 ## curl smtp sending
 ##
 # Send the message via curl using SMTP_* variables
 _smtp_send_curl() {
  # Build curl args in $@
  case "$SMTP_SECURE" in
  none)
    set -- --url "smtp://${SMTP_HOST}:${SMTP_PORT}"
    ;;
  ssl)
    set -- --url "smtps://${SMTP_HOST}:${SMTP_PORT}"
    ;;
  tls)
    set -- --url "smtp://${SMTP_HOST}:${SMTP_PORT}" --ssl-reqd
    ;;
  *)
    # This will only occur if someone adds a new SMTP_SECURE option above
    # without updating this code for it.
    _err "Unhandled SMTP_SECURE='$SMTP_SECURE' in _smtp_send_curl"
    _err "Please re-run with --debug and report a bug."
    return 1
    ;;
  esac
  set -- "$@" \
    --upload-file - \
    --mail-from "$SMTP_FROM" \
    --max-time "$SMTP_TIMEOUT"
  # Burst comma-separated $SMTP_TO into individual --mail-rcpt args.
  _to="${SMTP_TO},"
  while [ -n "$_to" ]; do
    _rcpt="${_to%%,*}"
    _to="${_to#*,}"
    set -- "$@" --mail-rcpt "$_rcpt"
  done
  _smtp_login="${SMTP_USERNAME}:${SMTP_PASSWORD}"
  if [ "$_smtp_login" != ":" ]; then
    set -- "$@" --user "$_smtp_login"
  fi
  if [ "$SMTP_SHOW_TRANSCRIPT" = "True" ]; then
    set -- "$@" --verbose
  else
    set -- "$@" --silent --show-error
  fi
  raw_message="$(_smtp_raw_message)"
  _debug2 "curl command:" "$SMTP_BIN" "$*"
  _debug2 "raw_message:\n$raw_message"
  echo "$raw_message" | "$SMTP_BIN" "$@"
 }
 # Output an RFC-822 / RFC-5322 email message using SMTP_* variables.
 # (This assumes variables have already been cleaned for use in email headers.)
 _smtp_raw_message() {
  echo "From: $SMTP_FROM"
  echo "To: $SMTP_TO"
  echo "Subject: $(_mime_encoded_word "$SMTP_SUBJECT")"
  echo "Date: $(_rfc2822_date)"
  echo "Content-Type: text/plain; charset=utf-8"
  echo "X-Mailer: $SMTP_X_MAILER"
  echo
  echo "$SMTP_CONTENT"
 }
 # Convert text to RFC-2047 MIME "encoded word" format if it contains non-ASCII chars
 # text
 _mime_encoded_word() {
  _text="$1"
  # (regex character ranges like [a-z] can be locale-dependent; enumerate ASCII chars to avoid that)
  _ascii='] $`"'"[!#%&'()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ~^_abcdefghijklmnopqrstuvwxyz{|}~-"
  if expr "$_text" : "^.*[^$_ascii]" >/dev/null; then
    # At least one non-ASCII char; convert entire thing to encoded word
    printf "%s" "=?UTF-8?B?$(printf "%s" "$_text" | _base64)?="
  else
    # Just printable ASCII, no conversion needed
    printf "%s" "$_text"
  fi
 }
 # Output current date in RFC-2822 Section 3.3 format as required in email headers
 # (e.g., "Mon, 15 Feb 2021 14:22:01 -0800")
 _rfc2822_date() {
  # Notes:
  #   - this is deliberately not UTC, because it "SHOULD express local time" per spec
  #   - the spec requires weekday and month in the C locale (English), not localized
  #   - this date format specifier has been tested on Linux, Mac, Solaris and FreeBSD
  _old_lc_time="$LC_TIME"
  LC_TIME=C
  date +'%a, %-d %b %Y %H:%M:%S %z'
  LC_TIME="$_old_lc_time"
 }
 ##
 ## Python smtp sending
 ##
 # Send the message via Python using SMTP_* variables
 _smtp_send_python() {
  _debug "Python version" "$("$SMTP_BIN" --version 2>&1)"
  # language=Python
  "$SMTP_BIN" <<PYTHON
 # This code is meant to work with either Python 2.7.x or Python 3.4+.
 try:
    try:
        from email.message import EmailMessage
        from email.policy import default as email_policy_default
    except ImportError:
        # Python 2 (or < 3.3)
        from email.mime.text import MIMEText as EmailMessage
        email_policy_default = None
    from email.utils import formatdate as rfc2822_date
    from smtplib import SMTP, SMTP_SSL, SMTPException
    from socket import error as SocketError
 except ImportError as err:
    print("A required Python standard package is missing. This system may have"
          " a reduced version of Python unsuitable for sending mail: %s" % err)
    exit(1)
 show_transcript = """$SMTP_SHOW_TRANSCRIPT""" == "True"
 smtp_host = """$SMTP_HOST"""
 smtp_port = int("""$SMTP_PORT""")
 smtp_secure = """$SMTP_SECURE"""
 username = """$SMTP_USERNAME"""
 password = """$SMTP_PASSWORD"""
 timeout=int("""$SMTP_TIMEOUT""")  # seconds
 x_mailer="""$SMTP_X_MAILER"""
 from_email="""$SMTP_FROM"""
 to_emails="""$SMTP_TO"""  # can be comma-separated
 subject="""$SMTP_SUBJECT"""
 content="""$SMTP_CONTENT"""
 try:
    msg = EmailMessage(policy=email_policy_default)
    msg.set_content(content)
 except (AttributeError, TypeError):
    # Python 2 MIMEText
    msg = EmailMessage(content)
 msg["Subject"] = subject
 msg["From"] = from_email
 msg["To"] = to_emails
 msg["Date"] = rfc2822_date(localtime=True)
 msg["X-Mailer"] = x_mailer
 smtp = None
 try:
    if smtp_secure == "ssl":
        smtp = SMTP_SSL(smtp_host, smtp_port, timeout=timeout)
    else:
        smtp = SMTP(smtp_host, smtp_port, timeout=timeout)
    smtp.set_debuglevel(show_transcript)
    if smtp_secure == "tls":
        smtp.starttls()
    if username or password:
        smtp.login(username, password)
    smtp.sendmail(msg["From"], msg["To"].split(","), msg.as_string())
 except SMTPException as err:
    # Output just the error (skip the Python stack trace) for SMTP errors
    print("Error sending: %r" % err)
    exit(1)
 except SocketError as err:
    print("Error connecting to %s:%d: %r" % (smtp_host, smtp_port, err))
    exit(1)
 finally:
    if smtp is not None:
        smtp.quit()
 PYTHON
 }
 ##
 ## Conf helpers
 ##
 #_readaccountconf_mutable_default name default_value
 # Given a name like MY_CONF:
 #   - if MY_CONF is set and non-empty, output $MY_CONF
 #   - if MY_CONF is set _empty_, output $default_value
 #     (lets user `export MY_CONF=` to clear previous saved value
 #     and return to default, without user having to know default)
 #   - otherwise if _readaccountconf_mutable MY_CONF is non-empty, return that
 #     (value of SAVED_MY_CONF from account.conf)
 #   - otherwise output $default_value
 _readaccountconf_mutable_default() {
  _name="$1"
  _default_value="$2"
  eval "_value=\"\$$_name\""
  eval "_name_is_set=\"\${${_name}+true}\""
  # ($_name_is_set is "true" if $$_name is set to anything, including empty)
  if [ -z "${_value}" ] && [ "${_name_is_set:-}" != "true" ]; then
    _value="$(_readaccountconf_mutable "$_name")"
  fi
  if [ -z "${_value}" ]; then
    _value="$_default_value"
  fi
  printf "%s" "$_value"
 }
 #_saveaccountconf_mutable_default name value default_value base64encode
 # Like _saveaccountconf_mutable, but if value is default_value
 # then _clearaccountconf_mutable instead
 _saveaccountconf_mutable_default() {
  _name="$1"
  _value="$2"
  _default_value="$3"
  _base64encode="$4"
  if [ "$_value" != "$_default_value" ]; then
    _saveaccountconf_mutable "$_name" "$_value" "$_base64encode"
  else
    _clearaccountconf_mutable "$_name"
  fi
 }
--- a/notify/telegram.sh
+++ b/notify/telegram.sh
@ -0,0 +1,52 @@
 #!/usr/bin/env sh
 #Support Telegram Bots
 #TELEGRAM_BOT_APITOKEN=""
 #TELEGRAM_BOT_CHATID=""
 telegram_send() {
  _subject="$1"
  _content="$2"
  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
  _debug "_statusCode" "$_statusCode"
  TELEGRAM_BOT_APITOKEN="${TELEGRAM_BOT_APITOKEN:-$(_readaccountconf_mutable TELEGRAM_BOT_APITOKEN)}"
  if [ -z "$TELEGRAM_BOT_APITOKEN" ]; then
    TELEGRAM_BOT_APITOKEN=""
    _err "You didn't specify a Telegram BOT API Token TELEGRAM_BOT_APITOKEN yet."
    return 1
  fi
  _saveaccountconf_mutable TELEGRAM_BOT_APITOKEN "$TELEGRAM_BOT_APITOKEN"
  TELEGRAM_BOT_CHATID="${TELEGRAM_BOT_CHATID:-$(_readaccountconf_mutable TELEGRAM_BOT_CHATID)}"
  if [ -z "$TELEGRAM_BOT_CHATID" ]; then
    TELEGRAM_BOT_CHATID=""
    _err "You didn't specify a Telegram Chat id TELEGRAM_BOT_CHATID yet."
    return 1
  fi
  _saveaccountconf_mutable TELEGRAM_BOT_CHATID "$TELEGRAM_BOT_CHATID"
  _content="$(printf "%s" "$_content" | sed -e 's/*/\\\\*/')"
  _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)"
  _data="{\"text\": \"$_content\", "
  _data="$_data\"chat_id\": \"$TELEGRAM_BOT_CHATID\", "
  _data="$_data\"parse_mode\": \"markdown\", "
  _data="$_data\"disable_web_page_preview\": \"1\"}"
  _debug "$_data"
  export _H1="Content-Type: application/json"
  _telegram_bot_url="https://api.telegram.org/bot${TELEGRAM_BOT_APITOKEN}/sendMessage"
  if _post "$_data" "$_telegram_bot_url" >/dev/null; then
    # shellcheck disable=SC2154
    _message=$(printf "%s\n" "$response" | sed -n 's/.*"ok":\([^,]*\).*/\1/p')
    if [ "$_message" = "true" ]; then
      _info "telegram send success."
      return 0
    fi
  fi
  _err "telegram send error."
  _err "$response"
  return 1
 }