Merge pull request #3534 from acmesh-official/dev

sync

.github/workflows/LetsEncrypt.yml

@@ -15,30 +15,9 @@ on:
 
 
 jobs:
-  CheckToken:
-    runs-on: ubuntu-latest
-    outputs:
-      hasToken: ${{ steps.step_one.outputs.hasToken }}
-    env: 
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
-    steps:
-      - name: Set the value
-        id: step_one
-        run: |
-          if [ "$NGROK_TOKEN" ] ; then
-            echo "::set-output name=hasToken::true"
-          else
-            echo "::set-output name=hasToken::false"
-          fi
-      - name: Check the value
-        run: echo ${{ steps.step_one.outputs.hasToken }}
-
   Ubuntu:
     runs-on: ubuntu-latest
-    needs: CheckToken
-    if: "contains(needs.CheckToken.outputs.hasToken, 'true')"
     env:
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
       TEST_LOCAL: 1
     steps:
     - uses: actions/checkout@v2
@@ -51,9 +30,7 @@ jobs:
 
   MacOS:
     runs-on: macos-latest
-    needs: Ubuntu
     env:
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
       TEST_LOCAL: 1
     steps:
     - uses: actions/checkout@v2
@@ -66,11 +43,9 @@ jobs:
 
   Windows:
     runs-on: windows-latest
-    needs: MacOS
     env:
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
       TEST_LOCAL: 1
-      #The 80 port is used by Windows server, we have to use a custom port, ngrok will also use this port.
+      #The 80 port is used by Windows server, we have to use a custom port, tunnel will also use this port.
       Le_HTTPPort: 8888
     steps:
     - name: Set git to use LF
@@ -103,17 +78,24 @@ jobs:
 
   FreeBSD:
     runs-on: macos-latest
-    needs: Windows
     env:
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
       TEST_LOCAL: 1
     steps:
     - uses: actions/checkout@v2
+    - uses: vmactions/cf-tunnel@v0.0.2
+      id: tunnel
+      with:
+        protocol: http
+        port: 8080
+    - name: Set envs
+      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
     - uses: vmactions/freebsd-vm@v0.1.4
       with:
-        envs: 'NGROK_TOKEN TEST_LOCAL'
+        envs: 'TEST_LOCAL TestingDomain'
+        nat: |
+          "8080": "80"
         prepare: pkg install -y socat curl
         usesh: true
         run: |
@@ -121,19 +103,17 @@ jobs:
 
   Solaris:
     runs-on: macos-latest
-    needs: FreeBSD
     env:
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
       TEST_LOCAL: 1
     steps:
     - uses: actions/checkout@v2
-    - uses: vmactions/ngrok-tunnel@v0.0.1
+    - uses: vmactions/cf-tunnel@v0.0.2
-      id: ngrok
+      id: tunnel
       with:
         protocol: http
         port: 8080
     - name: Set envs
-      run: echo "TestingDomain=${{steps.ngrok.outputs.server}}" >> $GITHUB_ENV
+      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
     - uses: vmactions/solaris-vm@v0.0.3

acme.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-VER=2.8.9
+VER=2.9.0
 
 PROJECT_NAME="acme.sh"
 
@@ -20,9 +20,6 @@ _SUB_FOLDER_DEPLOY="deploy"
 
 _SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY"
 
-LETSENCRYPT_CA_V1="https://acme-v01.api.letsencrypt.org/directory"
-LETSENCRYPT_STAGING_CA_V1="https://acme-staging.api.letsencrypt.org/directory"
-
 CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory"
 CA_LETSENCRYPT_V2_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"
 
@@ -2072,17 +2069,15 @@ _send_signed_request() {
       _sleep 2
       continue
     fi
-    if [ "$ACME_VERSION" = "2" ]; then
+
-      if [ "$url" = "$ACME_NEW_ACCOUNT" ]; then
+    if [ "$url" = "$ACME_NEW_ACCOUNT" ]; then
-        protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
-      elif [ "$url" = "$ACME_REVOKE_CERT" ] && [ "$keyfile" != "$ACCOUNT_KEY_PATH" ]; then
-        protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
-      else
-        protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}'
-      fi
-    else
       protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+    elif [ "$url" = "$ACME_REVOKE_CERT" ] && [ "$keyfile" != "$ACCOUNT_KEY_PATH" ]; then
+      protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+    else
+      protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}'
     fi
+
     _debug3 protected "$protected"
 
     protected64="$(printf "%s" "$protected" | _base64 | _url_replace)"
@@ -2543,67 +2538,31 @@ _initAPI() {
     response=$(_get "$_api_server")
     if [ "$?" != "0" ]; then
       _debug2 "response" "$response"
-      _err "Can not init api."
+      _err "Can not init api for: $_api_server."
       return 1
     fi
     response=$(echo "$response" | _json_decode)
     _debug2 "response" "$response"
 
-    ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'key-change" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3)
-    if [ -z "$ACME_KEY_CHANGE" ]; then
-      ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3)
-    fi
     export ACME_KEY_CHANGE
 
-    ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3)
-    if [ -z "$ACME_NEW_AUTHZ" ]; then
-      ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3)
-    fi
     export ACME_NEW_AUTHZ
 
-    ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3)
-    ACME_NEW_ORDER_RES="new-cert"
-    if [ -z "$ACME_NEW_ORDER" ]; then
-      ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3)
-      ACME_NEW_ORDER_RES="new-order"
-      if [ -z "$ACME_NEW_ORDER" ]; then
-        ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3)
-      fi
-    fi
     export ACME_NEW_ORDER
-    export ACME_NEW_ORDER_RES
 
-    ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
-    ACME_NEW_ACCOUNT_RES="new-reg"
-    if [ -z "$ACME_NEW_ACCOUNT" ]; then
-      ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3)
-      ACME_NEW_ACCOUNT_RES="new-account"
-      if [ -z "$ACME_NEW_ACCOUNT" ]; then
-        ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
-        if [ "$ACME_NEW_ACCOUNT" ]; then
-          export ACME_VERSION=2
-        fi
-      fi
-    fi
     export ACME_NEW_ACCOUNT
-    export ACME_NEW_ACCOUNT_RES
 
-    ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
-    if [ -z "$ACME_REVOKE_CERT" ]; then
-      ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
-    fi
     export ACME_REVOKE_CERT
 
-    ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'new-nonce" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3)
-    if [ -z "$ACME_NEW_NONCE" ]; then
-      ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3)
-    fi
     export ACME_NEW_NONCE
 
-    ACME_AGREEMENT=$(echo "$response" | _egrep_o 'terms-of-service" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3)
-    if [ -z "$ACME_AGREEMENT" ]; then
-      ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3)
-    fi
     export ACME_AGREEMENT
 
     _debug "ACME_KEY_CHANGE" "$ACME_KEY_CHANGE"
@@ -2613,7 +2572,6 @@ _initAPI() {
     _debug "ACME_REVOKE_CERT" "$ACME_REVOKE_CERT"
     _debug "ACME_AGREEMENT" "$ACME_AGREEMENT"
     _debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE"
-    _debug "ACME_VERSION" "$ACME_VERSION"
 
   fi
 }
@@ -3563,68 +3521,62 @@ _regAccount() {
   if [ "$_email" ]; then
     _savecaconf "CA_EMAIL" "$_email"
   fi
-  if [ "$ACME_VERSION" = "2" ]; then
+
-    if [ "$ACME_DIRECTORY" = "$CA_ZEROSSL" ]; then
+  if [ "$ACME_DIRECTORY" = "$CA_ZEROSSL" ]; then
-      if [ -z "$_eab_id" ] || [ -z "$_eab_hmac_key" ]; then
+    if [ -z "$_eab_id" ] || [ -z "$_eab_hmac_key" ]; then
-        _info "No EAB credentials found for ZeroSSL, let's get one"
+      _info "No EAB credentials found for ZeroSSL, let's get one"
-        if [ -z "$_email" ]; then
+      if [ -z "$_email" ]; then
-          _err "Please provide a email address for ZeroSSL account."
+        _err "Please provide a email address for ZeroSSL account."
-          _err "See ZeroSSL usage: $_ZEROSSL_WIKI"
+        _err "See ZeroSSL usage: $_ZEROSSL_WIKI"
-          return 1
+        return 1
-        fi
-        _eabresp=$(_post "email=$_email" $_ZERO_EAB_ENDPOINT)
-        if [ "$?" != "0" ]; then
-          _debug2 "$_eabresp"
-          _err "Can not get EAB credentials from ZeroSSL."
-          return 1
-        fi
-        _eab_id="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
-        if [ -z "$_eab_id" ]; then
-          _err "Can not resolve _eab_id"
-          return 1
-        fi
-        _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')"
-        if [ -z "$_eab_hmac_key" ]; then
-          _err "Can not resolve _eab_hmac_key"
-          return 1
-        fi
-        _savecaconf CA_EAB_KEY_ID "$_eab_id"
-        _savecaconf CA_EAB_HMAC_KEY "$_eab_hmac_key"
       fi
-    fi
+      _eabresp=$(_post "email=$_email" $_ZERO_EAB_ENDPOINT)
-    if [ "$_eab_id" ] && [ "$_eab_hmac_key" ]; then
+      if [ "$?" != "0" ]; then
-      eab_protected="{\"alg\":\"HS256\",\"kid\":\"$_eab_id\",\"url\":\"${ACME_NEW_ACCOUNT}\"}"
+        _debug2 "$_eabresp"
-      _debug3 eab_protected "$eab_protected"
+        _err "Can not get EAB credentials from ZeroSSL."
-
+        return 1
-      eab_protected64=$(printf "%s" "$eab_protected" | _base64 | _url_replace)
+      fi
-      _debug3 eab_protected64 "$eab_protected64"
+      _debug2 "$_eabresp"
-
+      _eab_id="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
-      eab_payload64=$(printf "%s" "$jwk" | _base64 | _url_replace)
+      if [ -z "$_eab_id" ]; then
-      _debug3 eab_payload64 "$eab_payload64"
+        _err "Can not resolve _eab_id"
-
+        return 1
-      eab_sign_t="$eab_protected64.$eab_payload64"
+      fi
-      _debug3 eab_sign_t "$eab_sign_t"
+      _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')"
-
+      if [ -z "$_eab_hmac_key" ]; then
-      key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 | _hex_dump | tr -d ' ')"
+        _err "Can not resolve _eab_hmac_key"
-      _debug3 key_hex "$key_hex"
+        return 1
-
+      fi
-      eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace)
+      _savecaconf CA_EAB_KEY_ID "$_eab_id"
-      _debug3 eab_signature "$eab_signature"
+      _savecaconf CA_EAB_HMAC_KEY "$_eab_hmac_key"
-
-      externalBinding=",\"externalAccountBinding\":{\"protected\":\"$eab_protected64\", \"payload\":\"$eab_payload64\", \"signature\":\"$eab_signature\"}"
-      _debug3 externalBinding "$externalBinding"
-    fi
-    if [ "$_email" ]; then
-      email_sg="\"contact\": [\"mailto:$_email\"], "
-    fi
-    regjson="{$email_sg\"termsOfServiceAgreed\": true$externalBinding}"
-  else
-    _reg_res="$ACME_NEW_ACCOUNT_RES"
-    regjson='{"resource": "'$_reg_res'", "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
-    if [ "$_email" ]; then
-      regjson='{"resource": "'$_reg_res'", "contact": ["mailto:'$_email'"], "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
     fi
   fi
+  if [ "$_eab_id" ] && [ "$_eab_hmac_key" ]; then
+    eab_protected="{\"alg\":\"HS256\",\"kid\":\"$_eab_id\",\"url\":\"${ACME_NEW_ACCOUNT}\"}"
+    _debug3 eab_protected "$eab_protected"
+
+    eab_protected64=$(printf "%s" "$eab_protected" | _base64 | _url_replace)
+    _debug3 eab_protected64 "$eab_protected64"
+
+    eab_payload64=$(printf "%s" "$jwk" | _base64 | _url_replace)
+    _debug3 eab_payload64 "$eab_payload64"
+
+    eab_sign_t="$eab_protected64.$eab_payload64"
+    _debug3 eab_sign_t "$eab_sign_t"
+
+    key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 | _hex_dump | tr -d ' ')"
+    _debug3 key_hex "$key_hex"
+
+    eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace)
+    _debug3 eab_signature "$eab_signature"
+
+    externalBinding=",\"externalAccountBinding\":{\"protected\":\"$eab_protected64\", \"payload\":\"$eab_payload64\", \"signature\":\"$eab_signature\"}"
+    _debug3 externalBinding "$externalBinding"
+  fi
+  if [ "$_email" ]; then
+    email_sg="\"contact\": [\"mailto:$_email\"], "
+  fi
+  regjson="{$email_sg\"termsOfServiceAgreed\": true$externalBinding}"
 
   _info "Registering account: $ACME_DIRECTORY"
 
@@ -3709,20 +3661,13 @@ updateaccount() {
   _initAPI
 
   _email="$(_getAccountEmail)"
-  if [ "$ACME_VERSION" = "2" ]; then
+
-    if [ "$ACCOUNT_EMAIL" ]; then
+  if [ "$ACCOUNT_EMAIL" ]; then
-      updjson='{"contact": ["mailto:'$_email'"]}'
+    updjson='{"contact": ["mailto:'$_email'"]}'
-    else
-      updjson='{"contact": []}'
-    fi
   else
-    # ACMEv1: Updates happen the same way a registration is done.
+    updjson='{"contact": []}'
-    # https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-6.3
-    _regAccount
-    return
   fi
 
-  # this part handles ACMEv2 account updates.
   _send_signed_request "$_accUri" "$updjson"
 
   if [ "$code" = '200' ]; then
@@ -3767,11 +3712,8 @@ deactivateaccount() {
   fi
   _initAPI
 
-  if [ "$ACME_VERSION" = "2" ]; then
+  _djson="{\"status\":\"deactivated\"}"
-    _djson="{\"status\":\"deactivated\"}"
+
-  else
-    _djson="{\"resource\": \"reg\", \"status\":\"deactivated\"}"
-  fi
   if _send_signed_request "$_accUri" "$_djson" && _contains "$response" '"deactivated"'; then
     _info "Deactivate account success for $_accUri."
     _accid=$(echo "$response" | _egrep_o "\"id\" *: *[^,]*," | cut -d : -f 2 | tr -d ' ,')
@@ -3876,11 +3818,9 @@ __trigger_validation() {
   _debug2 _t_key_authz "$_t_key_authz"
   _t_vtype="$3"
   _debug2 _t_vtype "$_t_vtype"
-  if [ "$ACME_VERSION" = "2" ]; then
+
-    _send_signed_request "$_t_url" "{}"
+  _send_signed_request "$_t_url" "{}"
-  else
+
-    _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}"
-  fi
 }
 
 #endpoint  domain type
@@ -4192,7 +4132,9 @@ issue() {
 
   _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
 
-  _initAPI
+  if ! _initAPI; then
+    return 1
+  fi
 
   if [ -f "$DOMAIN_CONF" ]; then
     Le_NextRenewTime=$(_readdomainconf Le_NextRenewTime)
@@ -4296,74 +4238,72 @@ issue() {
   sep='#'
   dvsep=','
   if [ -z "$vlist" ]; then
-    if [ "$ACME_VERSION" = "2" ]; then
+    #make new order request
-      #make new order request
+    _identifiers="{\"type\":\"dns\",\"value\":\"$(_idn "$_main_domain")\"}"
-      _identifiers="{\"type\":\"dns\",\"value\":\"$(_idn "$_main_domain")\"}"
+    _w_index=1
-      _w_index=1
+    while true; do
-      while true; do
+      d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
-        d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
+      _w_index="$(_math "$_w_index" + 1)"
-        _w_index="$(_math "$_w_index" + 1)"
+      _debug d "$d"
-        _debug d "$d"
+      if [ -z "$d" ]; then
-        if [ -z "$d" ]; then
+        break
-          break
-        fi
-        _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$(_idn "$d")\"}"
-      done
-      _debug2 _identifiers "$_identifiers"
-      if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
-        _err "Create new order error."
-        _clearup
-        _on_issue_err "$_post_hook"
-        return 1
       fi
-      Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
+      _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$(_idn "$d")\"}"
-      _debug Le_LinkOrder "$Le_LinkOrder"
+    done
-      Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
+    _debug2 _identifiers "$_identifiers"
-      _debug Le_OrderFinalize "$Le_OrderFinalize"
+    if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
-      if [ -z "$Le_OrderFinalize" ]; then
+      _err "Create new order error."
-        _err "Create new order error. Le_OrderFinalize not found. $response"
+      _clearup
-        _clearup
+      _on_issue_err "$_post_hook"
-        _on_issue_err "$_post_hook"
+      return 1
-        return 1
-      fi
-
-      #for dns manual mode
-      _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
-
-      _authorizations_seg="$(echo "$response" | _json_decode | _egrep_o '"authorizations" *: *\[[^\[]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
-      _debug2 _authorizations_seg "$_authorizations_seg"
-      if [ -z "$_authorizations_seg" ]; then
-        _err "_authorizations_seg not found."
-        _clearup
-        _on_issue_err "$_post_hook"
-        return 1
-      fi
-
-      #domain and authz map
-      _authorizations_map=""
-      for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
-        _debug2 "_authz_url" "$_authz_url"
-        if ! _send_signed_request "$_authz_url"; then
-          _err "get to authz error."
-          _err "_authorizations_seg" "$_authorizations_seg"
-          _err "_authz_url" "$_authz_url"
-          _clearup
-          _on_issue_err "$_post_hook"
-          return 1
-        fi
-
-        response="$(echo "$response" | _normalizeJson)"
-        _debug2 response "$response"
-        _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
-        if _contains "$response" "\"wildcard\" *: *true"; then
-          _d="*.$_d"
-        fi
-        _debug2 _d "$_d"
-        _authorizations_map="$_d,$response
-$_authorizations_map"
-      done
-      _debug2 _authorizations_map "$_authorizations_map"
     fi
+    Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
+    _debug Le_LinkOrder "$Le_LinkOrder"
+    Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
+    _debug Le_OrderFinalize "$Le_OrderFinalize"
+    if [ -z "$Le_OrderFinalize" ]; then
+      _err "Create new order error. Le_OrderFinalize not found. $response"
+      _clearup
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+
+    #for dns manual mode
+    _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
+
+    _authorizations_seg="$(echo "$response" | _json_decode | _egrep_o '"authorizations" *: *\[[^\[]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+    _debug2 _authorizations_seg "$_authorizations_seg"
+    if [ -z "$_authorizations_seg" ]; then
+      _err "_authorizations_seg not found."
+      _clearup
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+
+    #domain and authz map
+    _authorizations_map=""
+    for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
+      _debug2 "_authz_url" "$_authz_url"
+      if ! _send_signed_request "$_authz_url"; then
+        _err "get to authz error."
+        _err "_authorizations_seg" "$_authorizations_seg"
+        _err "_authz_url" "$_authz_url"
+        _clearup
+        _on_issue_err "$_post_hook"
+        return 1
+      fi
+
+      response="$(echo "$response" | _normalizeJson)"
+      _debug2 response "$response"
+      _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
+      if _contains "$response" "\"wildcard\" *: *true"; then
+        _d="*.$_d"
+      fi
+      _debug2 _d "$_d"
+      _authorizations_map="$_d,$response
+$_authorizations_map"
+    done
+    _debug2 _authorizations_map "$_authorizations_map"
 
     _index=0
     _currentRoot=""
@@ -4394,33 +4334,25 @@ $_authorizations_map"
         vtype="$VTYPE_ALPN"
       fi
 
-      if [ "$ACME_VERSION" = "2" ]; then
+      _idn_d="$(_idn "$d")"
-        _idn_d="$(_idn "$d")"
+      _candidates="$(echo "$_authorizations_map" | grep -i "^$_idn_d,")"
-        _candidates="$(echo "$_authorizations_map" | grep -i "^$_idn_d,")"
+      _debug2 _candidates "$_candidates"
-        _debug2 _candidates "$_candidates"
+      if [ "$(echo "$_candidates" | wc -l)" -gt 1 ]; then
-        if [ "$(echo "$_candidates" | wc -l)" -gt 1 ]; then
+        for _can in $_candidates; do
-          for _can in $_candidates; do
+          if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then
-            if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then
+            _candidates="$_can"
-              _candidates="$_can"
+            break
-              break
+          fi
-            fi
+        done
-          done
+      fi
-        fi
+      response="$(echo "$_candidates" | sed "s/$_idn_d,//")"
-        response="$(echo "$_candidates" | sed "s/$_idn_d,//")"
+      _debug2 "response" "$response"
-        _debug2 "response" "$response"
+      if [ -z "$response" ]; then
-        if [ -z "$response" ]; then
+        _err "get to authz error."
-          _err "get to authz error."
+        _err "_authorizations_map" "$_authorizations_map"
-          _err "_authorizations_map" "$_authorizations_map"
+        _clearup
-          _clearup
+        _on_issue_err "$_post_hook"
-          _on_issue_err "$_post_hook"
+        return 1
-          return 1
-        fi
-      else
-        if ! __get_domain_new_authz "$d"; then
-          _clearup
-          _on_issue_err "$_post_hook"
-          return 1
-        fi
       fi
 
       if [ -z "$thumbprint" ]; then
@@ -4461,11 +4393,9 @@ $_authorizations_map"
           _on_issue_err "$_post_hook"
           return 1
         fi
-        if [ "$ACME_VERSION" = "2" ]; then
+
-          uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
+        uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
-        else
+
-          uri="$(echo "$entry" | _egrep_o '"uri":"[^"]*' | cut -d '"' -f 4)"
-        fi
         _debug uri "$uri"
 
         if [ -z "$uri" ]; then
@@ -4763,11 +4693,9 @@ $_authorizations_map"
       _debug "sleep 2 secs to verify"
       sleep 2
       _debug "checking"
-      if [ "$ACME_VERSION" = "2" ]; then
+
-        _send_signed_request "$uri"
+      _send_signed_request "$uri"
-      else
+
-        response="$(_get "$uri")"
-      fi
       if [ "$?" != "0" ]; then
         _err "$d:Verify error:$response"
         _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
@@ -4781,15 +4709,8 @@ $_authorizations_map"
       _debug2 response "$response"
 
       status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
-      if _contains "$status" "valid"; then
-        _info "$(__green Success)"
-        _stopserver "$serverproc"
-        serverproc=""
-        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
-        break
-      fi
 
-      if [ "$status" = "invalid" ]; then
+      if _contains "$status" "invalid"; then
         error="$(echo "$response" | _egrep_o '"error":\{[^\}]*')"
         _debug2 error "$error"
         errordetail="$(echo "$error" | _egrep_o '"detail": *"[^"]*' | cut -d '"' -f 4)"
@@ -4811,6 +4732,14 @@ $_authorizations_map"
         return 1
       fi
 
+      if _contains "$status" "valid"; then
+        _info "$(__green Success)"
+        _stopserver "$serverproc"
+        serverproc=""
+        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
+        break
+      fi
+
       if [ "$status" = "pending" ]; then
         _info "Pending"
       elif [ "$status" = "processing" ]; then
@@ -4831,150 +4760,127 @@ $_authorizations_map"
   _info "Verify finished, start to sign."
   der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
 
-  if [ "$ACME_VERSION" = "2" ]; then
+  _info "Lets finalize the order."
-    _info "Lets finalize the order."
+  _info "Le_OrderFinalize" "$Le_OrderFinalize"
-    _info "Le_OrderFinalize" "$Le_OrderFinalize"
+  if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
-    if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
+    _err "Sign failed."
-      _err "Sign failed."
+    _on_issue_err "$_post_hook"
-      _on_issue_err "$_post_hook"
+    return 1
-      return 1
+  fi
-    fi
+  if [ "$code" != "200" ]; then
-    if [ "$code" != "200" ]; then
+    _err "Sign failed, finalize code is not 200."
-      _err "Sign failed, finalize code is not 200."
+    _err "$response"
-      _err "$response"
+    _on_issue_err "$_post_hook"
-      _on_issue_err "$_post_hook"
+    return 1
-      return 1
+  fi
-    fi
+  if [ -z "$Le_LinkOrder" ]; then
-    if [ -z "$Le_LinkOrder" ]; then
+    Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n \t" | cut -d ":" -f 2-)"
-      Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n \t" | cut -d ":" -f 2-)"
+  fi
-    fi
 
-    _savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
+  _savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
 
-    _link_cert_retry=0
+  _link_cert_retry=0
-    _MAX_CERT_RETRY=30
+  _MAX_CERT_RETRY=30
-    while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
+  while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
-      if _contains "$response" "\"status\":\"valid\""; then
+    if _contains "$response" "\"status\":\"valid\""; then
-        _debug "Order status is valid."
+      _debug "Order status is valid."
-        Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
+      Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
-        _debug Le_LinkCert "$Le_LinkCert"
+      _debug Le_LinkCert "$Le_LinkCert"
-        if [ -z "$Le_LinkCert" ]; then
+      if [ -z "$Le_LinkCert" ]; then
-          _err "Sign error, can not find Le_LinkCert"
+        _err "Sign error, can not find Le_LinkCert"
-          _err "$response"
+        _err "$response"
-          _on_issue_err "$_post_hook"
+        _on_issue_err "$_post_hook"
-          return 1
+        return 1
-        fi
+      fi
-        break
+      break
-      elif _contains "$response" "\"processing\""; then
+    elif _contains "$response" "\"processing\""; then
-        _info "Order status is processing, lets sleep and retry."
+      _info "Order status is processing, lets sleep and retry."
-        _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
+      _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
-        _debug "_retryafter" "$_retryafter"
+      _debug "_retryafter" "$_retryafter"
-        if [ "$_retryafter" ]; then
+      if [ "$_retryafter" ]; then
-          _info "Retry after: $_retryafter"
+        _info "Retry after: $_retryafter"
-          _sleep $_retryafter
+        _sleep $_retryafter
-        else
-          _sleep 2
-        fi
       else
-        _err "Sign error, wrong status"
+        _sleep 2
-        _err "$response"
-        _on_issue_err "$_post_hook"
-        return 1
       fi
-      #the order is processing, so we are going to poll order status
+    else
-      if [ -z "$Le_LinkOrder" ]; then
+      _err "Sign error, wrong status"
-        _err "Sign error, can not get order link location header"
-        _err "responseHeaders" "$responseHeaders"
-        _on_issue_err "$_post_hook"
-        return 1
-      fi
-      _info "Polling order status: $Le_LinkOrder"
-      if ! _send_signed_request "$Le_LinkOrder"; then
-        _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
-        _err "$response"
-        _on_issue_err "$_post_hook"
-        return 1
-      fi
-      _link_cert_retry="$(_math $_link_cert_retry + 1)"
-    done
-
-    if [ -z "$Le_LinkCert" ]; then
-      _err "Sign failed, can not get Le_LinkCert, retry time limit."
       _err "$response"
       _on_issue_err "$_post_hook"
       return 1
     fi
-    _info "Downloading cert."
+    #the order is processing, so we are going to poll order status
-    _info "Le_LinkCert" "$Le_LinkCert"
+    if [ -z "$Le_LinkOrder" ]; then
-    if ! _send_signed_request "$Le_LinkCert"; then
+      _err "Sign error, can not get order link location header"
-      _err "Sign failed, can not download cert:$Le_LinkCert."
+      _err "responseHeaders" "$responseHeaders"
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+    _info "Polling order status: $Le_LinkOrder"
+    if ! _send_signed_request "$Le_LinkOrder"; then
+      _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
       _err "$response"
       _on_issue_err "$_post_hook"
       return 1
     fi
+    _link_cert_retry="$(_math $_link_cert_retry + 1)"
+  done
 
-    echo "$response" >"$CERT_PATH"
+  if [ -z "$Le_LinkCert" ]; then
-    _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
+    _err "Sign failed, can not get Le_LinkCert, retry time limit."
+    _err "$response"
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
+  _info "Downloading cert."
+  _info "Le_LinkCert" "$Le_LinkCert"
+  if ! _send_signed_request "$Le_LinkCert"; then
+    _err "Sign failed, can not download cert:$Le_LinkCert."
+    _err "$response"
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
 
-    if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
+  echo "$response" >"$CERT_PATH"
-      if [ "$DEBUG" ]; then
+  _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
-        _debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
+
-      fi
+  if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
-      if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
+    if [ "$DEBUG" ]; then
-        rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
+      _debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
-        _debug2 "rels" "$rels"
+    fi
-        for rel in $rels; do
+    if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
-          _info "Try rel: $rel"
+      rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
-          if ! _send_signed_request "$rel"; then
+      _debug2 "rels" "$rels"
-            _err "Sign failed, can not download cert:$rel"
+      for rel in $rels; do
-            _err "$response"
+        _info "Try rel: $rel"
-            continue
+        if ! _send_signed_request "$rel"; then
-          fi
+          _err "Sign failed, can not download cert:$rel"
-          _relcert="$CERT_PATH.alt"
+          _err "$response"
-          _relfullchain="$CERT_FULLCHAIN_PATH.alt"
+          continue
-          _relca="$CA_CERT_PATH.alt"
+        fi
-          echo "$response" >"$_relcert"
+        _relcert="$CERT_PATH.alt"
-          _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
+        _relfullchain="$CERT_FULLCHAIN_PATH.alt"
-          if [ "$DEBUG" ]; then
+        _relca="$CA_CERT_PATH.alt"
-            _debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
+        echo "$response" >"$_relcert"
-          fi
+        _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
-          if _match_issuer "$_relfullchain" "$_preferred_chain"; then
+        if [ "$DEBUG" ]; then
-            _info "Matched issuer in: $rel"
+          _debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
-            cat $_relcert >"$CERT_PATH"
+        fi
-            cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
+        if _match_issuer "$_relfullchain" "$_preferred_chain"; then
-            cat $_relca >"$CA_CERT_PATH"
+          _info "Matched issuer in: $rel"
-            rm -f "$_relcert"
+          cat $_relcert >"$CERT_PATH"
-            rm -f "$_relfullchain"
+          cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
-            rm -f "$_relca"
+          cat $_relca >"$CA_CERT_PATH"
-            break
-          fi
           rm -f "$_relcert"
           rm -f "$_relfullchain"
           rm -f "$_relca"
-        done
+          break
-      fi
+        fi
+        rm -f "$_relcert"
+        rm -f "$_relfullchain"
+        rm -f "$_relca"
+      done
     fi
-  else
-    if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
-      _err "Sign failed. $response"
-      _on_issue_err "$_post_hook"
-      return 1
-    fi
-    _rcert="$response"
-    Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
-    echo "$BEGIN_CERT" >"$CERT_PATH"
-
-    #if ! _get "$Le_LinkCert" | _base64 "multiline"  >> "$CERT_PATH" ; then
-    #  _debug "Get cert failed. Let's try last response."
-    #  printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
-    #fi
-
-    if ! printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >>"$CERT_PATH"; then
-      _debug "Try cert link."
-      _get "$Le_LinkCert" | _base64 "multiline" >>"$CERT_PATH"
-    fi
-
-    echo "$END_CERT" >>"$CERT_PATH"
   fi
 
   _debug "Le_LinkCert" "$Le_LinkCert"
@@ -5003,53 +4909,6 @@ $_authorizations_map"
     fi
   fi
 
-  if [ "$ACME_VERSION" = "2" ]; then
-    _debug "v2 chain."
-  else
-    cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
-    Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
-
-    if [ "$Le_LinkIssuer" ]; then
-      if ! _contains "$Le_LinkIssuer" ":"; then
-        _info "$(__red "Relative issuer link found.")"
-        Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer"
-      fi
-      _debug Le_LinkIssuer "$Le_LinkIssuer"
-      _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
-
-      _link_issuer_retry=0
-      _MAX_ISSUER_RETRY=5
-      while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do
-        _debug _link_issuer_retry "$_link_issuer_retry"
-        if [ "$ACME_VERSION" = "2" ]; then
-          if _send_signed_request "$Le_LinkIssuer"; then
-            echo "$response" >"$CA_CERT_PATH"
-            break
-          fi
-        else
-          if _get "$Le_LinkIssuer" >"$CA_CERT_PATH.der"; then
-            echo "$BEGIN_CERT" >"$CA_CERT_PATH"
-            _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
-            echo "$END_CERT" >>"$CA_CERT_PATH"
-            if ! _checkcert "$CA_CERT_PATH"; then
-              _err "Can not get the ca cert."
-              break
-            fi
-            cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
-            rm -f "$CA_CERT_PATH.der"
-            break
-          fi
-        fi
-        _link_issuer_retry=$(_math $_link_issuer_retry + 1)
-        _sleep "$_link_issuer_retry"
-      done
-      if [ "$_link_issuer_retry" = "$_MAX_ISSUER_RETRY" ]; then
-        _err "Max retry for issuer ca cert is reached."
-      fi
-    else
-      _debug "No Le_LinkIssuer header found."
-    fi
-  fi
   [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
   [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
 
@@ -5163,15 +5022,6 @@ renew() {
   . "$DOMAIN_CONF"
   _debug Le_API "$Le_API"
 
-  if [ "$Le_API" = "$LETSENCRYPT_CA_V1" ]; then
-    _cleardomainconf Le_API
-    Le_API="$DEFAULT_CA"
-  fi
-  if [ "$Le_API" = "$LETSENCRYPT_STAGING_CA_V1" ]; then
-    _cleardomainconf Le_API
-    Le_API="$DEFAULT_STAGING_CA"
-  fi
-
   if [ "$Le_API" ]; then
     export ACME_DIRECTORY="$Le_API"
     #reload ca configs
@@ -5386,9 +5236,6 @@ signcsr() {
     return 1
   fi
 
-  if [ -z "$ACME_VERSION" ] && _contains "$_csrsubj,$_csrdomainlist" "*."; then
-    export ACME_VERSION=2
-  fi
   _initpath "$_csrsubj" "$_csrkeylength"
   mkdir -p "$DOMAIN_PATH"
 
@@ -5849,11 +5696,8 @@ revoke() {
 
   _initAPI
 
-  if [ "$ACME_VERSION" = "2" ]; then
+  data="{\"certificate\": \"$cert\",\"reason\":$_reason}"
-    data="{\"certificate\": \"$cert\",\"reason\":$_reason}"
+
-  else
-    data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
-  fi
   uri="${ACME_REVOKE_CERT}"
 
   if [ -f "$CERT_KEY_PATH" ]; then
@@ -5924,49 +5768,34 @@ _deactivate() {
   _d_type="$2"
   _initpath
 
-  if [ "$ACME_VERSION" = "2" ]; then
+  _identifiers="{\"type\":\"dns\",\"value\":\"$_d_domain\"}"
-    _identifiers="{\"type\":\"dns\",\"value\":\"$_d_domain\"}"
+  if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
-    if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
+    _err "Can not get domain new order."
-      _err "Can not get domain new order."
+    return 1
-      return 1
-    fi
-    _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
-    _debug2 _authorizations_seg "$_authorizations_seg"
-    if [ -z "$_authorizations_seg" ]; then
-      _err "_authorizations_seg not found."
-      _clearup
-      _on_issue_err "$_post_hook"
-      return 1
-    fi
-
-    authzUri="$_authorizations_seg"
-    _debug2 "authzUri" "$authzUri"
-    if ! _send_signed_request "$authzUri"; then
-      _err "get to authz error."
-      _err "_authorizations_seg" "$_authorizations_seg"
-      _err "authzUri" "$authzUri"
-      _clearup
-      _on_issue_err "$_post_hook"
-      return 1
-    fi
-
-    response="$(echo "$response" | _normalizeJson)"
-    _debug2 response "$response"
-    _URL_NAME="url"
-  else
-    if ! __get_domain_new_authz "$_d_domain"; then
-      _err "Can not get domain new authz token."
-      return 1
-    fi
-
-    authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ':' -f 2- | tr -d "\r\n")"
-    _debug "authzUri" "$authzUri"
-    if [ "$code" ] && [ ! "$code" = '201' ]; then
-      _err "new-authz error: $response"
-      return 1
-    fi
-    _URL_NAME="uri"
   fi
+  _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+  _debug2 _authorizations_seg "$_authorizations_seg"
+  if [ -z "$_authorizations_seg" ]; then
+    _err "_authorizations_seg not found."
+    _clearup
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
+
+  authzUri="$_authorizations_seg"
+  _debug2 "authzUri" "$authzUri"
+  if ! _send_signed_request "$authzUri"; then
+    _err "get to authz error."
+    _err "_authorizations_seg" "$_authorizations_seg"
+    _err "authzUri" "$authzUri"
+    _clearup
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
+
+  response="$(echo "$response" | _normalizeJson)"
+  _debug2 response "$response"
+  _URL_NAME="url"
 
   entries="$(echo "$response" | tr '][' '==' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n' | grep "\"status\": *\"valid\"")"
   if [ -z "$entries" ]; then
@@ -6021,11 +5850,7 @@ _deactivate() {
 
     _info "Deactivate: $_vtype"
 
-    if [ "$ACME_VERSION" = "2" ]; then
+    _djson="{\"status\":\"deactivated\"}"
-      _djson="{\"status\":\"deactivated\"}"
-    else
-      _djson="{\"resource\": \"authz\", \"status\":\"deactivated\"}"
-    fi
 
     if _send_signed_request "$authzUri" "$_djson" && _contains "$response" '"deactivated"'; then
       _info "Deactivate: $_vtype success."
@@ -7031,10 +6856,6 @@ _process() {
           return 1
         fi
 
-        if _startswith "$_dvalue" "*."; then
-          _debug "Wildcard domain"
-          export ACME_VERSION=2
-        fi
         if [ -z "$_domain" ]; then
           _domain="$_dvalue"
         else

deploy/gcore_cdn.sh

@@ -56,9 +56,9 @@ gcore_cdn_deploy() {
   _request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}"
   _debug _request "$_request"
   export _H1="Content-Type:application/json"
-  _response=$(_post "$_request" "https://api.gcdn.co/auth/signin")
+  _response=$(_post "$_request" "https://api.gcdn.co/auth/jwt/login")
   _debug _response "$_response"
-  _regex=".*\"token\":\"\([-._0-9A-Za-z]*\)\".*$"
+  _regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$"
   _debug _regex "$_regex"
   _token=$(echo "$_response" | sed -n "s/$_regex/\1/p")
   _debug _token "$_token"
@@ -72,12 +72,15 @@ gcore_cdn_deploy() {
   export _H2="Authorization:Token $_token"
   _response=$(_get "https://api.gcdn.co/resources")
   _debug _response "$_response"
-  _regex=".*(\"id\".*?\"cname\":\"$_cdomain\".*?})"
+  _regex="\"primary_resource\":null},"
+  _debug _regex "$_regex"
+  _response=$(echo "$_response" | sed "s/$_regex/$_regex\n/g")
+  _debug _response "$_response"
   _regex="^.*\"cname\":\"$_cdomain\".*$"
   _debug _regex "$_regex"
-  _resource=$(echo "$_response" | sed 's/},{/},\n{/g' | _egrep_o "$_regex")
+  _resource=$(echo "$_response" | _egrep_o "$_regex")
   _debug _resource "$_resource"
-  _regex=".*\"id\":\([0-9]*\).*\"rules\".*$"
+  _regex=".*\"id\":\([0-9]*\).*$"
   _debug _regex "$_regex"
   _resourceId=$(echo "$_resource" | sed -n "s/$_regex/\1/p")
   _debug _resourceId "$_resourceId"

deploy/synology_dsm.sh

@@ -66,6 +66,12 @@ synology_dsm_deploy() {
   _getdeployconf SYNO_Certificate
   _debug SYNO_Certificate "${SYNO_Certificate:-}"
 
+  # shellcheck disable=SC1003 # We are not trying to escape a single quote
+  if printf "%s" "$SYNO_Certificate" | grep '\\'; then
+    _err "Do not use a backslash (\) in your certificate description"
+    return 1
+  fi
+
   _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
   _debug _base_url "$_base_url"
 
@@ -110,7 +116,9 @@ synology_dsm_deploy() {
   _info "Getting certificates in Synology DSM"
   response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
   _debug3 response "$response"
-  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p")
+  escaped_certificate="$(printf "%s" "$SYNO_Certificate" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')"
+  _debug escaped_certificate "$escaped_certificate"
+  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p")
   _debug2 id "$id"
 
   if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
@@ -119,13 +127,7 @@ synology_dsm_deploy() {
   fi
 
   # we've verified this certificate description is a thing, so save it
-  _savedeployconf SYNO_Certificate "$SYNO_Certificate"
+  _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64"
-
-  default=""
-  if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
-    default=true
-  fi
-  _debug2 default "$default"
 
   _info "Generate form POST request"
   nl="\0015\0012"
@@ -135,7 +137,12 @@ synology_dsm_deploy() {
   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
-  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}${default}"
+  if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
+    _debug2 default "this is the default certificate"
+    content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
+  else
+    _debug2 default "this is NOT the default certificate"
+  fi
   content="$content${nl}--$delim--${nl}"
   content="$(printf "%b_" "$content")"
   content="${content%_}" # protect trailing \n

dnsapi/dns_1984hosting.sh

@@ -145,7 +145,7 @@ _1984hosting_login() {
   password=$(printf '%s' "$One984HOSTING_Password" | _url_encode)
   url="https://management.1984hosting.com/accounts/checkuserauth/"
 
-  response="$(_post "username=$username&password=$password&otpkey=" "$url")"
+  response="$(_post "username=$username&password=$password&otpkey=" $url)"
   response="$(echo "$response" | _normalizeJson)"
   _debug2 response "$response"
 
@@ -177,7 +177,6 @@ _check_cookie() {
   fi
 
   _authget "https://management.1984hosting.com/accounts/loginstatus/"
-  response="$(echo "$_response" | _normalizeJson)"
   if _contains "$response" '"ok": true'; then
     _debug "Cached cookie still valid"
     return 0
@@ -194,7 +193,7 @@ _check_cookie() {
 # _domain=domain.com
 _get_root() {
   domain="$1"
-  i=2
+  i=1
   p=1
   while true; do
     h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@@ -205,7 +204,7 @@ _get_root() {
     fi
 
     _authget "https://management.1984hosting.com/domains/soacheck/?zone=$h&nameserver=ns0.1984.is."
-    if _contains "$_response" "serial"; then
+    if _contains "$_response" "serial" && ! _contains "$_response" 'null}'; then
       _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
       _domain="$h"
       return 0
@@ -219,7 +218,8 @@ _get_root() {
 # add extra headers to request
 _authget() {
   export _H1="Cookie: $One984HOSTING_COOKIE"
-  _response=$(_get "$1")
+  _response=$(_get "$1" | _normalizeJson)
+  _debug2 _response "$_response"
 }
 
 # truncate huge HTML response

dnsapi/dns_desec.sh

@@ -20,21 +20,17 @@ dns_desec_add() {
   _debug txtvalue "$txtvalue"
 
   DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}"
-  DEDYN_NAME="${DEDYN_NAME:-$(_readaccountconf_mutable DEDYN_NAME)}"
 
-  if [ -z "$DEDYN_TOKEN" ] || [ -z "$DEDYN_NAME" ]; then
+  if [ -z "$DEDYN_TOKEN" ]; then
     DEDYN_TOKEN=""
-    DEDYN_NAME=""
+    _err "You did not specify DEDYN_TOKEN yet."
-    _err "You did not specify DEDYN_TOKEN and DEDYN_NAME yet."
     _err "Please create your key and try again."
     _err "e.g."
     _err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e"
-    _err "export DEDYN_NAME=foobar.dedyn.io"
     return 1
   fi
-  #save the api token and name to the account conf file.
+  #save the api token to the account conf file.
   _saveaccountconf_mutable DEDYN_TOKEN "$DEDYN_TOKEN"
-  _saveaccountconf_mutable DEDYN_NAME "$DEDYN_NAME"
 
   _debug "First detect the root zone"
   if ! _get_root "$fulldomain" "$REST_API/"; then
@@ -47,7 +43,7 @@ dns_desec_add() {
   # Get existing TXT record
   _debug "Getting txt records"
   txtvalues="\"\\\"$txtvalue\\\"\""
-  _desec_rest GET "$REST_API/$DEDYN_NAME/rrsets/$_sub_domain/TXT/"
+  _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/"
 
   if [ "$_code" = "200" ]; then
     oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")"
@@ -63,7 +59,7 @@ dns_desec_add() {
   _info "Adding record"
   body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
 
-  if _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"; then
+  if _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"; then
     if _contains "$response" "$txtvalue"; then
       _info "Added, OK"
       return 0
@@ -87,16 +83,13 @@ dns_desec_rm() {
   _debug txtvalue "$txtvalue"
 
   DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}"
-  DEDYN_NAME="${DEDYN_NAME:-$(_readaccountconf_mutable DEDYN_NAME)}"
 
-  if [ -z "$DEDYN_TOKEN" ] || [ -z "$DEDYN_NAME" ]; then
+  if [ -z "$DEDYN_TOKEN" ]; then
     DEDYN_TOKEN=""
-    DEDYN_NAME=""
+    _err "You did not specify DEDYN_TOKEN yet."
-    _err "You did not specify DEDYN_TOKEN and DEDYN_NAME yet."
     _err "Please create your key and try again."
     _err "e.g."
     _err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e"
-    _err "export DEDYN_NAME=foobar.dedyn.io"
     return 1
   fi
 
@@ -112,7 +105,7 @@ dns_desec_rm() {
   # Get existing TXT record
   _debug "Getting txt records"
   txtvalues=""
-  _desec_rest GET "$REST_API/$DEDYN_NAME/rrsets/$_sub_domain/TXT/"
+  _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/"
 
   if [ "$_code" = "200" ]; then
     oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")"
@@ -131,7 +124,7 @@ dns_desec_rm() {
 
   _info "Deleting record"
   body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
-  _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"
+  _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"
   if [ "$_code" = "200" ]; then
     _info "Deleted, OK"
     return 0

dnsapi/dns_ionos.sh

@@ -149,14 +149,15 @@ _ionos_rest() {
     response="$(_post "$data" "$IONOS_API$route" "" "$method" "application/json")"
   else
     export _H2="Accept: */*"
-
+    export _H3=
     response="$(_get "$IONOS_API$route")"
   fi
 
   if [ "$?" != "0" ]; then
-    _err "Error $route"
+    _err "Error $route: $response"
     return 1
   fi
+  _debug2 "response" "$response"
 
   return 0
 }

dnsapi/dns_porkbun.sh

@@ -78,7 +78,7 @@ dns_porkbun_rm() {
   if [ "$count" = "0" ]; then
     _info "Don't need to remove."
   else
-    record_id=$(echo "$response" | tr '{' '\n' | grep "$txtvalue" | cut -d, -f1 | cut -d: -f2 | tr -d \")
+    record_id=$(echo "$response" | tr '{' '\n' | grep -- "$txtvalue" | cut -d, -f1 | cut -d: -f2 | tr -d \")
     _debug "record_id" "$record_id"
     if [ -z "$record_id" ]; then
       _err "Can not get record id to remove."
@@ -110,8 +110,8 @@ _get_root() {
 
     if _porkbun_rest POST "dns/retrieve/$h"; then
       if _contains "$response" "\"status\":\"SUCCESS\""; then
-        _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
         _domain=$h
+        _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
         return 0
       else
         _debug "Go to next level of $_domain"