Merge pull request #3534 from acmesh-official/dev

sync

.github/workflows/DNS.yml

@@ -1,8 +1,6 @@
 name: DNS
 on:
   push:
-    branches:
-      - 'dev'
     paths:
       - 'dnsapi/*.sh'
       - '.github/workflows/DNS.yml'
@@ -38,10 +36,10 @@ jobs:
     steps:
     - name: "Read this:   https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
       run: |
-        echo "Plese see this page to fix the error: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
-    - name: Fail
-      if: "github.actor != 'Neilpang'"
-      run: false
+        echo "Read this:   https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
+        if [ "${{github.actor}}" != "Neilpang" ]; then
+          false
+        fi
 
   Docker:
     runs-on: ubuntu-latest
@@ -151,25 +149,64 @@ jobs:
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
     - name: Run acmetest
-      shell: cmd
+      shell: bash
       run: |
         if [ "${{ secrets.TokenName1}}" ] ; then
-          set ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
+          export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
         fi
         if [ "${{ secrets.TokenName2}}" ] ; then
-          set ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
+          export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
         fi
         if [ "${{ secrets.TokenName3}}" ] ; then
-          set ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
+          export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
         fi
         if [ "${{ secrets.TokenName4}}" ] ; then
-          set ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
+          export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
         fi
         if [ "${{ secrets.TokenName5}}" ] ; then
-          set ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
+          export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
         fi
         cd ../acmetest
-        bash.exe -c ./letest.sh
+        ./letest.sh
+
+  FreeBSD:
+    runs-on: macos-latest
+    needs: Windows
+    env:
+      TEST_DNS : ${{ secrets.TEST_DNS }}
+      TestingDomain: ${{ secrets.TestingDomain }}
+      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
+      CASE: le_test_dnsapi
+      TEST_LOCAL: 1
+      DEBUG: 1
+    steps:
+    - uses: actions/checkout@v2
+    - name: Clone acmetest
+      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/freebsd-vm@v0.1.4
+      with:
+        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
+        prepare: pkg install -y socat curl
+        usesh: true
+        run: |
+          if [ "${{ secrets.TokenName1}}" ] ; then
+            export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
+          fi
+          if [ "${{ secrets.TokenName2}}" ] ; then
+            export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
+          fi
+          if [ "${{ secrets.TokenName3}}" ] ; then
+            export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
+          fi
+          if [ "${{ secrets.TokenName4}}" ] ; then
+            export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
+          fi
+          if [ "${{ secrets.TokenName5}}" ] ; then
+            export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
+          fi
+          cd ../acmetest
+          ./letest.sh
 
   Solaris:
     runs-on: macos-latest
@@ -186,7 +223,7 @@ jobs:
     - uses: actions/checkout@v2
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/solaris-vm@v0.0.1
+    - uses: vmactions/solaris-vm@v0.0.3
       with:
         envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
         prepare: pkgutil -y -i socat curl
@@ -209,3 +246,4 @@ jobs:
           cd ../acmetest
           ./letest.sh
 
+        

.github/workflows/LetsEncrypt.yml

@@ -15,30 +15,9 @@ on:
 
 
 jobs:
-  CheckToken:
-    runs-on: ubuntu-latest
-    outputs:
-      hasToken: ${{ steps.step_one.outputs.hasToken }}
-    env: 
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
-    steps:
-      - name: Set the value
-        id: step_one
-        run: |
-          if [ "$NGROK_TOKEN" ] ; then
-            echo "::set-output name=hasToken::true"
-          else
-            echo "::set-output name=hasToken::false"
-          fi
-      - name: Check the value
-        run: echo ${{ steps.step_one.outputs.hasToken }}
-
   Ubuntu:
     runs-on: ubuntu-latest
-    needs: CheckToken
-    if: "contains(needs.CheckToken.outputs.hasToken, 'true')"
     env:
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
       TEST_LOCAL: 1
     steps:
     - uses: actions/checkout@v2
@@ -51,14 +30,12 @@ jobs:
 
   MacOS:
     runs-on: macos-latest
-    needs: Ubuntu
     env:
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
       TEST_LOCAL: 1
     steps:
     - uses: actions/checkout@v2
     - name: Install tools
-      run:  brew update && brew install socat;
+      run:  brew install socat
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
     - name: Run acmetest
@@ -66,11 +43,9 @@ jobs:
 
   Windows:
     runs-on: windows-latest
-    needs: MacOS
     env:
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
       TEST_LOCAL: 1
-      #The 80 port is used by Windows server, we have to use a custom port, ngrok will also use this port.
+      #The 80 port is used by Windows server, we have to use a custom port, tunnel will also use this port.
       Le_HTTPPort: 8888
     steps:
     - name: Set git to use LF
@@ -103,39 +78,45 @@ jobs:
 
   FreeBSD:
     runs-on: macos-latest
-    needs: Windows
     env:
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
       TEST_LOCAL: 1
     steps:
     - uses: actions/checkout@v2
+    - uses: vmactions/cf-tunnel@v0.0.2
+      id: tunnel
+      with:
+        protocol: http
+        port: 8080
+    - name: Set envs
+      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/freebsd@main
+    - uses: vmactions/freebsd-vm@v0.1.4
       with:
-        envs: 'NGROK_TOKEN TEST_LOCAL'
-        prepare: pkg install -y socat
+        envs: 'TEST_LOCAL TestingDomain'
+        nat: |
+          "8080": "80"
+        prepare: pkg install -y socat curl
+        usesh: true
         run: |
           cd ../acmetest && ./letest.sh
 
   Solaris:
     runs-on: macos-latest
-    needs: FreeBSD
     env:
-      NGROK_TOKEN : ${{ secrets.NGROK_TOKEN }}
       TEST_LOCAL: 1
     steps:
     - uses: actions/checkout@v2
-    - uses: vmactions/ngrok-tunnel@v0.0.1
-      id: ngrok
+    - uses: vmactions/cf-tunnel@v0.0.2
+      id: tunnel
       with:
         protocol: http
         port: 8080
     - name: Set envs
-      run: echo "TestingDomain=${{steps.ngrok.outputs.server}}" >> $GITHUB_ENV
+      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
     - name: Clone acmetest
       run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/solaris-vm@v0.0.1
+    - uses: vmactions/solaris-vm@v0.0.3
       with:
         envs: 'TEST_LOCAL TestingDomain'
         nat: |

.github/workflows/dockerhub.yml

@@ -33,12 +33,10 @@ jobs:
     steps:
       - name: checkout code
         uses: actions/checkout@v2
-      - name: install buildx
-        id: buildx
-        uses: crazy-max/ghaction-docker-buildx@v3
-        with:
-          buildx-version: latest
-          qemu-version: latest
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
       - name: login to docker hub
         run: |
           echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin

Dockerfile

@@ -12,6 +12,7 @@ RUN apk update -f \
   tzdata \
   oath-toolkit-oathtool \
   tar \
+  libidn \
   && rm -rf /var/cache/apk/*
 
 ENV LE_CONFIG_HOME /acme.sh

README.md

@@ -89,6 +89,7 @@ https://github.com/acmesh-official/acmetest
 - [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)
 - [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA)
 - [Pebble strict Mode](https://github.com/letsencrypt/pebble)
+- Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA
 
 # Supported modes
 
@@ -109,13 +110,13 @@ https://github.com/acmesh-official/acmetest
 Check this project: https://github.com/acmesh-official/get.acme.sh
 
 ```bash
-curl https://get.acme.sh | sh
+curl https://get.acme.sh | sh -s email=my@example.com
 ```
 
 Or:
 
 ```bash
-wget -O -  https://get.acme.sh | sh
+wget -O -  https://get.acme.sh | sh -s email=my@example.com
 ```
 
 
@@ -126,7 +127,7 @@ Clone this project and launch installation:
 ```bash
 git clone https://github.com/acmesh-official/acme.sh.git
 cd ./acme.sh
-./acme.sh --install
+./acme.sh --install -m my@example.com
 ```
 
 You `don't have to be root` then, although `it is recommended`.

deploy/cleverreach.sh

@@ -17,6 +17,8 @@ cleverreach_deploy() {
   _cca="$4"
   _cfullchain="$5"
 
+  _rest_endpoint="https://rest.cleverreach.com"
+
   _debug _cdomain "$_cdomain"
   _debug _ckey "$_ckey"
   _debug _ccert "$_ccert"
@@ -25,6 +27,7 @@ cleverreach_deploy() {
 
   _getdeployconf DEPLOY_CLEVERREACH_CLIENT_ID
   _getdeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET
+  _getdeployconf DEPLOY_CLEVERREACH_SUBCLIENT_ID
 
   if [ -z "${DEPLOY_CLEVERREACH_CLIENT_ID}" ]; then
     _err "CleverReach Client ID is not found, please define DEPLOY_CLEVERREACH_CLIENT_ID."
@@ -37,11 +40,12 @@ cleverreach_deploy() {
 
   _savedeployconf DEPLOY_CLEVERREACH_CLIENT_ID "${DEPLOY_CLEVERREACH_CLIENT_ID}"
   _savedeployconf DEPLOY_CLEVERREACH_CLIENT_SECRET "${DEPLOY_CLEVERREACH_CLIENT_SECRET}"
+  _savedeployconf DEPLOY_CLEVERREACH_SUBCLIENT_ID "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
 
   _info "Obtaining a CleverReach access token"
 
   _data="{\"grant_type\": \"client_credentials\", \"client_id\": \"${DEPLOY_CLEVERREACH_CLIENT_ID}\", \"client_secret\": \"${DEPLOY_CLEVERREACH_CLIENT_SECRET}\"}"
-  _auth_result="$(_post "$_data" "https://rest.cleverreach.com/oauth/token.php" "" "POST" "application/json")"
+  _auth_result="$(_post "$_data" "$_rest_endpoint/oauth/token.php" "" "POST" "application/json")"
 
   _debug _data "$_data"
   _debug _auth_result "$_auth_result"
@@ -50,14 +54,32 @@ cleverreach_deploy() {
   _debug _regex "$_regex"
   _access_token=$(echo "$_auth_result" | _json_decode | sed -n "s/$_regex/\1/p")
 
+  _debug _subclient "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
+
+  if [ -n "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" ]; then
+    _info "Obtaining token for sub-client ${DEPLOY_CLEVERREACH_SUBCLIENT_ID}"
+    export _H1="Authorization: Bearer ${_access_token}"
+    _subclient_token_result="$(_get "$_rest_endpoint/v3/clients/$DEPLOY_CLEVERREACH_SUBCLIENT_ID/token")"
+    _access_token=$(echo "$_subclient_token_result" | sed -n "s/\"//p")
+
+    _debug _subclient_token_result "$_access_token"
+
+    _info "Destroying parent token at CleverReach, as it not needed anymore"
+    _destroy_result="$(_post "" "$_rest_endpoint/v3/oauth/token.json" "" "DELETE" "application/json")"
+    _debug _destroy_result "$_destroy_result"
+  fi
+
   _info "Uploading certificate and key to CleverReach"
 
   _certData="{\"cert\":\"$(_json_encode <"$_cfullchain")\", \"key\":\"$(_json_encode <"$_ckey")\"}"
   export _H1="Authorization: Bearer ${_access_token}"
-  _add_cert_result="$(_post "$_certData" "https://rest.cleverreach.com/v3/ssl" "" "POST" "application/json")"
+  _add_cert_result="$(_post "$_certData" "$_rest_endpoint/v3/ssl" "" "POST" "application/json")"
 
-  _debug "Destroying token at CleverReach"
-  _post "" "https://rest.cleverreach.com/v3/oauth/token.json" "" "DELETE" "application/json"
+  if [ -z "${DEPLOY_CLEVERREACH_SUBCLIENT_ID}" ]; then
+    _info "Destroying token at CleverReach, as it not needed anymore"
+    _destroy_result="$(_post "" "$_rest_endpoint/v3/oauth/token.json" "" "DELETE" "application/json")"
+    _debug _destroy_result "$_destroy_result"
+  fi
 
   if ! echo "$_add_cert_result" | grep '"error":' >/dev/null; then
     _info "Uploaded certificate successfully"

deploy/gcore_cdn.sh

@@ -56,9 +56,9 @@ gcore_cdn_deploy() {
   _request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}"
   _debug _request "$_request"
   export _H1="Content-Type:application/json"
-  _response=$(_post "$_request" "https://api.gcdn.co/auth/signin")
+  _response=$(_post "$_request" "https://api.gcdn.co/auth/jwt/login")
   _debug _response "$_response"
-  _regex=".*\"token\":\"\([-._0-9A-Za-z]*\)\".*$"
+  _regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$"
   _debug _regex "$_regex"
   _token=$(echo "$_response" | sed -n "s/$_regex/\1/p")
   _debug _token "$_token"
@@ -72,12 +72,15 @@ gcore_cdn_deploy() {
   export _H2="Authorization:Token $_token"
   _response=$(_get "https://api.gcdn.co/resources")
   _debug _response "$_response"
-  _regex=".*(\"id\".*?\"cname\":\"$_cdomain\".*?})"
+  _regex="\"primary_resource\":null},"
+  _debug _regex "$_regex"
+  _response=$(echo "$_response" | sed "s/$_regex/$_regex\n/g")
+  _debug _response "$_response"
   _regex="^.*\"cname\":\"$_cdomain\".*$"
   _debug _regex "$_regex"
-  _resource=$(echo "$_response" | sed 's/},{/},\n{/g' | _egrep_o "$_regex")
+  _resource=$(echo "$_response" | _egrep_o "$_regex")
   _debug _resource "$_resource"
-  _regex=".*\"id\":\([0-9]*\).*\"rules\".*$"
+  _regex=".*\"id\":\([0-9]*\).*$"
   _debug _regex "$_regex"
   _resourceId=$(echo "$_resource" | sed -n "s/$_regex/\1/p")
   _debug _resourceId "$_resourceId"

deploy/peplink.sh

@@ -0,0 +1,123 @@
+#!/usr/bin/env sh
+
+# Script to deploy cert to Peplink Routers
+#
+# The following environment variables must be set:
+#
+# PEPLINK_Hostname - Peplink hostname
+# PEPLINK_Username - Peplink username to login
+# PEPLINK_Password - Peplink password to login
+#
+# The following environmental variables may be set if you don't like their
+# default values:
+#
+# PEPLINK_Certtype - Certificate type to target for replacement
+#                    defaults to "webadmin", can be one of:
+#                      * "chub" (ContentHub)
+#                      * "openvpn" (OpenVPN CA)
+#                      * "portal" (Captive Portal SSL)
+#                      * "webadmin" (Web Admin SSL)
+#                      * "webproxy" (Proxy Root CA)
+#                      * "wwan_ca" (Wi-Fi WAN CA)
+#                      * "wwan_client" (Wi-Fi WAN Client)
+# PEPLINK_Scheme   - defaults to "https"
+# PEPLINK_Port     - defaults to "443"
+#
+#returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+_peplink_get_cookie_data() {
+  grep -i "\W$1=" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o "$1=[^;]*;" | tr -d ';'
+}
+
+#domain keyfile certfile cafile fullchain
+peplink_deploy() {
+
+  _cdomain="$1"
+  _ckey="$2"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _cfullchain "$_cfullchain"
+  _debug _ckey "$_ckey"
+
+  # Get Hostname, Username and Password, but don't save until we successfully authenticate
+  _getdeployconf PEPLINK_Hostname
+  _getdeployconf PEPLINK_Username
+  _getdeployconf PEPLINK_Password
+  if [ -z "${PEPLINK_Hostname:-}" ] || [ -z "${PEPLINK_Username:-}" ] || [ -z "${PEPLINK_Password:-}" ]; then
+    _err "PEPLINK_Hostname & PEPLINK_Username & PEPLINK_Password must be set"
+    return 1
+  fi
+  _debug2 PEPLINK_Hostname "$PEPLINK_Hostname"
+  _debug2 PEPLINK_Username "$PEPLINK_Username"
+  _secure_debug2 PEPLINK_Password "$PEPLINK_Password"
+
+  # Optional certificate type, scheme, and port for Peplink
+  _getdeployconf PEPLINK_Certtype
+  _getdeployconf PEPLINK_Scheme
+  _getdeployconf PEPLINK_Port
+
+  # Don't save the certificate type until we verify it exists and is supported
+  _savedeployconf PEPLINK_Scheme "$PEPLINK_Scheme"
+  _savedeployconf PEPLINK_Port "$PEPLINK_Port"
+
+  # Default vaules for certificate type, scheme, and port
+  [ -n "${PEPLINK_Certtype}" ] || PEPLINK_Certtype="webadmin"
+  [ -n "${PEPLINK_Scheme}" ] || PEPLINK_Scheme="https"
+  [ -n "${PEPLINK_Port}" ] || PEPLINK_Port="443"
+
+  _debug2 PEPLINK_Certtype "$PEPLINK_Certtype"
+  _debug2 PEPLINK_Scheme "$PEPLINK_Scheme"
+  _debug2 PEPLINK_Port "$PEPLINK_Port"
+
+  _base_url="$PEPLINK_Scheme://$PEPLINK_Hostname:$PEPLINK_Port"
+  _debug _base_url "$_base_url"
+
+  # Login, get the auth token from the cookie
+  _info "Logging into $PEPLINK_Hostname:$PEPLINK_Port"
+  encoded_username="$(printf "%s" "$PEPLINK_Username" | _url_encode)"
+  encoded_password="$(printf "%s" "$PEPLINK_Password" | _url_encode)"
+  response=$(_post "func=login&username=$encoded_username&password=$encoded_password" "$_base_url/cgi-bin/MANGA/api.cgi")
+  auth_token=$(_peplink_get_cookie_data "bauth" <"$HTTP_HEADER")
+  _debug3 response "$response"
+  _debug auth_token "$auth_token"
+
+  if [ -z "$auth_token" ]; then
+    _err "Unable to authenticate to $PEPLINK_Hostname:$PEPLINK_Port using $PEPLINK_Scheme."
+    _err "Check your username and password."
+    return 1
+  fi
+
+  _H1="Cookie: $auth_token"
+  export _H1
+  _debug2 H1 "${_H1}"
+
+  # Now that we know the hostnameusername and password are good, save them
+  _savedeployconf PEPLINK_Hostname "$PEPLINK_Hostname"
+  _savedeployconf PEPLINK_Username "$PEPLINK_Username"
+  _savedeployconf PEPLINK_Password "$PEPLINK_Password"
+
+  _info "Generate form POST request"
+
+  encoded_key="$(_url_encode <"$_ckey")"
+  encoded_fullchain="$(_url_encode <"$_cfullchain")"
+  body="cert_type=$PEPLINK_Certtype&cert_uid=&section=CERT_modify&key_pem=$encoded_key&key_pem_passphrase=&key_pem_passphrase_confirm=&cert_pem=$encoded_fullchain"
+  _debug3 body "$body"
+
+  _info "Upload $PEPLINK_Certtype certificate to the Peplink"
+
+  response=$(_post "$body" "$_base_url/cgi-bin/MANGA/admin.cgi")
+  _debug3 response "$response"
+
+  if echo "$response" | grep 'Success' >/dev/null; then
+    # We've verified this certificate type is valid, so save it
+    _savedeployconf PEPLINK_Certtype "$PEPLINK_Certtype"
+    _info "Certificate was updated"
+    return 0
+  else
+    _err "Unable to update certificate, error code $response"
+    return 1
+  fi
+}

deploy/synology_dsm.sh

@@ -66,6 +66,12 @@ synology_dsm_deploy() {
   _getdeployconf SYNO_Certificate
   _debug SYNO_Certificate "${SYNO_Certificate:-}"
 
+  # shellcheck disable=SC1003 # We are not trying to escape a single quote
+  if printf "%s" "$SYNO_Certificate" | grep '\\'; then
+    _err "Do not use a backslash (\) in your certificate description"
+    return 1
+  fi
+
   _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
   _debug _base_url "$_base_url"
 
@@ -110,7 +116,9 @@ synology_dsm_deploy() {
   _info "Getting certificates in Synology DSM"
   response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
   _debug3 response "$response"
-  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\"id\":\"\([^\"]*\).*/\1/p")
+  escaped_certificate="$(printf "%s" "$SYNO_Certificate" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')"
+  _debug escaped_certificate "$escaped_certificate"
+  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p")
   _debug2 id "$id"
 
   if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
@@ -119,13 +127,7 @@ synology_dsm_deploy() {
   fi
 
   # we've verified this certificate description is a thing, so save it
-  _savedeployconf SYNO_Certificate "$SYNO_Certificate"
-
-  default=false
-  if echo "$response" | sed -n "s/.*\"desc\":\"$SYNO_Certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
-    default=true
-  fi
-  _debug2 default "$default"
+  _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64"
 
   _info "Generate form POST request"
   nl="\0015\0012"
@@ -135,7 +137,12 @@ synology_dsm_deploy() {
   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
   content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
-  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}${default}"
+  if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
+    _debug2 default "this is the default certificate"
+    content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
+  else
+    _debug2 default "this is NOT the default certificate"
+  fi
   content="$content${nl}--$delim--${nl}"
   content="$(printf "%b_" "$content")"
   content="${content%_}" # protect trailing \n

deploy/unifi.sh

@@ -1,12 +1,43 @@
 #!/usr/bin/env sh
 
-#Here is a script to deploy cert to unifi server.
+# Here is a script to deploy cert on a Unifi Controller or Cloud Key device.
+# It supports:
+#   - self-hosted Unifi Controller
+#   - Unifi Cloud Key (Gen1/2/2+)
+#   - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
+# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
 
 #returns 0 means success, otherwise error.
 
+# The deploy-hook automatically detects standard Unifi installations
+# for each of the supported environments. Most users should not need
+# to set any of these variables, but if you are running a self-hosted
+# Controller with custom locations, set these as necessary before running
+# the deploy hook. (Defaults shown below.)
+#
+# Settings for Unifi Controller:
+# Location of Java keystore or unifi.keystore.jks file:
 #DEPLOY_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
+# Keystore password (built into Unifi Controller, not a user-set password):
 #DEPLOY_UNIFI_KEYPASS="aircontrolenterprise"
+# Command to restart Unifi Controller:
 #DEPLOY_UNIFI_RELOAD="service unifi restart"
+#
+# Settings for Unifi Cloud Key Gen1 (nginx admin pages):
+# Directory where cloudkey.crt and cloudkey.key live:
+#DEPLOY_UNIFI_CLOUDKEY_CERTDIR="/etc/ssl/private"
+# Command to restart maintenance pages and Controller
+# (same setting as above, default is updated when running on Cloud Key Gen1):
+#DEPLOY_UNIFI_RELOAD="service nginx restart && service unifi restart"
+#
+# Settings for UnifiOS (Cloud Key Gen2):
+# Directory where unifi-core.crt and unifi-core.key live:
+#DEPLOY_UNIFI_CORE_CONFIG="/data/unifi-core/config/"
+# Command to restart unifi-core:
+#DEPLOY_UNIFI_RELOAD="systemctl restart unifi-core"
+#
+# At least one of DEPLOY_UNIFI_KEYSTORE, DEPLOY_UNIFI_CLOUDKEY_CERTDIR,
+# or DEPLOY_UNIFI_CORE_CONFIG must exist to receive the deployed certs.
 
 ########  Public functions #####################
 
@@ -24,77 +55,160 @@ unifi_deploy() {
   _debug _cca "$_cca"
   _debug _cfullchain "$_cfullchain"
 
-  if ! _exists keytool; then
-    _err "keytool not found"
-    return 1
-  fi
+  _getdeployconf DEPLOY_UNIFI_KEYSTORE
+  _getdeployconf DEPLOY_UNIFI_KEYPASS
+  _getdeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR
+  _getdeployconf DEPLOY_UNIFI_CORE_CONFIG
+  _getdeployconf DEPLOY_UNIFI_RELOAD
 
-  DEFAULT_UNIFI_KEYSTORE="/usr/lib/unifi/data/keystore"
-  _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-$DEFAULT_UNIFI_KEYSTORE}"
-  DEFAULT_UNIFI_KEYPASS="aircontrolenterprise"
-  _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-$DEFAULT_UNIFI_KEYPASS}"
-  DEFAULT_UNIFI_RELOAD="service unifi restart"
-  _reload="${DEPLOY_UNIFI_RELOAD:-$DEFAULT_UNIFI_RELOAD}"
+  _debug2 DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
+  _debug2 DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
+  _debug2 DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
+  _debug2 DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
+  _debug2 DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
 
-  _debug _unifi_keystore "$_unifi_keystore"
-  if [ ! -f "$_unifi_keystore" ]; then
-    if [ -z "$DEPLOY_UNIFI_KEYSTORE" ]; then
-      _err "unifi keystore is not found, please define DEPLOY_UNIFI_KEYSTORE"
-      return 1
-    else
-      _err "It seems that the specified unifi keystore is not valid, please check."
+  # Space-separated list of environments detected and installed:
+  _services_updated=""
+
+  # Default reload commands accumulated as we auto-detect environments:
+  _reload_cmd=""
+
+  # Unifi Controller environment (self hosted or any Cloud Key) --
+  # auto-detect by file /usr/lib/unifi/data/keystore:
+  _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
+  if [ -f "$_unifi_keystore" ]; then
+    _info "Installing certificate for Unifi Controller (Java keystore)"
+    _debug _unifi_keystore "$_unifi_keystore"
+    if ! _exists keytool; then
+      _err "keytool not found"
       return 1
     fi
-  fi
-  if [ ! -w "$_unifi_keystore" ]; then
-    _err "The file $_unifi_keystore is not writable, please change the permission."
+    if [ ! -w "$_unifi_keystore" ]; then
+      _err "The file $_unifi_keystore is not writable, please change the permission."
+      return 1
+    fi
+
+    _unifi_keypass="${DEPLOY_UNIFI_KEYPASS:-aircontrolenterprise}"
+
+    _debug "Generate import pkcs12"
+    _import_pkcs12="$(_mktemp)"
+    _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
+    # shellcheck disable=SC2181
+    if [ "$?" != "0" ]; then
+      _err "Error generating pkcs12. Please re-run with --debug and report a bug."
+      return 1
+    fi
+
+    _debug "Import into keystore: $_unifi_keystore"
+    if keytool -importkeystore \
+      -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
+      -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
+      -alias unifi -noprompt; then
+      _debug "Import keystore success!"
+      rm "$_import_pkcs12"
+    else
+      _err "Error importing into Unifi Java keystore."
+      _err "Please re-run with --debug and report a bug."
+      rm "$_import_pkcs12"
+      return 1
+    fi
+
+    if systemctl -q is-active unifi; then
+      _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
+    fi
+    _services_updated="${_services_updated} unifi"
+    _info "Install Unifi Controller certificate success!"
+  elif [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
+    _err "The specified DEPLOY_UNIFI_KEYSTORE='$DEPLOY_UNIFI_KEYSTORE' is not valid, please check."
     return 1
   fi
 
-  _info "Generate import pkcs12"
-  _import_pkcs12="$(_mktemp)"
-  _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
-  if [ "$?" != "0" ]; then
-    _err "Oops, error creating import pkcs12, please report bug to us."
+  # Cloud Key environment (non-UnifiOS -- nginx serves admin pages) --
+  # auto-detect by file /etc/ssl/private/cloudkey.key:
+  _cloudkey_certdir="${DEPLOY_UNIFI_CLOUDKEY_CERTDIR:-/etc/ssl/private}"
+  if [ -f "${_cloudkey_certdir}/cloudkey.key" ]; then
+    _info "Installing certificate for Cloud Key Gen1 (nginx admin pages)"
+    _debug _cloudkey_certdir "$_cloudkey_certdir"
+    if [ ! -w "$_cloudkey_certdir" ]; then
+      _err "The directory $_cloudkey_certdir is not writable; please check permissions."
+      return 1
+    fi
+    # Cloud Key expects to load the keystore from /etc/ssl/private/unifi.keystore.jks.
+    # Normally /usr/lib/unifi/data/keystore is a symlink there (so the keystore was
+    # updated above), but if not, we don't know how to handle this installation:
+    if ! cmp -s "$_unifi_keystore" "${_cloudkey_certdir}/unifi.keystore.jks"; then
+      _err "Unsupported Cloud Key configuration: keystore not found at '${_cloudkey_certdir}/unifi.keystore.jks'"
+      return 1
+    fi
+
+    cat "$_cfullchain" >"${_cloudkey_certdir}/cloudkey.crt"
+    cat "$_ckey" >"${_cloudkey_certdir}/cloudkey.key"
+    (cd "$_cloudkey_certdir" && tar -cf cert.tar cloudkey.crt cloudkey.key unifi.keystore.jks)
+
+    if systemctl -q is-active nginx; then
+      _reload_cmd="${_reload_cmd:+$_reload_cmd && }service nginx restart"
+    fi
+    _info "Install Cloud Key Gen1 certificate success!"
+    _services_updated="${_services_updated} nginx"
+  elif [ "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR" ]; then
+    _err "The specified DEPLOY_UNIFI_CLOUDKEY_CERTDIR='$DEPLOY_UNIFI_CLOUDKEY_CERTDIR' is not valid, please check."
     return 1
   fi
 
-  _info "Modify unifi keystore: $_unifi_keystore"
-  if keytool -importkeystore \
-    -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
-    -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
-    -alias unifi -noprompt; then
-    _info "Import keystore success!"
-    rm "$_import_pkcs12"
-  else
-    _err "Import unifi keystore error, please report bug to us."
-    rm "$_import_pkcs12"
+  # UnifiOS environment -- auto-detect by /data/unifi-core/config/unifi-core.key:
+  _unifi_core_config="${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}"
+  if [ -f "${_unifi_core_config}/unifi-core.key" ]; then
+    _info "Installing certificate for UnifiOS"
+    _debug _unifi_core_config "$_unifi_core_config"
+    if [ ! -w "$_unifi_core_config" ]; then
+      _err "The directory $_unifi_core_config is not writable; please check permissions."
+      return 1
+    fi
+
+    cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
+    cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"
+
+    if systemctl -q is-active unifi-core; then
+      _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi-core"
+    fi
+    _info "Install UnifiOS certificate success!"
+    _services_updated="${_services_updated} unifi-core"
+  elif [ "$DEPLOY_UNIFI_CORE_CONFIG" ]; then
+    _err "The specified DEPLOY_UNIFI_CORE_CONFIG='$DEPLOY_UNIFI_CORE_CONFIG' is not valid, please check."
     return 1
   fi
 
-  _info "Run reload: $_reload"
-  if eval "$_reload"; then
+  if [ -z "$_services_updated" ]; then
+    # None of the Unifi environments were auto-detected, so no deployment has occurred
+    # (and none of DEPLOY_UNIFI_{KEYSTORE,CLOUDKEY_CERTDIR,CORE_CONFIG} were set).
+    _err "Unable to detect Unifi environment in standard location."
+    _err "(This deploy hook must be run on the Unifi device, not a remote machine.)"
+    _err "For non-standard Unifi installations, set DEPLOY_UNIFI_KEYSTORE,"
+    _err "DEPLOY_UNIFI_CLOUDKEY_CERTDIR, and/or DEPLOY_UNIFI_CORE_CONFIG as appropriate."
+    return 1
+  fi
+
+  _reload_cmd="${DEPLOY_UNIFI_RELOAD:-$_reload_cmd}"
+  if [ -z "$_reload_cmd" ]; then
+    _err "Certificates were installed for services:${_services_updated},"
+    _err "but none appear to be active. Please set DEPLOY_UNIFI_RELOAD"
+    _err "to a command that will restart the necessary services."
+    return 1
+  fi
+  _info "Reload services (this may take some time): $_reload_cmd"
+  if eval "$_reload_cmd"; then
     _info "Reload success!"
-    if [ "$DEPLOY_UNIFI_KEYSTORE" ]; then
-      _savedomainconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
-    else
-      _cleardomainconf DEPLOY_UNIFI_KEYSTORE
-    fi
-    if [ "$DEPLOY_UNIFI_KEYPASS" ]; then
-      _savedomainconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
-    else
-      _cleardomainconf DEPLOY_UNIFI_KEYPASS
-    fi
-    if [ "$DEPLOY_UNIFI_RELOAD" ]; then
-      _savedomainconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
-    else
-      _cleardomainconf DEPLOY_UNIFI_RELOAD
-    fi
-    return 0
   else
     _err "Reload error"
     return 1
   fi
-  return 0
 
+  # Successful, so save all (non-default) config:
+  _savedeployconf DEPLOY_UNIFI_KEYSTORE "$DEPLOY_UNIFI_KEYSTORE"
+  _savedeployconf DEPLOY_UNIFI_KEYPASS "$DEPLOY_UNIFI_KEYPASS"
+  _savedeployconf DEPLOY_UNIFI_CLOUDKEY_CERTDIR "$DEPLOY_UNIFI_CLOUDKEY_CERTDIR"
+  _savedeployconf DEPLOY_UNIFI_CORE_CONFIG "$DEPLOY_UNIFI_CORE_CONFIG"
+  _savedeployconf DEPLOY_UNIFI_RELOAD "$DEPLOY_UNIFI_RELOAD"
+
+  return 0
 }

deploy/vault_cli.sh

@@ -50,12 +50,12 @@ vault_cli_deploy() {
   fi
 
   if [ -n "$FABIO" ]; then
-    $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
   else
-    $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
-    $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
-    $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
-    $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
   fi
 
 }

dnsapi/dns_1984hosting.sh

@@ -145,7 +145,7 @@ _1984hosting_login() {
   password=$(printf '%s' "$One984HOSTING_Password" | _url_encode)
   url="https://management.1984hosting.com/accounts/checkuserauth/"
 
-  response="$(_post "username=$username&password=$password&otpkey=" "$url")"
+  response="$(_post "username=$username&password=$password&otpkey=" $url)"
   response="$(echo "$response" | _normalizeJson)"
   _debug2 response "$response"
 
@@ -177,7 +177,6 @@ _check_cookie() {
   fi
 
   _authget "https://management.1984hosting.com/accounts/loginstatus/"
-  response="$(echo "$_response" | _normalizeJson)"
   if _contains "$response" '"ok": true'; then
     _debug "Cached cookie still valid"
     return 0
@@ -194,7 +193,7 @@ _check_cookie() {
 # _domain=domain.com
 _get_root() {
   domain="$1"
-  i=2
+  i=1
   p=1
   while true; do
     h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@@ -205,7 +204,7 @@ _get_root() {
     fi
 
     _authget "https://management.1984hosting.com/domains/soacheck/?zone=$h&nameserver=ns0.1984.is."
-    if _contains "$_response" "serial"; then
+    if _contains "$_response" "serial" && ! _contains "$_response" 'null}'; then
       _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
       _domain="$h"
       return 0
@@ -219,7 +218,8 @@ _get_root() {
 # add extra headers to request
 _authget() {
   export _H1="Cookie: $One984HOSTING_COOKIE"
-  _response=$(_get "$1")
+  _response=$(_get "$1" | _normalizeJson)
+  _debug2 _response "$_response"
 }
 
 # truncate huge HTML response

dnsapi/dns_arvan.sh

@@ -1,10 +1,9 @@
 #!/usr/bin/env sh
 
-#Arvan_Token="xxxx"
+#Arvan_Token="Apikey xxxx"
 
 ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains"
-
-#Author: Ehsan Aliakbar
+#Author: Vahid Fardi
 #Report Bugs here: https://github.com/Neilpang/acme.sh
 #
 ########  Public functions #####################
@@ -38,6 +37,7 @@ dns_arvan_add() {
   _info "Adding record"
   if _arvan_rest POST "$_domain/dns-records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":{\"text\":\"$txtvalue\"},\"ttl\":120}"; then
     if _contains "$response" "$txtvalue"; then
+      _info "response id is $response"
       _info "Added, OK"
       return 0
     elif _contains "$response" "Record Data is Duplicated"; then
@@ -49,7 +49,7 @@ dns_arvan_add() {
     fi
   fi
   _err "Add txt record error."
-  return 1
+  return 0
 }
 
 #Usage: fulldomain txtvalue
@@ -73,33 +73,21 @@ dns_arvan_rm() {
   _debug _domain "$_domain"
 
   _debug "Getting txt records"
-  shorted_txtvalue=$(printf "%s" "$txtvalue" | cut -d "-" -d "_" -f1)
-  _arvan_rest GET "${_domain}/dns-records?search=$shorted_txtvalue"
-
+  _arvan_rest GET "${_domain}/dns-records"
   if ! printf "%s" "$response" | grep \"current_page\":1 >/dev/null; then
     _err "Error on Arvan Api"
     _err "Please create a github issue with debbug log"
     return 1
   fi
 
-  count=$(printf "%s\n" "$response" | _egrep_o "\"total\":[^,]*" | cut -d : -f 2)
-  _debug count "$count"
-  if [ "$count" = "0" ]; then
-    _info "Don't need to remove."
-  else
-    record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | head -n 1)
-    _debug "record_id" "$record_id"
-    if [ -z "$record_id" ]; then
-      _err "Can not get record id to remove."
-      return 1
-    fi
-    if ! _arvan_rest "DELETE" "${_domain}/dns-records/$record_id"; then
-      _err "Delete record error."
-      return 1
-    fi
-    _debug "$response"
-    _contains "$response" 'dns record deleted'
+  _record_id=$(echo "$response" | _egrep_o ".\"id\":\"[^\"]*\",\"type\":\"txt\",\"name\":\"_acme-challenge\",\"value\":{\"text\":\"$txtvalue\"}" | cut -d : -f 2 | cut -d , -f 1 | tr -d \")
+  if ! _arvan_rest "DELETE" "${_domain}/dns-records/${_record_id}"; then
+    _err "Error on Arvan Api"
+    return 1
   fi
+  _debug "$response"
+  _contains "$response" 'dns record deleted'
+  return 0
 }
 
 ####################  Private functions below ##################################
@@ -111,7 +99,7 @@ dns_arvan_rm() {
 # _domain_id=sdjkglgdfewsdfg
 _get_root() {
   domain=$1
-  i=1
+  i=2
   p=1
   while true; do
     h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@@ -121,12 +109,11 @@ _get_root() {
       return 1
     fi
 
-    if ! _arvan_rest GET "?search=$h"; then
+    if ! _arvan_rest GET "$h"; then
       return 1
     fi
-
-    if _contains "$response" "\"domain\":\"$h\"" || _contains "$response" '"total":1'; then
-      _domain_id=$(echo "$response" | _egrep_o "\[.\"id\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
+    if _contains "$response" "\"domain\":\"$h\""; then
+      _domain_id=$(echo "$response" | cut -d : -f 3 | cut -d , -f 1 | tr -d \")
       if [ "$_domain_id" ]; then
         _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
         _domain=$h
@@ -146,7 +133,6 @@ _arvan_rest() {
   data="$3"
 
   token_trimmed=$(echo "$Arvan_Token" | tr -d '"')
-
   export _H1="Authorization: $token_trimmed"
 
   if [ "$mtd" = "DELETE" ]; then
@@ -160,4 +146,5 @@ _arvan_rest() {
   else
     response="$(_get "$ARVAN_API_URL/$ep$data")"
   fi
+  return 0
 }

dnsapi/dns_aurora.sh

@@ -0,0 +1,171 @@
+#!/usr/bin/env sh
+
+#
+#AURORA_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
+#
+#AURORA_Secret="sdfsdfsdfljlbjkljlkjsdfoiwje"
+
+AURORA_Api="https://api.auroradns.eu"
+
+########  Public functions #####################
+
+#Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_aurora_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  AURORA_Key="${AURORA_Key:-$(_readaccountconf_mutable AURORA_Key)}"
+  AURORA_Secret="${AURORA_Secret:-$(_readaccountconf_mutable AURORA_Secret)}"
+
+  if [ -z "$AURORA_Key" ] || [ -z "$AURORA_Secret" ]; then
+    AURORA_Key=""
+    AURORA_Secret=""
+    _err "You didn't specify an Aurora api key and secret yet."
+    _err "You can get yours from here https://cp.pcextreme.nl/auroradns/users."
+    return 1
+  fi
+
+  #save the api key and secret to the account conf file.
+  _saveaccountconf_mutable AURORA_Key "$AURORA_Key"
+  _saveaccountconf_mutable AURORA_Secret "$AURORA_Secret"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _domain_id "$_domain_id"
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _info "Adding record"
+  if _aurora_rest POST "zones/$_domain_id/records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":300}"; then
+    if _contains "$response" "$txtvalue"; then
+      _info "Added, OK"
+      return 0
+    elif _contains "$response" "RecordExistsError"; then
+      _info "Already exists, OK"
+      return 0
+    else
+      _err "Add txt record error."
+      return 1
+    fi
+  fi
+  _err "Add txt record error."
+  return 1
+
+}
+
+#fulldomain txtvalue
+dns_aurora_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  AURORA_Key="${AURORA_Key:-$(_readaccountconf_mutable AURORA_Key)}"
+  AURORA_Secret="${AURORA_Secret:-$(_readaccountconf_mutable AURORA_Secret)}"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _domain_id "$_domain_id"
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _debug "Getting records"
+  _aurora_rest GET "zones/${_domain_id}/records"
+
+  if ! _contains "$response" "$txtvalue"; then
+    _info "Don't need to remove."
+  else
+    records=$(echo "$response" | _normalizeJson | tr -d "[]" | sed "s/},{/}|{/g" | tr "|" "\n")
+    if [ "$(echo "$records" | wc -l)" -le 2 ]; then
+      _err "Can not parse records."
+      return 1
+    fi
+    record_id=$(echo "$records" | grep "\"type\": *\"TXT\"" | grep "\"name\": *\"$_sub_domain\"" | grep "\"content\": *\"$txtvalue\"" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
+    _debug "record_id" "$record_id"
+    if [ -z "$record_id" ]; then
+      _err "Can not get record id to remove."
+      return 1
+    fi
+    if ! _aurora_rest DELETE "zones/$_domain_id/records/$record_id"; then
+      _err "Delete record error."
+      return 1
+    fi
+  fi
+  return 0
+
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+  domain=$1
+  i=1
+  p=1
+
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug h "$h"
+    if [ -z "$h" ]; then
+      #not valid
+      return 1
+    fi
+
+    if ! _aurora_rest GET "zones/$h"; then
+      return 1
+    fi
+
+    if _contains "$response" "\"name\": \"$h\""; then
+      _domain_id=$(echo "$response" | _normalizeJson | tr -d "{}" | tr "," "\n" | grep "\"id\": *\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
+      _debug _domain_id "$_domain_id"
+      if [ "$_domain_id" ]; then
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _domain=$h
+        return 0
+      fi
+      return 1
+    fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+  return 1
+}
+
+_aurora_rest() {
+  m=$1
+  ep="$2"
+  data="$3"
+  _debug "$ep"
+
+  key_trimmed=$(echo "$AURORA_Key" | tr -d '"')
+  secret_trimmed=$(echo "$AURORA_Secret" | tr -d '"')
+
+  timestamp=$(date -u +"%Y%m%dT%H%M%SZ")
+  signature=$(printf "%s/%s%s" "$m" "$ep" "$timestamp" | _hmac sha256 "$(printf "%s" "$secret_trimmed" | _hex_dump | tr -d " ")" | _base64)
+  authorization=$(printf "AuroraDNSv1 %s" "$(printf "%s:%s" "$key_trimmed" "$signature" | _base64)")
+
+  export _H1="Content-Type: application/json; charset=UTF-8"
+  export _H2="X-AuroraDNS-Date: $timestamp"
+  export _H3="Authorization: $authorization"
+
+  if [ "$m" != "GET" ]; then
+    _debug data "$data"
+    response="$(_post "$data" "$AURORA_Api/$ep" "" "$m")"
+  else
+    response="$(_get "$AURORA_Api/$ep")"
+  fi
+
+  if [ "$?" != "0" ]; then
+    _err "error $ep"
+    return 1
+  fi
+  _debug2 response "$response"
+  return 0
+}

dnsapi/dns_constellix.sh

@@ -30,16 +30,41 @@ dns_constellix_add() {
     return 1
   fi
 
-  _info "Adding TXT record"
-  if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":120,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then
-    if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then
-      _info "Added"
-      return 0
+  # The TXT record might already exist when working with wildcard certificates. In that case, update the record by adding the new value.
+  _debug "Search TXT record"
+  if _constellix_rest GET "domains/${_domain_id}/records/TXT/search?exact=${_sub_domain}"; then
+    if printf -- "%s" "$response" | grep "{\"errors\":\[\"Requested record was not found\"\]}" >/dev/null; then
+      _info "Adding TXT record"
+      if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"add\":true,\"set\":{\"name\":\"${_sub_domain}\",\"ttl\":60,\"roundRobin\":[{\"value\":\"${txtvalue}\"}]}}]"; then
+        if printf -- "%s" "$response" | grep "{\"success\":\"1 record(s) added, 0 record(s) updated, 0 record(s) deleted\"}" >/dev/null; then
+          _info "Added"
+          return 0
+        else
+          _err "Error adding TXT record"
+        fi
+      fi
     else
-      _err "Error adding TXT record"
-      return 1
+      _record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2)
+      if _constellix_rest GET "domains/${_domain_id}/records/TXT/${_record_id}"; then
+        _new_rr_values=$(printf "%s\n" "$response" | _egrep_o '"roundRobin":\[[^]]*\]' | sed "s/\]$/,{\"value\":\"${txtvalue}\"}]/")
+        _debug _new_rr_values "$_new_rr_values"
+        _info "Updating TXT record"
+        if _constellix_rest PUT "domains/${_domain_id}/records/TXT/${_record_id}" "{\"name\":\"${_sub_domain}\",\"ttl\":60,${_new_rr_values}}"; then
+          if printf -- "%s" "$response" | grep "{\"success\":\"Record.*updated successfully\"}" >/dev/null; then
+            _info "Updated"
+            return 0
+          elif printf -- "%s" "$response" | grep "{\"errors\":\[\"Contents are identical\"\]}" >/dev/null; then
+            _info "Already exists, no need to update"
+            return 0
+          else
+            _err "Error updating TXT record"
+          fi
+        fi
+      fi
     fi
   fi
+
+  return 1
 }
 
 # Usage: fulldomain txtvalue
@@ -61,16 +86,26 @@ dns_constellix_rm() {
     return 1
   fi
 
-  _info "Removing TXT record"
-  if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then
-    if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then
+  # The TXT record might have been removed already when working with some wildcard certificates.
+  _debug "Search TXT record"
+  if _constellix_rest GET "domains/${_domain_id}/records/TXT/search?exact=${_sub_domain}"; then
+    if printf -- "%s" "$response" | grep "{\"errors\":\[\"Requested record was not found\"\]}" >/dev/null; then
       _info "Removed"
       return 0
     else
-      _err "Error removing TXT record"
-      return 1
+      _info "Removing TXT record"
+      if _constellix_rest POST "domains/${_domain_id}/records" "[{\"type\":\"txt\",\"delete\":true,\"filter\":{\"field\":\"name\",\"op\":\"eq\",\"value\":\"${_sub_domain}\"}}]"; then
+        if printf -- "%s" "$response" | grep "{\"success\":\"0 record(s) added, 0 record(s) updated, 1 record(s) deleted\"}" >/dev/null; then
+          _info "Removed"
+          return 0
+        else
+          _err "Error removing TXT record"
+        fi
+      fi
     fi
   fi
+
+  return 1
 }
 
 ####################  Private functions below ##################################
@@ -91,7 +126,7 @@ _get_root() {
     fi
 
     if _contains "$response" "\"name\":\"$h\""; then
-      _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]+" | cut -d ':' -f 2)
+      _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2)
       if [ "$_domain_id" ]; then
         _sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p)
         _domain="$h"

dnsapi/dns_desec.sh

@@ -20,21 +20,17 @@ dns_desec_add() {
   _debug txtvalue "$txtvalue"
 
   DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}"
-  DEDYN_NAME="${DEDYN_NAME:-$(_readaccountconf_mutable DEDYN_NAME)}"
 
-  if [ -z "$DEDYN_TOKEN" ] || [ -z "$DEDYN_NAME" ]; then
+  if [ -z "$DEDYN_TOKEN" ]; then
     DEDYN_TOKEN=""
-    DEDYN_NAME=""
-    _err "You did not specify DEDYN_TOKEN and DEDYN_NAME yet."
+    _err "You did not specify DEDYN_TOKEN yet."
     _err "Please create your key and try again."
     _err "e.g."
     _err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e"
-    _err "export DEDYN_NAME=foobar.dedyn.io"
     return 1
   fi
-  #save the api token and name to the account conf file.
+  #save the api token to the account conf file.
   _saveaccountconf_mutable DEDYN_TOKEN "$DEDYN_TOKEN"
-  _saveaccountconf_mutable DEDYN_NAME "$DEDYN_NAME"
 
   _debug "First detect the root zone"
   if ! _get_root "$fulldomain" "$REST_API/"; then
@@ -47,7 +43,7 @@ dns_desec_add() {
   # Get existing TXT record
   _debug "Getting txt records"
   txtvalues="\"\\\"$txtvalue\\\"\""
-  _desec_rest GET "$REST_API/$DEDYN_NAME/rrsets/$_sub_domain/TXT/"
+  _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/"
 
   if [ "$_code" = "200" ]; then
     oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")"
@@ -63,7 +59,7 @@ dns_desec_add() {
   _info "Adding record"
   body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
 
-  if _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"; then
+  if _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"; then
     if _contains "$response" "$txtvalue"; then
       _info "Added, OK"
       return 0
@@ -87,16 +83,13 @@ dns_desec_rm() {
   _debug txtvalue "$txtvalue"
 
   DEDYN_TOKEN="${DEDYN_TOKEN:-$(_readaccountconf_mutable DEDYN_TOKEN)}"
-  DEDYN_NAME="${DEDYN_NAME:-$(_readaccountconf_mutable DEDYN_NAME)}"
 
-  if [ -z "$DEDYN_TOKEN" ] || [ -z "$DEDYN_NAME" ]; then
+  if [ -z "$DEDYN_TOKEN" ]; then
     DEDYN_TOKEN=""
-    DEDYN_NAME=""
-    _err "You did not specify DEDYN_TOKEN and DEDYN_NAME yet."
+    _err "You did not specify DEDYN_TOKEN yet."
     _err "Please create your key and try again."
     _err "e.g."
     _err "export DEDYN_TOKEN=d41d8cd98f00b204e9800998ecf8427e"
-    _err "export DEDYN_NAME=foobar.dedyn.io"
     return 1
   fi
 
@@ -112,7 +105,7 @@ dns_desec_rm() {
   # Get existing TXT record
   _debug "Getting txt records"
   txtvalues=""
-  _desec_rest GET "$REST_API/$DEDYN_NAME/rrsets/$_sub_domain/TXT/"
+  _desec_rest GET "$REST_API/$_domain/rrsets/$_sub_domain/TXT/"
 
   if [ "$_code" = "200" ]; then
     oldtxtvalues="$(echo "$response" | _egrep_o "\"records\":\\[\"\\S*\"\\]" | cut -d : -f 2 | tr -d "[]\\\\\"" | sed "s/,/ /g")"
@@ -131,7 +124,7 @@ dns_desec_rm() {
 
   _info "Deleting record"
   body="[{\"subname\":\"$_sub_domain\", \"type\":\"TXT\", \"records\":[$txtvalues], \"ttl\":3600}]"
-  _desec_rest PUT "$REST_API/$DEDYN_NAME/rrsets/" "$body"
+  _desec_rest PUT "$REST_API/$_domain/rrsets/" "$body"
   if [ "$_code" = "200" ]; then
     _info "Deleted, OK"
     return 0

dnsapi/dns_dp.sh

@@ -89,7 +89,7 @@ add_record() {
 
   _info "Adding record"
 
-  if ! _rest POST "Record.Create" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=默认"; then
+  if ! _rest POST "Record.Create" "login_token=$DP_Id,$DP_Key&format=json&lang=en&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=%E9%BB%98%E8%AE%A4"; then
     return 1
   fi
 

dnsapi/dns_dpi.sh

@@ -53,7 +53,7 @@ dns_dpi_rm() {
     return 1
   fi
 
-  if ! _rest POST "Record.List" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then
+  if ! _rest POST "Record.List" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain"; then
     _err "Record.Lis error."
     return 1
   fi
@@ -63,14 +63,14 @@ dns_dpi_rm() {
     return 0
   fi
 
-  record_id=$(echo "$response" | _egrep_o '{[^{]*"value":"'"$txtvalue"'"' | cut -d , -f 1 | cut -d : -f 2 | tr -d \")
+  record_id=$(echo "$response" | tr "{" "\n" | grep -- "$txtvalue" | grep '^"id"' | cut -d : -f 2 | cut -d '"' -f 2)
   _debug record_id "$record_id"
   if [ -z "$record_id" ]; then
     _err "Can not get record id."
     return 1
   fi
 
-  if ! _rest POST "Record.Remove" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then
+  if ! _rest POST "Record.Remove" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&record_id=$record_id"; then
     _err "Record.Remove error."
     return 1
   fi
@@ -89,7 +89,7 @@ add_record() {
 
   _info "Adding record"
 
-  if ! _rest POST "Record.Create" "user_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then
+  if ! _rest POST "Record.Create" "login_token=$DPI_Id,$DPI_Key&format=json&domain_id=$_domain_id&sub_domain=$_sub_domain&record_type=TXT&value=$txtvalue&record_line=default"; then
     return 1
   fi
 
@@ -113,7 +113,7 @@ _get_root() {
       return 1
     fi
 
-    if ! _rest POST "Domain.Info" "user_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then
+    if ! _rest POST "Domain.Info" "login_token=$DPI_Id,$DPI_Key&format=json&domain=$h"; then
       return 1
     fi
 

dnsapi/dns_duckdns.sh

@@ -12,7 +12,7 @@
 
 DuckDNS_API="https://www.duckdns.org/update"
 
-########  Public functions #####################
+########  Public functions ######################
 
 #Usage: dns_duckdns_add _acme-challenge.domain.duckdns.org "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_duckdns_add() {
@@ -96,7 +96,7 @@ dns_duckdns_rm() {
 _duckdns_get_domain() {
 
   # We'll extract the domain/username from full domain
-  _duckdns_domain="$(printf "%s" "$fulldomain" | _lower_case | _egrep_o '^(_acme-challenge\.)?[a-z0-9-]*\.duckdns\.org' | sed 's/^\(_acme-challenge\.\)\{0,1\}\([a-z0-9-]*\)\.duckdns\.org/\2/')"
+  _duckdns_domain="$(printf "%s" "$fulldomain" | _lower_case | _egrep_o '^(_acme-challenge\.)?([a-z0-9-]+\.)+duckdns\.org' | sed -n 's/^\([^.]\{1,\}\.\)*\([a-z0-9-]\{1,\}\)\.duckdns\.org$/\2/p;')"
 
   if [ -z "$_duckdns_domain" ]; then
     _err "Error extracting the domain."
@@ -112,7 +112,7 @@ _duckdns_rest() {
   param="$2"
   _debug param "$param"
   url="$DuckDNS_API?$param"
-  if [ "$DEBUG" -gt 0 ]; then
+  if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ]; then
     url="$url&verbose=true"
   fi
   _debug url "$url"
@@ -121,7 +121,7 @@ _duckdns_rest() {
   if [ "$method" = "GET" ]; then
     response="$(_get "$url")"
     _debug2 response "$response"
-    if [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then
+    if [ -n "$DEBUG" ] && [ "$DEBUG" -gt 0 ] && _contains "$response" "UPDATED" && _contains "$response" "OK"; then
       response="OK"
     fi
   else

dnsapi/dns_dynv6.sh

@@ -1,39 +1,41 @@
 #!/usr/bin/env sh
 #Author StefanAbl
 #Usage specify a private keyfile to use with dynv6 'export KEY="path/to/keyfile"'
+#or use the HTTP REST API by by specifying a token 'export DYNV6_TOKEN="value"
 #if no keyfile is specified, you will be asked if you want to create one in /home/$USER/.ssh/dynv6 and /home/$USER/.ssh/dynv6.pub
+
+dynv6_api="https://dynv6.com/api/v2"
 ########  Public functions #####################
 # Please Read this guide first: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide
-#Usage: dns_myapi_add  _acme-challenge.www.domain.com  "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+#Usage: dns_dynv6_add  _acme-challenge.www.domain.com  "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_dynv6_add() {
   fulldomain=$1
   txtvalue=$2
   _info "Using dynv6 api"
   _debug fulldomain "$fulldomain"
   _debug txtvalue "$txtvalue"
-  _get_keyfile
-  _info "using keyfile $dynv6_keyfile"
-  _your_hosts="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts)"
-
-  if ! _get_domain "$fulldomain" "$_your_hosts"; then
-  	_err "Host not found on your account"
-  	return 1
-  fi
-#  if ! _contains "$_your_hosts" "$_host"; then
-#    _debug "The host is $_host and the record $_record"
-#    _debug "Dynv6 returned $_your_hosts"
-#    _err "The host $_host does not exists on your dynv6 account"
-#    return 1
-#  fi
-  _debug "found host on your account"
-  returnval="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts \""$_host"\" records set \""$_record"\" txt data \""$txtvalue"\")"
-  _debug "Dynv6 returend this after record was added: $returnval"
-  if _contains "$returnval" "created"; then
-    return 0
-  elif _contains "$returnval" "updated"; then
-    return 0
+  _get_authentication
+  if [ "$dynv6_token" ]; then
+    _dns_dynv6_add_http
+    return $?
   else
-    _err "Something went wrong! it does not seem like the record was added succesfully"
+    _info "using key file $dynv6_keyfile"
+    _your_hosts="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts)"
+    if ! _get_domain "$fulldomain" "$_your_hosts"; then
+      _err "Host not found on your account"
+      return 1
+    fi
+    _debug "found host on your account"
+    returnval="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts \""$_host"\" records set \""$_record"\" txt data \""$txtvalue"\")"
+    _debug "Dynv6 returned this after record was added: $returnval"
+    if _contains "$returnval" "created"; then
+      return 0
+    elif _contains "$returnval" "updated"; then
+      return 0
+    else
+      _err "Something went wrong! it does not seem like the record was added successfully"
+      return 1
+    fi
     return 1
   fi
   return 1
@@ -43,31 +45,29 @@ dns_dynv6_add() {
 dns_dynv6_rm() {
   fulldomain=$1
   txtvalue=$2
-  _info "Using dynv6 api"
+  _info "Using dynv6 API"
   _debug fulldomain "$fulldomain"
   _debug txtvalue "$txtvalue"
-  _get_keyfile
-  _info "using keyfile $dynv6_keyfile"
-  _your_hosts="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts)"
-  if ! _get_domain "$fulldomain" "$_your_hosts"; then
-  	_err "Host not found on your account"
-  	return 1
+  _get_authentication
+  if [ "$dynv6_token" ]; then
+    _dns_dynv6_rm_http
+    return $?
+  else
+    _info "using key file $dynv6_keyfile"
+    _your_hosts="$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts)"
+    if ! _get_domain "$fulldomain" "$_your_hosts"; then
+      _err "Host not found on your account"
+      return 1
+    fi
+    _debug "found host on your account"
+    _info "$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts "\"$_host\"" records del "\"$_record\"" txt)"
+    return 0
   fi
-#  if ! _contains "$_your_hosts" "$_host"; then
-#    _debug "The host is $_host and the record $_record"
-#   _debug "Dynv6 returned $_your_hosts"
-#    _err "The host $_host does not exists on your dynv6 account"
-#    return 1
-#  fi
-  _debug "found host on your account"
-  _info "$(ssh -i "$dynv6_keyfile" api@dynv6.com hosts "\"$_host\"" records del "\"$_record\"" txt)"
-  return 0
-
 }
 #################### Private functions below ##################################
 #Usage: No Input required
 #returns
-#dynv6_keyfile the path to the new keyfile that has been generated
+#dynv6_keyfile the path to the new key file that has been generated
 _generate_new_key() {
   dynv6_keyfile="$(eval echo ~"$USER")/.ssh/dynv6"
   _info "Path to key file used: $dynv6_keyfile"
@@ -93,13 +93,13 @@ _get_domain() {
 
   _your_hosts="$(echo "$_your_hosts" | awk '/\./ {print $1}')"
   for l in $_your_hosts; do
-  	#echo "host: $l"
-  	if test "${_full_domain#*$l}" != "$_full_domain"; then
-  	  _record="${_full_domain%.$l}"
-  	  _host=$l
-  	  _debug "The host is $_host and the record $_record"
-  	  return 0
-  	fi
+    #echo "host: $l"
+    if test "${_full_domain#*$l}" != "$_full_domain"; then
+      _record="${_full_domain%.$l}"
+      _host=$l
+      _debug "The host is $_host and the record $_record"
+      return 0
+    fi
   done
   _err "Either their is no such host on your dnyv6 account or it cannot be accessed with this key"
   return 1
@@ -108,22 +108,178 @@ _get_domain() {
 # Usage: No input required
 #returns
 #dynv6_keyfile path to the key that will be used
-_get_keyfile() {
-  _debug "get keyfile method called"
-  dynv6_keyfile="${dynv6_keyfile:-$(_readaccountconf_mutable dynv6_keyfile)}"
-  _debug "Your key is $dynv6_keyfile"
-  if [ -z "$dynv6_keyfile" ]; then
-    if [ -z "$KEY" ]; then
-      _err "You did not specify a key to use with dynv6"
-      _info "Creating new dynv6 api key to add to dynv6.com"
-      _generate_new_key
-      _info "Please add this key to dynv6.com $(cat "$dynv6_keyfile.pub")"
-      _info "Hit Enter to contiue"
-      read -r _
-      #save the credentials to the account conf file.
-    else
-      dynv6_keyfile="$KEY"
+_get_authentication() {
+  dynv6_token="${DYNV6_TOKEN:-$(_readaccountconf_mutable dynv6_token)}"
+  if [ "$dynv6_token" ]; then
+    _debug "Found HTTP Token. Going to use the HTTP API and not the SSH API"
+    if [ "$DYNV6_TOKEN" ]; then
+      _saveaccountconf_mutable dynv6_token "$dynv6_token"
+    fi
+  else
+    _debug "no HTTP token found. Looking for an SSH key"
+    dynv6_keyfile="${dynv6_keyfile:-$(_readaccountconf_mutable dynv6_keyfile)}"
+    _debug "Your key is $dynv6_keyfile"
+    if [ -z "$dynv6_keyfile" ]; then
+      if [ -z "$KEY" ]; then
+        _err "You did not specify a key to use with dynv6"
+        _info "Creating new dynv6 API key to add to dynv6.com"
+        _generate_new_key
+        _info "Please add this key to dynv6.com $(cat "$dynv6_keyfile.pub")"
+        _info "Hit Enter to continue"
+        read -r _
+        #save the credentials to the account conf file.
+      else
+        dynv6_keyfile="$KEY"
+      fi
+      _saveaccountconf_mutable dynv6_keyfile "$dynv6_keyfile"
     fi
-    _saveaccountconf_mutable dynv6_keyfile "$dynv6_keyfile"
   fi
 }
+
+_dns_dynv6_add_http() {
+  _debug "Got HTTP token form _get_authentication method. Going to use the HTTP API"
+  if ! _get_zone_id "$fulldomain"; then
+    _err "Could not find a matching zone for $fulldomain. Maybe your HTTP Token is not authorized to access the zone"
+    return 1
+  fi
+  _get_zone_name "$_zone_id"
+  record="${fulldomain%%.$_zone_name}"
+  _set_record TXT "$record" "$txtvalue"
+  if _contains "$response" "$txtvalue"; then
+    _info "Successfully added record"
+    return 0
+  else
+    _err "Something went wrong while adding the record"
+    return 1
+  fi
+}
+
+_dns_dynv6_rm_http() {
+  _debug "Got HTTP token form _get_authentication method. Going to use the HTTP API"
+  if ! _get_zone_id "$fulldomain"; then
+    _err "Could not find a matching zone for $fulldomain. Maybe your HTTP Token is not authorized to access the zone"
+    return 1
+  fi
+  _get_zone_name "$_zone_id"
+  record="${fulldomain%%.$_zone_name}"
+  _get_record_id "$_zone_id" "$record" "$txtvalue"
+  _del_record "$_zone_id" "$_record_id"
+  if [ -z "$response" ]; then
+    _info "Successfully deleted record"
+    return 0
+  else
+    _err "Something went wrong while deleting the record"
+    return 1
+  fi
+}
+
+#get the zoneid for a specifc record or zone
+#usage: _get_zone_id §record
+#where $record is the record to get the id for
+#returns _zone_id the id of the zone
+_get_zone_id() {
+  record="$1"
+  _debug "getting zone id for $record"
+  _dynv6_rest GET zones
+
+  zones="$(echo "$response" | tr '}' '\n' | tr ',' '\n' | grep name | sed 's/\[//g' | tr -d '{' | tr -d '"')"
+  #echo $zones
+
+  selected=""
+  for z in $zones; do
+    z="${z#name:}"
+    _debug zone: "$z"
+    if _contains "$record" "$z"; then
+      _debug "$z found in $record"
+      selected="$z"
+    fi
+  done
+  if [ -z "$selected" ]; then
+    _err "no zone found"
+    return 1
+  fi
+
+  zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep id | tr -d '"')"
+  _zone_id="${zone_id#id:}"
+  _debug "zone id: $_zone_id"
+}
+
+_get_zone_name() {
+  _zone_id="$1"
+  _dynv6_rest GET zones/"$_zone_id"
+  _zone_name="$(echo "$response" | tr ',' '\n' | tr -d '{' | grep name | tr -d '"')"
+  _zone_name="${_zone_name#name:}"
+}
+
+#usaage _get_record_id $zone_id $record
+# where zone_id is thevalue returned by _get_zone_id
+# and record ist in the form _acme.www for an fqdn of _acme.www.example.com
+# returns _record_id
+_get_record_id() {
+  _zone_id="$1"
+  record="$2"
+  value="$3"
+  _dynv6_rest GET "zones/$_zone_id/records"
+  if ! _get_record_id_from_response "$response"; then
+    _err "no such record $record found in zone $_zone_id"
+    return 1
+  fi
+}
+
+_get_record_id_from_response() {
+  response="$1"
+  _record_id="$(echo "$response" | tr '}' '\n' | grep "\"name\":\"$record\"" | grep "\"data\":\"$value\"" | tr ',' '\n' | grep id | tr -d '"' | tr -d 'id:')"
+  #_record_id="${_record_id#id:}"
+  if [ -z "$_record_id" ]; then
+    _err "no such record: $record found in zone $_zone_id"
+    return 1
+  fi
+  _debug "record id: $_record_id"
+  return 0
+}
+#usage: _set_record TXT _acme_challenge.www longvalue 12345678
+#zone id is optional can also be set as vairable bevor calling this method
+_set_record() {
+  type="$1"
+  record="$2"
+  value="$3"
+  if [ "$4" ]; then
+    _zone_id="$4"
+  fi
+  data="{\"name\": \"$record\", \"data\": \"$value\", \"type\": \"$type\"}"
+  #data='{ "name": "acme.test.thorn.dynv6.net", "type": "A", "data": "192.168.0.1"}'
+  echo "$data"
+  #"{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":120}"
+  _dynv6_rest POST "zones/$_zone_id/records" "$data"
+}
+_del_record() {
+  _zone_id=$1
+  _record_id=$2
+  _dynv6_rest DELETE zones/"$_zone_id"/records/"$_record_id"
+}
+
+_dynv6_rest() {
+  m=$1    #method GET,POST,DELETE or PUT
+  ep="$2" #the endpoint
+  data="$3"
+  _debug "$ep"
+
+  token_trimmed=$(echo "$dynv6_token" | tr -d '"')
+
+  export _H1="Authorization: Bearer $token_trimmed"
+  export _H2="Content-Type: application/json"
+
+  if [ "$m" != "GET" ]; then
+    _debug data "$data"
+    response="$(_post "$data" "$dynv6_api/$ep" "" "$m")"
+  else
+    response="$(_get "$dynv6_api/$ep")"
+  fi
+
+  if [ "$?" != "0" ]; then
+    _err "error $ep"
+    return 1
+  fi
+  _debug2 response "$response"
+  return 0
+}

dnsapi/dns_huaweicloud.sh

@@ -5,7 +5,7 @@
 # HUAWEICLOUD_ProjectID
 
 iam_api="https://iam.myhuaweicloud.com"
-dns_api="https://dns.ap-southeast-1.myhuaweicloud.com"
+dns_api="https://dns.ap-southeast-1.myhuaweicloud.com" # Should work
 
 ########  Public functions #####################
 
@@ -29,16 +29,27 @@ dns_huaweicloud_add() {
     return 1
   fi
 
+  unset token # Clear token
   token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_ProjectID}")"
-  _debug2 "${token}"
+  if [ -z "${token}" ]; then # Check token
+    _err "dns_api(dns_huaweicloud): Error getting token."
+    return 1
+  fi
+  _debug "Access token is: ${token}"
+
+  unset zoneid
   zoneid="$(_get_zoneid "${token}" "${fulldomain}")"
-  _debug "${zoneid}"
+  if [ -z "${zoneid}" ]; then
+    _err "dns_api(dns_huaweicloud): Error getting zone id."
+    return 1
+  fi
+  _debug "Zone ID is: ${zoneid}"
 
   _debug "Adding Record"
   _add_record "${token}" "${fulldomain}" "${txtvalue}"
   ret="$?"
   if [ "${ret}" != "0" ]; then
-    _err "dns_huaweicloud: Error adding record."
+    _err "dns_api(dns_huaweicloud): Error adding record."
     return 1
   fi
 
@@ -69,12 +80,21 @@ dns_huaweicloud_rm() {
     return 1
   fi
 
+  unset token # Clear token
   token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_ProjectID}")"
-  _debug2 "${token}"
+  if [ -z "${token}" ]; then # Check token
+    _err "dns_api(dns_huaweicloud): Error getting token."
+    return 1
+  fi
+  _debug "Access token is: ${token}"
+
+  unset zoneid
   zoneid="$(_get_zoneid "${token}" "${fulldomain}")"
-  _debug "${zoneid}"
-  record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")"
-  _debug "Record Set ID is: ${record_id}"
+  if [ -z "${zoneid}" ]; then
+    _err "dns_api(dns_huaweicloud): Error getting zone id."
+    return 1
+  fi
+  _debug "Zone ID is: ${zoneid}"
 
   # Remove all records
   # Therotically HuaweiCloud does not allow more than one record set

dnsapi/dns_infomaniak.sh

@@ -85,7 +85,7 @@ dns_infomaniak_add() {
 
   # API call
   response=$(_post "$data" "${INFOMANIAK_API_URL}/1/domain/$domain_id/dns/record")
-  if [ -n "$response" ] && echo "$response" | grep -qF '"result":"success"'; then
+  if [ -n "$response" ] && echo "$response" | _contains '"result":"success"'; then
     _info "Record added"
     _debug "Response: $response"
     return 0
@@ -165,7 +165,7 @@ dns_infomaniak_rm() {
 
   # API call
   response=$(_post "" "${INFOMANIAK_API_URL}/1/domain/$domain_id/dns/record/$record_id" "" DELETE)
-  if [ -n "$response" ] && echo "$response" | grep -qF '"result":"success"'; then
+  if [ -n "$response" ] && echo "$response" | _contains '"result":"success"'; then
     _info "Record deleted"
     return 0
   fi
@@ -187,7 +187,7 @@ _find_zone() {
   zone="$1"
 
   # find domain in list, removing . parts sequentialy
-  while echo "$zone" | grep -q '\.'; do
+  while _contains "$zone" '\.'; do
     _debug "testing $zone"
     id=$(_get_domain_id "$zone")
     if [ -n "$id" ]; then

dnsapi/dns_ionos.sh

@@ -0,0 +1,163 @@
+#!/usr/bin/env sh
+
+# Supports IONOS DNS API Beta v1.0.0
+#
+# Usage:
+#   Export IONOS_PREFIX and IONOS_SECRET before calling acme.sh:
+#
+#   $ export IONOS_PREFIX="..."
+#   $ export IONOS_SECRET="..."
+#
+#   $ acme.sh --issue --dns dns_ionos ...
+
+IONOS_API="https://api.hosting.ionos.com/dns"
+IONOS_ROUTE_ZONES="/v1/zones"
+
+IONOS_TXT_TTL=60 # minimum accepted by API
+IONOS_TXT_PRIO=10
+
+dns_ionos_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  if ! _ionos_init; then
+    return 1
+  fi
+
+  _body="[{\"name\":\"$_sub_domain.$_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":$IONOS_TXT_TTL,\"prio\":$IONOS_TXT_PRIO,\"disabled\":false}]"
+
+  if _ionos_rest POST "$IONOS_ROUTE_ZONES/$_zone_id/records" "$_body" && [ -z "$response" ]; then
+    _info "TXT record has been created successfully."
+    return 0
+  fi
+
+  return 1
+}
+
+dns_ionos_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  if ! _ionos_init; then
+    return 1
+  fi
+
+  if ! _ionos_get_record "$fulldomain" "$_zone_id" "$txtvalue"; then
+    _err "Could not find _acme-challenge TXT record."
+    return 1
+  fi
+
+  if _ionos_rest DELETE "$IONOS_ROUTE_ZONES/$_zone_id/records/$_record_id" && [ -z "$response" ]; then
+    _info "TXT record has been deleted successfully."
+    return 0
+  fi
+
+  return 1
+}
+
+_ionos_init() {
+  IONOS_PREFIX="${IONOS_PREFIX:-$(_readaccountconf_mutable IONOS_PREFIX)}"
+  IONOS_SECRET="${IONOS_SECRET:-$(_readaccountconf_mutable IONOS_SECRET)}"
+
+  if [ -z "$IONOS_PREFIX" ] || [ -z "$IONOS_SECRET" ]; then
+    _err "You didn't specify an IONOS api prefix and secret yet."
+    _err "Read https://beta.developer.hosting.ionos.de/docs/getstarted to learn how to get a prefix and secret."
+    _err ""
+    _err "Then set them before calling acme.sh:"
+    _err "\$ export IONOS_PREFIX=\"...\""
+    _err "\$ export IONOS_SECRET=\"...\""
+    _err "\$ acme.sh --issue -d ... --dns dns_ionos"
+    return 1
+  fi
+
+  _saveaccountconf_mutable IONOS_PREFIX "$IONOS_PREFIX"
+  _saveaccountconf_mutable IONOS_SECRET "$IONOS_SECRET"
+
+  if ! _get_root "$fulldomain"; then
+    _err "Cannot find this domain in your IONOS account."
+    return 1
+  fi
+}
+
+_get_root() {
+  domain=$1
+  i=1
+  p=1
+
+  if _ionos_rest GET "$IONOS_ROUTE_ZONES"; then
+    response="$(echo "$response" | tr -d "\n")"
+
+    while true; do
+      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+      if [ -z "$h" ]; then
+        return 1
+      fi
+
+      _zone="$(echo "$response" | _egrep_o "\"name\":\"$h\".*\}")"
+      if [ "$_zone" ]; then
+        _zone_id=$(printf "%s\n" "$_zone" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
+        if [ "$_zone_id" ]; then
+          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+          _domain=$h
+
+          return 0
+        fi
+
+        return 1
+      fi
+
+      p=$i
+      i=$(_math "$i" + 1)
+    done
+  fi
+
+  return 1
+}
+
+_ionos_get_record() {
+  fulldomain=$1
+  zone_id=$2
+  txtrecord=$3
+
+  if _ionos_rest GET "$IONOS_ROUTE_ZONES/$zone_id?recordName=$fulldomain&recordType=TXT"; then
+    response="$(echo "$response" | tr -d "\n")"
+
+    _record="$(echo "$response" | _egrep_o "\"name\":\"$fulldomain\"[^\}]*\"type\":\"TXT\"[^\}]*\"content\":\"\\\\\"$txtrecord\\\\\"\".*\}")"
+    if [ "$_record" ]; then
+      _record_id=$(printf "%s\n" "$_record" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
+
+      return 0
+    fi
+  fi
+
+  return 1
+}
+
+_ionos_rest() {
+  method="$1"
+  route="$2"
+  data="$3"
+
+  IONOS_API_KEY="$(printf "%s.%s" "$IONOS_PREFIX" "$IONOS_SECRET")"
+
+  export _H1="X-API-Key: $IONOS_API_KEY"
+
+  if [ "$method" != "GET" ]; then
+    export _H2="Accept: application/json"
+    export _H3="Content-Type: application/json"
+
+    response="$(_post "$data" "$IONOS_API$route" "" "$method" "application/json")"
+  else
+    export _H2="Accept: */*"
+    export _H3=
+    response="$(_get "$IONOS_API$route")"
+  fi
+
+  if [ "$?" != "0" ]; then
+    _err "Error $route: $response"
+    return 1
+  fi
+  _debug2 "response" "$response"
+
+  return 0
+}

dnsapi/dns_ispconfig.sh

@@ -75,7 +75,7 @@ _ISPC_getZoneInfo() {
     # suffix . needed for zone -> domain.tld.
     curData="{\"session_id\":\"${sessionID}\",\"primary_id\":{\"origin\":\"${curZone}.\"}}"
     curResult="$(_post "${curData}" "${ISPC_Api}?dns_zone_get")"
-    _debug "Calling _ISPC_getZoneInfo: '${curData}' '${ISPC_Api}?login'"
+    _debug "Calling _ISPC_getZoneInfo: '${curData}' '${ISPC_Api}?dns_zone_get'"
     _debug "Result of _ISPC_getZoneInfo: '$curResult'"
     if _contains "${curResult}" '"id":"'; then
       zoneFound=true
@@ -110,18 +110,32 @@ _ISPC_getZoneInfo() {
       ;;
     *) _info "Retrieved Zone ID" ;;
     esac
-    client_id=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2)
-    _debug "Client ID: '${client_id}'"
-    case "${client_id}" in
+    sys_userid=$(echo "${curResult}" | _egrep_o "sys_userid.*" | cut -d ':' -f 2 | cut -d '"' -f 2)
+    _debug "SYS User ID: '${sys_userid}'"
+    case "${sys_userid}" in
     '' | *[!0-9]*)
-      _err "Client ID is not numeric."
+      _err "SYS User ID is not numeric."
       return 1
       ;;
-    *) _info "Retrieved Client ID." ;;
+    *) _info "Retrieved SYS User ID." ;;
     esac
     zoneFound=""
     zoneEnd=""
   fi
+  # Need to get client_id as it is different from sys_userid
+  curData="{\"session_id\":\"${sessionID}\",\"sys_userid\":\"${sys_userid}\"}"
+  curResult="$(_post "${curData}" "${ISPC_Api}?client_get_id")"
+  _debug "Calling _ISPC_ClientGetID: '${curData}' '${ISPC_Api}?client_get_id'"
+  _debug "Result of _ISPC_ClientGetID: '$curResult'"
+  client_id=$(echo "${curResult}" | _egrep_o "response.*" | cut -d ':' -f 2 | cut -d '"' -f 2 | tr -d '{}')
+  _debug "Client ID: '${client_id}'"
+  case "${client_id}" in
+  '' | *[!0-9]*)
+    _err "Client ID is not numeric."
+    return 1
+    ;;
+  *) _info "Retrieved Client ID." ;;
+  esac
 }
 
 _ISPC_addTxt() {

dnsapi/dns_linode_v4.sh

@@ -106,6 +106,7 @@ dns_linode_v4_rm() {
 ####################  Private functions below ##################################
 
 _Linode_API() {
+  LINODE_V4_API_KEY="${LINODE_V4_API_KEY:-$(_readaccountconf_mutable LINODE_V4_API_KEY)}"
   if [ -z "$LINODE_V4_API_KEY" ]; then
     LINODE_V4_API_KEY=""
 
@@ -115,7 +116,7 @@ _Linode_API() {
     return 1
   fi
 
-  _saveaccountconf LINODE_V4_API_KEY "$LINODE_V4_API_KEY"
+  _saveaccountconf_mutable LINODE_V4_API_KEY "$LINODE_V4_API_KEY"
 }
 
 ####################  Private functions below ##################################

dnsapi/dns_namecheap.sh

@@ -157,7 +157,7 @@ _namecheap_set_publicip() {
 
   if [ -z "$NAMECHEAP_SOURCEIP" ]; then
     _err "No Source IP specified for Namecheap API."
-    _err "Use your public ip address or an url to retrieve it (e.g. https://ipconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
+    _err "Use your public ip address or an url to retrieve it (e.g. https://ifconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
     return 1
   else
     _saveaccountconf NAMECHEAP_SOURCEIP "$NAMECHEAP_SOURCEIP"
@@ -175,7 +175,7 @@ _namecheap_set_publicip() {
       _publicip=$(_get "$addr")
     else
       _err "No Source IP specified for Namecheap API."
-      _err "Use your public ip address or an url to retrieve it (e.g. https://ipconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
+      _err "Use your public ip address or an url to retrieve it (e.g. https://ifconfig.co/ip) and export it as NAMECHEAP_SOURCEIP"
       return 1
     fi
   fi
@@ -208,7 +208,7 @@ _namecheap_parse_host() {
   _hostid=$(echo "$_host" | _egrep_o ' HostId="[^"]*' | cut -d '"' -f 2)
   _hostname=$(echo "$_host" | _egrep_o ' Name="[^"]*' | cut -d '"' -f 2)
   _hosttype=$(echo "$_host" | _egrep_o ' Type="[^"]*' | cut -d '"' -f 2)
-  _hostaddress=$(echo "$_host" | _egrep_o ' Address="[^"]*' | cut -d '"' -f 2)
+  _hostaddress=$(echo "$_host" | _egrep_o ' Address="[^"]*' | cut -d '"' -f 2 | _xml_decode)
   _hostmxpref=$(echo "$_host" | _egrep_o ' MXPref="[^"]*' | cut -d '"' -f 2)
   _hostttl=$(echo "$_host" | _egrep_o ' TTL="[^"]*' | cut -d '"' -f 2)
 
@@ -405,3 +405,7 @@ _namecheap_set_tld_sld() {
   done
 
 }
+
+_xml_decode() {
+  sed 's/"/"/g'
+}

dnsapi/dns_one.sh

@@ -1,22 +1,9 @@
 #!/usr/bin/env sh
-# -*- mode: sh; tab-width: 2; indent-tabs-mode: s; coding: utf-8 -*-
-
 # one.com ui wrapper for acme.sh
-# Author: github: @diseq
-# Created: 2019-02-17
-# Fixed by: @der-berni
-# Modified: 2020-04-07
-#
-#     Use ONECOM_KeepCnameProxy to keep the CNAME DNS record
-#     export ONECOM_KeepCnameProxy="1"
+
 #
 #     export ONECOM_User="username"
 #     export ONECOM_Password="password"
-#
-# Usage:
-#     acme.sh --issue --dns dns_one -d example.com
-#
-#     only single domain supported atm
 
 dns_one_add() {
   fulldomain=$1
@@ -36,27 +23,9 @@ dns_one_add() {
   subdomain="${_sub_domain}"
   maindomain=${_domain}
 
-  useProxy=0
-  if [ "${_sub_domain}" = "_acme-challenge" ]; then
-    subdomain="proxy${_sub_domain}"
-    useProxy=1
-  fi
-
   _debug subdomain "$subdomain"
   _debug maindomain "$maindomain"
 
-  if [ $useProxy -eq 1 ]; then
-    #Check if the CNAME exists
-    _dns_one_getrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
-    if [ -z "$id" ]; then
-      _info "$(__red "Add CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
-      _dns_one_addrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
-
-      _info "Not valid yet, let's wait 1 hour to take effect."
-      _sleep 3600
-    fi
-  fi
-
   #Check if the TXT exists
   _dns_one_getrecord "TXT" "$subdomain" "$txtvalue"
   if [ -n "$id" ]; then
@@ -92,26 +61,8 @@ dns_one_rm() {
   subdomain="${_sub_domain}"
   maindomain=${_domain}
 
-  useProxy=0
-  if [ "${_sub_domain}" = "_acme-challenge" ]; then
-    subdomain="proxy${_sub_domain}"
-    useProxy=1
-  fi
-
   _debug subdomain "$subdomain"
   _debug maindomain "$maindomain"
-  if [ $useProxy -eq 1 ]; then
-    if [ "$ONECOM_KeepCnameProxy" = "1" ]; then
-      _info "$(__red "Keeping CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
-    else
-      #Check if the CNAME exists
-      _dns_one_getrecord "CNAME" "$_sub_domain" "$subdomain.$maindomain"
-      if [ -n "$id" ]; then
-        _info "$(__red "Removing CNAME Proxy record: '$(__green "\"$_sub_domain\" => \"$subdomain.$maindomain\"")'")"
-        _dns_one_delrecord "$id"
-      fi
-    fi
-  fi
 
   #Check if the TXT exists
   _dns_one_getrecord "TXT" "$subdomain" "$txtvalue"
@@ -136,7 +87,7 @@ dns_one_rm() {
 # _domain=domain.com
 _get_root() {
   domain="$1"
-  i=2
+  i=1
   p=1
   while true; do
     h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@@ -163,8 +114,6 @@ _get_root() {
 _dns_one_login() {
 
   # get credentials
-  ONECOM_KeepCnameProxy="${ONECOM_KeepCnameProxy:-$(_readaccountconf_mutable ONECOM_KeepCnameProxy)}"
-  ONECOM_KeepCnameProxy="${ONECOM_KeepCnameProxy:-0}"
   ONECOM_User="${ONECOM_User:-$(_readaccountconf_mutable ONECOM_User)}"
   ONECOM_Password="${ONECOM_Password:-$(_readaccountconf_mutable ONECOM_Password)}"
   if [ -z "$ONECOM_User" ] || [ -z "$ONECOM_Password" ]; then
@@ -176,7 +125,6 @@ _dns_one_login() {
   fi
 
   #save the api key and email to the account conf file.
-  _saveaccountconf_mutable ONECOM_KeepCnameProxy "$ONECOM_KeepCnameProxy"
   _saveaccountconf_mutable ONECOM_User "$ONECOM_User"
   _saveaccountconf_mutable ONECOM_Password "$ONECOM_Password"
 

dnsapi/dns_pdns.sh

@@ -175,13 +175,13 @@ _get_root() {
   i=1
 
   if _pdns_rest "GET" "/api/v1/servers/$PDNS_ServerId/zones"; then
-    _zones_response="$response"
+    _zones_response=$(echo "$response" | _normalizeJson)
   fi
 
   while true; do
     h=$(printf "%s" "$domain" | cut -d . -f $i-100)
 
-    if _contains "$_zones_response" "\"name\": \"$h.\""; then
+    if _contains "$_zones_response" "\"name\":\"$h.\""; then
       _domain="$h."
       if [ -z "$h" ]; then
         _domain="=2E"

dnsapi/dns_porkbun.sh

@@ -0,0 +1,157 @@
+#!/usr/bin/env sh
+
+#
+#PORKBUN_API_KEY="pk1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+#PORKBUN_SECRET_API_KEY="sk1_0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
+
+PORKBUN_Api="https://porkbun.com/api/json/v3"
+
+########  Public functions #####################
+
+#Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_porkbun_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  PORKBUN_API_KEY="${PORKBUN_API_KEY:-$(_readaccountconf_mutable PORKBUN_API_KEY)}"
+  PORKBUN_SECRET_API_KEY="${PORKBUN_SECRET_API_KEY:-$(_readaccountconf_mutable PORKBUN_SECRET_API_KEY)}"
+
+  if [ -z "$PORKBUN_API_KEY" ] || [ -z "$PORKBUN_SECRET_API_KEY" ]; then
+    PORKBUN_API_KEY=''
+    PORKBUN_SECRET_API_KEY=''
+    _err "You didn't specify a Porkbun api key and secret api key yet."
+    _err "You can get yours from here https://porkbun.com/account/api."
+    return 1
+  fi
+
+  #save the credentials to the account conf file.
+  _saveaccountconf_mutable PORKBUN_API_KEY "$PORKBUN_API_KEY"
+  _saveaccountconf_mutable PORKBUN_SECRET_API_KEY "$PORKBUN_SECRET_API_KEY"
+
+  _debug 'First detect the root zone'
+  if ! _get_root "$fulldomain"; then
+    return 1
+  fi
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
+  # we can not use updating anymore.
+  #  count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
+  #  _debug count "$count"
+  #  if [ "$count" = "0" ]; then
+  _info "Adding record"
+  if _porkbun_rest POST "dns/create/$_domain" "{\"name\":\"$_sub_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":120}"; then
+    if _contains "$response" '\"status\":"SUCCESS"'; then
+      _info "Added, OK"
+      return 0
+    elif _contains "$response" "The record already exists"; then
+      _info "Already exists, OK"
+      return 0
+    else
+      _err "Add txt record error. ($response)"
+      return 1
+    fi
+  fi
+  _err "Add txt record error."
+  return 1
+
+}
+
+#fulldomain txtvalue
+dns_porkbun_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  PORKBUN_API_KEY="${PORKBUN_API_KEY:-$(_readaccountconf_mutable PORKBUN_API_KEY)}"
+  PORKBUN_SECRET_API_KEY="${PORKBUN_SECRET_API_KEY:-$(_readaccountconf_mutable PORKBUN_SECRET_API_KEY)}"
+
+  _debug 'First detect the root zone'
+  if ! _get_root "$fulldomain"; then
+    return 1
+  fi
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  count=$(echo "$response" | _egrep_o "\"count\": *[^,]*" | cut -d : -f 2 | tr -d " ")
+  _debug count "$count"
+  if [ "$count" = "0" ]; then
+    _info "Don't need to remove."
+  else
+    record_id=$(echo "$response" | tr '{' '\n' | grep -- "$txtvalue" | cut -d, -f1 | cut -d: -f2 | tr -d \")
+    _debug "record_id" "$record_id"
+    if [ -z "$record_id" ]; then
+      _err "Can not get record id to remove."
+      return 1
+    fi
+    if ! _porkbun_rest POST "dns/delete/$_domain/$record_id"; then
+      _err "Delete record error."
+      return 1
+    fi
+    echo "$response" | tr -d " " | grep '\"status\":"SUCCESS"' >/dev/null
+  fi
+
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+  domain=$1
+  i=1
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug h "$h"
+    if [ -z "$h" ]; then
+      return 1
+    fi
+
+    if _porkbun_rest POST "dns/retrieve/$h"; then
+      if _contains "$response" "\"status\":\"SUCCESS\""; then
+        _domain=$h
+        _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
+        return 0
+      else
+        _debug "Go to next level of $_domain"
+      fi
+    else
+      _debug "Go to next level of $_domain"
+    fi
+    i=$(_math "$i" + 1)
+  done
+
+  return 1
+}
+
+_porkbun_rest() {
+  m=$1
+  ep="$2"
+  data="$3"
+  _debug "$ep"
+
+  api_key_trimmed=$(echo "$PORKBUN_API_KEY" | tr -d '"')
+  secret_api_key_trimmed=$(echo "$PORKBUN_SECRET_API_KEY" | tr -d '"')
+
+  test -z "$data" && data="{" || data="$(echo $data | cut -d'}' -f1),"
+  data="$data\"apikey\":\"$api_key_trimmed\",\"secretapikey\":\"$secret_api_key_trimmed\"}"
+
+  export _H1="Content-Type: application/json"
+
+  if [ "$m" != "GET" ]; then
+    _debug data "$data"
+    response="$(_post "$data" "$PORKBUN_Api/$ep" "" "$m")"
+  else
+    response="$(_get "$PORKBUN_Api/$ep")"
+  fi
+
+  _sleep 3 # prevent rate limit
+
+  if [ "$?" != "0" ]; then
+    _err "error $ep"
+    return 1
+  fi
+  _debug2 response "$response"
+  return 0
+}

dnsapi/dns_rackcorp.sh

@@ -0,0 +1,156 @@
+#!/usr/bin/env sh
+
+# Provider: RackCorp (www.rackcorp.com)
+# Author: Stephen Dendtler (sdendtler@rackcorp.com)
+# Report Bugs here: https://github.com/senjoo/acme.sh
+# Alternate email contact: support@rackcorp.com
+#
+# You'll need an API key (Portal: ADMINISTRATION -> API)
+# Set the environment variables as below:
+#
+#    export RACKCORP_APIUUID="UUIDHERE"
+#    export RACKCORP_APISECRET="SECRETHERE"
+#
+
+RACKCORP_API_ENDPOINT="https://api.rackcorp.net/api/rest/v2.4/json.php"
+
+########  Public functions #####################
+
+dns_rackcorp_add() {
+  fulldomain="$1"
+  txtvalue="$2"
+
+  _debug fulldomain="$fulldomain"
+  _debug txtvalue="$txtvalue"
+
+  if ! _rackcorp_validate; then
+    return 1
+  fi
+
+  _debug "Searching for root zone"
+  if ! _get_root "$fulldomain"; then
+    return 1
+  fi
+  _debug _lookup "$_lookup"
+  _debug _domain "$_domain"
+
+  _info "Creating TXT record."
+
+  if ! _rackcorp_api dns.record.create "\"name\":\"$_domain\",\"type\":\"TXT\",\"lookup\":\"$_lookup\",\"data\":\"$txtvalue\",\"ttl\":300"; then
+    return 1
+  fi
+
+  return 0
+}
+
+#Usage: fulldomain txtvalue
+#Remove the txt record after validation.
+dns_rackcorp_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  _debug fulldomain="$fulldomain"
+  _debug txtvalue="$txtvalue"
+
+  if ! _rackcorp_validate; then
+    return 1
+  fi
+
+  _debug "Searching for root zone"
+  if ! _get_root "$fulldomain"; then
+    return 1
+  fi
+  _debug _lookup "$_lookup"
+  _debug _domain "$_domain"
+
+  _info "Creating TXT record."
+
+  if ! _rackcorp_api dns.record.delete "\"name\":\"$_domain\",\"type\":\"TXT\",\"lookup\":\"$_lookup\",\"data\":\"$txtvalue\""; then
+    return 1
+  fi
+
+  return 0
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.domain.com
+#returns
+# _lookup=_acme-challenge
+# _domain=domain.com
+_get_root() {
+  domain=$1
+  i=1
+  p=1
+  if ! _rackcorp_api dns.domain.getall "\"name\":\"$domain\""; then
+    return 1
+  fi
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug searchhost "$h"
+    if [ -z "$h" ]; then
+      _err "Could not find domain for record $domain in RackCorp using the provided credentials"
+      #not valid
+      return 1
+    fi
+
+    _rackcorp_api dns.domain.getall "\"exactName\":\"$h\""
+
+    if _contains "$response" "\"matches\":1"; then
+      if _contains "$response" "\"name\":\"$h\""; then
+        _lookup=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _domain="$h"
+        return 0
+      fi
+    fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+
+  return 1
+}
+
+_rackcorp_validate() {
+  RACKCORP_APIUUID="${RACKCORP_APIUUID:-$(_readaccountconf_mutable RACKCORP_APIUUID)}"
+  if [ -z "$RACKCORP_APIUUID" ]; then
+    RACKCORP_APIUUID=""
+    _err "You require a RackCorp API UUID (export RACKCORP_APIUUID=\"<api uuid>\")"
+    _err "Please login to the portal and create an API key and try again."
+    return 1
+  fi
+
+  _saveaccountconf_mutable RACKCORP_APIUUID "$RACKCORP_APIUUID"
+
+  RACKCORP_APISECRET="${RACKCORP_APISECRET:-$(_readaccountconf_mutable RACKCORP_APISECRET)}"
+  if [ -z "$RACKCORP_APISECRET" ]; then
+    RACKCORP_APISECRET=""
+    _err "You require a RackCorp API secret (export RACKCORP_APISECRET=\"<api secret>\")"
+    _err "Please login to the portal and create an API key and try again."
+    return 1
+  fi
+
+  _saveaccountconf_mutable RACKCORP_APISECRET "$RACKCORP_APISECRET"
+
+  return 0
+}
+_rackcorp_api() {
+  _rackcorpcmd=$1
+  _rackcorpinputdata=$2
+  _debug cmd "$_rackcorpcmd $_rackcorpinputdata"
+
+  export _H1="Accept: application/json"
+  response="$(_post "{\"APIUUID\":\"$RACKCORP_APIUUID\",\"APISECRET\":\"$RACKCORP_APISECRET\",\"cmd\":\"$_rackcorpcmd\",$_rackcorpinputdata}" "$RACKCORP_API_ENDPOINT" "" "POST")"
+
+  if [ "$?" != "0" ]; then
+    _err "error $response"
+    return 1
+  fi
+  _debug2 response "$response"
+  if _contains "$response" "\"code\":\"OK\""; then
+    _debug code "OK"
+  else
+    _debug code "FAILED"
+    response=""
+    return 1
+  fi
+  return 0
+}

dnsapi/dns_servercow.sh

@@ -49,16 +49,42 @@ dns_servercow_add() {
   _debug _sub_domain "$_sub_domain"
   _debug _domain "$_domain"
 
-  if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":20}"; then
-    if printf -- "%s" "$response" | grep "ok" >/dev/null; then
-      _info "Added, OK"
-      return 0
-    else
-      _err "add txt record error."
-      return 1
+  # check whether a txt record already exists for the subdomain
+  if printf -- "%s" "$response" | grep "{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\"" >/dev/null; then
+    _info "A txt record with the same name already exists."
+    # trim the string on the left
+    txtvalue_old=${response#*{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"}
+    # trim the string on the right
+    txtvalue_old=${txtvalue_old%%\"*}
+
+    _debug txtvalue_old "$txtvalue_old"
+
+    _info "Add the new txtvalue to the existing txt record."
+    if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":[\"$txtvalue\",\"$txtvalue_old\"],\"ttl\":20}"; then
+      if printf -- "%s" "$response" | grep "ok" >/dev/null; then
+        _info "Added additional txtvalue, OK"
+        return 0
+      else
+        _err "add txt record error."
+        return 1
+      fi
     fi
+    _err "add txt record error."
+    return 1
+  else
+    _info "There is no txt record with the name yet."
+    if _servercow_api POST "$_domain" "{\"type\":\"TXT\",\"name\":\"$fulldomain\",\"content\":\"$txtvalue\",\"ttl\":20}"; then
+      if printf -- "%s" "$response" | grep "ok" >/dev/null; then
+        _info "Added, OK"
+        return 0
+      else
+        _err "add txt record error."
+        return 1
+      fi
+    fi
+    _err "add txt record error."
+    return 1
   fi
-  _err "add txt record error."
 
   return 1
 }

dnsapi/dns_simply.sh

@@ -6,10 +6,12 @@
 #SIMPLY_ApiKey="apikey"
 #
 #SIMPLY_Api="https://api.simply.com/1/[ACCOUNTNAME]/[APIKEY]"
+SIMPLY_Api_Default="https://api.simply.com/1"
+
+#This is used for determining success of REST call
+SIMPLY_SUCCESS_CODE='"status": 200'
 
-SIMPLY_Api="https://api.simply.com/1"
 ########  Public functions #####################
-
 #Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_simply_add() {
   fulldomain=$1
@@ -26,24 +28,23 @@ dns_simply_add() {
     _err "invalid domain"
     return 1
   fi
-  
+
   _debug _sub_domain "$_sub_domain"
   _debug _domain "$_domain"
 
   _info "Adding record"
 
-  if ! _simply_add_record "$_domain" "$_sub_domain" "$txtvalue"; then  
+  if ! _simply_add_record "$_domain" "$_sub_domain" "$txtvalue"; then
     _err "Could not add DNS record"
     return 1
   fi
-  
   return 0
 }
 
 dns_simply_rm() {
   fulldomain=$1
   txtvalue=$2
-  
+
   if ! _simply_load_config; then
     return 1
   fi
@@ -51,7 +52,7 @@ dns_simply_rm() {
   _simply_save_config
 
   _debug "First detect the root zone"
-  
+
   if ! _get_root "$fulldomain"; then
     _err "invalid domain"
     return 1
@@ -59,52 +60,59 @@ dns_simply_rm() {
 
   _debug _sub_domain "$_sub_domain"
   _debug _domain "$_domain"
-  _debug "$txtvalue"
+  _debug txtvalue "$txtvalue"
+
+  _info "Getting all existing records"
 
-  _debug "Getting existing records"
-  
   if ! _simply_get_all_records "$_domain"; then
     _err "invalid domain"
     return 1
   fi
-  
-  records=$(echo "$response" | tr '{' "\n" | grep 'record_id\|type\|data\|\name' | sed 's/\"record_id/;\"record_id/')
-  record_array=(`echo $records |tr -d ' ' | tr ';' ' '`)
-  nr_of_deleted_records=0
 
-  for (( i=0; i<=${#record_array[@]}; i++ )); do
-  
-  record="${record_array[$i]}"
-  
-  if [[ "$record" == *"$txtvalue"* && "$record" == *"TXT"* ]]; then
-  
-    _info "Deleting record: $record"
-    
-    record_id=`echo $record | cut -d "," -f 1 | grep "record_id" | cut -d ":" -f 2`
-    
-    if [[ $record_id -gt 0 ]]; then
-      
-      if ! _simply_delete_record "$_domain" "$_sub_domain" "$record_id"; then
-        _err "Record with id $record_id could not be deleted"
-        return 1
+  records=$(echo "$response" | tr '{' "\n" | grep 'record_id\|type\|data\|\name' | sed 's/\"record_id/;\"record_id/' | tr "\n" ' ' | tr -d ' ' | tr ';' ' ')
+
+  nr_of_deleted_records=0
+  _info "Fetching txt record"
+
+  for record in $records; do
+    _debug record "$record"
+
+    record_data=$(echo "$record" | cut -d "," -f 3 | sed 's/"//g' | grep "data" | cut -d ":" -f 2)
+    record_type=$(echo "$record" | cut -d "," -f 4 | sed 's/"//g' | grep "type" | cut -d ":" -f 2)
+
+    _debug2 record_data "$record_data"
+    _debug2 record_type "$record_type"
+
+    if [ "$record_data" = "$txtvalue" ] && [ "$record_type" = "TXT" ]; then
+
+      record_id=$(echo "$record" | cut -d "," -f 1 | grep "record_id" | cut -d ":" -f 2)
+
+      _info "Deleting record $record"
+      _debug2 record_id "$record_id"
+
+      if [ "$record_id" -gt 0 ]; then
+
+        if ! _simply_delete_record "$_domain" "$_sub_domain" "$record_id"; then
+          _err "Record with id $record_id could not be deleted"
+          return 1
+        fi
+
+        nr_of_deleted_records=1
+        break
+      else
+        _err "Fetching record_id could not be done, this should not happen, exiting function. Failing record is $record"
+        break
       fi
-      
-      nr_of_deleted_records=1
-      break
-    else  
-      _err "Fetching record_id could not be done, this should not happen, exiting function. Failing record is $record"
-      break
     fi
-  fi
-  
+
   done
 
-  if [[ $nr_of_deleted_records -eq 0 ]]; then
-    _err "No record deleted, the DNS record needs to be removed manually." 
+  if [ "$nr_of_deleted_records" -eq 0 ]; then
+    _err "No record deleted, the DNS record needs to be removed manually."
   else
     _info "Deleted $nr_of_deleted_records record"
   fi
-  
+
   return 0
 }
 
@@ -118,7 +126,7 @@ _simply_load_config() {
   if [ -z "$SIMPLY_Api" ]; then
     SIMPLY_Api="$SIMPLY_Api_Default"
   fi
-  
+
   if [ -z "$SIMPLY_AccountName" ] || [ -z "$SIMPLY_ApiKey" ]; then
     SIMPLY_AccountName=""
     SIMPLY_ApiKey=""
@@ -141,8 +149,8 @@ _simply_save_config() {
 }
 
 _simply_get_all_records() {
-  domain=$1  
-      
+  domain=$1
+
   if ! _simply_rest GET "my/products/$domain/dns/records"; then
     return 1
   fi
@@ -165,7 +173,7 @@ _get_root() {
       return 1
     fi
 
-    if _contains "$response" '"code":"NOT_FOUND"'; then
+    if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
       _debug "$h not found"
     else
       _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
@@ -182,14 +190,20 @@ _simply_add_record() {
   domain=$1
   sub_domain=$2
   txtval=$3
-  
+
   data="{\"name\": \"$sub_domain\", \"type\":\"TXT\", \"data\": \"$txtval\", \"priority\":0, \"ttl\": 3600}"
 
   if ! _simply_rest POST "my/products/$domain/dns/records" "$data"; then
     _err "Adding record not successfull!"
     return 1
   fi
-  
+
+  if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
+    _err "Call to API not sucessfull, see below message for more details"
+    _err "$response"
+    return 1
+  fi
+
   return 0
 }
 
@@ -197,14 +211,20 @@ _simply_delete_record() {
   domain=$1
   sub_domain=$2
   record_id=$3
-  
-  _debug "Delete record with id $record_id"
-  
+
+  _debug record_id "Delete record with id $record_id"
+
   if ! _simply_rest DELETE "my/products/$domain/dns/records/$record_id"; then
     _err "Deleting record not successfull!"
     return 1
   fi
-  
+
+  if ! _contains "$response" "$SIMPLY_SUCCESS_CODE"; then
+    _err "Call to API not sucessfull, see below message for more details"
+    _err "$response"
+    return 1
+  fi
+
   return 0
 }
 
@@ -212,10 +232,10 @@ _simply_rest() {
   m=$1
   ep="$2"
   data="$3"
-    
-  _debug "Data: $data"
-  _debug "Methodcall: $ep"
-  _debug "Call type: $m"
+
+  _debug2 data "$data"
+  _debug2 ep "$ep"
+  _debug2 m "$m"
 
   export _H1="Content-Type: application/json"
 
@@ -229,12 +249,13 @@ _simply_rest() {
     _err "error $ep"
     return 1
   fi
-  
+
   _debug2 response "$response"
-  
+
   if _contains "$response" "Invalid account authorization"; then
     _err "It seems that your api key or accountnumber is not correct."
     return 1
   fi
+
   return 0
 }

dnsapi/dns_websupport.sh

@@ -0,0 +1,207 @@
+#!/usr/bin/env sh
+
+# Acme.sh DNS API wrapper for websupport.sk
+#
+# Original author: trgo.sk (https://github.com/trgosk)
+# Tweaks by: akulumbeg (https://github.com/akulumbeg)
+# Report Bugs here: https://github.com/akulumbeg/acme.sh
+
+# Requirements: API Key and Secret from https://admin.websupport.sk/en/auth/apiKey
+#
+# WS_ApiKey="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+# (called "Identifier" in the WS Admin)
+#
+# WS_ApiSecret="xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+# (called "Secret key" in the WS Admin)
+
+WS_Api="https://rest.websupport.sk"
+
+########  Public functions #####################
+
+dns_websupport_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  WS_ApiKey="${WS_ApiKey:-$(_readaccountconf_mutable WS_ApiKey)}"
+  WS_ApiSecret="${WS_ApiSecret:-$(_readaccountconf_mutable WS_ApiSecret)}"
+
+  if [ "$WS_ApiKey" ] && [ "$WS_ApiSecret" ]; then
+    _saveaccountconf_mutable WS_ApiKey "$WS_ApiKey"
+    _saveaccountconf_mutable WS_ApiSecret "$WS_ApiSecret"
+  else
+    WS_ApiKey=""
+    WS_ApiSecret=""
+    _err "You did not specify the API Key and/or API Secret"
+    _err "You can get the API login credentials from https://admin.websupport.sk/en/auth/apiKey"
+    return 1
+  fi
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
+  # we can not use updating anymore.
+  #  count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
+  #  _debug count "$count"
+  #  if [ "$count" = "0" ]; then
+  _info "Adding record"
+  if _ws_rest POST "/v1/user/self/zone/$_domain/record" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":120}"; then
+    if _contains "$response" "$txtvalue"; then
+      _info "Added, OK"
+      return 0
+    elif _contains "$response" "The record already exists"; then
+      _info "Already exists, OK"
+      return 0
+    else
+      _err "Add txt record error."
+      return 1
+    fi
+  fi
+  _err "Add txt record error."
+  return 1
+
+}
+
+dns_websupport_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  _debug2 fulldomain "$fulldomain"
+  _debug2 txtvalue "$txtvalue"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _debug "Getting txt records"
+  _ws_rest GET "/v1/user/self/zone/$_domain/record"
+
+  if [ "$(printf "%s" "$response" | tr -d " " | grep -c \"items\")" -lt "1" ]; then
+    _err "Error: $response"
+    return 1
+  fi
+
+  record_line="$(_get_from_array "$response" "$txtvalue")"
+  _debug record_line "$record_line"
+  if [ -z "$record_line" ]; then
+    _info "Don't need to remove."
+  else
+    record_id=$(echo "$record_line" | _egrep_o "\"id\": *[^,]*" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")
+    _debug "record_id" "$record_id"
+    if [ -z "$record_id" ]; then
+      _err "Can not get record id to remove."
+      return 1
+    fi
+    if ! _ws_rest DELETE "/v1/user/self/zone/$_domain/record/$record_id"; then
+      _err "Delete record error."
+      return 1
+    fi
+    if [ "$(printf "%s" "$response" | tr -d " " | grep -c \"success\")" -lt "1" ]; then
+      return 1
+    else
+      return 0
+    fi
+  fi
+
+}
+
+####################  Private Functions ##################################
+
+_get_root() {
+  domain=$1
+  i=1
+  p=1
+
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug h "$h"
+    if [ -z "$h" ]; then
+      #not valid
+      return 1
+    fi
+
+    if ! _ws_rest GET "/v1/user/self/zone"; then
+      return 1
+    fi
+
+    if _contains "$response" "\"name\":\"$h\""; then
+      _domain_id=$(echo "$response" | _egrep_o "\[.\"id\": *[^,]*" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")
+      if [ "$_domain_id" ]; then
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _domain=$h
+        return 0
+      fi
+      return 1
+    fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+  return 1
+}
+
+_ws_rest() {
+  me=$1
+  pa="$2"
+  da="$3"
+
+  _debug2 api_key "$WS_ApiKey"
+  _debug2 api_secret "$WS_ApiSecret"
+
+  timestamp=$(_time)
+  datez="$(_utc_date | sed "s/ /T/" | sed "s/$/+0000/")"
+  canonical_request="${me} ${pa} ${timestamp}"
+  signature_hash=$(printf "%s" "$canonical_request" | _hmac sha1 "$(printf "%s" "$WS_ApiSecret" | _hex_dump | tr -d " ")" hex)
+  basicauth="$(printf "%s:%s" "$WS_ApiKey" "$signature_hash" | _base64)"
+
+  _debug2 method "$me"
+  _debug2 path "$pa"
+  _debug2 data "$da"
+  _debug2 timestamp "$timestamp"
+  _debug2 datez "$datez"
+  _debug2 canonical_request "$canonical_request"
+  _debug2 signature_hash "$signature_hash"
+  _debug2 basicauth "$basicauth"
+
+  export _H1="Accept: application/json"
+  export _H2="Content-Type: application/json"
+  export _H3="Authorization: Basic ${basicauth}"
+  export _H4="Date: ${datez}"
+
+  _debug2 H1 "$_H1"
+  _debug2 H2 "$_H2"
+  _debug2 H3 "$_H3"
+  _debug2 H4 "$_H4"
+
+  if [ "$me" != "GET" ]; then
+    _debug2 "${me} $WS_Api${pa}"
+    _debug data "$da"
+    response="$(_post "$da" "${WS_Api}${pa}" "" "$me")"
+  else
+    _debug2 "GET $WS_Api${pa}"
+    response="$(_get "$WS_Api${pa}")"
+  fi
+
+  _debug2 response "$response"
+  return "$?"
+}
+
+_get_from_array() {
+  va="$1"
+  fi="$2"
+  for i in $(echo "$va" | sed "s/{/ /g"); do
+    if _contains "$i" "$fi"; then
+      echo "$i"
+      break
+    fi
+  done
+}

notify/mail.sh

@@ -79,7 +79,7 @@ mail_send() {
 _mail_bin() {
   _MAIL_BIN=""
 
-  for b in "$MAIL_BIN" sendmail ssmtp mutt mail msmtp; do
+  for b in $MAIL_BIN sendmail ssmtp mutt mail msmtp; do
     if _exists "$b"; then
       _MAIL_BIN="$b"
       break

notify/smtp.sh

@@ -2,14 +2,398 @@
 
 # support smtp
 
-smtp_send() {
-  _subject="$1"
-  _content="$2"
-  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
-  _debug "_subject" "$_subject"
-  _debug "_content" "$_content"
-  _debug "_statusCode" "$_statusCode"
+# Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3358
 
-  _err "Not implemented yet."
-  return 1
+# This implementation uses either curl or Python (3 or 2.7).
+# (See also the "mail" notify hook, which supports other ways to send mail.)
+
+# SMTP_FROM="from@example.com"  # required
+# SMTP_TO="to@example.com"  # required
+# SMTP_HOST="smtp.example.com"  # required
+# SMTP_PORT="25"  # defaults to 25, 465 or 587 depending on SMTP_SECURE
+# SMTP_SECURE="tls"  # one of "none", "ssl" (implicit TLS, TLS Wrapper), "tls" (explicit TLS, STARTTLS)
+# SMTP_USERNAME=""  # set if SMTP server requires login
+# SMTP_PASSWORD=""  # set if SMTP server requires login
+# SMTP_TIMEOUT="30"  # seconds for SMTP operations to timeout
+# SMTP_BIN="/path/to/python_or_curl"  # default finds first of python3, python2.7, python, pypy3, pypy, curl on PATH
+
+SMTP_SECURE_DEFAULT="tls"
+SMTP_TIMEOUT_DEFAULT="30"
+
+# subject content statuscode
+smtp_send() {
+  SMTP_SUBJECT="$1"
+  SMTP_CONTENT="$2"
+  # UNUSED: _statusCode="$3" # 0: success, 1: error 2($RENEW_SKIP): skipped
+
+  # Load and validate config:
+  SMTP_BIN="$(_readaccountconf_mutable_default SMTP_BIN)"
+  if [ -n "$SMTP_BIN" ] && ! _exists "$SMTP_BIN"; then
+    _err "SMTP_BIN '$SMTP_BIN' does not exist."
+    return 1
+  fi
+  if [ -z "$SMTP_BIN" ]; then
+    # Look for a command that can communicate with an SMTP server.
+    # (Please don't add sendmail, ssmtp, mutt, mail, or msmtp here.
+    # Those are already handled by the "mail" notify hook.)
+    for cmd in python3 python2.7 python pypy3 pypy curl; do
+      if _exists "$cmd"; then
+        SMTP_BIN="$cmd"
+        break
+      fi
+    done
+    if [ -z "$SMTP_BIN" ]; then
+      _err "The smtp notify-hook requires curl or Python, but can't find any."
+      _err 'If you have one of them, define SMTP_BIN="/path/to/curl_or_python".'
+      _err 'Otherwise, see if you can use the "mail" notify-hook instead.'
+      return 1
+    fi
+  fi
+  _debug SMTP_BIN "$SMTP_BIN"
+  _saveaccountconf_mutable_default SMTP_BIN "$SMTP_BIN"
+
+  SMTP_FROM="$(_readaccountconf_mutable_default SMTP_FROM)"
+  SMTP_FROM="$(_clean_email_header "$SMTP_FROM")"
+  if [ -z "$SMTP_FROM" ]; then
+    _err "You must define SMTP_FROM as the sender email address."
+    return 1
+  fi
+  if _email_has_display_name "$SMTP_FROM"; then
+    _err "SMTP_FROM must be only a simple email address (sender@example.com)."
+    _err "Change your SMTP_FROM='$SMTP_FROM' to remove the display name."
+    return 1
+  fi
+  _debug SMTP_FROM "$SMTP_FROM"
+  _saveaccountconf_mutable_default SMTP_FROM "$SMTP_FROM"
+
+  SMTP_TO="$(_readaccountconf_mutable_default SMTP_TO)"
+  SMTP_TO="$(_clean_email_header "$SMTP_TO")"
+  if [ -z "$SMTP_TO" ]; then
+    _err "You must define SMTP_TO as the recipient email address(es)."
+    return 1
+  fi
+  if _email_has_display_name "$SMTP_TO"; then
+    _err "SMTP_TO must be only simple email addresses (to@example.com,to2@example.com)."
+    _err "Change your SMTP_TO='$SMTP_TO' to remove the display name(s)."
+    return 1
+  fi
+  _debug SMTP_TO "$SMTP_TO"
+  _saveaccountconf_mutable_default SMTP_TO "$SMTP_TO"
+
+  SMTP_HOST="$(_readaccountconf_mutable_default SMTP_HOST)"
+  if [ -z "$SMTP_HOST" ]; then
+    _err "You must define SMTP_HOST as the SMTP server hostname."
+    return 1
+  fi
+  _debug SMTP_HOST "$SMTP_HOST"
+  _saveaccountconf_mutable_default SMTP_HOST "$SMTP_HOST"
+
+  SMTP_SECURE="$(_readaccountconf_mutable_default SMTP_SECURE "$SMTP_SECURE_DEFAULT")"
+  case "$SMTP_SECURE" in
+  "none") smtp_port_default="25" ;;
+  "ssl") smtp_port_default="465" ;;
+  "tls") smtp_port_default="587" ;;
+  *)
+    _err "Invalid SMTP_SECURE='$SMTP_SECURE'. It must be 'ssl', 'tls' or 'none'."
+    return 1
+    ;;
+  esac
+  _debug SMTP_SECURE "$SMTP_SECURE"
+  _saveaccountconf_mutable_default SMTP_SECURE "$SMTP_SECURE" "$SMTP_SECURE_DEFAULT"
+
+  SMTP_PORT="$(_readaccountconf_mutable_default SMTP_PORT "$smtp_port_default")"
+  case "$SMTP_PORT" in
+  *[!0-9]*)
+    _err "Invalid SMTP_PORT='$SMTP_PORT'. It must be a port number."
+    return 1
+    ;;
+  esac
+  _debug SMTP_PORT "$SMTP_PORT"
+  _saveaccountconf_mutable_default SMTP_PORT "$SMTP_PORT" "$smtp_port_default"
+
+  SMTP_USERNAME="$(_readaccountconf_mutable_default SMTP_USERNAME)"
+  _debug SMTP_USERNAME "$SMTP_USERNAME"
+  _saveaccountconf_mutable_default SMTP_USERNAME "$SMTP_USERNAME"
+
+  SMTP_PASSWORD="$(_readaccountconf_mutable_default SMTP_PASSWORD)"
+  _secure_debug SMTP_PASSWORD "$SMTP_PASSWORD"
+  _saveaccountconf_mutable_default SMTP_PASSWORD "$SMTP_PASSWORD"
+
+  SMTP_TIMEOUT="$(_readaccountconf_mutable_default SMTP_TIMEOUT "$SMTP_TIMEOUT_DEFAULT")"
+  _debug SMTP_TIMEOUT "$SMTP_TIMEOUT"
+  _saveaccountconf_mutable_default SMTP_TIMEOUT "$SMTP_TIMEOUT" "$SMTP_TIMEOUT_DEFAULT"
+
+  SMTP_X_MAILER="$(_clean_email_header "$PROJECT_NAME $VER --notify-hook smtp")"
+
+  # Run with --debug 2 (or above) to echo the transcript of the SMTP session.
+  # Careful: this may include SMTP_PASSWORD in plaintext!
+  if [ "${DEBUG:-$DEBUG_LEVEL_NONE}" -ge "$DEBUG_LEVEL_2" ]; then
+    SMTP_SHOW_TRANSCRIPT="True"
+  else
+    SMTP_SHOW_TRANSCRIPT=""
+  fi
+
+  SMTP_SUBJECT=$(_clean_email_header "$SMTP_SUBJECT")
+  _debug SMTP_SUBJECT "$SMTP_SUBJECT"
+  _debug SMTP_CONTENT "$SMTP_CONTENT"
+
+  # Send the message:
+  case "$(basename "$SMTP_BIN")" in
+  curl) _smtp_send=_smtp_send_curl ;;
+  py*) _smtp_send=_smtp_send_python ;;
+  *)
+    _err "Can't figure out how to invoke '$SMTP_BIN'."
+    _err "Check your SMTP_BIN setting."
+    return 1
+    ;;
+  esac
+
+  if ! smtp_output="$($_smtp_send)"; then
+    _err "Error sending message with $SMTP_BIN."
+    if [ -n "$smtp_output" ]; then
+      _err "$smtp_output"
+    fi
+    return 1
+  fi
+
+  return 0
+}
+
+# Strip CR and NL from text to prevent MIME header injection
+# text
+_clean_email_header() {
+  printf "%s" "$(echo "$1" | tr -d "\r\n")"
+}
+
+# Simple check for display name in an email address (< > or ")
+# email
+_email_has_display_name() {
+  _email="$1"
+  expr "$_email" : '^.*[<>"]' >/dev/null
+}
+
+##
+## curl smtp sending
+##
+
+# Send the message via curl using SMTP_* variables
+_smtp_send_curl() {
+  # Build curl args in $@
+  case "$SMTP_SECURE" in
+  none)
+    set -- --url "smtp://${SMTP_HOST}:${SMTP_PORT}"
+    ;;
+  ssl)
+    set -- --url "smtps://${SMTP_HOST}:${SMTP_PORT}"
+    ;;
+  tls)
+    set -- --url "smtp://${SMTP_HOST}:${SMTP_PORT}" --ssl-reqd
+    ;;
+  *)
+    # This will only occur if someone adds a new SMTP_SECURE option above
+    # without updating this code for it.
+    _err "Unhandled SMTP_SECURE='$SMTP_SECURE' in _smtp_send_curl"
+    _err "Please re-run with --debug and report a bug."
+    return 1
+    ;;
+  esac
+
+  set -- "$@" \
+    --upload-file - \
+    --mail-from "$SMTP_FROM" \
+    --max-time "$SMTP_TIMEOUT"
+
+  # Burst comma-separated $SMTP_TO into individual --mail-rcpt args.
+  _to="${SMTP_TO},"
+  while [ -n "$_to" ]; do
+    _rcpt="${_to%%,*}"
+    _to="${_to#*,}"
+    set -- "$@" --mail-rcpt "$_rcpt"
+  done
+
+  _smtp_login="${SMTP_USERNAME}:${SMTP_PASSWORD}"
+  if [ "$_smtp_login" != ":" ]; then
+    set -- "$@" --user "$_smtp_login"
+  fi
+
+  if [ "$SMTP_SHOW_TRANSCRIPT" = "True" ]; then
+    set -- "$@" --verbose
+  else
+    set -- "$@" --silent --show-error
+  fi
+
+  raw_message="$(_smtp_raw_message)"
+
+  _debug2 "curl command:" "$SMTP_BIN" "$*"
+  _debug2 "raw_message:\n$raw_message"
+
+  echo "$raw_message" | "$SMTP_BIN" "$@"
+}
+
+# Output an RFC-822 / RFC-5322 email message using SMTP_* variables.
+# (This assumes variables have already been cleaned for use in email headers.)
+_smtp_raw_message() {
+  echo "From: $SMTP_FROM"
+  echo "To: $SMTP_TO"
+  echo "Subject: $(_mime_encoded_word "$SMTP_SUBJECT")"
+  echo "Date: $(_rfc2822_date)"
+  echo "Content-Type: text/plain; charset=utf-8"
+  echo "X-Mailer: $SMTP_X_MAILER"
+  echo
+  echo "$SMTP_CONTENT"
+}
+
+# Convert text to RFC-2047 MIME "encoded word" format if it contains non-ASCII chars
+# text
+_mime_encoded_word() {
+  _text="$1"
+  # (regex character ranges like [a-z] can be locale-dependent; enumerate ASCII chars to avoid that)
+  _ascii='] $`"'"[!#%&'()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ~^_abcdefghijklmnopqrstuvwxyz{|}~-"
+  if expr "$_text" : "^.*[^$_ascii]" >/dev/null; then
+    # At least one non-ASCII char; convert entire thing to encoded word
+    printf "%s" "=?UTF-8?B?$(printf "%s" "$_text" | _base64)?="
+  else
+    # Just printable ASCII, no conversion needed
+    printf "%s" "$_text"
+  fi
+}
+
+# Output current date in RFC-2822 Section 3.3 format as required in email headers
+# (e.g., "Mon, 15 Feb 2021 14:22:01 -0800")
+_rfc2822_date() {
+  # Notes:
+  #   - this is deliberately not UTC, because it "SHOULD express local time" per spec
+  #   - the spec requires weekday and month in the C locale (English), not localized
+  #   - this date format specifier has been tested on Linux, Mac, Solaris and FreeBSD
+  _old_lc_time="$LC_TIME"
+  LC_TIME=C
+  date +'%a, %-d %b %Y %H:%M:%S %z'
+  LC_TIME="$_old_lc_time"
+}
+
+##
+## Python smtp sending
+##
+
+# Send the message via Python using SMTP_* variables
+_smtp_send_python() {
+  _debug "Python version" "$("$SMTP_BIN" --version 2>&1)"
+
+  # language=Python
+  "$SMTP_BIN" <<PYTHON
+# This code is meant to work with either Python 2.7.x or Python 3.4+.
+try:
+    try:
+        from email.message import EmailMessage
+        from email.policy import default as email_policy_default
+    except ImportError:
+        # Python 2 (or < 3.3)
+        from email.mime.text import MIMEText as EmailMessage
+        email_policy_default = None
+    from email.utils import formatdate as rfc2822_date
+    from smtplib import SMTP, SMTP_SSL, SMTPException
+    from socket import error as SocketError
+except ImportError as err:
+    print("A required Python standard package is missing. This system may have"
+          " a reduced version of Python unsuitable for sending mail: %s" % err)
+    exit(1)
+
+show_transcript = """$SMTP_SHOW_TRANSCRIPT""" == "True"
+
+smtp_host = """$SMTP_HOST"""
+smtp_port = int("""$SMTP_PORT""")
+smtp_secure = """$SMTP_SECURE"""
+username = """$SMTP_USERNAME"""
+password = """$SMTP_PASSWORD"""
+timeout=int("""$SMTP_TIMEOUT""")  # seconds
+x_mailer="""$SMTP_X_MAILER"""
+
+from_email="""$SMTP_FROM"""
+to_emails="""$SMTP_TO"""  # can be comma-separated
+subject="""$SMTP_SUBJECT"""
+content="""$SMTP_CONTENT"""
+
+try:
+    msg = EmailMessage(policy=email_policy_default)
+    msg.set_content(content)
+except (AttributeError, TypeError):
+    # Python 2 MIMEText
+    msg = EmailMessage(content)
+msg["Subject"] = subject
+msg["From"] = from_email
+msg["To"] = to_emails
+msg["Date"] = rfc2822_date(localtime=True)
+msg["X-Mailer"] = x_mailer
+
+smtp = None
+try:
+    if smtp_secure == "ssl":
+        smtp = SMTP_SSL(smtp_host, smtp_port, timeout=timeout)
+    else:
+        smtp = SMTP(smtp_host, smtp_port, timeout=timeout)
+    smtp.set_debuglevel(show_transcript)
+    if smtp_secure == "tls":
+        smtp.starttls()
+    if username or password:
+        smtp.login(username, password)
+    smtp.sendmail(msg["From"], msg["To"].split(","), msg.as_string())
+
+except SMTPException as err:
+    # Output just the error (skip the Python stack trace) for SMTP errors
+    print("Error sending: %r" % err)
+    exit(1)
+
+except SocketError as err:
+    print("Error connecting to %s:%d: %r" % (smtp_host, smtp_port, err))
+    exit(1)
+
+finally:
+    if smtp is not None:
+        smtp.quit()
+PYTHON
+}
+
+##
+## Conf helpers
+##
+
+#_readaccountconf_mutable_default name default_value
+# Given a name like MY_CONF:
+#   - if MY_CONF is set and non-empty, output $MY_CONF
+#   - if MY_CONF is set _empty_, output $default_value
+#     (lets user `export MY_CONF=` to clear previous saved value
+#     and return to default, without user having to know default)
+#   - otherwise if _readaccountconf_mutable MY_CONF is non-empty, return that
+#     (value of SAVED_MY_CONF from account.conf)
+#   - otherwise output $default_value
+_readaccountconf_mutable_default() {
+  _name="$1"
+  _default_value="$2"
+
+  eval "_value=\"\$$_name\""
+  eval "_name_is_set=\"\${${_name}+true}\""
+  # ($_name_is_set is "true" if $$_name is set to anything, including empty)
+  if [ -z "${_value}" ] && [ "${_name_is_set:-}" != "true" ]; then
+    _value="$(_readaccountconf_mutable "$_name")"
+  fi
+  if [ -z "${_value}" ]; then
+    _value="$_default_value"
+  fi
+  printf "%s" "$_value"
+}
+
+#_saveaccountconf_mutable_default name value default_value base64encode
+# Like _saveaccountconf_mutable, but if value is default_value
+# then _clearaccountconf_mutable instead
+_saveaccountconf_mutable_default() {
+  _name="$1"
+  _value="$2"
+  _default_value="$3"
+  _base64encode="$4"
+
+  if [ "$_value" != "$_default_value" ]; then
+    _saveaccountconf_mutable "$_name" "$_value" "$_base64encode"
+  else
+    _clearaccountconf_mutable "$_name"
+  fi
 }

notify/telegram.sh

@@ -0,0 +1,52 @@
+#!/usr/bin/env sh
+
+#Support Telegram Bots
+
+#TELEGRAM_BOT_APITOKEN=""
+#TELEGRAM_BOT_CHATID=""
+
+telegram_send() {
+  _subject="$1"
+  _content="$2"
+  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+  _debug "_statusCode" "$_statusCode"
+
+  TELEGRAM_BOT_APITOKEN="${TELEGRAM_BOT_APITOKEN:-$(_readaccountconf_mutable TELEGRAM_BOT_APITOKEN)}"
+  if [ -z "$TELEGRAM_BOT_APITOKEN" ]; then
+    TELEGRAM_BOT_APITOKEN=""
+    _err "You didn't specify a Telegram BOT API Token TELEGRAM_BOT_APITOKEN yet."
+    return 1
+  fi
+  _saveaccountconf_mutable TELEGRAM_BOT_APITOKEN "$TELEGRAM_BOT_APITOKEN"
+
+  TELEGRAM_BOT_CHATID="${TELEGRAM_BOT_CHATID:-$(_readaccountconf_mutable TELEGRAM_BOT_CHATID)}"
+  if [ -z "$TELEGRAM_BOT_CHATID" ]; then
+    TELEGRAM_BOT_CHATID=""
+    _err "You didn't specify a Telegram Chat id TELEGRAM_BOT_CHATID yet."
+    return 1
+  fi
+  _saveaccountconf_mutable TELEGRAM_BOT_CHATID "$TELEGRAM_BOT_CHATID"
+
+  _content="$(printf "%s" "$_content" | sed -e 's/*/\\\\*/')"
+  _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)"
+  _data="{\"text\": \"$_content\", "
+  _data="$_data\"chat_id\": \"$TELEGRAM_BOT_CHATID\", "
+  _data="$_data\"parse_mode\": \"markdown\", "
+  _data="$_data\"disable_web_page_preview\": \"1\"}"
+
+  _debug "$_data"
+
+  export _H1="Content-Type: application/json"
+  _telegram_bot_url="https://api.telegram.org/bot${TELEGRAM_BOT_APITOKEN}/sendMessage"
+  if _post "$_data" "$_telegram_bot_url" >/dev/null; then
+    # shellcheck disable=SC2154
+    _message=$(printf "%s\n" "$response" | sed -n 's/.*"ok":\([^,]*\).*/\1/p')
+    if [ "$_message" = "true" ]; then
+      _info "telegram send success."
+      return 0
+    fi
+  fi
+  _err "telegram send error."
+  _err "$response"
+  return 1
+}