Merge pull request #4820 from acmesh-official/dev

sync
Merge pull request #4809 from winromulus/dev
2025-11-24 09:49:50 +08:00 · 2023-10-05 13:25:27 +08:00 · 2023-09-26 09:23:43 +08:00 · 2023-09-25 18:43:01 +03:00 · 2023-09-24 17:03:38 +08:00 · 2023-09-20 18:07:16 +08:00
95 changed files with 5782 additions and 1271 deletions
--- a/.github/workflows/DNS.yml
+++ b/.github/workflows/DNS.yml
@@ -1,254 +1,465 @@
-name: DNS
-on:
-  push:
-    paths:
-      - 'dnsapi/*.sh'
-      - '.github/workflows/DNS.yml'
-  pull_request:
-    branches:
-      - 'dev'
-    paths:
-      - 'dnsapi/*.sh'
-      - '.github/workflows/DNS.yml'
-
-
-jobs:
-  CheckToken:
-    runs-on: ubuntu-latest
-    outputs:
-      hasToken: ${{ steps.step_one.outputs.hasToken }}
-    steps:
-      - name: Set the value
-        id: step_one
-        run: |
-          if [ "${{secrets.TokenName1}}" ] ; then
-            echo "::set-output name=hasToken::true"
-          else
-            echo "::set-output name=hasToken::false"
-          fi
-      - name: Check the value
-        run: echo ${{ steps.step_one.outputs.hasToken }}
-
-  Fail:
-    runs-on: ubuntu-latest
-    needs: CheckToken
-    if: "contains(needs.CheckToken.outputs.hasToken, 'false')"
-    steps:
-    - name: "Read this:   https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
-      run: |
-        echo "Read this:   https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
-        if [ "${{github.repository_owner}}" != "acmesh-official" ]; then
-          false
-        fi
-
-  Docker:
-    runs-on: ubuntu-latest
-    needs: CheckToken
-    if: "contains(needs.CheckToken.outputs.hasToken, 'true')"
-    env:
-      TEST_DNS : ${{ secrets.TEST_DNS }}
-      TestingDomain: ${{ secrets.TestingDomain }}
-      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
-      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
-      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
-      CASE: le_test_dnsapi
-      TEST_LOCAL: 1
-      DEBUG: 1
-    steps:
-    - uses: actions/checkout@v2
-    - name: Clone acmetest
-      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - name: Set env file
-      run: |
-        cd ../acmetest
-        if [ "${{ secrets.TokenName1}}" ] ; then
-          echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> docker.env
-        fi
-        if [ "${{ secrets.TokenName2}}" ] ; then
-          echo "${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}" >> docker.env
-        fi
-        if [ "${{ secrets.TokenName3}}" ] ; then
-          echo "${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}" >> docker.env
-        fi
-        if [ "${{ secrets.TokenName4}}" ] ; then
-          echo "${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}" >> docker.env
-        fi
-        if [ "${{ secrets.TokenName5}}" ] ; then
-          echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> docker.env
-        fi
-        echo "TEST_DNS_NO_WILDCARD" >> docker.env
-        echo "TEST_DNS_SLEEP" >> docker.env
-    - name: Run acmetest
-      run: cd ../acmetest && ./rundocker.sh  testall
-
-  MacOS:
-    runs-on: macos-latest
-    needs: Docker
-    env:
-      TEST_DNS : ${{ secrets.TEST_DNS }}
-      TestingDomain: ${{ secrets.TestingDomain }}
-      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
-      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
-      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
-      CASE: le_test_dnsapi
-      TEST_LOCAL: 1
-      DEBUG: 1
-    steps:
-    - uses: actions/checkout@v2
-    - name: Install tools
-      run:  brew install socat
-    - name: Clone acmetest
-      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - name: Run acmetest
-      run: |
-        if [ "${{ secrets.TokenName1}}" ] ; then
-          export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
-        fi
-        if [ "${{ secrets.TokenName2}}" ] ; then
-          export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
-        fi
-        if [ "${{ secrets.TokenName3}}" ] ; then
-          export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
-        fi
-        if [ "${{ secrets.TokenName4}}" ] ; then
-          export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
-        fi
-        if [ "${{ secrets.TokenName5}}" ] ; then
-          export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
-        fi
-        cd ../acmetest
-        ./letest.sh
-
-  Windows:
-    runs-on: windows-latest
-    needs: MacOS
-    env:
-      TEST_DNS : ${{ secrets.TEST_DNS }}
-      TestingDomain: ${{ secrets.TestingDomain }}
-      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
-      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
-      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
-      CASE: le_test_dnsapi
-      TEST_LOCAL: 1
-      DEBUG: 1
-    steps:
-    - name: Set git to use LF
-      run: |
-          git config --global core.autocrlf false
-    - uses: actions/checkout@v2
-    - name: Install cygwin base packages with chocolatey
-      run: |
-          choco config get cacheLocation
-          choco install --no-progress cygwin
-      shell: cmd
-    - name: Install cygwin additional packages
-      run: |
-          C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git
-      shell: cmd
-    - name: Set ENV
-      shell: cmd
-      run: |
-          echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV%
-    - name: Clone acmetest
-      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - name: Run acmetest
-      shell: bash
-      run: |
-        if [ "${{ secrets.TokenName1}}" ] ; then
-          export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
-        fi
-        if [ "${{ secrets.TokenName2}}" ] ; then
-          export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
-        fi
-        if [ "${{ secrets.TokenName3}}" ] ; then
-          export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
-        fi
-        if [ "${{ secrets.TokenName4}}" ] ; then
-          export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
-        fi
-        if [ "${{ secrets.TokenName5}}" ] ; then
-          export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
-        fi
-        cd ../acmetest
-        ./letest.sh
-
-  FreeBSD:
-    runs-on: macos-10.15
-    needs: Windows
-    env:
-      TEST_DNS : ${{ secrets.TEST_DNS }}
-      TestingDomain: ${{ secrets.TestingDomain }}
-      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
-      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
-      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
-      CASE: le_test_dnsapi
-      TEST_LOCAL: 1
-      DEBUG: 1
-    steps:
-    - uses: actions/checkout@v2
-    - name: Clone acmetest
-      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/freebsd-vm@v0.1.4
-      with:
-        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
-        prepare: pkg install -y socat curl
-        usesh: true
-        run: |
-          if [ "${{ secrets.TokenName1}}" ] ; then
-            export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
-          fi
-          if [ "${{ secrets.TokenName2}}" ] ; then
-            export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
-          fi
-          if [ "${{ secrets.TokenName3}}" ] ; then
-            export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
-          fi
-          if [ "${{ secrets.TokenName4}}" ] ; then
-            export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
-          fi
-          if [ "${{ secrets.TokenName5}}" ] ; then
-            export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
-          fi
-          cd ../acmetest
-          ./letest.sh
-
-  Solaris:
-    runs-on: macos-10.15
-    needs: FreeBSD
-    env:
-      TEST_DNS : ${{ secrets.TEST_DNS }}
-      TestingDomain: ${{ secrets.TestingDomain }}
-      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
-      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
-      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
-      CASE: le_test_dnsapi
-      TEST_LOCAL: 1
-      DEBUG: 1
-    steps:
-    - uses: actions/checkout@v2
-    - name: Clone acmetest
-      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/solaris-vm@v0.0.5
-      with:
-        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
-        prepare: pkgutil -y -i socat
-        run: |
-          pkg set-mediator -v -I default@1.1 openssl
-          export PATH=/usr/gnu/bin:$PATH
-          if [ "${{ secrets.TokenName1}}" ] ; then
-            export ${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}
-          fi
-          if [ "${{ secrets.TokenName2}}" ] ; then
-            export ${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}
-          fi
-          if [ "${{ secrets.TokenName3}}" ] ; then
-            export ${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}
-          fi
-          if [ "${{ secrets.TokenName4}}" ] ; then
-            export ${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}
-          fi
-          if [ "${{ secrets.TokenName5}}" ] ; then
-            export ${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}
-          fi
-          cd ../acmetest
-          ./letest.sh
+name: DNS
+on:
+  push:
+    paths:
+      - 'dnsapi/*.sh'
+      - '.github/workflows/DNS.yml'
+  pull_request:
+    branches:
+      - 'dev'
+    paths:
+      - 'dnsapi/*.sh'
+      - '.github/workflows/DNS.yml'
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  CheckToken:
+    runs-on: ubuntu-latest
+    outputs:
+      hasToken: ${{ steps.step_one.outputs.hasToken }}
+    steps:
+      - name: Set the value
+        id: step_one
+        run: |
+          if [ "${{secrets.TokenName1}}" ] ; then
+            echo "::set-output name=hasToken::true"
+          else
+            echo "::set-output name=hasToken::false"
+          fi
+      - name: Check the value
+        run: echo ${{ steps.step_one.outputs.hasToken }}
+
+  Fail:
+    runs-on: ubuntu-latest
+    needs: CheckToken
+    if: "contains(needs.CheckToken.outputs.hasToken, 'false')"
+    steps:
+    - name: "Read this:   https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
+      run: |
+        echo "Read this:   https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Test"
+        if [ "${{github.repository_owner}}" != "acmesh-official" ]; then
+          false
+        fi
+
+  Docker:
+    runs-on: ubuntu-latest
+    needs: CheckToken
+    if: "contains(needs.CheckToken.outputs.hasToken, 'true')"
+    env:
+      TEST_DNS : ${{ secrets.TEST_DNS }}
+      TestingDomain: ${{ secrets.TestingDomain }}
+      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
+      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
+      CASE: le_test_dnsapi
+      TEST_LOCAL: 1
+      DEBUG: ${{ secrets.DEBUG }}
+      http_proxy: ${{ secrets.http_proxy }}
+      https_proxy: ${{ secrets.https_proxy }}
+      TokenName1: ${{ secrets.TokenName1}}
+      TokenName2: ${{ secrets.TokenName2}}
+      TokenName3: ${{ secrets.TokenName3}}
+      TokenName4: ${{ secrets.TokenName4}}
+      TokenName5: ${{ secrets.TokenName5}}
+    steps:
+    - uses: actions/checkout@v3
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - name: Set env file
+      run: |
+        cd ../acmetest
+        if [ "${{ secrets.TokenName1}}" ] ; then
+          echo "${{ secrets.TokenName1}}=${{ secrets.TokenValue1}}" >> docker.env
+        fi
+        if [ "${{ secrets.TokenName2}}" ] ; then
+          echo "${{ secrets.TokenName2}}=${{ secrets.TokenValue2}}" >> docker.env
+        fi
+        if [ "${{ secrets.TokenName3}}" ] ; then
+          echo "${{ secrets.TokenName3}}=${{ secrets.TokenValue3}}" >> docker.env
+        fi
+        if [ "${{ secrets.TokenName4}}" ] ; then
+          echo "${{ secrets.TokenName4}}=${{ secrets.TokenValue4}}" >> docker.env
+        fi
+        if [ "${{ secrets.TokenName5}}" ] ; then
+          echo "${{ secrets.TokenName5}}=${{ secrets.TokenValue5}}" >> docker.env
+        fi
+
+    - name: Run acmetest
+      run: cd ../acmetest && ./rundocker.sh  testall
+
+
+
+
+  MacOS:
+    runs-on: macos-latest
+    needs: Docker
+    env:
+      TEST_DNS : ${{ secrets.TEST_DNS }}
+      TestingDomain: ${{ secrets.TestingDomain }}
+      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
+      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
+      CASE: le_test_dnsapi
+      TEST_LOCAL: 1
+      DEBUG: ${{ secrets.DEBUG }}
+      http_proxy: ${{ secrets.http_proxy }}
+      https_proxy: ${{ secrets.https_proxy }}
+      TokenName1: ${{ secrets.TokenName1}}
+      TokenName2: ${{ secrets.TokenName2}}
+      TokenName3: ${{ secrets.TokenName3}}
+      TokenName4: ${{ secrets.TokenName4}}
+      TokenName5: ${{ secrets.TokenName5}}
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install tools
+      run:  brew install socat
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - name: Run acmetest
+      run: |
+        if [ "${{ secrets.TokenName1}}" ] ; then
+          export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
+        fi
+        if [ "${{ secrets.TokenName2}}" ] ; then
+          export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
+        fi
+        if [ "${{ secrets.TokenName3}}" ] ; then
+          export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
+        fi
+        if [ "${{ secrets.TokenName4}}" ] ; then
+          export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
+        fi
+        if [ "${{ secrets.TokenName5}}" ] ; then
+          export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
+        fi
+        cd ../acmetest
+        ./letest.sh
+
+
+
+
+  Windows:
+    runs-on: windows-latest
+    needs: MacOS
+    env:
+      TEST_DNS : ${{ secrets.TEST_DNS }}
+      TestingDomain: ${{ secrets.TestingDomain }}
+      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
+      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
+      CASE: le_test_dnsapi
+      TEST_LOCAL: 1
+      DEBUG: ${{ secrets.DEBUG }}
+      http_proxy: ${{ secrets.http_proxy }}
+      https_proxy: ${{ secrets.https_proxy }}
+      TokenName1: ${{ secrets.TokenName1}}
+      TokenName2: ${{ secrets.TokenName2}}
+      TokenName3: ${{ secrets.TokenName3}}
+      TokenName4: ${{ secrets.TokenName4}}
+      TokenName5: ${{ secrets.TokenName5}}
+    steps:
+    - name: Set git to use LF
+      run: |
+          git config --global core.autocrlf false
+    - uses: actions/checkout@v3
+    - name: Install cygwin base packages with chocolatey
+      run: |
+          choco config get cacheLocation
+          choco install --no-progress cygwin
+      shell: cmd
+    - name: Install cygwin additional packages
+      run: |
+          C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git
+      shell: cmd
+    - name: Set ENV
+      shell: cmd
+      run: |
+          echo PATH=C:\tools\cygwin\bin;C:\tools\cygwin\usr\bin >> %GITHUB_ENV%
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - name: Run acmetest
+      shell: bash
+      run: |
+        if [ "${{ secrets.TokenName1}}" ] ; then
+          export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
+        fi
+        if [ "${{ secrets.TokenName2}}" ] ; then
+          export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
+        fi
+        if [ "${{ secrets.TokenName3}}" ] ; then
+          export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
+        fi
+        if [ "${{ secrets.TokenName4}}" ] ; then
+          export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
+        fi
+        if [ "${{ secrets.TokenName5}}" ] ; then
+          export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
+        fi
+        cd ../acmetest
+        ./letest.sh
+
+
+
+  FreeBSD:
+    runs-on: macos-12
+    needs: Windows
+    env:
+      TEST_DNS : ${{ secrets.TEST_DNS }}
+      TestingDomain: ${{ secrets.TestingDomain }}
+      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
+      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
+      CASE: le_test_dnsapi
+      TEST_LOCAL: 1
+      DEBUG: ${{ secrets.DEBUG }}
+      http_proxy: ${{ secrets.http_proxy }}
+      https_proxy: ${{ secrets.https_proxy }}
+      TokenName1: ${{ secrets.TokenName1}}
+      TokenName2: ${{ secrets.TokenName2}}
+      TokenName3: ${{ secrets.TokenName3}}
+      TokenName4: ${{ secrets.TokenName4}}
+      TokenName5: ${{ secrets.TokenName5}}
+    steps:
+    - uses: actions/checkout@v3
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/freebsd-vm@v0
+      with:
+        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
+        prepare: pkg install -y socat curl
+        usesh: true
+        copyback: false
+        run: |
+          if [ "${{ secrets.TokenName1}}" ] ; then
+            export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
+          fi
+          if [ "${{ secrets.TokenName2}}" ] ; then
+            export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
+          fi
+          if [ "${{ secrets.TokenName3}}" ] ; then
+            export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
+          fi
+          if [ "${{ secrets.TokenName4}}" ] ; then
+            export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
+          fi
+          if [ "${{ secrets.TokenName5}}" ] ; then
+            export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
+          fi
+          cd ../acmetest
+          ./letest.sh
+
+
+
+
+  OpenBSD:
+    runs-on: macos-12
+    needs: FreeBSD
+    env:
+      TEST_DNS : ${{ secrets.TEST_DNS }}
+      TestingDomain: ${{ secrets.TestingDomain }}
+      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
+      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
+      CASE: le_test_dnsapi
+      TEST_LOCAL: 1
+      DEBUG: ${{ secrets.DEBUG }}
+      http_proxy: ${{ secrets.http_proxy }}
+      https_proxy: ${{ secrets.https_proxy }}
+      TokenName1: ${{ secrets.TokenName1}}
+      TokenName2: ${{ secrets.TokenName2}}
+      TokenName3: ${{ secrets.TokenName3}}
+      TokenName4: ${{ secrets.TokenName4}}
+      TokenName5: ${{ secrets.TokenName5}}
+    steps:
+    - uses: actions/checkout@v3
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/openbsd-vm@v0
+      with:
+        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
+        prepare: pkg_add socat curl
+        usesh: true
+        copyback: false
+        run: |
+          if [ "${{ secrets.TokenName1}}" ] ; then
+            export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
+          fi
+          if [ "${{ secrets.TokenName2}}" ] ; then
+            export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
+          fi
+          if [ "${{ secrets.TokenName3}}" ] ; then
+            export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
+          fi
+          if [ "${{ secrets.TokenName4}}" ] ; then
+            export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
+          fi
+          if [ "${{ secrets.TokenName5}}" ] ; then
+            export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
+          fi
+          cd ../acmetest
+          ./letest.sh
+
+
+
+
+  NetBSD:
+    runs-on: macos-12
+    needs: OpenBSD
+    env:
+      TEST_DNS : ${{ secrets.TEST_DNS }}
+      TestingDomain: ${{ secrets.TestingDomain }}
+      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
+      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
+      CASE: le_test_dnsapi
+      TEST_LOCAL: 1
+      DEBUG: ${{ secrets.DEBUG }}
+      http_proxy: ${{ secrets.http_proxy }}
+      https_proxy: ${{ secrets.https_proxy }}
+      TokenName1: ${{ secrets.TokenName1}}
+      TokenName2: ${{ secrets.TokenName2}}
+      TokenName3: ${{ secrets.TokenName3}}
+      TokenName4: ${{ secrets.TokenName4}}
+      TokenName5: ${{ secrets.TokenName5}}
+    steps:
+    - uses: actions/checkout@v3
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/netbsd-vm@v0
+      with:
+        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
+        prepare: |
+          pkg_add curl socat
+        usesh: true
+        copyback: false
+        run: |
+          if [ "${{ secrets.TokenName1}}" ] ; then
+            export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
+          fi
+          if [ "${{ secrets.TokenName2}}" ] ; then
+            export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
+          fi
+          if [ "${{ secrets.TokenName3}}" ] ; then
+            export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
+          fi
+          if [ "${{ secrets.TokenName4}}" ] ; then
+            export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
+          fi
+          if [ "${{ secrets.TokenName5}}" ] ; then
+            export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
+          fi
+          cd ../acmetest
+          ./letest.sh
+
+
+
+
+  DragonFlyBSD:
+    runs-on: macos-12
+    needs: NetBSD
+    env:
+      TEST_DNS : ${{ secrets.TEST_DNS }}
+      TestingDomain: ${{ secrets.TestingDomain }}
+      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
+      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
+      CASE: le_test_dnsapi
+      TEST_LOCAL: 1
+      DEBUG: ${{ secrets.DEBUG }}
+      http_proxy: ${{ secrets.http_proxy }}
+      https_proxy: ${{ secrets.https_proxy }}
+      TokenName1: ${{ secrets.TokenName1}}
+      TokenName2: ${{ secrets.TokenName2}}
+      TokenName3: ${{ secrets.TokenName3}}
+      TokenName4: ${{ secrets.TokenName4}}
+      TokenName5: ${{ secrets.TokenName5}}
+    steps:
+    - uses: actions/checkout@v3
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/dragonflybsd-vm@v0
+      with:
+        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
+        prepare: |
+          pkg install -y curl socat libnghttp2
+        usesh: true
+        copyback: false
+        run: |
+          if [ "${{ secrets.TokenName1}}" ] ; then
+            export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
+          fi
+          if [ "${{ secrets.TokenName2}}" ] ; then
+            export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
+          fi
+          if [ "${{ secrets.TokenName3}}" ] ; then
+            export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
+          fi
+          if [ "${{ secrets.TokenName4}}" ] ; then
+            export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
+          fi
+          if [ "${{ secrets.TokenName5}}" ] ; then
+            export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
+          fi
+          cd ../acmetest
+          ./letest.sh
+
+
+
+
+
+
+
+  Solaris:
+    runs-on: macos-12
+    needs: DragonFlyBSD
+    env:
+      TEST_DNS : ${{ secrets.TEST_DNS }}
+      TestingDomain: ${{ secrets.TestingDomain }}
+      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
+      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
+      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
+      CASE: le_test_dnsapi
+      TEST_LOCAL: 1
+      DEBUG: ${{ secrets.DEBUG }}
+      http_proxy: ${{ secrets.http_proxy }}
+      https_proxy: ${{ secrets.https_proxy }}
+      HTTPS_INSECURE: 1 # always set to 1 to ignore https error, since Solaris doesn't accept the expired ISRG X1 root
+      TokenName1: ${{ secrets.TokenName1}}
+      TokenName2: ${{ secrets.TokenName2}}
+      TokenName3: ${{ secrets.TokenName3}}
+      TokenName4: ${{ secrets.TokenName4}}
+      TokenName5: ${{ secrets.TokenName5}}
+    steps:
+    - uses: actions/checkout@v3
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/solaris-vm@v0
+      with:
+        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
+        copyback: false
+        prepare: pkgutil -y -i socat
+        run: |
+          pkg set-mediator -v -I default@1.1 openssl
+          export PATH=/usr/gnu/bin:$PATH
+          if [ "${{ secrets.TokenName1}}" ] ; then
+            export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
+          fi
+          if [ "${{ secrets.TokenName2}}" ] ; then
+            export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
+          fi
+          if [ "${{ secrets.TokenName3}}" ] ; then
+            export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
+          fi
+          if [ "${{ secrets.TokenName4}}" ] ; then
+            export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
+          fi
+          if [ "${{ secrets.TokenName5}}" ] ; then
+            export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
+          fi
+          cd ../acmetest
+          ./letest.sh
+
+
--- a/.github/workflows/DragonFlyBSD.yml
+++ b/.github/workflows/DragonFlyBSD.yml
@@ -0,0 +1,71 @@
+name: DragonFlyBSD
+on:
+  push:
+    branches:
+      - '*'
+    paths:
+      - '*.sh'
+      - '.github/workflows/DragonFlyBSD.yml'
+
+  pull_request:
+    branches:
+      - dev
+    paths:
+      - '*.sh'
+      - '.github/workflows/DragonFlyBSD.yml'
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+
+
+
+jobs:
+  DragonFlyBSD:
+    strategy:
+      matrix:
+        include:
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
+           CA_ECDSA: ""
+           CA: ""
+           CA_EMAIL: ""
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+         #- TEST_ACME_Server: "ZeroSSL.com"
+         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+         #  CA: "ZeroSSL RSA Domain Secure Site CA"
+         #  CA_EMAIL: "githubtest@acme.sh"
+         #  TEST_PREFERRED_CHAIN: ""
+    runs-on: macos-12
+    env:
+      TEST_LOCAL: 1
+      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+      CA_ECDSA: ${{ matrix.CA_ECDSA }}
+      CA: ${{ matrix.CA }}
+      CA_EMAIL: ${{ matrix.CA_EMAIL }}
+      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+    steps:
+    - uses: actions/checkout@v3
+    - uses: vmactions/cf-tunnel@v0
+      id: tunnel
+      with:
+        protocol: http
+        port: 8080
+    - name: Set envs
+      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/dragonflybsd-vm@v0
+      with:
+        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
+        copyback: "false"
+        nat: |
+          "8080": "80"
+        prepare: |
+          pkg install -y curl socat libnghttp2
+        usesh: true
+        run: |
+          cd ../acmetest \
+          && ./letest.sh
+
+
--- a/.github/workflows/FreeBSD.yml
+++ b/.github/workflows/FreeBSD.yml
@@ -14,6 +14,11 @@ on:
      - '*.sh'
      - '.github/workflows/FreeBSD.yml'

+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+

 jobs:
  FreeBSD:
@@ -25,12 +30,18 @@ jobs:
           CA: ""
           CA_EMAIL: ""
           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
+           CA_ECDSA: ""
+           CA: ""
+           CA_EMAIL: ""
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+           ACME_USE_WGET: 1
         #- TEST_ACME_Server: "ZeroSSL.com"
         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
         #  CA: "ZeroSSL RSA Domain Secure Site CA"
         #  CA_EMAIL: "githubtest@acme.sh"
         #  TEST_PREFERRED_CHAIN: ""
-    runs-on: macos-10.15
+    runs-on: macos-12
    env:
      TEST_LOCAL: 1
      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
@@ -38,9 +49,10 @@ jobs:
      CA: ${{ matrix.CA }}
      CA_EMAIL: ${{ matrix.CA_EMAIL }}
      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
    steps:
-    - uses: actions/checkout@v2
-    - uses: vmactions/cf-tunnel@v0.0.3
+    - uses: actions/checkout@v3
+    - uses: vmactions/cf-tunnel@v0
      id: tunnel
      with:
        protocol: http
@@ -48,14 +60,15 @@ jobs:
    - name: Set envs
      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
    - name: Clone acmetest
-      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/freebsd-vm@v0.1.5
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/freebsd-vm@v0
      with:
-        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
+        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
        nat: |
          "8080": "80"
-        prepare: pkg install -y socat curl
+        prepare: pkg install -y socat curl wget
        usesh: true
+        copyback: false
        run: |
          cd ../acmetest \
          && ./letest.sh
--- a/.github/workflows/Linux.yml
+++ b/.github/workflows/Linux.yml
@@ -15,6 +15,12 @@ on:
      - '.github/workflows/Linux.yml'


+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+
+

 jobs:
  Linux:
@@ -25,12 +31,13 @@ jobs:
    env:
      TEST_LOCAL: 1
      TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+      TEST_ACME_Server: "LetsEncrypt.org_test"
    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Clone acmetest
      run: |
          cd .. \
-          && git clone https://github.com/acmesh-official/acmetest.git \
+          && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \
          && cp -r acme.sh acmetest/
    - name: Run acmetest
      run: |
--- a/.github/workflows/MacOS.yml
+++ b/.github/workflows/MacOS.yml
@@ -14,6 +14,11 @@ on:
      - '*.sh'
      - '.github/workflows/MacOS.yml'

+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+

 jobs:
  MacOS:
@@ -39,13 +44,13 @@ jobs:
      CA_EMAIL: ${{ matrix.CA_EMAIL }}
      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Install tools
      run:  brew install socat
    - name: Clone acmetest
      run: |
          cd .. \
-          && git clone https://github.com/acmesh-official/acmetest.git \
+          && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \
          && cp -r acme.sh acmetest/
    - name: Run acmetest
      run: |
--- a/.github/workflows/NetBSD.yml
+++ b/.github/workflows/NetBSD.yml
@@ -0,0 +1,71 @@
+name: NetBSD
+on:
+  push:
+    branches:
+      - '*'
+    paths:
+      - '*.sh'
+      - '.github/workflows/NetBSD.yml'
+
+  pull_request:
+    branches:
+      - dev
+    paths:
+      - '*.sh'
+      - '.github/workflows/NetBSD.yml'
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+
+
+
+jobs:
+  NetBSD:
+    strategy:
+      matrix:
+        include:
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
+           CA_ECDSA: ""
+           CA: ""
+           CA_EMAIL: ""
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+         #- TEST_ACME_Server: "ZeroSSL.com"
+         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+         #  CA: "ZeroSSL RSA Domain Secure Site CA"
+         #  CA_EMAIL: "githubtest@acme.sh"
+         #  TEST_PREFERRED_CHAIN: ""
+    runs-on: macos-12
+    env:
+      TEST_LOCAL: 1
+      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+      CA_ECDSA: ${{ matrix.CA_ECDSA }}
+      CA: ${{ matrix.CA }}
+      CA_EMAIL: ${{ matrix.CA_EMAIL }}
+      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+    steps:
+    - uses: actions/checkout@v3
+    - uses: vmactions/cf-tunnel@v0
+      id: tunnel
+      with:
+        protocol: http
+        port: 8080
+    - name: Set envs
+      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/netbsd-vm@v0
+      with:
+        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
+        nat: |
+          "8080": "80"
+        prepare: |
+          pkg_add curl socat
+        usesh: true
+        copyback: false
+        run: |
+          cd ../acmetest \
+          && ./letest.sh
+
+
--- a/.github/workflows/OpenBSD.yml
+++ b/.github/workflows/OpenBSD.yml
@@ -0,0 +1,76 @@
+name: OpenBSD
+on:
+  push:
+    branches:
+      - '*'
+    paths:
+      - '*.sh'
+      - '.github/workflows/OpenBSD.yml'
+
+  pull_request:
+    branches:
+      - dev
+    paths:
+      - '*.sh'
+      - '.github/workflows/OpenBSD.yml'
+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+
+
+jobs:
+  OpenBSD:
+    strategy:
+      matrix:
+        include:
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
+           CA_ECDSA: ""
+           CA: ""
+           CA_EMAIL: ""
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
+           CA_ECDSA: ""
+           CA: ""
+           CA_EMAIL: ""
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+           ACME_USE_WGET: 1
+         #- TEST_ACME_Server: "ZeroSSL.com"
+         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+         #  CA: "ZeroSSL RSA Domain Secure Site CA"
+         #  CA_EMAIL: "githubtest@acme.sh"
+         #  TEST_PREFERRED_CHAIN: ""
+    runs-on: macos-12
+    env:
+      TEST_LOCAL: 1
+      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+      CA_ECDSA: ${{ matrix.CA_ECDSA }}
+      CA: ${{ matrix.CA }}
+      CA_EMAIL: ${{ matrix.CA_EMAIL }}
+      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
+    steps:
+    - uses: actions/checkout@v3
+    - uses: vmactions/cf-tunnel@v0
+      id: tunnel
+      with:
+        protocol: http
+        port: 8080
+    - name: Set envs
+      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
+    - name: Clone acmetest
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/openbsd-vm@v0
+      with:
+        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
+        nat: |
+          "8080": "80"
+        prepare: pkg_add socat curl wget libnghttp2
+        usesh: true
+        copyback: false
+        run: |
+          cd ../acmetest \
+          && ./letest.sh
+
+
--- a/.github/workflows/PebbleStrict.yml
+++ b/.github/workflows/PebbleStrict.yml
@@ -13,6 +13,13 @@ on:
      - '*.sh'
      - '.github/workflows/PebbleStrict.yml'

+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+
+
 jobs:
  PebbleStrict:
    runs-on: ubuntu-latest
@@ -26,7 +33,7 @@ jobs:
      TEST_CA: "Pebble Intermediate CA"

    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Install tools
      run: sudo apt-get install -y socat
    - name: Run Pebble
@@ -34,15 +41,15 @@ jobs:
    - name: Set up Pebble
      run: curl --request POST --data '{"ip":"10.30.50.1"}' http://localhost:8055/set-default-ipv4
    - name: Clone acmetest
-      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - name: Run acmetest
      run: cd ../acmetest && ./letest.sh

  PebbleStrict_IPCert:
    runs-on: ubuntu-latest
    env:
-      TestingDomain: 10.30.50.1
-      ACME_DIRECTORY: https://localhost:14000/dir
+      TestingDomain: 1.23.45.67
+      TEST_ACME_Server: https://localhost:14000/dir
      HTTPS_INSECURE: 1
      Le_HTTPPort: 5002
      Le_TLSPort: 5001
@@ -51,12 +58,15 @@ jobs:
      TEST_IPCERT: 1

    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Install tools
      run: sudo apt-get install -y socat
    - name: Run Pebble
-      run: cd .. && curl https://raw.githubusercontent.com/letsencrypt/pebble/master/docker-compose.yml >docker-compose.yml && docker-compose up -d
+      run: |
+        docker run --rm -itd --name=pebble \
+        -e PEBBLE_VA_ALWAYS_VALID=1 \
+        -p 14000:14000 -p 15000:15000   letsencrypt/pebble:latest pebble -config /test/config/pebble-config.json -strict
    - name: Clone acmetest
-      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - name: Run acmetest
      run: cd ../acmetest && ./letest.sh
--- a/.github/workflows/Solaris.yml
+++ b/.github/workflows/Solaris.yml
@@ -15,6 +15,11 @@ on:
      - '.github/workflows/Solaris.yml'


+
+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
  Solaris:
    strategy:
@@ -25,12 +30,18 @@ jobs:
           CA: ""
           CA_EMAIL: ""
           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
+           CA_ECDSA: ""
+           CA: ""
+           CA_EMAIL: ""
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+           ACME_USE_WGET: 1
         #- TEST_ACME_Server: "ZeroSSL.com"
         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
         #  CA: "ZeroSSL RSA Domain Secure Site CA"
         #  CA_EMAIL: "githubtest@acme.sh"
         #  TEST_PREFERRED_CHAIN: ""
-    runs-on: macos-10.15
+    runs-on: macos-12
    env:
      TEST_LOCAL: 1
      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
@@ -38,9 +49,10 @@ jobs:
      CA: ${{ matrix.CA }}
      CA_EMAIL: ${{ matrix.CA_EMAIL }}
      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
    steps:
-    - uses: actions/checkout@v2
-    - uses: vmactions/cf-tunnel@v0.0.3
+    - uses: actions/checkout@v3
+    - uses: vmactions/cf-tunnel@v0
      id: tunnel
      with:
        protocol: http
@@ -48,13 +60,14 @@ jobs:
    - name: Set envs
      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
    - name: Clone acmetest
-      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/solaris-vm@v0.0.5
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+    - uses: vmactions/solaris-vm@v0
      with:
-        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
+        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
+        copyback: "false"
        nat: |
          "8080": "80"
-        prepare: pkgutil -y -i socat curl
+        prepare: pkgutil -y -i socat curl wget
        run: |
          cd ../acmetest \
          && ./letest.sh
--- a/.github/workflows/Ubuntu.yml
+++ b/.github/workflows/Ubuntu.yml
@@ -14,6 +14,11 @@ on:
      - '*.sh'
      - '.github/workflows/Ubuntu.yml'

+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+

 jobs:
  Ubuntu:
@@ -25,6 +30,12 @@ jobs:
           CA: ""
           CA_EMAIL: ""
           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
+           CA_ECDSA: ""
+           CA: ""
+           CA_EMAIL: ""
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+           ACME_USE_WGET: 1
         - TEST_ACME_Server: "ZeroSSL.com"
           CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
           CA: "ZeroSSL RSA Domain Secure Site CA"
@@ -57,10 +68,11 @@ jobs:
      NO_REVOKE: ${{ matrix.NO_REVOKE }}
      TEST_IPCERT: ${{ matrix.TEST_IPCERT }}
      TestingDomain: ${{ matrix.TestingDomain }}
+      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Install tools
-      run: sudo apt-get install -y socat
+      run: sudo apt-get install -y socat wget
    - name: Start StepCA
      if: ${{ matrix.TEST_ACME_Server=='https://localhost:9000/acme/acme/directory' }}
      run: |
@@ -68,15 +80,20 @@ jobs:
            -p 9000:9000 \
            -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \
            -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \
+            -e "DOCKER_STEPCA_INIT_REMOTE_MANAGEMENT=true" \
+            -e "DOCKER_STEPCA_INIT_PASSWORD=test" \
            --name stepca \
-            smallstep/step-ca \
-            && sleep 5 && docker exec  stepca step ca provisioner add acme --type ACME \
+            smallstep/step-ca:0.23.1
+
+            sleep 5
+            docker exec  stepca bash -c "echo test >test" \
+            && docker exec stepca step ca provisioner add acme --type ACME --admin-subject  step --admin-password-file=/home/step/test \
            && docker exec  stepca kill -1 1 \
            && docker exec  stepca cat /home/step/certs/root_ca.crt | sudo bash -c "cat - >>/etc/ssl/certs/ca-certificates.crt"
    - name: Clone acmetest
      run: |
          cd .. \
-          && git clone https://github.com/acmesh-official/acmetest.git \
+          && git clone --depth=1 https://github.com/acmesh-official/acmetest.git \
          && cp -r acme.sh acmetest/
    - name: Run acmetest
      run: |
--- a/.github/workflows/Windows.yml
+++ b/.github/workflows/Windows.yml
@@ -15,6 +15,11 @@ on:
      - '.github/workflows/Windows.yml'


+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+
 jobs:
  Windows:
    strategy:
@@ -44,7 +49,7 @@ jobs:
    - name: Set git to use LF
      run: |
          git config --global core.autocrlf false
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Install cygwin base packages with chocolatey
      run: |
          choco config get cacheLocation
@@ -52,7 +57,7 @@ jobs:
      shell: cmd
    - name: Install cygwin additional packages
      run: |
-          C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s http://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,xxd
+          C:\tools\cygwin\cygwinsetup.exe -qgnNdO -R C:/tools/cygwin -s https://mirrors.kernel.org/sourceware/cygwin/ -P socat,curl,cron,unzip,git,xxd
      shell: cmd
    - name: Set ENV
      shell: cmd
@@ -64,7 +69,7 @@ jobs:
          echo "PATH=%PATH%"
    - name: Clone acmetest
      shell: cmd
-      run: cd .. && git clone https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - name: Run acmetest
      shell: cmd
      run: cd ../acmetest && bash.exe -c ./letest.sh
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
@@ -11,7 +11,11 @@ on:
      - "Dockerfile"
      - '.github/workflows/dockerhub.yml'

-    
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+
 jobs:
  CheckToken:
    runs-on: ubuntu-latest
@@ -24,9 +28,9 @@ jobs:
        id: step_one
        run: |
          if [ "$DOCKER_PASSWORD" ] ; then
-            echo "::set-output name=hasToken::true"
+            echo "hasToken=true" >>$GITHUB_OUTPUT
          else
-            echo "::set-output name=hasToken::false"
+            echo "hasToken=false" >>$GITHUB_OUTPUT
          fi
      - name: Check the value
        run: echo ${{ steps.step_one.outputs.hasToken }}
@@ -37,11 +41,11 @@ jobs:
    if: "contains(needs.CheckToken.outputs.hasToken, 'true')"
    steps:
      - name: checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
+        uses: docker/setup-buildx-action@v2
      - name: login to docker hub
        run: |
          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
--- a/.github/workflows/issue.yml
+++ b/.github/workflows/issue.yml
@@ -0,0 +1,19 @@
+name: "Update issues"
+on:
+  issues:
+    types: [opened]
+
+jobs:
+  comment:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/github-script@v6
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: "Please upgrade to the latest code and try again first. Maybe it's already fixed.              ```acme.sh --upgrade```              If it's still not working, please provide the log with `--debug 2`, otherwise, nobody can help you."
+              
+            })
--- a/.github/workflows/pr_dns.yml
+++ b/.github/workflows/pr_dns.yml
@@ -0,0 +1,30 @@
+name: Check dns api
+
+on:
+  pull_request_target:
+    types:
+      - opened
+    branches:
+      - 'dev'
+    paths:
+      - 'dnsapi/*.sh'
+
+
+jobs:
+  welcome:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/github-script@v6
+        with:
+          script: |
+            await github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `**Welcome**
+                Please make sure you're read our [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide) and [DNS-API-Test](../wiki/DNS-API-Test).
+                Then reply on this message, otherwise, your code will not be reviewed or merged.
+                We look forward to reviewing your Pull request shortly ✨
+                `
+            })
+
--- a/.github/workflows/pr_notify.yml
+++ b/.github/workflows/pr_notify.yml
@@ -0,0 +1,30 @@
+name: Check dns api
+
+on:
+  pull_request_target:
+    types:
+      - opened
+    branches:
+      - 'dev'
+    paths:
+      - 'notify/*.sh'
+
+
+jobs:
+  welcome:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/github-script@v6
+        with:
+          script: |
+            await github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `**Welcome**
+                Please make sure you're read our [Code-of-conduct](../wiki/Code-of-conduct) and  add the usage here: [notify](../wiki/notify).
+                Then reply on this message, otherwise, your code will not be reviewed or merged.
+                We look forward to reviewing your Pull request shortly ✨
+                `
+            })
+
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -13,20 +13,25 @@ on:
      - '**.sh'
      - '.github/workflows/shellcheck.yml'

+concurrency: 
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+
 jobs:
  ShellCheck:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Install Shellcheck
      run: sudo apt-get install -y shellcheck
    - name: DoShellcheck
-      run: shellcheck -V  && shellcheck -e SC2181 **/*.sh && echo "shellcheck OK"
+      run: shellcheck -V  && shellcheck -e SC2181 -e SC2089 **/*.sh && echo "shellcheck OK"

  shfmt:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
    - name: Install shfmt
      run: curl -sSL https://github.com/mvdan/sh/releases/download/v3.1.2/shfmt_v3.1.2_linux_amd64 -o ~/shfmt && chmod +x ~/shfmt
    - name: shfmt
--- a/13
+++ b/13
@@ -1,4 +1,4 @@
-FROM alpine:3.15
+FROM alpine:3.17

 RUN apk --no-cache add -f \
  openssl \
@@ -12,7 +12,8 @@ RUN apk --no-cache add -f \
  oath-toolkit-oathtool \
  tar \
  libidn \
-  jq
+  jq \
+  cronie

 ENV LE_CONFIG_HOME /acme.sh

@@ -25,7 +26,7 @@ COPY ./ /install_acme.sh/
 RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/


-RUN ln -s  /root/.acme.sh/acme.sh  /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null##' | crontab -
+RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null#> /proc/1/fd/1 2>/proc/1/fd/2#' | crontab -

 RUN for verb in help \
  version \
@@ -64,12 +65,10 @@ RUN for verb in help \

 RUN printf "%b" '#!'"/usr/bin/env sh\n \
 if [ \"\$1\" = \"daemon\" ];  then \n \
- trap \"echo stop && killall crond && exit 0\" SIGTERM SIGINT \n \
- crond && sleep infinity &\n \
- wait \n \
+ exec crond -n -s -m off \n \
 else \n \
 exec -- \"\$@\"\n \
-fi" >/entry.sh && chmod +x /entry.sh
+fi\n" >/entry.sh && chmod +x /entry.sh

 VOLUME /acme.sh

--- a/README.md
+++ b/README.md
@@ -1,10 +1,14 @@
 # An ACME Shell script: acme.sh 

 [![FreeBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/FreeBSD.yml)
+[![OpenBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml)
+[![NetBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml)
 [![MacOS](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/MacOS.yml)
 [![Ubuntu](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml)
 [![Windows](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml)
 [![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)
+[![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml)
+

 ![Shellcheck](https://github.com/acmesh-official/acme.sh/workflows/Shellcheck/badge.svg)
 ![PebbleStrict](https://github.com/acmesh-official/acme.sh/workflows/PebbleStrict/badge.svg)
@@ -47,14 +51,12 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
 - [ruby-china.org](https://ruby-china.org/topics/31983)
 - [Proxmox](https://pve.proxmox.com/wiki/Certificate_Management)
 - [pfsense](https://github.com/pfsense/FreeBSD-ports/pull/89)
- [webfaction](https://community.webfaction.com/questions/19988/using-letsencrypt)
 - [Loadbalancer.org](https://www.loadbalancer.org/blog/loadbalancer-org-with-lets-encrypt-quick-and-dirty)
 - [discourse.org](https://meta.discourse.org/t/setting-up-lets-encrypt/40709)
 - [Centminmod](https://centminmod.com/letsencrypt-acmetool-https.html)
 - [splynx](https://forum.splynx.com/t/free-ssl-cert-for-splynx-lets-encrypt/297)
- [archlinux](https://www.archlinux.org/packages/community/any/acme.sh)
 - [opnsense.org](https://github.com/opnsense/plugins/tree/master/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient)
- [CentOS Web Panel](http://centos-webpanel.com/)
+- [CentOS Web Panel](https://control-webpanel.com)
 - [lnmp.org](https://lnmp.org/)
 - [more...](https://github.com/acmesh-official/acme.sh/wiki/Blogs-and-tutorials)

@@ -68,21 +70,23 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
 |4|[![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)|Solaris
 |5|[![Ubuntu](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Ubuntu.yml)| Ubuntu
 |6|NA|pfsense
-|7|NA|OpenBSD
-|8|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian
-|9|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS
-|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE
-|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl)
-|12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux
-|13|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora
-|14|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux
-|15|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux
-|16|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia
-|17|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux
-|18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux
-|19|-----| Cloud Linux  https://github.com/acmesh-official/acme.sh/issues/111
-|20|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
-|21|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management)
+|7|[![OpenBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml)|OpenBSD
+|8|[![NetBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml)|NetBSD
+|9|[![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml)|DragonFlyBSD
+|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian
+|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS
+|12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE
+|13|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl)
+|14|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux
+|15|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora
+|16|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux
+|17|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux
+|18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia
+|19|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux
+|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux
+|11|-----| Cloud Linux  https://github.com/acmesh-official/acme.sh/issues/111
+|22|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
+|23|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management)


 Check our [testing project](https://github.com/acmesh-official/acmetest):
@@ -355,10 +359,6 @@ Ok, it's done.

 # 10. Issue ECC certificates

-`Let's Encrypt` can now issue **ECDSA** certificates.
-
-And we support them too!
-
 Just set the `keylength` parameter with a prefix `ec-`.

 For example:
@@ -379,10 +379,12 @@ Please look at the `keylength` parameter above.

 Valid values are:

-1. **ec-256 (prime256v1, "ECDSA P-256")**
+1. **ec-256 (prime256v1, "ECDSA P-256", which is the default key type)**
 2. **ec-384 (secp384r1,  "ECDSA P-384")**
 3. **ec-521 (secp521r1,  "ECDSA P-521", which is not supported by Let's Encrypt yet.)**
-
+4. **2048   (RSA2048)**
+5. **3072   (RSA3072)**
+6. **4096   (RSA4096)**


 # 11. Issue Wildcard certificates
@@ -503,6 +505,8 @@ Support this project with your organization. Your logo will show up here with a
 <a href="https://opencollective.com/acmesh/organization/8/website"><img src="https://opencollective.com/acmesh/organization/8/avatar.svg"></a>
 <a href="https://opencollective.com/acmesh/organization/9/website"><img src="https://opencollective.com/acmesh/organization/9/avatar.svg"></a>

+
+
 # 19. License & Others

 License is GPLv3
--- a/acme.sh
+++ b/acme.sh
--- a/deploy/cpanel_uapi.sh
+++ b/deploy/cpanel_uapi.sh
@@ -3,18 +3,29 @@
 # Uses command line uapi.  --user option is needed only if run as root.
 # Returns 0 when success.
 #
+# Configure DEPLOY_CPANEL_AUTO_<...> options to enable or restrict automatic
+# detection of deployment targets through UAPI (if not set, defaults below are used.)
+# - ENABLED : 'true' for multi-site / wildcard capability; otherwise single-site mode.
+# - NOMATCH : 'true' to allow deployment to sites that do not match the certificate.
+# - INCLUDE : Comma-separated list - sites must match this field.
+# - EXCLUDE : Comma-separated list - sites must NOT match this field.
+# INCLUDE/EXCLUDE both support non-lexical, glob-style matches using '*'
+#
 # Please note that I am no longer using Github. If you want to report an issue
 # or contact me, visit https://forum.webseodesigners.com/web-design-seo-and-hosting-f16/
 #
 # Written by Santeri Kannisto <santeri.kannisto@webseodesigners.com>
 # Public domain, 2017-2018
-
-#export DEPLOY_CPANEL_USER=myusername
+#
+# export DEPLOY_CPANEL_USER=myusername
+# export DEPLOY_CPANEL_AUTO_ENABLED='true'
+# export DEPLOY_CPANEL_AUTO_NOMATCH='false'
+# export DEPLOY_CPANEL_AUTO_INCLUDE='*'
+# export DEPLOY_CPANEL_AUTO_EXCLUDE=''

 ########  Public functions #####################

 #domain keyfile certfile cafile fullchain
-
 cpanel_uapi_deploy() {
  _cdomain="$1"
  _ckey="$2"
@@ -22,6 +33,9 @@ cpanel_uapi_deploy() {
  _cca="$4"
  _cfullchain="$5"

+  # re-declare vars inherited from acme.sh but not passed to make ShellCheck happy
+  : "${Le_Alt:=""}"
+
  _debug _cdomain "$_cdomain"
  _debug _ckey "$_ckey"
  _debug _ccert "$_ccert"
@@ -32,31 +46,166 @@ cpanel_uapi_deploy() {
    _err "The command uapi is not found."
    return 1
  fi
+
+  # declare useful constants
+  uapi_error_response='status: 0'
+
  # read cert and key files and urlencode both
  _cert=$(_url_encode <"$_ccert")
  _key=$(_url_encode <"$_ckey")

-  _debug _cert "$_cert"
-  _debug _key "$_key"
+  _debug2 _cert "$_cert"
+  _debug2 _key "$_key"

  if [ "$(id -u)" = 0 ]; then
-    if [ -z "$DEPLOY_CPANEL_USER" ]; then
+    _getdeployconf DEPLOY_CPANEL_USER
+    # fallback to _readdomainconf for old installs
+    if [ -z "${DEPLOY_CPANEL_USER:=$(_readdomainconf DEPLOY_CPANEL_USER)}" ]; then
      _err "It seems that you are root, please define the target user name: export DEPLOY_CPANEL_USER=username"
      return 1
    fi
-    _savedomainconf DEPLOY_CPANEL_USER "$DEPLOY_CPANEL_USER"
-    _response=$(uapi --user="$DEPLOY_CPANEL_USER" SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
-  else
-    _response=$(uapi SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
-  fi
-  error_response="status: 0"
-  if test "${_response#*$error_response}" != "$_response"; then
-    _err "Error in deploying certificate:"
-    _err "$_response"
-    return 1
+    _debug DEPLOY_CPANEL_USER "$DEPLOY_CPANEL_USER"
+    _savedeployconf DEPLOY_CPANEL_USER "$DEPLOY_CPANEL_USER"
+
+    _uapi_user="$DEPLOY_CPANEL_USER"
  fi

-  _debug response "$_response"
-  _info "Certificate successfully deployed"
-  return 0
+  # Load all AUTO envars and set defaults - see above for usage
+  __cpanel_initautoparam ENABLED 'true'
+  __cpanel_initautoparam NOMATCH 'false'
+  __cpanel_initautoparam INCLUDE '*'
+  __cpanel_initautoparam EXCLUDE ''
+
+  # Auto mode
+  if [ "$DEPLOY_CPANEL_AUTO_ENABLED" = "true" ]; then
+    # call API for site config
+    _response=$(uapi DomainInfo list_domains)
+    # exit if error in response
+    if [ -z "$_response" ] || [ "${_response#*"$uapi_error_response"}" != "$_response" ]; then
+      _err "Error in deploying certificate - cannot retrieve sitelist:"
+      _err "\n$_response"
+      return 1
+    fi
+
+    # parse response to create site list
+    sitelist=$(__cpanel_parse_response "$_response")
+    _debug "UAPI sites found: $sitelist"
+
+    # filter sitelist using configured domains
+    # skip if NOMATCH is "true"
+    if [ "$DEPLOY_CPANEL_AUTO_NOMATCH" = "true" ]; then
+      _debug "DEPLOY_CPANEL_AUTO_NOMATCH is true"
+      _info "UAPI nomatch mode is enabled - Will not validate sites are valid for the certificate"
+    else
+      _debug "DEPLOY_CPANEL_AUTO_NOMATCH is false"
+      d="$(echo "${Le_Alt}," | sed -e "s/^$_cdomain,//" -e "s/,$_cdomain,/,/")"
+      d="$(echo "$_cdomain,$d" | tr ',' '\n' | sed -e 's/\./\\./g' -e 's/\*/\[\^\.\]\*/g')"
+      sitelist="$(echo "$sitelist" | grep -ix "$d")"
+      _debug2 "Matched UAPI sites: $sitelist"
+    fi
+
+    # filter sites that do not match $DEPLOY_CPANEL_AUTO_INCLUDE
+    _info "Applying sitelist filter DEPLOY_CPANEL_AUTO_INCLUDE: $DEPLOY_CPANEL_AUTO_INCLUDE"
+    sitelist="$(echo "$sitelist" | grep -ix "$(echo "$DEPLOY_CPANEL_AUTO_INCLUDE" | tr ',' '\n' | sed -e 's/\./\\./g' -e 's/\*/\.\*/g')")"
+    _debug2 "Remaining sites: $sitelist"
+
+    # filter sites that match $DEPLOY_CPANEL_AUTO_EXCLUDE
+    _info "Applying sitelist filter DEPLOY_CPANEL_AUTO_EXCLUDE: $DEPLOY_CPANEL_AUTO_EXCLUDE"
+    sitelist="$(echo "$sitelist" | grep -vix "$(echo "$DEPLOY_CPANEL_AUTO_EXCLUDE" | tr ',' '\n' | sed -e 's/\./\\./g' -e 's/\*/\.\*/g')")"
+    _debug2 "Remaining sites: $sitelist"
+
+    # counter for success / failure check
+    successes=0
+    if [ -n "$sitelist" ]; then
+      sitetotal="$(echo "$sitelist" | wc -l)"
+      _debug "$sitetotal sites to deploy"
+    else
+      sitetotal=0
+      _debug "No sites to deploy"
+    fi
+
+    # for each site: call uapi to publish cert and log result. Only return failure if all fail
+    for site in $sitelist; do
+      # call uapi to publish cert, check response for errors and log them.
+      if [ -n "$_uapi_user" ]; then
+        _response=$(uapi --user="$_uapi_user" SSL install_ssl domain="$site" cert="$_cert" key="$_key")
+      else
+        _response=$(uapi SSL install_ssl domain="$site" cert="$_cert" key="$_key")
+      fi
+      if [ "${_response#*"$uapi_error_response"}" != "$_response" ]; then
+        _err "Error in deploying certificate to $site:"
+        _err "$_response"
+      else
+        successes=$((successes + 1))
+        _debug "$_response"
+        _info "Succcessfully deployed to $site"
+      fi
+    done
+
+    # Raise error if all updates fail
+    if [ "$sitetotal" -gt 0 ] && [ "$successes" -eq 0 ]; then
+      _err "Could not deploy to any of $sitetotal sites via UAPI"
+      _debug "successes: $successes, sitetotal: $sitetotal"
+      return 1
+    fi
+
+    _info "Successfully deployed certificate to $successes of $sitetotal sites via UAPI"
+    return 0
+  else
+    # "classic" mode - will only try to deploy to the primary domain; will not check UAPI first
+    if [ -n "$_uapi_user" ]; then
+      _response=$(uapi --user="$_uapi_user" SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
+    else
+      _response=$(uapi SSL install_ssl domain="$_cdomain" cert="$_cert" key="$_key")
+    fi
+
+    if [ "${_response#*"$uapi_error_response"}" != "$_response" ]; then
+      _err "Error in deploying certificate:"
+      _err "$_response"
+      return 1
+    fi
+
+    _debug response "$_response"
+    _info "Certificate successfully deployed"
+    return 0
+  fi
+}
+
+########  Private functions #####################
+
+# Internal utility to process YML from UAPI - looks at main_domain, sub_domains, addon domains and parked domains
+#[response]
+__cpanel_parse_response() {
+  if [ $# -gt 0 ]; then resp="$*"; else resp="$(cat)"; fi
+
+  echo "$resp" |
+    sed -En \
+      -e 's/\r$//' \
+      -e 's/^( *)([_.[:alnum:]]+) *: *(.*)/\1,\2,\3/p' \
+      -e 's/^( *)- (.*)/\1,-,\2/p' |
+    awk -F, '{
+      level = length($1)/2;
+      section[level] = $2;
+      for (i in section) {if (i > level) {delete section[i]}}
+      if (length($3) > 0) {
+        prefix="";
+        for (i=0; i < level; i++)
+          { prefix = (prefix)(section[i])("/") }
+        printf("%s%s=%s\n", prefix, $2, $3);
+      }
+    }' |
+    sed -En -e 's/^result\/data\/(main_domain|sub_domains\/-|addon_domains\/-|parked_domains\/-)=(.*)$/\2/p'
+}
+
+# Load parameter by prefix+name - fallback to default if not set, and save to config
+#pname pdefault
+__cpanel_initautoparam() {
+  pname="$1"
+  pdefault="$2"
+  pkey="DEPLOY_CPANEL_AUTO_$pname"
+
+  _getdeployconf "$pkey"
+  [ -n "$(eval echo "\"\$$pkey\"")" ] || eval "$pkey=\"$pdefault\""
+  _debug2 "$pkey" "$(eval echo "\"\$$pkey\"")"
+  _savedeployconf "$pkey" "$(eval echo "\"\$$pkey\"")"
 }
--- a/deploy/docker.sh
+++ b/deploy/docker.sh
@@ -273,16 +273,27 @@ _check_curl_version() {
  _minor="$(_getfield "$_cversion" 2 '.')"
  _debug2 "_minor" "$_minor"

-  if [ "$_major$_minor" -lt "740" ]; then
+  if [ "$_major" -ge "8" ]; then
+    #ok
+    return 0
+  fi
+  if [ "$_major" = "7" ]; then
+    if [ "$_minor" -lt "40" ]; then
+      _err "curl v$_cversion doesn't support unit socket"
+      _err "Please upgrade to curl 7.40 or later."
+      return 1
+    fi
+    if [ "$_minor" -lt "50" ]; then
+      _debug "Use short host name"
+      export _CURL_NO_HOST=1
+    else
+      export _CURL_NO_HOST=
+    fi
+    return 0
+  else
    _err "curl v$_cversion doesn't support unit socket"
    _err "Please upgrade to curl 7.40 or later."
    return 1
  fi
-  if [ "$_major$_minor" -lt "750" ]; then
-    _debug "Use short host name"
-    export _CURL_NO_HOST=1
-  else
-    export _CURL_NO_HOST=
-  fi
-  return 0
+
 }
--- a/deploy/gcore_cdn.sh
+++ b/deploy/gcore_cdn.sh
@@ -1,10 +1,11 @@
 #!/usr/bin/env sh

-# Here is the script to deploy the cert to G-Core CDN service (https://gcorelabs.com/ru/) using the G-Core Labs API (https://docs.gcorelabs.com/cdn/).
+# Here is the script to deploy the cert to G-Core CDN service (https://gcore.com/) using the G-Core Labs API (https://apidocs.gcore.com/cdn).
 # Returns 0 when success.
 #
 # Written by temoffey <temofffey@gmail.com>
 # Public domain, 2019
+# Update by DreamOfIce <admin@dreamofice.cn> in 2023

 #export DEPLOY_GCORE_CDN_USERNAME=myusername
 #export DEPLOY_GCORE_CDN_PASSWORD=mypassword
@@ -56,7 +57,7 @@ gcore_cdn_deploy() {
  _request="{\"username\":\"$Le_Deploy_gcore_cdn_username\",\"password\":\"$Le_Deploy_gcore_cdn_password\"}"
  _debug _request "$_request"
  export _H1="Content-Type:application/json"
-  _response=$(_post "$_request" "https://api.gcdn.co/auth/jwt/login")
+  _response=$(_post "$_request" "https://api.gcore.com/auth/jwt/login")
  _debug _response "$_response"
  _regex=".*\"access\":\"\([-._0-9A-Za-z]*\)\".*$"
  _debug _regex "$_regex"
@@ -69,8 +70,8 @@ gcore_cdn_deploy() {
  fi

  _info "Find CDN resource with cname $_cdomain"
-  export _H2="Authorization:Token $_token"
-  _response=$(_get "https://api.gcdn.co/resources")
+  export _H2="Authorization:Bearer $_token"
+  _response=$(_get "https://api.gcore.com/cdn/resources")
  _debug _response "$_response"
  _regex="\"primary_resource\":null},"
  _debug _regex "$_regex"
@@ -102,7 +103,7 @@ gcore_cdn_deploy() {
  _date=$(date "+%d.%m.%Y %H:%M:%S")
  _request="{\"name\":\"$_cdomain ($_date)\",\"sslCertificate\":\"$_fullchain\",\"sslPrivateKey\":\"$_key\"}"
  _debug _request "$_request"
-  _response=$(_post "$_request" "https://api.gcdn.co/sslData")
+  _response=$(_post "$_request" "https://api.gcore.com/cdn/sslData")
  _debug _response "$_response"
  _regex=".*\"id\":\([0-9]*\).*$"
  _debug _regex "$_regex"
@@ -117,7 +118,7 @@ gcore_cdn_deploy() {
  _info "Update CDN resource"
  _request="{\"originGroup\":$_originGroup,\"sslData\":$_sslDataAdd}"
  _debug _request "$_request"
-  _response=$(_post "$_request" "https://api.gcdn.co/resources/$_resourceId" '' "PUT")
+  _response=$(_post "$_request" "https://api.gcore.com/cdn/resources/$_resourceId" '' "PUT")
  _debug _response "$_response"
  _regex=".*\"sslData\":\([0-9]*\).*$"
  _debug _regex "$_regex"
@@ -133,7 +134,7 @@ gcore_cdn_deploy() {
    _info "Not found old SSL certificate"
  else
    _info "Delete old SSL certificate"
-    _response=$(_post '' "https://api.gcdn.co/sslData/$_sslDataOld" '' "DELETE")
+    _response=$(_post '' "https://api.gcore.com/cdn/sslData/$_sslDataOld" '' "DELETE")
    _debug _response "$_response"
  fi

--- a/deploy/gitlab.sh
+++ b/deploy/gitlab.sh
@@ -67,7 +67,7 @@ gitlab_deploy() {

  error_response="error"

-  if test "${_response#*$error_response}" != "$_response"; then
+  if test "${_response#*"$error_response"}" != "$_response"; then
    _err "Error in deploying certificate:"
    _err "$_response"
    return 1
--- a/deploy/mailcow.sh
+++ b/deploy/mailcow.sh
@@ -44,30 +44,20 @@ mailcow_deploy() {
    return 1
  fi

-  # ECC or RSA
-  length=$(_readdomainconf Le_Keylength)
-  if _isEccKey "$length"; then
-    _info "ECC key type detected"
-    _cert_name_prefix="ecdsa-"
-  else
-    _info "RSA key type detected"
-    _cert_name_prefix=""
-  fi
-
  _info "Copying key and cert"
-  _real_key="$_ssl_path/${_cert_name_prefix}key.pem"
+  _real_key="$_ssl_path/key.pem"
  if ! cat "$_ckey" >"$_real_key"; then
    _err "Error: write key file to: $_real_key"
    return 1
  fi

-  _real_fullchain="$_ssl_path/${_cert_name_prefix}cert.pem"
+  _real_fullchain="$_ssl_path/cert.pem"
  if ! cat "$_cfullchain" >"$_real_fullchain"; then
    _err "Error: write cert file to: $_real_fullchain"
    return 1
  fi

-  DEFAULT_MAILCOW_RELOAD="docker restart \$(docker ps --quiet --filter name=nginx-mailcow --filter name=dovecot-mailcow)"
+  DEFAULT_MAILCOW_RELOAD="docker restart \$(docker ps --quiet --filter name=nginx-mailcow --filter name=dovecot-mailcow --filter name=postfix-mailcow)"
  _reload="${DEPLOY_MAILCOW_RELOAD:-$DEFAULT_MAILCOW_RELOAD}"

  _info "Run reload: $_reload"
--- a/deploy/panos.sh
+++ b/deploy/panos.sh
@@ -7,11 +7,15 @@
 #
 # Firewall admin with superuser and IP address is required.
 #
-# export PANOS_USER=""  # required
-# export PANOS_PASS=""  # required
-# export PANOS_HOST=""  # required
+# REQURED:
+#     export PANOS_HOST=""
+#     export PANOS_USER=""    #User *MUST* have Commit and Import Permissions in XML API for Admin Role
+#     export PANOS_PASS=""
+#
+# The script will automatically generate a new API key if
+# no key is found, or if a saved key has expired or is invalid.

-# This function is to parse the XML
+# This function is to parse the XML response from the firewall
 parse_response() {
  type=$2
  if [ "$type" = 'keygen' ]; then
@@ -23,25 +27,46 @@ parse_response() {
      message="PAN-OS Key could not be set."
    fi
  else
-    status=$(echo "$1" | sed 's/^.*"\([a-z]*\)".*/\1/g')
-    message=$(echo "$1" | sed 's/^.*<result>\(.*\)<\/result.*/\1/g')
+    status=$(echo "$1" | tr -d '\n' | sed 's/^.*"\([a-z]*\)".*/\1/g')
+    message=$(echo "$1" | tr -d '\n' | sed 's/.*\(<result>\|<msg>\|<line>\)\([^<]*\).*/\2/g')
+    _debug "Firewall message:  $message"
+    if [ "$type" = 'keytest' ] && [ "$status" != "success" ]; then
+      _debug "****  API Key has EXPIRED or is INVALID ****"
+      unset _panos_key
+    fi
  fi
  return 0
 }

+#This function is used to deploy to the firewall
 deployer() {
  content=""
-  type=$1 # Types are keygen, cert, key, commit
-  _debug "**** Deploying $type *****"
+  type=$1 # Types are keytest, keygen, cert, key, commit
  panos_url="https://$_panos_host/api/"
+
+  #Test API Key by performing a lookup
+  if [ "$type" = 'keytest' ]; then
+    _debug "**** Testing saved API Key ****"
+    _H1="Content-Type: application/x-www-form-urlencoded"
+    # Get Version Info to test key
+    content="type=version&key=$_panos_key"
+    ## Exclude all scopes for the empty commit
+    #_exclude_scope="<policy-and-objects>exclude</policy-and-objects><device-and-network>exclude</device-and-network><shared-object>exclude</shared-object>"
+    #content="type=commit&action=partial&key=$_panos_key&cmd=<commit><partial>$_exclude_scope<admin><member>acmekeytest</member></admin></partial></commit>"
+  fi
+
+  # Generate API Key
  if [ "$type" = 'keygen' ]; then
+    _debug "**** Generating new API Key ****"
    _H1="Content-Type: application/x-www-form-urlencoded"
    content="type=keygen&user=$_panos_user&password=$_panos_pass"
    # content="$content${nl}--$delim${nl}Content-Disposition: form-data; type=\"keygen\"; user=\"$_panos_user\"; password=\"$_panos_pass\"${nl}Content-Type: application/octet-stream${nl}${nl}"
  fi

+  # Deploy Cert or Key
  if [ "$type" = 'cert' ] || [ "$type" = 'key' ]; then
-    #Generate DEIM
+    _debug "**** Deploying $type ****"
+    #Generate DELIM
    delim="-----MultipartDelimiter$(date "+%s%N")"
    nl="\015\012"
    #Set Header
@@ -61,7 +86,7 @@ deployer() {
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456"
-      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
+      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cdomain.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
    fi
    #Close multipart
    content="$content${nl}--$delim--${nl}${nl}"
@@ -69,16 +94,25 @@ deployer() {
    content=$(printf %b "$content")
  fi

+  # Commit changes
  if [ "$type" = 'commit' ]; then
+    _debug "**** Committing changes ****"
    export _H1="Content-Type: application/x-www-form-urlencoded"
-    cmd=$(printf "%s" "<commit><partial><$_panos_user></$_panos_user></partial></commit>" | _url_encode)
-    content="type=commit&key=$_panos_key&cmd=$cmd"
+    #Check for force commit - will commit ALL uncommited changes to the firewall. Use with caution!
+    if [ "$FORCE" ]; then
+      _debug "Force switch detected.  Committing ALL changes to the firewall."
+      cmd=$(printf "%s" "<commit><partial><force><admin><member>$_panos_user</member></admin></force></partial></commit>" | _url_encode)
+    else
+      _exclude_scope="<policy-and-objects>exclude</policy-and-objects><device-and-network>exclude</device-and-network>"
+      cmd=$(printf "%s" "<commit><partial>$_exclude_scope<admin><member>$_panos_user</member></admin></partial></commit>" | _url_encode)
+    fi
+    content="type=commit&action=partial&key=$_panos_key&cmd=$cmd"
  fi
+
  response=$(_post "$content" "$panos_url" "" "POST")
  parse_response "$response" "$type"
  # Saving response to variables
  response_status=$status
-  #DEBUG
  _debug response_status "$response_status"
  if [ "$response_status" = "success" ]; then
    _debug "Successfully deployed $type"
@@ -92,43 +126,85 @@ deployer() {

 # This is the main function that will call the other functions to deploy everything.
 panos_deploy() {
-  _cdomain="$1"
+  _cdomain=$(echo "$1" | sed 's/*/WILDCARD_/g') #Wildcard Safe Filename
  _ckey="$2"
  _cfullchain="$5"
-  # PANOS ENV VAR check
-  if [ -z "$PANOS_USER" ] || [ -z "$PANOS_PASS" ] || [ -z "$PANOS_HOST" ]; then
-    _debug "No ENV variables found lets check for saved variables"
-    _getdeployconf PANOS_USER
-    _getdeployconf PANOS_PASS
-    _getdeployconf PANOS_HOST
-    _panos_user=$PANOS_USER
-    _panos_pass=$PANOS_PASS
-    _panos_host=$PANOS_HOST
-    if [ -z "$_panos_user" ] && [ -z "$_panos_pass" ] && [ -z "$_panos_host" ]; then
-      _err "No host, user and pass found.. If this is the first time deploying please set PANOS_HOST, PANOS_USER and PANOS_PASS in environment variables. Delete them after you have succesfully deployed certs."
-      return 1
-    else
-      _debug "Using saved env variables."
-    fi
-  else
-    _debug "Detected ENV variables to be saved to the deploy conf."
-    # Encrypt and save user
-    _savedeployconf PANOS_USER "$PANOS_USER" 1
-    _savedeployconf PANOS_PASS "$PANOS_PASS" 1
-    _savedeployconf PANOS_HOST "$PANOS_HOST" 1
-    _panos_user="$PANOS_USER"
-    _panos_pass="$PANOS_PASS"
-    _panos_host="$PANOS_HOST"
+
+  # VALID FILE CHECK
+  if [ ! -f "$_ckey" ] || [ ! -f "$_cfullchain" ]; then
+    _err "Unable to find a valid key and/or cert.  If this is an ECDSA/ECC cert, use the --ecc flag when deploying."
+    return 1
  fi
-  _debug "Let's use username and pass to generate token."
-  if [ -z "$_panos_user" ] || [ -z "$_panos_pass" ] || [ -z "$_panos_host" ]; then
-    _err "Please pass username and password and host as env variables PANOS_USER, PANOS_PASS and PANOS_HOST"
+
+  # PANOS_HOST
+  if [ "$PANOS_HOST" ]; then
+    _debug "Detected ENV variable PANOS_HOST. Saving to file."
+    _savedeployconf PANOS_HOST "$PANOS_HOST" 1
+  else
+    _debug "Attempting to load variable PANOS_HOST from file."
+    _getdeployconf PANOS_HOST
+  fi
+
+  # PANOS USER
+  if [ "$PANOS_USER" ]; then
+    _debug "Detected ENV variable PANOS_USER. Saving to file."
+    _savedeployconf PANOS_USER "$PANOS_USER" 1
+  else
+    _debug "Attempting to load variable PANOS_USER from file."
+    _getdeployconf PANOS_USER
+  fi
+
+  # PANOS_PASS
+  if [ "$PANOS_PASS" ]; then
+    _debug "Detected ENV variable PANOS_PASS. Saving to file."
+    _savedeployconf PANOS_PASS "$PANOS_PASS" 1
+  else
+    _debug "Attempting to load variable PANOS_PASS from file."
+    _getdeployconf PANOS_PASS
+  fi
+
+  # PANOS_KEY
+  _getdeployconf PANOS_KEY
+  if [ "$PANOS_KEY" ]; then
+    _debug "Detected saved key."
+    _panos_key=$PANOS_KEY
+  else
+    _debug "No key detected"
+    unset _panos_key
+  fi
+
+  #Store variables
+  _panos_host=$PANOS_HOST
+  _panos_user=$PANOS_USER
+  _panos_pass=$PANOS_PASS
+
+  #Test API Key if found.  If the key is invalid, the variable _panos_key will be unset.
+  if [ "$_panos_host" ] && [ "$_panos_key" ]; then
+    _debug "**** Testing API KEY ****"
+    deployer keytest
+  fi
+
+  # Check for valid variables
+  if [ -z "$_panos_host" ]; then
+    _err "No host found. If this is your first time deploying, please set PANOS_HOST in ENV variables. You can delete it after you have successfully deployed the certs."
+    return 1
+  elif [ -z "$_panos_user" ]; then
+    _err "No user found. If this is your first time deploying, please set PANOS_USER in ENV variables. You can delete it after you have successfully deployed the certs."
+    return 1
+  elif [ -z "$_panos_pass" ]; then
+    _err "No password found. If this is your first time deploying, please set PANOS_PASS in ENV variables. You can delete it after you have successfully deployed the certs."
    return 1
  else
-    _debug "Getting PANOS KEY"
-    deployer keygen
+    # Generate a new API key if no valid API key is found
    if [ -z "$_panos_key" ]; then
-      _err "Missing apikey."
+      _debug "**** Generating new PANOS API KEY ****"
+      deployer keygen
+      _savedeployconf PANOS_KEY "$_panos_key" 1
+    fi
+
+    # Confirm that a valid key was generated
+    if [ -z "$_panos_key" ]; then
+      _err "Unable to generate an API key.  The user and pass may be invalid or not authorized to generate a new key.  Please check the PANOS_USER and PANOS_PASS credentials and try again"
      return 1
    else
      deployer cert
--- a/deploy/proxmoxve.sh
+++ b/deploy/proxmoxve.sh
@@ -0,0 +1,132 @@
+#!/usr/bin/env sh
+
+# Deploy certificates to a proxmox virtual environment node using the API.
+#
+# Environment variables that can be set are:
+# `DEPLOY_PROXMOXVE_SERVER`: The hostname of the proxmox ve node. Defaults to
+#                            _cdomain.
+# `DEPLOY_PROXMOXVE_SERVER_PORT`: The port number the management interface is on.
+#                                 Defaults to 8006.
+# `DEPLOY_PROXMOXVE_NODE_NAME`: The name of the node we'll be connecting to.
+#                               Defaults to the host portion of the server
+#                               domain name.
+# `DEPLOY_PROXMOXVE_USER`: The user we'll connect as. Defaults to root.
+# `DEPLOY_PROXMOXVE_USER_REALM`: The authentication realm the user authenticates
+#                                with. Defaults to pam.
+# `DEPLOY_PROXMOXVE_API_TOKEN_NAME`: The name of the API token created for the
+#                                    user account. Defaults to acme.
+# `DEPLOY_PROXMOXVE_API_TOKEN_KEY`: The API token. Required.
+
+proxmoxve_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug2 _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  # "Sane" defaults.
+  _getdeployconf DEPLOY_PROXMOXVE_SERVER
+  if [ -z "$DEPLOY_PROXMOXVE_SERVER" ]; then
+    _target_hostname="$_cdomain"
+  else
+    _target_hostname="$DEPLOY_PROXMOXVE_SERVER"
+    _savedeployconf DEPLOY_PROXMOXVE_SERVER "$DEPLOY_PROXMOXVE_SERVER"
+  fi
+  _debug2 DEPLOY_PROXMOXVE_SERVER "$_target_hostname"
+
+  _getdeployconf DEPLOY_PROXMOXVE_SERVER_PORT
+  if [ -z "$DEPLOY_PROXMOXVE_SERVER_PORT" ]; then
+    _target_port="8006"
+  else
+    _target_port="$DEPLOY_PROXMOXVE_SERVER_PORT"
+    _savedeployconf DEPLOY_PROXMOXVE_SERVER_PORT "$DEPLOY_PROXMOXVE_SERVER_PORT"
+  fi
+  _debug2 DEPLOY_PROXMOXVE_SERVER_PORT "$_target_port"
+
+  _getdeployconf DEPLOY_PROXMOXVE_NODE_NAME
+  if [ -z "$DEPLOY_PROXMOXVE_NODE_NAME" ]; then
+    _node_name=$(echo "$_target_hostname" | cut -d. -f1)
+  else
+    _node_name="$DEPLOY_PROXMOXVE_NODE_NAME"
+    _savedeployconf DEPLOY_PROXMOXVE_NODE_NAME "$DEPLOY_PROXMOXVE_NODE_NAME"
+  fi
+  _debug2 DEPLOY_PROXMOXVE_NODE_NAME "$_node_name"
+
+  # Complete URL.
+  _target_url="https://${_target_hostname}:${_target_port}/api2/json/nodes/${_node_name}/certificates/custom"
+  _debug TARGET_URL "$_target_url"
+
+  # More "sane" defaults.
+  _getdeployconf DEPLOY_PROXMOXVE_USER
+  if [ -z "$DEPLOY_PROXMOXVE_USER" ]; then
+    _proxmoxve_user="root"
+  else
+    _proxmoxve_user="$DEPLOY_PROXMOXVE_USER"
+    _savedeployconf DEPLOY_PROXMOXVE_USER "$DEPLOY_PROXMOXVE_USER"
+  fi
+  _debug2 DEPLOY_PROXMOXVE_USER "$_proxmoxve_user"
+
+  _getdeployconf DEPLOY_PROXMOXVE_USER_REALM
+  if [ -z "$DEPLOY_PROXMOXVE_USER_REALM" ]; then
+    _proxmoxve_user_realm="pam"
+  else
+    _proxmoxve_user_realm="$DEPLOY_PROXMOXVE_USER_REALM"
+    _savedeployconf DEPLOY_PROXMOXVE_USER_REALM "$DEPLOY_PROXMOXVE_USER_REALM"
+  fi
+  _debug2 DEPLOY_PROXMOXVE_USER_REALM "$_proxmoxve_user_realm"
+
+  _getdeployconf DEPLOY_PROXMOXVE_API_TOKEN_NAME
+  if [ -z "$DEPLOY_PROXMOXVE_API_TOKEN_NAME" ]; then
+    _proxmoxve_api_token_name="acme"
+  else
+    _proxmoxve_api_token_name="$DEPLOY_PROXMOXVE_API_TOKEN_NAME"
+    _savedeployconf DEPLOY_PROXMOXVE_API_TOKEN_NAME "$DEPLOY_PROXMOXVE_API_TOKEN_NAME"
+  fi
+  _debug2 DEPLOY_PROXMOXVE_API_TOKEN_NAME "$_proxmoxve_api_token_name"
+
+  # This is required.
+  _getdeployconf DEPLOY_PROXMOXVE_API_TOKEN_KEY
+  if [ -z "$DEPLOY_PROXMOXVE_API_TOKEN_KEY" ]; then
+    _err "API key not provided."
+    return 1
+  else
+    _proxmoxve_api_token_key="$DEPLOY_PROXMOXVE_API_TOKEN_KEY"
+    _savedeployconf DEPLOY_PROXMOXVE_API_TOKEN_KEY "$DEPLOY_PROXMOXVE_API_TOKEN_KEY"
+  fi
+  _debug2 DEPLOY_PROXMOXVE_API_TOKEN_KEY _proxmoxve_api_token_key
+
+  # PVE API Token header value. Used in "Authorization: PVEAPIToken".
+  _proxmoxve_header_api_token="${_proxmoxve_user}@${_proxmoxve_user_realm}!${_proxmoxve_api_token_name}=${_proxmoxve_api_token_key}"
+  _debug2 "Auth Header" _proxmoxve_header_api_token
+
+  # Ugly. I hate putting heredocs inside functions because heredocs don't
+  # account for whitespace correctly but it _does_ work and is several times
+  # cleaner than anything else I had here.
+  #
+  # This dumps the json payload to a variable that should be passable to the
+  # _psot function.
+  _json_payload=$(
+    cat <<HEREDOC
+{
+  "certificates": "$(tr '\n' ':' <"$_cfullchain" | sed 's/:/\\n/g')",
+  "key": "$(tr '\n' ':' <"$_ckey" | sed 's/:/\\n/g')",
+  "node":"$_node_name",
+  "restart":"1",
+  "force":"1"
+}
+HEREDOC
+  )
+  _debug2 Payload "$_json_payload"
+
+  # Push certificates to server.
+  export _HTTPS_INSECURE=1
+  export _H1="Authorization: PVEAPIToken=${_proxmoxve_header_api_token}"
+  _post "$_json_payload" "$_target_url" "" POST "application/json"
+
+}
--- a/deploy/qiniu.sh
+++ b/deploy/qiniu.sh
@@ -53,7 +53,7 @@ qiniu_deploy() {
  sslcert_access_token="$(_make_access_token "$sslcert_path")"
  _debug sslcert_access_token "$sslcert_access_token"
  export _H1="Authorization: QBox $sslcert_access_token"
-  sslcert_response=$(_post "$sslcerl_body" "$QINIU_API_BASE$sslcert_path" 0 "POST" "application/json" | _dbase64 "multiline")
+  sslcert_response=$(_post "$sslcerl_body" "$QINIU_API_BASE$sslcert_path" 0 "POST" "application/json" | _dbase64)

  if ! _contains "$sslcert_response" "certID"; then
    _err "Error in creating certificate:"
@@ -75,7 +75,7 @@ qiniu_deploy() {
    update_access_token="$(_make_access_token "$update_path")"
    _debug update_access_token "$update_access_token"
    export _H1="Authorization: QBox $update_access_token"
-    update_response=$(_post "$update_body" "$QINIU_API_BASE$update_path" 0 "PUT" "application/json" | _dbase64 "multiline")
+    update_response=$(_post "$update_body" "$QINIU_API_BASE$update_path" 0 "PUT" "application/json" | _dbase64)

    if _contains "$update_response" "error"; then
      _err "Error in updating domain $domain httpsconf:"
--- a/deploy/ssh.sh
+++ b/deploy/ssh.sh
@@ -14,7 +14,7 @@
 # The following examples are for QNAP NAS running QTS 4.2
 # export DEPLOY_SSH_CMD=""  # defaults to "ssh -T"
 # export DEPLOY_SSH_USER="admin"  # required
-# export DEPLOY_SSH_SERVER="qnap"  # defaults to domain name
+# export DEPLOY_SSH_SERVER="host1 host2:8022 192.168.0.1:9022"  # defaults to domain name, support multiple servers with optional port
 # export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
 # export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
 # export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
@@ -23,6 +23,8 @@
 # export DEPLOY_SSH_BACKUP=""  # yes or no, default to yes or previously saved value
 # export DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy"  # path on remote system. Defaults to .acme_ssh_deploy
 # export DEPLOY_SSH_MULTI_CALL=""  # yes or no, default to no or previously saved value
+# export DEPLOY_SSH_USE_SCP="" yes or no, default to no
+# export DEPLOY_SSH_SCP_CMD="" defaults to "scp -q"
 #
 ########  Public functions #####################

@@ -42,72 +44,134 @@ ssh_deploy() {
  _debug _cfullchain "$_cfullchain"

  # USER is required to login by SSH to remote host.
+  _migratedeployconf Le_Deploy_ssh_user DEPLOY_SSH_USER
  _getdeployconf DEPLOY_SSH_USER
  _debug2 DEPLOY_SSH_USER "$DEPLOY_SSH_USER"
  if [ -z "$DEPLOY_SSH_USER" ]; then
-    if [ -z "$Le_Deploy_ssh_user" ]; then
-      _err "DEPLOY_SSH_USER not defined."
-      return 1
-    fi
-  else
-    Le_Deploy_ssh_user="$DEPLOY_SSH_USER"
-    _savedomainconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user"
+    _err "DEPLOY_SSH_USER not defined."
+    return 1
  fi
+  _savedeployconf DEPLOY_SSH_USER "$DEPLOY_SSH_USER"

  # SERVER is optional. If not provided then use _cdomain
+  _migratedeployconf Le_Deploy_ssh_server DEPLOY_SSH_SERVER
  _getdeployconf DEPLOY_SSH_SERVER
  _debug2 DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"
-  if [ -n "$DEPLOY_SSH_SERVER" ]; then
-    Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER"
-    _savedomainconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server"
-  elif [ -z "$Le_Deploy_ssh_server" ]; then
-    Le_Deploy_ssh_server="$_cdomain"
+  if [ -z "$DEPLOY_SSH_SERVER" ]; then
+    DEPLOY_SSH_SERVER="$_cdomain"
  fi
+  _savedeployconf DEPLOY_SSH_SERVER "$DEPLOY_SSH_SERVER"

  # CMD is optional. If not provided then use ssh
+  _migratedeployconf Le_Deploy_ssh_cmd DEPLOY_SSH_CMD
  _getdeployconf DEPLOY_SSH_CMD
  _debug2 DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"
-  if [ -n "$DEPLOY_SSH_CMD" ]; then
-    Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD"
-    _savedomainconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd"
-  elif [ -z "$Le_Deploy_ssh_cmd" ]; then
-    Le_Deploy_ssh_cmd="ssh -T"
+  if [ -z "$DEPLOY_SSH_CMD" ]; then
+    DEPLOY_SSH_CMD="ssh -T"
  fi
+  _savedeployconf DEPLOY_SSH_CMD "$DEPLOY_SSH_CMD"

  # BACKUP is optional. If not provided then default to previously saved value or yes.
+  _migratedeployconf Le_Deploy_ssh_backup DEPLOY_SSH_BACKUP
  _getdeployconf DEPLOY_SSH_BACKUP
  _debug2 DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"
-  if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then
-    Le_Deploy_ssh_backup="no"
-  elif [ -z "$Le_Deploy_ssh_backup" ] || [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
-    Le_Deploy_ssh_backup="yes"
+  if [ -z "$DEPLOY_SSH_BACKUP" ]; then
+    DEPLOY_SSH_BACKUP="yes"
  fi
-  _savedomainconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup"
+  _savedeployconf DEPLOY_SSH_BACKUP "$DEPLOY_SSH_BACKUP"

  # BACKUP_PATH is optional. If not provided then default to previously saved value or .acme_ssh_deploy
+  _migratedeployconf Le_Deploy_ssh_backup_path DEPLOY_SSH_BACKUP_PATH
  _getdeployconf DEPLOY_SSH_BACKUP_PATH
  _debug2 DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"
-  if [ -n "$DEPLOY_SSH_BACKUP_PATH" ]; then
-    Le_Deploy_ssh_backup_path="$DEPLOY_SSH_BACKUP_PATH"
-  elif [ -z "$Le_Deploy_ssh_backup_path" ]; then
-    Le_Deploy_ssh_backup_path=".acme_ssh_deploy"
+  if [ -z "$DEPLOY_SSH_BACKUP_PATH" ]; then
+    DEPLOY_SSH_BACKUP_PATH=".acme_ssh_deploy"
  fi
-  _savedomainconf Le_Deploy_ssh_backup_path "$Le_Deploy_ssh_backup_path"
+  _savedeployconf DEPLOY_SSH_BACKUP_PATH "$DEPLOY_SSH_BACKUP_PATH"

  # MULTI_CALL is optional. If not provided then default to previously saved
  # value (which may be undefined... equivalent to "no").
+  _migratedeployconf Le_Deploy_ssh_multi_call DEPLOY_SSH_MULTI_CALL
  _getdeployconf DEPLOY_SSH_MULTI_CALL
  _debug2 DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"
-  if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
-    Le_Deploy_ssh_multi_call="yes"
-    _savedomainconf Le_Deploy_ssh_multi_call "$Le_Deploy_ssh_multi_call"
-  elif [ "$DEPLOY_SSH_MULTI_CALL" = "no" ]; then
-    Le_Deploy_ssh_multi_call=""
-    _cleardomainconf Le_Deploy_ssh_multi_call
+  if [ -z "$DEPLOY_SSH_MULTI_CALL" ]; then
+    DEPLOY_SSH_MULTI_CALL="no"
+  fi
+  _savedeployconf DEPLOY_SSH_MULTI_CALL "$DEPLOY_SSH_MULTI_CALL"
+
+  # KEYFILE is optional.
+  # If provided then private key will be copied to provided filename.
+  _migratedeployconf Le_Deploy_ssh_keyfile DEPLOY_SSH_KEYFILE
+  _getdeployconf DEPLOY_SSH_KEYFILE
+  _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
+  if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
+    _savedeployconf DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
  fi

-  _deploy_ssh_servers=$Le_Deploy_ssh_server
-  for Le_Deploy_ssh_server in $_deploy_ssh_servers; do
+  # CERTFILE is optional.
+  # If provided then certificate will be copied or appended to provided filename.
+  _migratedeployconf Le_Deploy_ssh_certfile DEPLOY_SSH_CERTFILE
+  _getdeployconf DEPLOY_SSH_CERTFILE
+  _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
+  if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
+    _savedeployconf DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
+  fi
+
+  # CAFILE is optional.
+  # If provided then CA intermediate certificate will be copied or appended to provided filename.
+  _migratedeployconf Le_Deploy_ssh_cafile DEPLOY_SSH_CAFILE
+  _getdeployconf DEPLOY_SSH_CAFILE
+  _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
+  if [ -n "$DEPLOY_SSH_CAFILE" ]; then
+    _savedeployconf DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
+  fi
+
+  # FULLCHAIN is optional.
+  # If provided then fullchain certificate will be copied or appended to provided filename.
+  _migratedeployconf Le_Deploy_ssh_fullchain DEPLOY_SSH_FULLCHAIN
+  _getdeployconf DEPLOY_SSH_FULLCHAIN
+  _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
+  if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
+    _savedeployconf DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
+  fi
+
+  # REMOTE_CMD is optional.
+  # If provided then this command will be executed on remote host.
+  _migratedeployconf Le_Deploy_ssh_remote_cmd DEPLOY_SSH_REMOTE_CMD
+  _getdeployconf DEPLOY_SSH_REMOTE_CMD
+  _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
+  if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
+    _savedeployconf DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
+  fi
+
+  # USE_SCP is optional. If not provided then default to previously saved
+  # value (which may be undefined... equivalent to "no").
+  _getdeployconf DEPLOY_SSH_USE_SCP
+  _debug2 DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP"
+  if [ -z "$DEPLOY_SSH_USE_SCP" ]; then
+    DEPLOY_SSH_USE_SCP="no"
+  fi
+  _savedeployconf DEPLOY_SSH_USE_SCP "$DEPLOY_SSH_USE_SCP"
+
+  # SCP_CMD is optional. If not provided then use scp
+  _getdeployconf DEPLOY_SSH_SCP_CMD
+  _debug2 DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD"
+  if [ -z "$DEPLOY_SSH_SCP_CMD" ]; then
+    DEPLOY_SSH_SCP_CMD="scp -q"
+  fi
+  _savedeployconf DEPLOY_SSH_SCP_CMD "$DEPLOY_SSH_SCP_CMD"
+
+  if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
+    DEPLOY_SSH_MULTI_CALL="yes"
+    _info "Using scp as alternate method for copying files. Multicall Mode is implicit"
+  elif [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
+    _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host"
+  else
+    _info "Required commands batched and sent in single call to remote host"
+  fi
+
+  _deploy_ssh_servers="$DEPLOY_SSH_SERVER"
+  for DEPLOY_SSH_SERVER in $_deploy_ssh_servers; do
    _ssh_deploy
  done
 }
@@ -117,16 +181,25 @@ _ssh_deploy() {
  _cmdstr=""
  _backupprefix=""
  _backupdir=""
+  _local_cert_file=""
+  _local_ca_file=""
+  _local_full_file=""

-  _info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server"
-  if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
-    _info "Using MULTI_CALL mode... Required commands sent in multiple calls to remote host"
-  else
-    _info "Required commands batched and sent in single call to remote host"
-  fi
+  case $DEPLOY_SSH_SERVER in
+  *:*)
+    _host=${DEPLOY_SSH_SERVER%:*}
+    _port=${DEPLOY_SSH_SERVER##*:}
+    ;;
+  *)
+    _host=$DEPLOY_SSH_SERVER
+    _port=
+    ;;
+  esac

-  if [ "$Le_Deploy_ssh_backup" = "yes" ]; then
-    _backupprefix="$Le_Deploy_ssh_backup_path/$_cdomain-backup"
+  _info "Deploy certificates to remote server $DEPLOY_SSH_USER@$_host:$_port"
+
+  if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
+    _backupprefix="$DEPLOY_SSH_BACKUP_PATH/$_cdomain-backup"
    _backupdir="$_backupprefix-$(_utc_date | tr ' ' '-')"
    # run cleanup on the backup directory, erase all older
    # than 180 days (15552000 seconds).
@@ -138,7 +211,7 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
    _cmdstr="mkdir -p $_backupdir; $_cmdstr"
    _info "Backup of old certificate files will be placed in remote directory $_backupdir"
    _info "Backup directories erased after 180 days."
-    if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
+    if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
      if ! _ssh_remote_cmd "$_cmdstr"; then
        return $_err_code
      fi
@@ -146,129 +219,184 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
    fi
  fi

-  # KEYFILE is optional.
-  # If provided then private key will be copied to provided filename.
-  _getdeployconf DEPLOY_SSH_KEYFILE
-  _debug2 DEPLOY_SSH_KEYFILE "$DEPLOY_SSH_KEYFILE"
  if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
-    Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE"
-    _savedomainconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile"
-  fi
-  if [ -n "$Le_Deploy_ssh_keyfile" ]; then
-    if [ "$Le_Deploy_ssh_backup" = "yes" ]; then
+    if [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
-      _cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir >/dev/null;"
+      _cmdstr="$_cmdstr cp $DEPLOY_SSH_KEYFILE $_backupdir >/dev/null;"
+      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
+        if ! _ssh_remote_cmd "$_cmdstr"; then
+          return $_err_code
+        fi
+        _cmdstr=""
+      fi
    fi
-    # copy new certificate into file.
-    _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;"
-    _info "will copy private key to remote file $Le_Deploy_ssh_keyfile"
-    if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
-      if ! _ssh_remote_cmd "$_cmdstr"; then
+
+    # copy new key into file.
+    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
+      # scp the file
+      if ! _scp_remote_cmd "$_ckey" "$DEPLOY_SSH_KEYFILE"; then
        return $_err_code
      fi
-      _cmdstr=""
+    else
+      # ssh echo to the file
+      _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $DEPLOY_SSH_KEYFILE;"
+      _info "will copy private key to remote file $DEPLOY_SSH_KEYFILE"
+      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
+        if ! _ssh_remote_cmd "$_cmdstr"; then
+          return $_err_code
+        fi
+        _cmdstr=""
+      fi
    fi
  fi

-  # CERTFILE is optional.
-  # If provided then certificate will be copied or appended to provided filename.
-  _getdeployconf DEPLOY_SSH_CERTFILE
-  _debug2 DEPLOY_SSH_CERTFILE "$DEPLOY_SSH_CERTFILE"
  if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
-    Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE"
-    _savedomainconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile"
-  fi
-  if [ -n "$Le_Deploy_ssh_certfile" ]; then
    _pipe=">"
-    if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then
+    if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
      # if filename is same as previous file then append.
      _pipe=">>"
-    elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
+    elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
-      _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;"
+      _cmdstr="$_cmdstr cp $DEPLOY_SSH_CERTFILE $_backupdir >/dev/null;"
+      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
+        if ! _ssh_remote_cmd "$_cmdstr"; then
+          return $_err_code
+        fi
+        _cmdstr=""
+      fi
    fi
+
    # copy new certificate into file.
-    _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;"
-    _info "will copy certificate to remote file $Le_Deploy_ssh_certfile"
-    if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
-      if ! _ssh_remote_cmd "$_cmdstr"; then
+    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
+      # scp the file
+      _local_cert_file=$(_mktemp)
+      if [ "$DEPLOY_SSH_CERTFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
+        cat "$_ckey" >>"$_local_cert_file"
+      fi
+      cat "$_ccert" >>"$_local_cert_file"
+      if ! _scp_remote_cmd "$_local_cert_file" "$DEPLOY_SSH_CERTFILE"; then
        return $_err_code
      fi
-      _cmdstr=""
+    else
+      # ssh echo to the file
+      _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $DEPLOY_SSH_CERTFILE;"
+      _info "will copy certificate to remote file $DEPLOY_SSH_CERTFILE"
+      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
+        if ! _ssh_remote_cmd "$_cmdstr"; then
+          return $_err_code
+        fi
+        _cmdstr=""
+      fi
    fi
  fi

-  # CAFILE is optional.
-  # If provided then CA intermediate certificate will be copied or appended to provided filename.
-  _getdeployconf DEPLOY_SSH_CAFILE
-  _debug2 DEPLOY_SSH_CAFILE "$DEPLOY_SSH_CAFILE"
  if [ -n "$DEPLOY_SSH_CAFILE" ]; then
-    Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE"
-    _savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile"
-  fi
-  if [ -n "$Le_Deploy_ssh_cafile" ]; then
    _pipe=">"
-    if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] ||
-      [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then
+    if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ] ||
+      [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then
      # if filename is same as previous file then append.
      _pipe=">>"
-    elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
+    elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
-      _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir >/dev/null;"
+      _cmdstr="$_cmdstr cp $DEPLOY_SSH_CAFILE $_backupdir >/dev/null;"
+      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
+        if ! _ssh_remote_cmd "$_cmdstr"; then
+          return $_err_code
+        fi
+        _cmdstr=""
+      fi
    fi
+
    # copy new certificate into file.
-    _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;"
-    _info "will copy CA file to remote file $Le_Deploy_ssh_cafile"
-    if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
-      if ! _ssh_remote_cmd "$_cmdstr"; then
+    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
+      # scp the file
+      _local_ca_file=$(_mktemp)
+      if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_KEYFILE" ]; then
+        cat "$_ckey" >>"$_local_ca_file"
+      fi
+      if [ "$DEPLOY_SSH_CAFILE" = "$DEPLOY_SSH_CERTFILE" ]; then
+        cat "$_ccert" >>"$_local_ca_file"
+      fi
+      cat "$_cca" >>"$_local_ca_file"
+      if ! _scp_remote_cmd "$_local_ca_file" "$DEPLOY_SSH_CAFILE"; then
        return $_err_code
      fi
-      _cmdstr=""
+    else
+      # ssh echo to the file
+      _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $DEPLOY_SSH_CAFILE;"
+      _info "will copy CA file to remote file $DEPLOY_SSH_CAFILE"
+      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
+        if ! _ssh_remote_cmd "$_cmdstr"; then
+          return $_err_code
+        fi
+        _cmdstr=""
+      fi
    fi
  fi

-  # FULLCHAIN is optional.
-  # If provided then fullchain certificate will be copied or appended to provided filename.
-  _getdeployconf DEPLOY_SSH_FULLCHAIN
-  _debug2 DEPLOY_SSH_FULLCHAIN "$DEPLOY_SSH_FULLCHAIN"
  if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
-    Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN"
-    _savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain"
-  fi
-  if [ -n "$Le_Deploy_ssh_fullchain" ]; then
    _pipe=">"
-    if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] ||
-      [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ] ||
-      [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then
+    if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ] ||
+      [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ] ||
+      [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then
      # if filename is same as previous file then append.
      _pipe=">>"
-    elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
+    elif [ "$DEPLOY_SSH_BACKUP" = "yes" ]; then
      # backup file we are about to overwrite.
-      _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir >/dev/null;"
+      _cmdstr="$_cmdstr cp $DEPLOY_SSH_FULLCHAIN $_backupdir >/dev/null;"
+      if [ "$DEPLOY_SSH_FULLCHAIN" = "yes" ]; then
+        if ! _ssh_remote_cmd "$_cmdstr"; then
+          return $_err_code
+        fi
+        _cmdstr=""
+      fi
    fi
+
    # copy new certificate into file.
-    _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;"
-    _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain"
-    if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
-      if ! _ssh_remote_cmd "$_cmdstr"; then
+    if [ "$DEPLOY_SSH_USE_SCP" = "yes" ]; then
+      # scp the file
+      _local_full_file=$(_mktemp)
+      if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_KEYFILE" ]; then
+        cat "$_ckey" >>"$_local_full_file"
+      fi
+      if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CERTFILE" ]; then
+        cat "$_ccert" >>"$_local_full_file"
+      fi
+      if [ "$DEPLOY_SSH_FULLCHAIN" = "$DEPLOY_SSH_CAFILE" ]; then
+        cat "$_cca" >>"$_local_full_file"
+      fi
+      cat "$_cfullchain" >>"$_local_full_file"
+      if ! _scp_remote_cmd "$_local_full_file" "$DEPLOY_SSH_FULLCHAIN"; then
        return $_err_code
      fi
-      _cmdstr=""
+    else
+      # ssh echo to the file
+      _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $DEPLOY_SSH_FULLCHAIN;"
+      _info "will copy fullchain to remote file $DEPLOY_SSH_FULLCHAIN"
+      if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
+        if ! _ssh_remote_cmd "$_cmdstr"; then
+          return $_err_code
+        fi
+        _cmdstr=""
+      fi
    fi
  fi

-  # REMOTE_CMD is optional.
-  # If provided then this command will be executed on remote host.
-  _getdeployconf DEPLOY_SSH_REMOTE_CMD
-  _debug2 DEPLOY_SSH_REMOTE_CMD "$DEPLOY_SSH_REMOTE_CMD"
-  if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
-    Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD"
-    _savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd"
+  # cleanup local files if any
+  if [ -f "$_local_cert_file" ]; then
+    rm -f "$_local_cert_file"
  fi
-  if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then
-    _cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd;"
-    _info "Will execute remote command $Le_Deploy_ssh_remote_cmd"
-    if [ "$Le_Deploy_ssh_multi_call" = "yes" ]; then
+  if [ -f "$_local_ca_file" ]; then
+    rm -f "$_local_ca_file"
+  fi
+  if [ -f "$_local_full_file" ]; then
+    rm -f "$_local_full_file"
+  fi
+
+  if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
+    _cmdstr="$_cmdstr $DEPLOY_SSH_REMOTE_CMD;"
+    _info "Will execute remote command $DEPLOY_SSH_REMOTE_CMD"
+    if [ "$DEPLOY_SSH_MULTI_CALL" = "yes" ]; then
      if ! _ssh_remote_cmd "$_cmdstr"; then
        return $_err_code
      fi
@@ -282,17 +410,25 @@ then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; d
      return $_err_code
    fi
  fi
+  # cleanup in case all is ok
  return 0
 }

 #cmd
 _ssh_remote_cmd() {
  _cmd="$1"
+
+  _ssh_cmd="$DEPLOY_SSH_CMD"
+  if [ -n "$_port" ]; then
+    _ssh_cmd="$_ssh_cmd -p $_port"
+  fi
+
  _secure_debug "Remote commands to execute: $_cmd"
-  _info "Submitting sequence of commands to remote server by ssh"
+  _info "Submitting sequence of commands to remote server by $_ssh_cmd"
+
  # quotations in bash cmd below intended.  Squash travis spellcheck error
  # shellcheck disable=SC2029
-  $Le_Deploy_ssh_cmd "$Le_Deploy_ssh_user@$Le_Deploy_ssh_server" sh -c "'$_cmd'"
+  $_ssh_cmd "$DEPLOY_SSH_USER@$_host" sh -c "'$_cmd'"
  _err_code="$?"

  if [ "$_err_code" != "0" ]; then
@@ -301,3 +437,26 @@ _ssh_remote_cmd() {

  return $_err_code
 }
+
+# cmd scp
+_scp_remote_cmd() {
+  _src=$1
+  _dest=$2
+
+  _scp_cmd="$DEPLOY_SSH_SCP_CMD"
+  if [ -n "$_port" ]; then
+    _scp_cmd="$_scp_cmd -P $_port"
+  fi
+
+  _secure_debug "Remote copy source $_src to destination $_dest"
+  _info "Submitting secure copy by $_scp_cmd"
+
+  $_scp_cmd "$_src" "$DEPLOY_SSH_USER"@"$_host":"$_dest"
+  _err_code="$?"
+
+  if [ "$_err_code" != "0" ]; then
+    _err "Error code $_err_code returned from scp"
+  fi
+
+  return $_err_code
+}
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@@ -1,34 +1,35 @@
-#!/usr/bin/env sh
+#!/bin/bash

-# Here is a script to deploy cert to Synology DSM
-#
-# It requires following environment variables:
-#
-# SYNO_Username - Synology Username to login (must be an administrator)
-# SYNO_Password - Synology Password to login
-# SYNO_Certificate - Certificate description to target for replacement
-#
-# The following environmental variables may be set if you don't like their
-# default values:
-#
-# SYNO_Scheme - defaults to http
-# SYNO_Hostname - defaults to localhost
-# SYNO_Port - defaults to 5000
-# SYNO_DID - device ID to skip OTP - defaults to empty
-# SYNO_TOTP_SECRET - TOTP secret to generate OTP - defaults to empty
-#
+################################################################################
+# ACME.sh 3rd party deploy plugin for Synology DSM
+################################################################################
+# Authors: Brian Hartvigsen (creator), https://github.com/tresni
+#          Martin Arndt (contributor), https://troublezone.net/
+# Updated: 2023-07-03
+# Issues:  https://github.com/acmesh-official/acme.sh/issues/2727
+################################################################################
+# Usage:
+# 1. export SYNO_Username="adminUser"
+# 2. export SYNO_Password="adminPassword"
+# Optional exports (shown values are the defaults):
+# - export SYNO_Certificate="" to replace a specific certificate via description
+# - export SYNO_Scheme="http"
+# - export SYNO_Hostname="localhost"
+# - export SYNO_Port="5000"
+# - export SYNO_Device_Name="CertRenewal" - required for skipping 2FA-OTP
+# - export SYNO_Device_ID=""              - required for skipping 2FA-OTP
+# 3. acme.sh --deploy --deploy-hook synology_dsm -d example.com
+################################################################################
 # Dependencies:
-# -------------
-# - jq and curl
-# - oathtool (When using 2 Factor Authentication and SYNO_TOTP_SECRET is set)
-#
-#returns 0 means success, otherwise error.
-
-########  Public functions #####################
+# - jq & curl
+################################################################################
+# Return value:
+# 0 means success, otherwise error.
+################################################################################

+########## Public functions ####################################################
 #domain keyfile certfile cafile fullchain
 synology_dsm_deploy() {
-
  _cdomain="$1"
  _ckey="$2"
  _ccert="$3"
@@ -36,39 +37,46 @@ synology_dsm_deploy() {

  _debug _cdomain "$_cdomain"

-  # Get Username and Password, but don't save until we successfully authenticate
+  # Get username & password, but don't save until we authenticated successfully
  _getdeployconf SYNO_Username
  _getdeployconf SYNO_Password
  _getdeployconf SYNO_Create
  _getdeployconf SYNO_DID
  _getdeployconf SYNO_TOTP_SECRET
+  _getdeployconf SYNO_Device_Name
+  _getdeployconf SYNO_Device_ID
  if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then
    _err "SYNO_Username & SYNO_Password must be set"
    return 1
  fi
+  if [ -n "${SYNO_Device_Name:-}" ] && [ -z "${SYNO_Device_ID:-}" ]; then
+    _err "SYNO_Device_Name set, but SYNO_Device_ID is empty"
+    return 1
+  fi
  _debug2 SYNO_Username "$SYNO_Username"
  _secure_debug2 SYNO_Password "$SYNO_Password"
+  _debug2 SYNO_Create "$SYNO_Create"
+  _debug2 SYNO_Device_Name "$SYNO_Device_Name"
+  _secure_debug2 SYNO_Device_ID "$SYNO_Device_ID"

-  # Optional scheme, hostname, and port for Synology DSM
+  # Optional scheme, hostname & port for Synology DSM
  _getdeployconf SYNO_Scheme
  _getdeployconf SYNO_Hostname
  _getdeployconf SYNO_Port

-  # default vaules for scheme, hostname, and port
-  # defaulting to localhost and http because it's localhost...
+  # Default values for scheme, hostname & port
+  # Defaulting to localhost & http, because it's localhost…
  [ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http"
  [ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost"
  [ -n "${SYNO_Port}" ] || SYNO_Port="5000"
-
  _savedeployconf SYNO_Scheme "$SYNO_Scheme"
  _savedeployconf SYNO_Hostname "$SYNO_Hostname"
  _savedeployconf SYNO_Port "$SYNO_Port"
-
  _debug2 SYNO_Scheme "$SYNO_Scheme"
  _debug2 SYNO_Hostname "$SYNO_Hostname"
  _debug2 SYNO_Port "$SYNO_Port"

-  # Get the certificate description, but don't save it until we verfiy it's real
+  # Get the certificate description, but don't save it until we verify it's real
  _getdeployconf SYNO_Certificate
  _debug SYNO_Certificate "${SYNO_Certificate:-}"

@@ -83,53 +91,81 @@ synology_dsm_deploy() {

  _debug "Getting API version"
  response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth")
+  api_path=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"path" *: *"\([^"]*\)".*/\1/p')
  api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p')
  _debug3 response "$response"
+  _debug3 api_path "$api_path"
  _debug3 api_version "$api_version"

-  # Login, get the token from JSON and session id from cookie
+  # Login, get the session ID & SynoToken from JSON
  _info "Logging into $SYNO_Hostname:$SYNO_Port"
  encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)"
  encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)"

  otp_code=""
+  # START - DEPRECATED, only kept for legacy compatibility reasons
  if [ -n "$SYNO_TOTP_SECRET" ]; then
+    _info "WARNING: Usage of SYNO_TOTP_SECRET is deprecated!"
+    _info "         See synology_dsm.sh script or ACME.sh Wiki page for details:"
+    _info "         https://github.com/acmesh-official/acme.sh/wiki/Synology-NAS-Guide"
+    DEPRECATED_otp_code=""
    if _exists oathtool; then
-      otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
+      DEPRECATED_otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
    else
      _err "oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET"
      return 1
    fi
+
+    if [ -n "$SYNO_DID" ]; then
+      _H1="Cookie: did=$SYNO_DID"
+      export _H1
+      _debug3 H1 "${_H1}"
+    fi
+
+    response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$DEPRECATED_otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
+    _debug3 response "$response"
+  # END - DEPRECATED, only kept for legacy compatibility reasons
+  # Get device ID if still empty first, otherwise log in right away
+  elif [ -z "${SYNO_Device_ID:-}" ]; then
+    printf "Enter OTP code for user '%s': " "$SYNO_Username"
+    read -r otp_code
+    if [ -z "${SYNO_Device_Name:-}" ]; then
+      printf "Enter device name or leave empty for default (CertRenewal): "
+      read -r SYNO_Device_Name
+      [ -n "${SYNO_Device_Name}" ] || SYNO_Device_Name="CertRenewal"
+    fi
+
+    response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&otp_code=$otp_code&enable_syno_token=yes&enable_device_token=yes&device_name=$SYNO_Device_Name")
+    _secure_debug3 response "$response"
+
+    id_property='device_id'
+    [ "${api_version}" -gt '6' ] || id_property='did'
+    SYNO_Device_ID=$(echo "$response" | grep "$id_property" | sed -n 's/.*"'$id_property'" *: *"\([^"]*\).*/\1/p')
+    _secure_debug2 SYNO_Device_ID "$SYNO_Device_ID"
+  else
+    response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_name=$SYNO_Device_Name&device_id=$SYNO_Device_ID")
+    _debug3 response "$response"
  fi

-  if [ -n "$SYNO_DID" ]; then
-    _H1="Cookie: did=$SYNO_DID"
-    export _H1
-    _debug3 H1 "${_H1}"
-  fi
-
-  response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$otp_code" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
+  sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
  token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
-  _debug3 response "$response"
-  _debug token "$token"
-
-  if [ -z "$token" ]; then
-    _err "Unable to authenticate to $SYNO_Hostname:$SYNO_Port using $SYNO_Scheme."
-    _err "Check your username and password."
-    _err "If two-factor authentication is enabled for the user, set SYNO_TOTP_SECRET."
+  _debug "Session ID" "$sid"
+  _debug SynoToken "$token"
+  if [ -z "$SYNO_DID" ] && [ -z "$SYNO_Device_ID" ] || [ -z "$sid" ] || [ -z "$token" ]; then
+    _err "Unable to authenticate to $_base_url - check your username & password."
+    _err "If two-factor authentication is enabled for the user, set SYNO_Device_ID."
    return 1
  fi
-  sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')

  _H1="X-SYNO-TOKEN: $token"
  export _H1
  _debug2 H1 "${_H1}"

-  # Now that we know the username and password are good, save them
+  # Now that we know the username & password are good, save them
  _savedeployconf SYNO_Username "$SYNO_Username"
  _savedeployconf SYNO_Password "$SYNO_Password"
-  _savedeployconf SYNO_DID "$SYNO_DID"
-  _savedeployconf SYNO_TOTP_SECRET "$SYNO_TOTP_SECRET"
+  _savedeployconf SYNO_Device_Name "$SYNO_Device_Name"
+  _savedeployconf SYNO_Device_ID "$SYNO_Device_ID"

  _info "Getting certificates in Synology DSM"
  response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
@@ -140,11 +176,11 @@ synology_dsm_deploy() {
  _debug2 id "$id"

  if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
-    _err "Unable to find certificate: $SYNO_Certificate and \$SYNO_Create is not set"
+    _err "Unable to find certificate: $SYNO_Certificate & \$SYNO_Create is not set"
    return 1
  fi

-  # we've verified this certificate description is a thing, so save it
+  # We've verified this certificate description is a thing, so save it
  _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64"

  _info "Generate form POST request"
@@ -156,10 +192,10 @@ synology_dsm_deploy() {
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
  if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
-    _debug2 default "this is the default certificate"
+    _debug2 default "This is the default certificate"
    content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
  else
-    _debug2 default "this is NOT the default certificate"
+    _debug2 default "This is NOT the default certificate"
  fi
  content="$content${nl}--$delim--${nl}"
  content="$(printf "%b_" "$content")"
@@ -171,13 +207,23 @@ synology_dsm_deploy() {

  if ! echo "$response" | grep '"error":' >/dev/null; then
    if echo "$response" | grep '"restart_httpd":true' >/dev/null; then
-      _info "http services were restarted"
+      _info "Restarting HTTP services succeeded"
    else
-      _info "http services were NOT restarted"
+      _info "Restarting HTTP services failed"
    fi
+
+    _logout
    return 0
  else
    _err "Unable to update certificate, error code $response"
+    _logout
    return 1
  fi
 }
+
+####################  Private functions below ##################################
+_logout() {
+  # Logout to not occupy a permanent session, e.g. in DSM's "Connected Users" widget
+  response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=logout")
+  _debug3 response "$response"
+}
--- a/deploy/truenas.sh
+++ b/deploy/truenas.sh
@@ -184,6 +184,27 @@ truenas_deploy() {
    _info "S3 certificate is not configured or is not the same as TrueNAS web UI"
  fi

+  _info "Checking if any chart release Apps is using the same certificate as TrueNAS web UI. Tool 'jq' is required"
+  if _exists jq; then
+    _info "Query all chart release"
+    _release_list=$(_get "$_api_url/chart/release")
+    _related_name_list=$(printf "%s" "$_release_list" | jq -r "[.[] | {name,certId: .config.ingress?.main.tls[]?.scaleCert} | select(.certId==$_active_cert_id) | .name ] | unique")
+    _release_length=$(printf "%s" "$_related_name_list" | jq -r "length")
+    _info "Found $_release_length related chart release in list: $_related_name_list"
+    for i in $(seq 0 $((_release_length - 1))); do
+      _release_name=$(echo "$_related_name_list" | jq -r ".[$i]")
+      _info "Updating certificate from $_active_cert_id to $_cert_id for chart release: $_release_name"
+      #Read the chart release configuration
+      _chart_config=$(printf "%s" "$_release_list" | jq -r ".[] | select(.name==\"$_release_name\")")
+      #Replace the old certificate id with the new one in path .config.ingress.main.tls[].scaleCert. Then update .config.ingress
+      _updated_chart_config=$(printf "%s" "$_chart_config" | jq "(.config.ingress?.main.tls[]? | select(.scaleCert==$_active_cert_id) | .scaleCert  ) |= $_cert_id | .config.ingress ")
+      _update_chart_result="$(_post "{\"values\" : { \"ingress\" : $_updated_chart_config } }" "$_api_url/chart/release/id/$_release_name" "" "PUT" "application/json")"
+      _debug3 _update_chart_result "$_update_chart_result"
+    done
+  else
+    _info "Tool 'jq' does not exists, skip chart release checking"
+  fi
+
  _info "Deleting old certificate"
  _delete_result="$(_post "" "$_api_url/certificate/id/$_active_cert_id" "" "DELETE" "application/json")"

--- a/deploy/vault.sh
+++ b/deploy/vault.sh
@@ -7,13 +7,16 @@
 #
 # VAULT_PREFIX - this contains the prefix path in vault
 # VAULT_ADDR - vault requires this to find your vault server
+# VAULT_SAVE_TOKEN - set to anything if you want to save the token
+# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
+# VAULT_KV_V2 - set to anything if you are using v2 of the kv engine
 #
 # additionally, you need to ensure that VAULT_TOKEN is avialable
 # to access the vault server

 #returns 0 means success, otherwise error.

-########  Public functions #####################
+######## Public functions #####################

 #domain keyfile certfile cafile fullchain
 vault_deploy() {
@@ -45,6 +48,26 @@ vault_deploy() {
  fi
  _savedeployconf VAULT_ADDR "$VAULT_ADDR"

+  _getdeployconf VAULT_SAVE_TOKEN
+  _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
+
+  _getdeployconf VAULT_RENEW_TOKEN
+  _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
+
+  _getdeployconf VAULT_KV_V2
+  _savedeployconf VAULT_KV_V2 "$VAULT_KV_V2"
+
+  _getdeployconf VAULT_TOKEN
+  if [ -z "$VAULT_TOKEN" ]; then
+    _err "VAULT_TOKEN needs to be defined"
+    return 1
+  fi
+  if [ -n "$VAULT_SAVE_TOKEN" ]; then
+    _savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
+  fi
+
+  _migratedeployconf FABIO VAULT_FABIO_MODE
+
  # JSON does not allow multiline strings.
  # So replacing new-lines with "\n" here
  _ckey=$(sed -z 's/\n/\\n/g' <"$2")
@@ -52,26 +75,56 @@ vault_deploy() {
  _cca=$(sed -z 's/\n/\\n/g' <"$4")
  _cfullchain=$(sed -z 's/\n/\\n/g' <"$5")

-  URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
  export _H1="X-Vault-Token: $VAULT_TOKEN"

-  if [ -n "$FABIO" ]; then
+  if [ -n "$VAULT_RENEW_TOKEN" ]; then
+    URL="$VAULT_ADDR/v1/auth/token/renew-self"
+    _info "Renew the Vault token to default TTL"
+    if ! _post "" "$URL" >/dev/null; then
+      _err "Failed to renew the Vault token"
+      return 1
+    fi
+  fi
+
+  URL="$VAULT_ADDR/v1/$VAULT_PREFIX/$_cdomain"
+
+  if [ -n "$VAULT_FABIO_MODE" ]; then
+    _info "Writing certificate and key to $URL in Fabio mode"
    if [ -n "$VAULT_KV_V2" ]; then
-      _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL"
+      _post "{ \"data\": {\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"} }" "$URL" >/dev/null || return 1
    else
-      _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL"
+      _post "{\"cert\": \"$_cfullchain\", \"key\": \"$_ckey\"}" "$URL" >/dev/null || return 1
    fi
  else
    if [ -n "$VAULT_KV_V2" ]; then
-      _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem"
-      _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key"
-      _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem"
-      _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem"
+      _info "Writing certificate to $URL/cert.pem"
+      _post "{\"data\": {\"value\": \"$_ccert\"}}" "$URL/cert.pem" >/dev/null || return 1
+      _info "Writing key to $URL/cert.key"
+      _post "{\"data\": {\"value\": \"$_ckey\"}}" "$URL/cert.key" >/dev/null || return 1
+      _info "Writing CA certificate to $URL/ca.pem"
+      _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/ca.pem" >/dev/null || return 1
+      _info "Writing full-chain certificate to $URL/fullchain.pem"
+      _post "{\"data\": {\"value\": \"$_cfullchain\"}}" "$URL/fullchain.pem" >/dev/null || return 1
    else
-      _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem"
-      _post "{\"value\": \"$_ckey\"}" "$URL/cert.key"
-      _post "{\"value\": \"$_cca\"}" "$URL/chain.pem"
-      _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem"
+      _info "Writing certificate to $URL/cert.pem"
+      _post "{\"value\": \"$_ccert\"}" "$URL/cert.pem" >/dev/null || return 1
+      _info "Writing key to $URL/cert.key"
+      _post "{\"value\": \"$_ckey\"}" "$URL/cert.key" >/dev/null || return 1
+      _info "Writing CA certificate to $URL/ca.pem"
+      _post "{\"value\": \"$_cca\"}" "$URL/ca.pem" >/dev/null || return 1
+      _info "Writing full-chain certificate to $URL/fullchain.pem"
+      _post "{\"value\": \"$_cfullchain\"}" "$URL/fullchain.pem" >/dev/null || return 1
+    fi
+
+    # To make it compatible with the wrong ca path `chain.pem` which was used in former versions
+    if _contains "$(_get "$URL/chain.pem")" "-----BEGIN CERTIFICATE-----"; then
+      _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
+      _info "Updating CA certificate to $URL/chain.pem for backward compatibility"
+      if [ -n "$VAULT_KV_V2" ]; then
+        _post "{\"data\": {\"value\": \"$_cca\"}}" "$URL/chain.pem" >/dev/null || return 1
+      else
+        _post "{\"value\": \"$_cca\"}" "$URL/chain.pem" >/dev/null || return 1
+      fi
    fi
  fi

--- a/deploy/vault_cli.sh
+++ b/deploy/vault_cli.sh
@@ -8,6 +8,8 @@
 #
 # VAULT_PREFIX - this contains the prefix path in vault
 # VAULT_ADDR - vault requires this to find your vault server
+# VAULT_SAVE_TOKEN - set to anything if you want to save the token
+# VAULT_RENEW_TOKEN - set to anything if you want to renew the token to default TTL before deploying
 #
 # additionally, you need to ensure that VAULT_TOKEN is avialable or
 # `vault auth` has applied the appropriate authorization for the vault binary
@@ -33,15 +35,36 @@ vault_cli_deploy() {
  _debug _cfullchain "$_cfullchain"

  # validate required env vars
+  _getdeployconf VAULT_PREFIX
  if [ -z "$VAULT_PREFIX" ]; then
    _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
    return 1
  fi
+  _savedeployconf VAULT_PREFIX "$VAULT_PREFIX"

+  _getdeployconf VAULT_ADDR
  if [ -z "$VAULT_ADDR" ]; then
    _err "VAULT_ADDR needs to be defined (contains vault connection address)"
    return 1
  fi
+  _savedeployconf VAULT_ADDR "$VAULT_ADDR"
+
+  _getdeployconf VAULT_SAVE_TOKEN
+  _savedeployconf VAULT_SAVE_TOKEN "$VAULT_SAVE_TOKEN"
+
+  _getdeployconf VAULT_RENEW_TOKEN
+  _savedeployconf VAULT_RENEW_TOKEN "$VAULT_RENEW_TOKEN"
+
+  _getdeployconf VAULT_TOKEN
+  if [ -z "$VAULT_TOKEN" ]; then
+    _err "VAULT_TOKEN needs to be defined"
+    return 1
+  fi
+  if [ -n "$VAULT_SAVE_TOKEN" ]; then
+    _savedeployconf VAULT_TOKEN "$VAULT_TOKEN"
+  fi
+
+  _migratedeployconf FABIO VAULT_FABIO_MODE

  VAULT_CMD=$(command -v vault)
  if [ ! $? ]; then
@@ -49,13 +72,33 @@ vault_cli_deploy() {
    return 1
  fi

-  if [ -n "$FABIO" ]; then
+  if [ -n "$VAULT_RENEW_TOKEN" ]; then
+    _info "Renew the Vault token to default TTL"
+    if ! $VAULT_CMD token renew; then
+      _err "Failed to renew the Vault token"
+      return 1
+    fi
+  fi
+
+  if [ -n "$VAULT_FABIO_MODE" ]; then
+    _info "Writing certificate and key to ${VAULT_PREFIX}/${_cdomain} in Fabio mode"
    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}" cert=@"$_cfullchain" key=@"$_ckey" || return 1
  else
+    _info "Writing certificate to ${VAULT_PREFIX}/${_cdomain}/cert.pem"
    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
+    _info "Writing key to ${VAULT_PREFIX}/${_cdomain}/cert.key"
    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
-    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
+    _info "Writing CA certificate to ${VAULT_PREFIX}/${_cdomain}/ca.pem"
+    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/ca.pem" value=@"$_cca" || return 1
+    _info "Writing full-chain certificate to ${VAULT_PREFIX}/${_cdomain}/fullchain.pem"
    $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
+
+    # To make it compatible with the wrong ca path `chain.pem` which was used in former versions
+    if $VAULT_CMD kv get "${VAULT_PREFIX}/${_cdomain}/chain.pem" >/dev/null; then
+      _err "The CA certificate has moved from chain.pem to ca.pem, if you don't depend on chain.pem anymore, you can delete it to avoid this warning"
+      _info "Updating CA certificate to ${VAULT_PREFIX}/${_cdomain}/chain.pem for backward compatibility"
+      $VAULT_CMD kv put "${VAULT_PREFIX}/${_cdomain}/chain.pem" value=@"$_cca" || return 1
+    fi
  fi

 }
--- a/dnsapi/dns_1984hosting.sh
+++ b/dnsapi/dns_1984hosting.sh
@@ -1,46 +1,46 @@
 #!/usr/bin/env sh
-#This file name is "dns_1984hosting.sh"
-#So, here must be a method dns_1984hosting_add()
-#Which will be called by acme.sh to add the txt record to your api system.
-#returns 0 means success, otherwise error.
+# This file name is "dns_1984hosting.sh"
+# So, here must be a method dns_1984hosting_add()
+# Which will be called by acme.sh to add the txt record to your api system.
+# returns 0 means success, otherwise error.

-#Author: Adrian Fedoreanu
-#Report Bugs here: https://github.com/acmesh-official/acme.sh
+# Author: Adrian Fedoreanu
+# Report Bugs here: https://github.com/acmesh-official/acme.sh
 # or here... https://github.com/acmesh-official/acme.sh/issues/2851
-#
-########  Public functions #####################
+
+######## Public functions #####################

 # Export 1984HOSTING username and password in following variables
 #
 #  One984HOSTING_Username=username
 #  One984HOSTING_Password=password
 #
-# sessionid cookie is saved in ~/.acme.sh/account.conf
-# username/password need to be set only when changed.
+# username/password and csrftoken/sessionid cookies are saved in ~/.acme.sh/account.conf

-#Usage: dns_1984hosting_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Usage: dns_1984hosting_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Add a text record.
 dns_1984hosting_add() {
  fulldomain=$1
  txtvalue=$2

-  _info "Add TXT record using 1984Hosting"
+  _info "Add TXT record using 1984Hosting."
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"

  if ! _1984hosting_login; then
-    _err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file"
+    _err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file."
    return 1
  fi

-  _debug "First detect the root zone"
+  _debug "First detect the root zone."
  if ! _get_root "$fulldomain"; then
-    _err "invalid domain" "$fulldomain"
+    _err "Invalid domain '$fulldomain'."
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"

-  _debug "Add TXT record $fulldomain with value '$txtvalue'"
+  _debug "Add TXT record $fulldomain with value '$txtvalue'."
  value="$(printf '%s' "$txtvalue" | _url_encode)"
  url="https://1984.hosting/domains/entry/"

@@ -53,93 +53,97 @@ dns_1984hosting_add() {
  _debug2 postdata "$postdata"

  _authpost "$postdata" "$url"
-  response="$(echo "$_response" | _normalizeJson)"
-  _debug2 response "$response"
-
-  if _contains "$response" '"haserrors": true'; then
-    _err "1984Hosting failed to add TXT record for $_sub_domain bad RC from _post"
+  if _contains "$_response" '"haserrors": true'; then
+    _err "1984Hosting failed to add TXT record for $_sub_domain bad RC from _post."
    return 1
-  elif _contains "$response" "html>"; then
-    _err "1984Hosting failed to add TXT record for $_sub_domain. Check $HTTP_HEADER file"
+  elif _contains "$_response" "html>"; then
+    _err "1984Hosting failed to add TXT record for $_sub_domain. Check $HTTP_HEADER file."
    return 1
-  elif _contains "$response" '"auth": false'; then
-    _err "1984Hosting failed to add TXT record for $_sub_domain. Invalid or expired cookie"
+  elif _contains "$_response" '"auth": false'; then
+    _err "1984Hosting failed to add TXT record for $_sub_domain. Invalid or expired cookie."
    return 1
  fi

-  _info "Added acme challenge TXT record for $fulldomain at 1984Hosting"
+  _info "Added acme challenge TXT record for $fulldomain at 1984Hosting."
  return 0
 }

-#Usage: fulldomain txtvalue
-#Remove the txt record after validation.
+# Usage: fulldomain txtvalue
+# Remove the txt record after validation.
 dns_1984hosting_rm() {
  fulldomain=$1
  txtvalue=$2

-  _info "Delete TXT record using 1984Hosting"
+  _info "Delete TXT record using 1984Hosting."
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"

  if ! _1984hosting_login; then
-    _err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file"
+    _err "1984Hosting login failed for user $One984HOSTING_Username. Check $HTTP_HEADER file."
    return 1
  fi

-  _debug "First detect the root zone"
+  _debug "First detect the root zone."
  if ! _get_root "$fulldomain"; then
-    _err "invalid domain" "$fulldomain"
+    _err "Invalid domain '$fulldomain'."
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
-  _debug "Delete $fulldomain TXT record"
+  _debug "Delete $fulldomain TXT record."

  url="https://1984.hosting/domains"
  if ! _get_zone_id "$url" "$_domain"; then
-    _err "invalid zone" "$_domain"
+    _err "Invalid zone '$_domain'."
    return 1
  fi

  _htmlget "$url/$_zone_id" "$txtvalue"
-  _debug2 _response "$_response"
  entry_id="$(echo "$_response" | _egrep_o 'entry_[0-9]+' | sed 's/entry_//')"
  _debug2 entry_id "$entry_id"
  if [ -z "$entry_id" ]; then
-    _err "Error getting TXT entry_id for $1"
+    _err "Error getting TXT entry_id for $1."
    return 1
  fi

  _authpost "entry=$entry_id" "$url/delentry/"
-  response="$(echo "$_response" | _normalizeJson)"
-  _debug2 response "$response"
-
-  if ! _contains "$response" '"ok": true'; then
-    _err "1984Hosting failed to delete TXT record for $entry_id bad RC from _post"
+  if ! _contains "$_response" '"ok": true'; then
+    _err "1984Hosting failed to delete TXT record for $entry_id bad RC from _post."
    return 1
  fi

-  _info "Deleted acme challenge TXT record for $fulldomain at 1984Hosting"
+  _info "Deleted acme challenge TXT record for $fulldomain at 1984Hosting."
  return 0
 }

 ####################  Private functions below ##################################
-
-# usage: _1984hosting_login username password
-# returns 0 success
 _1984hosting_login() {
  if ! _check_credentials; then return 1; fi

  if _check_cookies; then
-    _debug "Already logged in"
+    _debug "Already logged in."
    return 0
  fi

-  _debug "Login to 1984Hosting as user $One984HOSTING_Username"
+  _debug "Login to 1984Hosting as user $One984HOSTING_Username."
  username=$(printf '%s' "$One984HOSTING_Username" | _url_encode)
  password=$(printf '%s' "$One984HOSTING_Password" | _url_encode)
  url="https://1984.hosting/accounts/checkuserauth/"

+  _get "https://1984.hosting/accounts/login/" | grep "csrfmiddlewaretoken"
+  csrftoken="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
+  sessionid="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'sessionid=[^;]*;' | tr -d ';')"
+
+  if [ -z "$csrftoken" ] || [ -z "$sessionid" ]; then
+    _err "One or more cookies are empty: '$csrftoken', '$sessionid'."
+    return 1
+  fi
+
+  export _H1="Cookie: $csrftoken; $sessionid"
+  export _H2="Referer: https://1984.hosting/accounts/login/"
+  csrf_header=$(echo "$csrftoken" | sed 's/csrftoken=//' | _head_n 1)
+  export _H3="X-CSRFToken: $csrf_header"
+
  response="$(_post "username=$username&password=$password&otpkey=" $url)"
  response="$(echo "$response" | _normalizeJson)"
  _debug2 response "$response"
@@ -149,6 +153,8 @@ _1984hosting_login() {
    One984HOSTING_CSRFTOKEN_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
    export One984HOSTING_SESSIONID_COOKIE
    export One984HOSTING_CSRFTOKEN_COOKIE
+    _saveaccountconf_mutable One984HOSTING_Username "$One984HOSTING_Username"
+    _saveaccountconf_mutable One984HOSTING_Password "$One984HOSTING_Password"
    _saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE"
    _saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE"
    return 0
@@ -157,9 +163,13 @@ _1984hosting_login() {
 }

 _check_credentials() {
+  One984HOSTING_Username="${One984HOSTING_Username:-$(_readaccountconf_mutable One984HOSTING_Username)}"
+  One984HOSTING_Password="${One984HOSTING_Password:-$(_readaccountconf_mutable One984HOSTING_Password)}"
  if [ -z "$One984HOSTING_Username" ] || [ -z "$One984HOSTING_Password" ]; then
    One984HOSTING_Username=""
    One984HOSTING_Password=""
+    _clearaccountconf_mutable One984HOSTING_Username
+    _clearaccountconf_mutable One984HOSTING_Password
    _err "You haven't specified 1984Hosting username or password yet."
    _err "Please export as One984HOSTING_Username / One984HOSTING_Password and try again."
    return 1
@@ -171,42 +181,43 @@ _check_cookies() {
  One984HOSTING_SESSIONID_COOKIE="${One984HOSTING_SESSIONID_COOKIE:-$(_readaccountconf_mutable One984HOSTING_SESSIONID_COOKIE)}"
  One984HOSTING_CSRFTOKEN_COOKIE="${One984HOSTING_CSRFTOKEN_COOKIE:-$(_readaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE)}"
  if [ -z "$One984HOSTING_SESSIONID_COOKIE" ] || [ -z "$One984HOSTING_CSRFTOKEN_COOKIE" ]; then
-    _debug "No cached cookie(s) found"
+    _debug "No cached cookie(s) found."
    return 1
  fi

  _authget "https://1984.hosting/accounts/loginstatus/"
-  if _contains "$response" '"ok": true'; then
-    _debug "Cached cookies still valid"
+  if _contains "$_response" '"ok": true'; then
+    _debug "Cached cookies still valid."
    return 0
  fi
-  _debug "Cached cookies no longer valid"
+
+  _debug "Cached cookies no longer valid. Clearing cookies."
  One984HOSTING_SESSIONID_COOKIE=""
  One984HOSTING_CSRFTOKEN_COOKIE=""
-  _saveaccountconf_mutable One984HOSTING_SESSIONID_COOKIE "$One984HOSTING_SESSIONID_COOKIE"
-  _saveaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE "$One984HOSTING_CSRFTOKEN_COOKIE"
+  _clearaccountconf_mutable One984HOSTING_SESSIONID_COOKIE
+  _clearaccountconf_mutable One984HOSTING_CSRFTOKEN_COOKIE
  return 1
 }

-#_acme-challenge.www.domain.com
-#returns
-# _sub_domain=_acme-challenge.www
-# _domain=domain.com
+# _acme-challenge.www.domain.com
+# Returns
+#  _sub_domain=_acme-challenge.www
+#  _domain=domain.com
 _get_root() {
  domain="$1"
  i=1
  p=1
  while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)

+    # not valid
    if [ -z "$h" ]; then
-      #not valid
      return 1
    fi

    _authget "https://1984.hosting/domains/soacheck/?zone=$h&nameserver=ns0.1984.is."
    if _contains "$_response" "serial" && ! _contains "$_response" "null"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
      _domain="$h"
      return 0
    fi
@@ -216,46 +227,47 @@ _get_root() {
  return 1
 }

-#usage: _get_zone_id url domain.com
-#returns zone id for domain.com
+# Usage: _get_zone_id url domain.com
+# Returns zone id for domain.com
 _get_zone_id() {
  url=$1
  domain=$2
  _htmlget "$url" "$domain"
-  _debug2 _response "$_response"
  _zone_id="$(echo "$_response" | _egrep_o 'zone\/[0-9]+' | _head_n 1)"
  _debug2 _zone_id "$_zone_id"
  if [ -z "$_zone_id" ]; then
-    _err "Error getting _zone_id for $2"
+    _err "Error getting _zone_id for $2."
    return 1
  fi
  return 0
 }

-# add extra headers to request
+# Add extra headers to request
 _authget() {
-  export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
+  export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE; $One984HOSTING_SESSIONID_COOKIE"
  _response=$(_get "$1" | _normalizeJson)
  _debug2 _response "$_response"
 }

-# truncate huge HTML response
-# echo: Argument list too long
+# Truncate huge HTML response
+# Echo: Argument list too long
 _htmlget() {
-  export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
+  export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE; $One984HOSTING_SESSIONID_COOKIE"
  _response=$(_get "$1" | grep "$2")
  if _contains "$_response" "@$2"; then
    _response=$(echo "$_response" | grep -v "[@]" | _head_n 1)
  fi
+  _debug2 _response "$_response"
 }

-# add extra headers to request
+# Add extra headers to request
 _authpost() {
  url="https://1984.hosting/domains"
  _get_zone_id "$url" "$_domain"
  csrf_header="$(echo "$One984HOSTING_CSRFTOKEN_COOKIE" | _egrep_o "=[^=][0-9a-zA-Z]*" | tr -d "=")"
-  export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE;$One984HOSTING_SESSIONID_COOKIE"
+  export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE; $One984HOSTING_SESSIONID_COOKIE"
  export _H2="Referer: https://1984.hosting/domains/$_zone_id"
  export _H3="X-CSRFToken: $csrf_header"
-  _response=$(_post "$1" "$2")
+  _response="$(_post "$1" "$2" | _normalizeJson)"
+  _debug2 _response "$_response"
 }
--- a/dnsapi/dns_acmeproxy.sh
+++ b/dnsapi/dns_acmeproxy.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh

-## Acmeproxy DNS provider to be used with acmeproxy (http://github.com/mdbraber/acmeproxy)
+## Acmeproxy DNS provider to be used with acmeproxy (https://github.com/mdbraber/acmeproxy)
 ## API integration by Maarten den Braber
 ##
 ## Report any bugs via https://github.com/mdbraber/acme.sh
--- a/dnsapi/dns_ali.sh
+++ b/dnsapi/dns_ali.sh
@@ -117,7 +117,7 @@ _ali_urlencode() {
 _ali_nonce() {
  #_head_n 1 </dev/urandom | _digest "sha256" hex | cut -c 1-31
  #Not so good...
-  date +"%s%N"
+  date +"%s%N" | sed 's/%N//g'
 }

 _check_exist_query() {
--- a/dnsapi/dns_artfiles.sh
+++ b/dnsapi/dns_artfiles.sh
@@ -0,0 +1,180 @@
+#!/usr/bin/env sh
+
+################################################################################
+# ACME.sh 3rd party DNS API plugin for ArtFiles.de
+################################################################################
+# Author:   Martin Arndt, https://troublezone.net/
+# Released: 2022-02-27
+# Issues:   https://github.com/acmesh-official/acme.sh/issues/4718
+################################################################################
+# Usage:
+# 1. export AF_API_USERNAME='api12345678'
+# 2. export AF_API_PASSWORD='apiPassword'
+# 3. acme.sh --issue -d example.com --dns dns_artfiles
+################################################################################
+
+########## API configuration ###################################################
+
+AF_API_SUCCESS='status":"OK'
+AF_URL_DCP='https://dcp.c.artfiles.de/api/'
+AF_URL_DNS=${AF_URL_DCP}'dns/{*}_dns.html?domain='
+AF_URL_DOMAINS=${AF_URL_DCP}'domain/get_domains.html'
+
+########## Public functions ####################################################
+
+# Adds a new TXT record for given ACME challenge value & domain.
+# Usage: dns_artfiles_add _acme-challenge.www.example.com "ACME challenge value"
+dns_artfiles_add() {
+  domain="$1"
+  txtValue="$2"
+  _info 'Using ArtFiles.de DNS addition API…'
+  _debug 'Domain' "$domain"
+  _debug 'txtValue' "$txtValue"
+
+  _set_credentials
+  _saveaccountconf_mutable 'AF_API_USERNAME' "$AF_API_USERNAME"
+  _saveaccountconf_mutable 'AF_API_PASSWORD' "$AF_API_PASSWORD"
+
+  _set_headers
+  _get_zone "$domain"
+  _dns 'GET'
+  if ! _contains "$response" 'TXT'; then
+    _err 'Retrieving TXT records failed.'
+
+    return 1
+  fi
+
+  _clean_records
+  _dns 'SET' "$(printf -- '%s\n_acme-challenge "%s"' "$response" "$txtValue")"
+  if ! _contains "$response" "$AF_API_SUCCESS"; then
+    _err 'Adding ACME challenge value failed.'
+
+    return 1
+  fi
+}
+
+# Removes the existing TXT record for given ACME challenge value & domain.
+# Usage: dns_artfiles_rm _acme-challenge.www.example.com "ACME challenge value"
+dns_artfiles_rm() {
+  domain="$1"
+  txtValue="$2"
+  _info 'Using ArtFiles.de DNS removal API…'
+  _debug 'Domain' "$domain"
+  _debug 'txtValue' "$txtValue"
+
+  _set_credentials
+  _set_headers
+  _get_zone "$domain"
+  if ! _dns 'GET'; then
+    return 1
+  fi
+
+  if ! _contains "$response" "$txtValue"; then
+    _err 'Retrieved TXT records are missing given ACME challenge value.'
+
+    return 1
+  fi
+
+  _clean_records
+  response="$(printf -- '%s' "$response" | sed '/_acme-challenge "'"$txtValue"'"/d')"
+  _dns 'SET' "$response"
+  if ! _contains "$response" "$AF_API_SUCCESS"; then
+    _err 'Removing ACME challenge value failed.'
+
+    return 1
+  fi
+}
+
+########## Private functions ###################################################
+
+# Cleans awful TXT records response of ArtFiles's API & pretty prints it.
+# Usage: _clean_records
+_clean_records() {
+  _info 'Cleaning TXT records…'
+  # Extract TXT part, strip trailing quote sign (ACME.sh API guidelines forbid
+  # usage of SED's GNU extensions, hence couldn't omit it via regex), strip '\'
+  # from '\"' & turn '\n' into real LF characters.
+  # Yup, awful API to use - but that's all we got to get this working, so… ;)
+  _debug2 'Raw  ' "$response"
+  response="$(printf -- '%s' "$response" | sed 's/^.*TXT":"\([^}]*\).*$/\1/;s/,".*$//;s/.$//;s/\\"/"/g;s/\\n/\n/g')"
+  _debug2 'Clean' "$response"
+}
+
+# Executes an HTTP GET or POST request for getting or setting DNS records,
+# containing given payload upon POST.
+# Usage: _dns [GET | SET] [payload]
+_dns() {
+  _info 'Executing HTTP request…'
+  action="$1"
+  payload="$(printf -- '%s' "$2" | _url_encode)"
+  url="$(printf -- '%s%s' "$AF_URL_DNS" "$domain" | sed 's/{\*}/'"$(printf -- '%s' "$action" | _lower_case)"'/')"
+
+  if [ "$action" = 'SET' ]; then
+    _debug2 'Payload' "$payload"
+    response="$(_post '' "$url&TXT=$payload" '' 'POST' 'application/x-www-form-urlencoded')"
+  else
+    response="$(_get "$url" '' 10)"
+  fi
+
+  if ! _contains "$response" "$AF_API_SUCCESS"; then
+    _err "DNS API error: $response"
+
+    return 1
+  fi
+
+  _debug 'Response' "$response"
+
+  return 0
+}
+
+# Gets the root domain zone for given domain.
+# Usage: _get_zone _acme-challenge.www.example.com
+_get_zone() {
+  fqdn="$1"
+  domains="$(_get "$AF_URL_DOMAINS" '' 10)"
+  _info 'Getting domain zone…'
+  _debug2 'FQDN' "$fqdn"
+  _debug2 'Domains' "$domains"
+
+  while _contains "$fqdn" "."; do
+    if _contains "$domains" "$fqdn"; then
+      domain="$fqdn"
+      _info "Found root domain zone: $domain"
+      break
+    else
+      fqdn="${fqdn#*.}"
+      _debug2 'FQDN' "$fqdn"
+    fi
+  done
+
+  if [ "$domain" = "$fqdn" ]; then
+    return 0
+  fi
+
+  _err 'Couldn'\''t find root domain zone.'
+
+  return 1
+}
+
+# Sets the credentials for accessing ArtFiles's API
+# Usage: _set_credentials
+_set_credentials() {
+  _info 'Setting credentials…'
+  AF_API_USERNAME="${AF_API_USERNAME:-$(_readaccountconf_mutable AF_API_USERNAME)}"
+  AF_API_PASSWORD="${AF_API_PASSWORD:-$(_readaccountconf_mutable AF_API_PASSWORD)}"
+  if [ -z "$AF_API_USERNAME" ] || [ -z "$AF_API_PASSWORD" ]; then
+    _err 'Missing ArtFiles.de username and/or password.'
+    _err 'Please ensure both are set via export command & try again.'
+
+    return 1
+  fi
+}
+
+# Adds the HTTP Authorization & Content-Type headers to a follow-up request.
+# Usage: _set_headers
+_set_headers() {
+  _info 'Setting headers…'
+  encoded="$(printf -- '%s:%s' "$AF_API_USERNAME" "$AF_API_PASSWORD" | _base64)"
+  export _H1="Authorization: Basic $encoded"
+  export _H2='Content-Type: application/json'
+}
--- a/dnsapi/dns_arvan.sh
+++ b/dnsapi/dns_arvan.sh
@@ -1,10 +1,10 @@
 #!/usr/bin/env sh

-#Arvan_Token="Apikey xxxx"
+# Arvan_Token="Apikey xxxx"

-ARVAN_API_URL="https://napi.arvancloud.com/cdn/4.0/domains"
-#Author: Vahid Fardi
-#Report Bugs here: https://github.com/Neilpang/acme.sh
+ARVAN_API_URL="https://napi.arvancloud.ir/cdn/4.0/domains"
+# Author: Vahid Fardi
+# Report Bugs here: https://github.com/Neilpang/acme.sh
 #
 ########  Public functions #####################

@@ -18,7 +18,7 @@ dns_arvan_add() {

  if [ -z "$Arvan_Token" ]; then
    _err "You didn't specify \"Arvan_Token\" token yet."
-    _err "You can get yours from here https://npanel.arvancloud.com/profile/api-keys"
+    _err "You can get yours from here https://npanel.arvancloud.ir/profile/api-keys"
    return 1
  fi
  #save the api token to the account conf file.
@@ -40,7 +40,7 @@ dns_arvan_add() {
      _info "response id is $response"
      _info "Added, OK"
      return 0
-    elif _contains "$response" "Record Data is Duplicated"; then
+    elif _contains "$response" "Record Data is duplicate"; then
      _info "Already exists, OK"
      return 0
    else
@@ -141,6 +141,7 @@ _arvan_rest() {
    response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")"
  elif [ "$mtd" = "POST" ]; then
    export _H2="Content-Type: application/json"
+    export _H3="Accept: application/json"
    _debug data "$data"
    response="$(_post "$data" "$ARVAN_API_URL/$ep" "" "$mtd")"
  else
--- a/dnsapi/dns_aws.sh
+++ b/dnsapi/dns_aws.sh
@@ -152,34 +152,23 @@ dns_aws_rm() {

 _get_root() {
  domain=$1
-  i=2
+  i=1
  p=1

-  if aws_rest GET "2013-04-01/hostedzone"; then
-    while true; do
-      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
-      _debug2 "Checking domain: $h"
-      if [ -z "$h" ]; then
-        if _contains "$response" "<IsTruncated>true</IsTruncated>" && _contains "$response" "<NextMarker>"; then
-          _debug "IsTruncated"
-          _nextMarker="$(echo "$response" | _egrep_o "<NextMarker>.*</NextMarker>" | cut -d '>' -f 2 | cut -d '<' -f 1)"
-          _debug "NextMarker" "$_nextMarker"
-          if aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker"; then
-            _debug "Truncated request OK"
-            i=2
-            p=1
-            continue
-          else
-            _err "Truncated request error."
-          fi
-        fi
-        #not valid
-        _err "Invalid domain"
-        return 1
-      fi
+  # iterate over names (a.b.c.d -> b.c.d -> c.d -> d)
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug "Checking domain: $h"
+    if [ -z "$h" ]; then
+      _error "invalid domain"
+      return 1
+    fi

+    # iterate over paginated result for list_hosted_zones
+    aws_rest GET "2013-04-01/hostedzone"
+    while true; do
      if _contains "$response" "<Name>$h.</Name>"; then
-        hostedzone="$(echo "$response" | sed 's/<HostedZone>/#&/g' | tr '#' '\n' | _egrep_o "<HostedZone><Id>[^<]*<.Id><Name>$h.<.Name>.*<PrivateZone>false<.PrivateZone>.*<.HostedZone>")"
+        hostedzone="$(echo "$response" | tr -d '\n' | sed 's/<HostedZone>/#&/g' | tr '#' '\n' | _egrep_o "<HostedZone><Id>[^<]*<.Id><Name>$h.<.Name>.*<PrivateZone>false<.PrivateZone>.*<.HostedZone>")"
        _debug hostedzone "$hostedzone"
        if [ "$hostedzone" ]; then
          _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "<Id>.*<.Id>" | head -n 1 | _egrep_o ">.*<" | tr -d "<>")
@@ -192,10 +181,19 @@ _get_root() {
          return 1
        fi
      fi
-      p=$i
-      i=$(_math "$i" + 1)
+      if _contains "$response" "<IsTruncated>true</IsTruncated>" && _contains "$response" "<NextMarker>"; then
+        _debug "IsTruncated"
+        _nextMarker="$(echo "$response" | _egrep_o "<NextMarker>.*</NextMarker>" | cut -d '>' -f 2 | cut -d '<' -f 1)"
+        _debug "NextMarker" "$_nextMarker"
+      else
+        break
+      fi
+      _debug "Checking domain: $h - Next Page "
+      aws_rest GET "2013-04-01/hostedzone" "marker=$_nextMarker"
    done
-  fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
  return 1
 }

--- a/dnsapi/dns_bookmyname.sh
+++ b/dnsapi/dns_bookmyname.sh
@@ -0,0 +1,89 @@
+#!/usr/bin/env sh
+
+#Here is a sample custom api script.
+#This file name is "dns_bookmyname.sh"
+#So, here must be a method   dns_bookmyname_add()
+#Which will be called by acme.sh to add the txt record to your api system.
+#returns 0 means success, otherwise error.
+#
+#Author: Neilpang
+#Report Bugs here: https://github.com/acmesh-official/acme.sh
+#
+########  Public functions #####################
+
+# Please Read this guide first: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide
+
+# BookMyName urls:
+# https://BOOKMYNAME_USERNAME:BOOKMYNAME_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=add&value="XXXXXXXX"'
+# https://BOOKMYNAME_USERNAME:BOOKMYNAME_PASSWORD@www.bookmyname.com/dyndns/?hostname=_acme-challenge.domain.tld&type=txt&ttl=300&do=remove&value="XXXXXXXX"'
+
+# Output:
+#good: update done, cid 123456, domain id 456789, type txt, ip XXXXXXXX
+#good: remove done 1, cid 123456, domain id 456789, ttl 300, type txt, ip XXXXXXXX
+
+# Be careful, BMN DNS servers can be slow to pick up changes; using dnssleep is thus advised.
+
+# Usage:
+# export BOOKMYNAME_USERNAME="ABCDE-FREE"
+# export BOOKMYNAME_PASSWORD="MyPassword"
+# /usr/local/ssl/acme.sh/acme.sh --dns dns_bookmyname --dnssleep 600 --issue -d domain.tld
+
+#Usage: dns_bookmyname_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_bookmyname_add() {
+  fulldomain=$1
+  txtvalue=$2
+  _info "Using bookmyname"
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txtvalue"
+
+  BOOKMYNAME_USERNAME="${BOOKMYNAME_USERNAME:-$(_readaccountconf_mutable BOOKMYNAME_USERNAME)}"
+  BOOKMYNAME_PASSWORD="${BOOKMYNAME_PASSWORD:-$(_readaccountconf_mutable BOOKMYNAME_PASSWORD)}"
+
+  if [ -z "$BOOKMYNAME_USERNAME" ] || [ -z "$BOOKMYNAME_PASSWORD" ]; then
+    BOOKMYNAME_USERNAME=""
+    BOOKMYNAME_PASSWORD=""
+    _err "You didn't specify BookMyName username and password yet."
+    _err "Please specify them and try again."
+    return 1
+  fi
+
+  #save the credentials to the account conf file.
+  _saveaccountconf_mutable BOOKMYNAME_USERNAME "$BOOKMYNAME_USERNAME"
+  _saveaccountconf_mutable BOOKMYNAME_PASSWORD "$BOOKMYNAME_PASSWORD"
+
+  uri="https://${BOOKMYNAME_USERNAME}:${BOOKMYNAME_PASSWORD}@www.bookmyname.com/dyndns/"
+  data="?hostname=${fulldomain}&type=TXT&ttl=300&do=add&value=${txtvalue}"
+  result="$(_get "${uri}${data}")"
+  _debug "Result: $result"
+
+  if ! _startswith "$result" 'good: update done, cid '; then
+    _err "Can't add $fulldomain"
+    return 1
+  fi
+
+}
+
+#Usage: fulldomain txtvalue
+#Remove the txt record after validation.
+dns_bookmyname_rm() {
+  fulldomain=$1
+  txtvalue=$2
+  _info "Using bookmyname"
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txtvalue"
+
+  BOOKMYNAME_USERNAME="${BOOKMYNAME_USERNAME:-$(_readaccountconf_mutable BOOKMYNAME_USERNAME)}"
+  BOOKMYNAME_PASSWORD="${BOOKMYNAME_PASSWORD:-$(_readaccountconf_mutable BOOKMYNAME_PASSWORD)}"
+
+  uri="https://${BOOKMYNAME_USERNAME}:${BOOKMYNAME_PASSWORD}@www.bookmyname.com/dyndns/"
+  data="?hostname=${fulldomain}&type=TXT&ttl=300&do=remove&value=${txtvalue}"
+  result="$(_get "${uri}${data}")"
+  _debug "Result: $result"
+
+  if ! _startswith "$result" 'good: remove done 1, cid '; then
+    _info "Can't remove $fulldomain"
+  fi
+
+}
+
+####################  Private functions below ##################################
--- a/dnsapi/dns_bunny.sh
+++ b/dnsapi/dns_bunny.sh
@@ -0,0 +1,248 @@
+#!/usr/bin/env sh
+
+## Will be called by acme.sh to add the TXT record via the Bunny DNS API.
+## returns 0 means success, otherwise error.
+
+## Author: nosilver4u <nosilver4u at ewww.io>
+## GitHub: https://github.com/nosilver4u/acme.sh
+
+##
+## Environment Variables Required:
+##
+## BUNNY_API_KEY="75310dc4-ca77-9ac3-9a19-f6355db573b49ce92ae1-2655-3ebd-61ac-3a3ae34834cc"
+##
+
+#####################  Public functions  #####################
+
+## Create the text record for validation.
+## Usage: fulldomain txtvalue
+## EG: "_acme-challenge.www.other.domain.com" "XKrxpRBosdq0HG9i01zxXp5CPBs"
+dns_bunny_add() {
+  fulldomain="$(echo "$1" | _lower_case)"
+  txtvalue=$2
+
+  BUNNY_API_KEY="${BUNNY_API_KEY:-$(_readaccountconf_mutable BUNNY_API_KEY)}"
+  # Check if API Key is set
+  if [ -z "$BUNNY_API_KEY" ]; then
+    BUNNY_API_KEY=""
+    _err "You did not specify Bunny.net API key."
+    _err "Please export BUNNY_API_KEY and try again."
+    return 1
+  fi
+
+  _info "Using Bunny.net dns validation - add record"
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txtvalue"
+
+  ## save the env vars (key and domain split location) for later automated use
+  _saveaccountconf_mutable BUNNY_API_KEY "$BUNNY_API_KEY"
+
+  ## split the domain for Bunny API
+  if ! _get_base_domain "$fulldomain"; then
+    _err "domain not found in your account for addition"
+    return 1
+  fi
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+  _debug _domain_id "$_domain_id"
+
+  ## Set the header with our post type and auth key
+  export _H1="Accept: application/json"
+  export _H2="AccessKey: $BUNNY_API_KEY"
+  export _H3="Content-Type: application/json"
+  PURL="https://api.bunny.net/dnszone/$_domain_id/records"
+  PBODY='{"Id":'$_domain_id',"Type":3,"Name":"'$_sub_domain'","Value":"'$txtvalue'","ttl":120}'
+
+  _debug PURL "$PURL"
+  _debug PBODY "$PBODY"
+
+  ## the create request - POST
+  ## args: BODY, URL, [need64, httpmethod]
+  response="$(_post "$PBODY" "$PURL" "" "PUT")"
+
+  ## check response
+  if [ "$?" != "0" ]; then
+    _err "error in response: $response"
+    return 1
+  fi
+  _debug2 response "$response"
+
+  ## finished correctly
+  return 0
+}
+
+## Remove the txt record after validation.
+## Usage: fulldomain txtvalue
+## EG: "_acme-challenge.www.other.domain.com" "XKrxpRBosdq0HG9i01zxXp5CPBs"
+dns_bunny_rm() {
+  fulldomain="$(echo "$1" | _lower_case)"
+  txtvalue=$2
+
+  BUNNY_API_KEY="${BUNNY_API_KEY:-$(_readaccountconf_mutable BUNNY_API_KEY)}"
+  # Check if API Key Exists
+  if [ -z "$BUNNY_API_KEY" ]; then
+    BUNNY_API_KEY=""
+    _err "You did not specify Bunny.net API key."
+    _err "Please export BUNNY_API_KEY and try again."
+    return 1
+  fi
+
+  _info "Using Bunny.net dns validation - remove record"
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txtvalue"
+
+  ## split the domain for Bunny API
+  if ! _get_base_domain "$fulldomain"; then
+    _err "Domain not found in your account for TXT record removal"
+    return 1
+  fi
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+  _debug _domain_id "$_domain_id"
+
+  ## Set the header with our post type and key auth key
+  export _H1="Accept: application/json"
+  export _H2="AccessKey: $BUNNY_API_KEY"
+  ## get URL for the list of DNS records
+  GURL="https://api.bunny.net/dnszone/$_domain_id"
+
+  ## 1) Get the domain/zone records
+  ## the fetch request - GET
+  ## args: URL, [onlyheader, timeout]
+  domain_list="$(_get "$GURL")"
+
+  ## check response
+  if [ "$?" != "0" ]; then
+    _err "error in domain_list response: $domain_list"
+    return 1
+  fi
+  _debug2 domain_list "$domain_list"
+
+  ## 2) search through records
+  ## check for what we are looking for: "Type":3,"Value":"$txtvalue","Name":"$_sub_domain"
+  record="$(echo "$domain_list" | _egrep_o "\"Id\"\s*\:\s*\"*[0-9]+\"*,\s*\"Type\"[^}]*\"Value\"\s*\:\s*\"$txtvalue\"[^}]*\"Name\"\s*\:\s*\"$_sub_domain\"")"
+
+  if [ -n "$record" ]; then
+
+    ## We found records
+    rec_ids="$(echo "$record" | _egrep_o "Id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")"
+    _debug rec_ids "$rec_ids"
+    if [ -n "$rec_ids" ]; then
+      echo "$rec_ids" | while IFS= read -r rec_id; do
+        ## delete the record
+        ## delete URL for removing the one we dont want
+        DURL="https://api.bunny.net/dnszone/$_domain_id/records/$rec_id"
+
+        ## the removal request - DELETE
+        ## args: BODY, URL, [need64, httpmethod]
+        response="$(_post "" "$DURL" "" "DELETE")"
+
+        ## check response (sort of)
+        if [ "$?" != "0" ]; then
+          _err "error in remove response: $response"
+          return 1
+        fi
+        _debug2 response "$response"
+
+      done
+    fi
+  fi
+
+  ## finished correctly
+  return 0
+}
+
+#####################  Private functions below  #####################
+
+## Split the domain provided into the "base domain" and the "start prefix".
+## This function searches for the longest subdomain in your account
+## for the full domain given and splits it into the base domain (zone)
+## and the prefix/record to be added/removed
+## USAGE: fulldomain
+## EG: "_acme-challenge.two.three.four.domain.com"
+## returns
+## _sub_domain="_acme-challenge.two"
+## _domain="three.four.domain.com" *IF* zone "three.four.domain.com" exists
+## _domain_id=234
+## if only "domain.com" exists it will return
+## _sub_domain="_acme-challenge.two.three.four"
+## _domain="domain.com"
+## _domain_id=234
+_get_base_domain() {
+  # args
+  fulldomain="$(echo "$1" | _lower_case)"
+  _debug fulldomain "$fulldomain"
+
+  # domain max legal length = 253
+  MAX_DOM=255
+  page=1
+
+  ## get a list of domains for the account to check thru
+  ## Set the headers
+  export _H1="Accept: application/json"
+  export _H2="AccessKey: $BUNNY_API_KEY"
+  _debug BUNNY_API_KEY "$BUNNY_API_KEY"
+  ## get URL for the list of domains
+  ## may get: "links":{"pages":{"last":".../v2/domains/DOM/records?page=2","next":".../v2/domains/DOM/records?page=2"}}
+  DOMURL="https://api.bunny.net/dnszone"
+
+  ## while we dont have a matching domain we keep going
+  while [ -z "$found" ]; do
+    ## get the domain list (current page)
+    domain_list="$(_get "$DOMURL")"
+
+    ## check response
+    if [ "$?" != "0" ]; then
+      _err "error in domain_list response: $domain_list"
+      return 1
+    fi
+    _debug2 domain_list "$domain_list"
+
+    i=1
+    while [ $i -gt 0 ]; do
+      ## get next longest domain
+      _domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-"$MAX_DOM")
+      ## check we got something back from our cut (or are we at the end)
+      if [ -z "$_domain" ]; then
+        break
+      fi
+      ## we got part of a domain back - grep it out
+      found="$(echo "$domain_list" | _egrep_o "\"Id\"\s*:\s*\"*[0-9]+\"*,\s*\"Domain\"\s*\:\s*\"$_domain\"")"
+      ## check if it exists
+      if [ -n "$found" ]; then
+        ## exists - exit loop returning the parts
+        sub_point=$(_math $i - 1)
+        _sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-"$sub_point")
+        _domain_id="$(echo "$found" | _egrep_o "Id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")"
+        _debug _domain_id "$_domain_id"
+        _debug _domain "$_domain"
+        _debug _sub_domain "$_sub_domain"
+        found=""
+        return 0
+      fi
+      ## increment cut point $i
+      i=$(_math $i + 1)
+    done
+
+    if [ -z "$found" ]; then
+      page=$(_math $page + 1)
+      nextpage="https://api.bunny.net/dnszone?page=$page"
+      ## Find the next page if we don't have a match.
+      hasnextpage="$(echo "$domain_list" | _egrep_o "\"HasMoreItems\"\s*:\s*true")"
+      if [ -z "$hasnextpage" ]; then
+        _err "No record and no nextpage in Bunny.net domain search."
+        found=""
+        return 1
+      fi
+      _debug2 nextpage "$nextpage"
+      DOMURL="$nextpage"
+    fi
+
+  done
+
+  ## We went through the entire domain zone list and didn't find one that matched.
+  ## If we ever get here, something is broken in the code...
+  _err "Domain not found in Bunny.net account, but we should never get here!"
+  found=""
+  return 1
+}
--- a/dnsapi/dns_cf.sh
+++ b/dnsapi/dns_cf.sh
@@ -32,7 +32,8 @@ dns_cf_add() {
    else
      _saveaccountconf_mutable CF_Token "$CF_Token"
      _saveaccountconf_mutable CF_Account_ID "$CF_Account_ID"
-      _saveaccountconf_mutable CF_Zone_ID "$CF_Zone_ID"
+      _clearaccountconf_mutable CF_Zone_ID
+      _clearaccountconf CF_Zone_ID
    fi
  else
    if [ -z "$CF_Key" ] || [ -z "$CF_Email" ]; then
@@ -51,6 +52,14 @@ dns_cf_add() {
    #save the api key and email to the account conf file.
    _saveaccountconf_mutable CF_Key "$CF_Key"
    _saveaccountconf_mutable CF_Email "$CF_Email"
+
+    _clearaccountconf_mutable CF_Token
+    _clearaccountconf_mutable CF_Account_ID
+    _clearaccountconf_mutable CF_Zone_ID
+    _clearaccountconf CF_Token
+    _clearaccountconf CF_Account_ID
+    _clearaccountconf CF_Zone_ID
+
  fi

  _debug "First detect the root zone"
--- a/dnsapi/dns_cloudns.sh
+++ b/dnsapi/dns_cloudns.sh
@@ -78,7 +78,7 @@ dns_cloudns_rm() {
    return 1
  fi

-  for i in $(echo "$response" | tr '{' "\n" | grep "$record"); do
+  for i in $(echo "$response" | tr '{' "\n" | grep -- "$record"); do
    record_id=$(echo "$i" | tr ',' "\n" | grep -E '^"id"' | sed -re 's/^\"id\"\:\"([0-9]+)\"$/\1/g')

    if [ -n "$record_id" ]; then
--- a/dnsapi/dns_cpanel.sh
+++ b/dnsapi/dns_cpanel.sh
@@ -13,6 +13,7 @@
 # cPanel_Hostname=hostname
 #
 # Usage: add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+
 # Used to add txt record
 dns_cpanel_add() {
  fulldomain=$1
@@ -120,7 +121,7 @@ _myget() {

 _get_root() {
  _myget 'json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzones'
-  _domains=$(echo "$_result" | sed 's/.*\(zones.*\[\).*/\1/' | cut -d':' -f2 | sed 's/"//g' | sed 's/{//g')
+  _domains=$(echo "$_result" | _egrep_o '"[a-z0-9\.\-]*":\["; cPanel first' | cut -d':' -f1 | sed 's/"//g' | sed 's/{//g')
  _debug "_result is: $_result"
  _debug "_domains is: $_domains"
  if [ -z "$_domains" ]; then
@@ -138,15 +139,15 @@ _get_root() {
 }

 _successful_update() {
-  if (echo "$_result" | grep -q 'newserial'); then return 0; fi
-  return 1
+  if (echo "$_result" | _egrep_o 'data":\[[^]]*]' | grep -q '"newserial":null'); then return 1; fi
+  return 0
 }

 _findentry() {
  _debug "In _findentry"
  #returns id of dns entry, if it exists
  _myget "json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit&cpanel_jsonapi_func=fetchzone_records&domain=$_domain"
-  _id=$(echo "$_result" | sed "s/.*\(line.*$fulldomain.*$txtvalue\).*/\1/" | cut -d ':' -f 2 | cut -d ',' -f 1)
+  _id=$(echo "$_result" | sed -e "s/},{/},\n{/g" | grep "$fulldomain" | grep "$txtvalue" | _egrep_o 'line":[0-9]+' | cut -d ':' -f 2)
  _debug "_result is: $_result"
  _debug "fulldomain. is $fulldomain."
  _debug "txtvalue is $txtvalue"
--- a/dnsapi/dns_cyon.sh
+++ b/dnsapi/dns_cyon.sh
@@ -44,7 +44,7 @@ dns_cyon_rm() {
 _cyon_load_credentials() {
  # Convert loaded password to/from base64 as needed.
  if [ "${CY_Password_B64}" ]; then
-    CY_Password="$(printf "%s" "${CY_Password_B64}" | _dbase64 "multiline")"
+    CY_Password="$(printf "%s" "${CY_Password_B64}" | _dbase64)"
  elif [ "${CY_Password}" ]; then
    CY_Password_B64="$(printf "%s" "${CY_Password}" | _base64)"
  fi
--- a/dnsapi/dns_dgon.sh
+++ b/dnsapi/dns_dgon.sh
@@ -192,6 +192,7 @@ _get_base_domain() {
  ## get URL for the list of domains
  ## may get: "links":{"pages":{"last":".../v2/domains/DOM/records?page=2","next":".../v2/domains/DOM/records?page=2"}}
  DOMURL="https://api.digitalocean.com/v2/domains"
+  found=""

  ## while we dont have a matching domain we keep going
  while [ -z "$found" ]; do
@@ -205,9 +206,7 @@ _get_base_domain() {
    fi
    _debug2 domain_list "$domain_list"

-    ## for each shortening of our $fulldomain, check if it exists in the $domain_list
-    ## can never start on 1 (aka whole $fulldomain) as $fulldomain starts with "_acme-challenge"
-    i=2
+    i=1
    while [ $i -gt 0 ]; do
      ## get next longest domain
      _domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-"$MAX_DOM")
--- a/dnsapi/dns_dnsexit.sh
+++ b/dnsapi/dns_dnsexit.sh
@@ -0,0 +1,185 @@
+#!/usr/bin/env sh
+
+#use dns-01 at DNSExit.com
+
+#Author: Samuel Jimenez
+#Report Bugs here: https://github.com/acmesh-official/acme.sh
+
+#DNSEXIT_API_KEY=ABCDEFGHIJ0123456789abcdefghij
+#DNSEXIT_AUTH_USER=login@email.address
+#DNSEXIT_AUTH_PASS=aStrongPassword
+DNSEXIT_API_URL="https://api.dnsexit.com/dns/"
+DNSEXIT_HOSTS_URL="https://update.dnsexit.com/ipupdate/hosts.jsp"
+
+########  Public functions #####################
+#Usage: dns_dnsexit_add   _acme-challenge.*.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_dnsexit_add() {
+  fulldomain=$1
+  txtvalue=$2
+  _info "Using DNSExit.com"
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txtvalue"
+
+  _debug 'Load account auth'
+  if ! get_account_info; then
+    return 1
+  fi
+
+  _debug 'First detect the root zone'
+  if ! _get_root "$fulldomain"; then
+    return 1
+  fi
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  if ! _dnsexit_rest "{\"domain\":\"$_domain\",\"add\":{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":0,\"overwrite\":false}}"; then
+    _err "$response"
+    return 1
+  fi
+
+  _debug2 _response "$response"
+  return 0
+}
+
+#Usage: fulldomain txtvalue
+#Remove the txt record after validation.
+dns_dnsexit_rm() {
+  fulldomain=$1
+  txtvalue=$2
+  _info "Using DNSExit.com"
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txtvalue"
+
+  _debug 'Load account auth'
+  if ! get_account_info; then
+    return 1
+  fi
+
+  _debug 'First detect the root zone'
+  if ! _get_root "$fulldomain"; then
+    _err "$response"
+    return 1
+  fi
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  if ! _dnsexit_rest "{\"domain\":\"$_domain\",\"delete\":{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\"}}"; then
+    _err "$response"
+    return 1
+  fi
+
+  _debug2 _response "$response"
+  return 0
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+  domain=$1
+  i=1
+  while true; do
+    _domain=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug h "$_domain"
+    if [ -z "$_domain" ]; then
+      return 1
+    fi
+
+    _debug login "$DNSEXIT_AUTH_USER"
+    _debug password "$DNSEXIT_AUTH_PASS"
+    _debug domain "$_domain"
+
+    _dnsexit_http "login=$DNSEXIT_AUTH_USER&password=$DNSEXIT_AUTH_PASS&domain=$_domain"
+
+    if _contains "$response" "0=$_domain"; then
+      _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
+      return 0
+    else
+      _debug "Go to next level of $_domain"
+    fi
+    i=$(_math "$i" + 1)
+  done
+
+  return 1
+}
+
+_dnsexit_rest() {
+  m=POST
+  ep=""
+  data="$1"
+  _debug _dnsexit_rest "$ep"
+  _debug data "$data"
+
+  api_key_trimmed=$(echo "$DNSEXIT_API_KEY" | tr -d '"')
+
+  export _H1="apikey: $api_key_trimmed"
+  export _H2='Content-Type: application/json'
+
+  if [ "$m" != "GET" ]; then
+    _debug data "$data"
+    response="$(_post "$data" "$DNSEXIT_API_URL/$ep" "" "$m")"
+  else
+    response="$(_get "$DNSEXIT_API_URL/$ep")"
+  fi
+
+  if [ "$?" != "0" ]; then
+    _err "Error $ep"
+    return 1
+  fi
+
+  _debug2 response "$response"
+  return 0
+}
+
+_dnsexit_http() {
+  m=GET
+  param="$1"
+  _debug param "$param"
+  _debug get "$DNSEXIT_HOSTS_URL?$param"
+
+  response="$(_get "$DNSEXIT_HOSTS_URL?$param")"
+
+  _debug response "$response"
+
+  if [ "$?" != "0" ]; then
+    _err "Error $param"
+    return 1
+  fi
+
+  _debug2 response "$response"
+  return 0
+}
+
+get_account_info() {
+
+  DNSEXIT_API_KEY="${DNSEXIT_API_KEY:-$(_readaccountconf_mutable DNSEXIT_API_KEY)}"
+  if test -z "$DNSEXIT_API_KEY"; then
+    DNSEXIT_API_KEY=''
+    _err 'DNSEXIT_API_KEY was not exported'
+    return 1
+  fi
+
+  _saveaccountconf_mutable DNSEXIT_API_KEY "$DNSEXIT_API_KEY"
+
+  DNSEXIT_AUTH_USER="${DNSEXIT_AUTH_USER:-$(_readaccountconf_mutable DNSEXIT_AUTH_USER)}"
+  if test -z "$DNSEXIT_AUTH_USER"; then
+    DNSEXIT_AUTH_USER=""
+    _err 'DNSEXIT_AUTH_USER was not exported'
+    return 1
+  fi
+
+  _saveaccountconf_mutable DNSEXIT_AUTH_USER "$DNSEXIT_AUTH_USER"
+
+  DNSEXIT_AUTH_PASS="${DNSEXIT_AUTH_PASS:-$(_readaccountconf_mutable DNSEXIT_AUTH_PASS)}"
+  if test -z "$DNSEXIT_AUTH_PASS"; then
+    DNSEXIT_AUTH_PASS=""
+    _err 'DNSEXIT_AUTH_PASS was not exported'
+    return 1
+  fi
+
+  _saveaccountconf_mutable DNSEXIT_AUTH_PASS "$DNSEXIT_AUTH_PASS"
+
+  return 0
+}
--- a/dnsapi/dns_dnsservices.sh
+++ b/dnsapi/dns_dnsservices.sh
@@ -0,0 +1,248 @@
+#!/usr/bin/env sh
+
+#This file name is "dns_dnsservices.sh"
+#Script for Danish DNS registra and DNS hosting provider https://dns.services
+
+#Author: Bjarke Bruun <bbruun@gmail.com>
+#Report Bugs here: https://github.com/acmesh-official/acme.sh/issues/4152
+
+# Global variable to connect to the DNS.Services API
+DNSServices_API=https://dns.services/api
+
+########  Public functions #####################
+
+#Usage: dns_dnsservices_add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_dnsservices_add() {
+  fulldomain="$1"
+  txtvalue="$2"
+
+  _info "Using dns.services to create ACME DNS challenge"
+  _debug2 add_fulldomain "$fulldomain"
+  _debug2 add_txtvalue "$txtvalue"
+
+  # Read username/password from environment or .acme.sh/accounts.conf
+  DnsServices_Username="${DnsServices_Username:-$(_readaccountconf_mutable DnsServices_Username)}"
+  DnsServices_Password="${DnsServices_Password:-$(_readaccountconf_mutable DnsServices_Password)}"
+  if [ -z "$DnsServices_Username" ] || [ -z "$DnsServices_Password" ]; then
+    DnsServices_Username=""
+    DnsServices_Password=""
+    _err "You didn't specify dns.services api username and password yet."
+    _err "Set environment variables DnsServices_Username and DnsServices_Password"
+    return 1
+  fi
+
+  # Setup GET/POST/DELETE headers
+  _setup_headers
+
+  #save the credentials to the account conf file.
+  _saveaccountconf_mutable DnsServices_Username "$DnsServices_Username"
+  _saveaccountconf_mutable DnsServices_Password "$DnsServices_Password"
+
+  if ! _contains "$DnsServices_Username" "@"; then
+    _err "It seems that the username variable DnsServices_Username has not been set/left blank"
+    _err "or is not a valid email. Please correct and try again."
+    return 1
+  fi
+
+  if ! _get_root "${fulldomain}"; then
+    _err "Invalid domain ${fulldomain}"
+    return 1
+  fi
+
+  if ! createRecord "$fulldomain" "${txtvalue}"; then
+    _err "Error creating TXT record in domain $fulldomain in $rootZoneName"
+    return 1
+  fi
+
+  _debug2 challenge-created "Created $fulldomain"
+  return 0
+}
+
+#Usage: fulldomain txtvalue
+#Description: Remove the txt record after validation.
+dns_dnsservices_rm() {
+  fulldomain="$1"
+  txtvalue="$2"
+
+  _info "Using dns.services to remove DNS record $fulldomain TXT $txtvalue"
+  _debug rm_fulldomain "$fulldomain"
+  _debug rm_txtvalue "$txtvalue"
+
+  # Read username/password from environment or .acme.sh/accounts.conf
+  DnsServices_Username="${DnsServices_Username:-$(_readaccountconf_mutable DnsServices_Username)}"
+  DnsServices_Password="${DnsServices_Password:-$(_readaccountconf_mutable DnsServices_Password)}"
+  if [ -z "$DnsServices_Username" ] || [ -z "$DnsServices_Password" ]; then
+    DnsServices_Username=""
+    DnsServices_Password=""
+    _err "You didn't specify dns.services api username and password yet."
+    _err "Set environment variables DnsServices_Username and DnsServices_Password"
+    return 1
+  fi
+
+  # Setup GET/POST/DELETE headers
+  _setup_headers
+
+  if ! _get_root "${fulldomain}"; then
+    _err "Invalid domain ${fulldomain}"
+    return 1
+  fi
+
+  _debug2 rm_rootDomainInfo "found root domain $rootZoneName for $fulldomain"
+
+  if ! deleteRecord "${fulldomain}" "${txtvalue}"; then
+    _err "Error removing record: $fulldomain TXT ${txtvalue}"
+    return 1
+  fi
+
+  return 0
+}
+
+####################  Private functions below ##################################
+
+_setup_headers() {
+  # Set up API Headers for _get() and _post()
+  # The <function>_add or <function>_rm must have been called before to work
+
+  if [ -z "$DnsServices_Username" ] || [ -z "$DnsServices_Password" ]; then
+    _err "Could not setup BASIC authentication headers, they are missing"
+    return 1
+  fi
+
+  DnsServiceCredentials="$(printf "%s" "$DnsServices_Username:$DnsServices_Password" | _base64)"
+  export _H1="Authorization: Basic $DnsServiceCredentials"
+  export _H2="Content-Type: application/json"
+
+  # Just return if headers are set
+  return 0
+}
+
+_get_root() {
+  domain="$1"
+  _debug2 _get_root "Get the root domain of ${domain} for DNS API"
+
+  # Setup _get() and _post() headers
+  #_setup_headers
+
+  result=$(_H1="$_H1" _H2="$_H2" _get "$DNSServices_API/dns")
+  result2="$(printf "%s\n" "$result" | tr '[' '\n' | grep '"name"')"
+  result3="$(printf "%s\n" "$result2" | tr '}' '\n' | grep '"name"' | sed "s,^\,,,g" | sed "s,$,},g")"
+  useResult=""
+  _debug2 _get_root "Got the following root domain(s) $result"
+  _debug2 _get_root "- JSON: $result"
+
+  if [ "$(printf "%s\n" "$result" | tr '}' '\n' | grep -c '"name"')" -gt "1" ]; then
+    checkMultiZones="true"
+    _debug2 _get_root "- multiple zones found"
+  else
+    checkMultiZones="false"
+    _debug2 _get_root "- single zone found"
+  fi
+
+  # Find/isolate the root zone to work with in createRecord() and deleteRecord()
+  rootZone=""
+  if [ "$checkMultiZones" = "true" ]; then
+    #rootZone=$(for x in $(printf "%s" "${result3}" | tr ',' '\n' | sed -n 's/.*"name":"\(.*\)",.*/\1/p'); do if [ "$(echo "$domain" | grep "$x")" != "" ]; then echo "$x"; fi; done)
+    rootZone=$(for x in $(printf "%s\n" "${result3}" | tr ',' '\n' | grep name | cut -d'"' -f4); do if [ "$(echo "$domain" | grep "$x")" != "" ]; then echo "$x"; fi; done)
+    if [ "$rootZone" != "" ]; then
+      _debug2 _rootZone "- root zone for $domain is $rootZone"
+    else
+      _err "Could not find root zone for $domain, is it correctly typed?"
+      return 1
+    fi
+  else
+    rootZone=$(echo "$result" | tr '}' '\n' | _egrep_o '"name":"[^"]*' | cut -d'"' -f4)
+    _debug2 _get_root "- only found 1 domain in API: $rootZone"
+  fi
+
+  if [ -z "$rootZone" ]; then
+    _err "Could not find root domain for $domain - is it correctly typed?"
+    return 1
+  fi
+
+  # Make sure we use the correct API zone data
+  useResult="$(printf "%s\n" "${result3}" tr ',' '\n' | grep "$rootZone")"
+  _debug2 _useResult "useResult=$useResult"
+
+  # Setup variables used by other functions to communicate with DNS.Services API
+  #zoneInfo=$(printf "%s\n" "$useResult" | sed -E 's,.*(zones)(.*),\1\2,g' | sed -E 's,^(.*"name":")([^"]*)"(.*)$,\2,g')
+  zoneInfo=$(printf "%s\n" "$useResult" | tr ',' '\n' | grep '"name"' | cut -d'"' -f4)
+  rootZoneName="$rootZone"
+  subDomainName="$(printf "%s\n" "$domain" | sed "s,\.$rootZone,,g")"
+  subDomainNameClean="$(printf "%s\n" "$domain" | sed "s,_acme-challenge.,,g")"
+  rootZoneDomainID=$(printf "%s\n" "$useResult" | tr ',' '\n' | grep domain_id | cut -d'"' -f4)
+  rootZoneServiceID=$(printf "%s\n" "$useResult" | tr ',' '\n' | grep service_id | cut -d'"' -f4)
+
+  _debug2 _zoneInfo "Zone info from API  : $zoneInfo"
+  _debug2 _get_root "Root zone name      : $rootZoneName"
+  _debug2 _get_root "Root zone domain ID : $rootZoneDomainID"
+  _debug2 _get_root "Root zone service ID: $rootZoneServiceID"
+  _debug2 _get_root "Sub domain          : $subDomainName"
+
+  _debug _get_root "Found valid root domain $rootZone for $subDomainNameClean"
+  return 0
+}
+
+createRecord() {
+  fulldomain="$1"
+  txtvalue="$2"
+
+  # Get root domain information - needed for DNS.Services API communication
+  if [ -z "$rootZoneName" ] || [ -z "$rootZoneDomainID" ] || [ -z "$rootZoneServiceID" ]; then
+    _get_root "$fulldomain"
+  fi
+  if [ -z "$rootZoneName" ] || [ -z "$rootZoneDomainID" ] || [ -z "$rootZoneServiceID" ]; then
+    _err "Something happend - could not get the API zone information"
+    return 1
+  fi
+
+  _debug2 createRecord "CNAME TXT value is: $txtvalue"
+
+  # Prepare data to send to API
+  data="{\"name\":\"${fulldomain}\",\"type\":\"TXT\",\"content\":\"${txtvalue}\", \"ttl\":\"10\"}"
+
+  _debug2 createRecord "data to API: $data"
+  result=$(_post "$data" "$DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID/records" "" "POST")
+  _debug2 createRecord "result from API: $result"
+
+  if [ "$(echo "$result" | _egrep_o "\"success\":true")" = "" ]; then
+    _err "Failed to create TXT record $fulldomain with content $txtvalue in zone $rootZoneName"
+    _err "$result"
+    return 1
+  fi
+
+  _info "Record \"$fulldomain TXT $txtvalue\" has been created"
+  return 0
+}
+
+deleteRecord() {
+  fulldomain="$1"
+  txtvalue="$2"
+
+  _log deleteRecord "Deleting $fulldomain TXT $txtvalue record"
+
+  if [ -z "$rootZoneName" ] || [ -z "$rootZoneDomainID" ] || [ -z "$rootZoneServiceID" ]; then
+    _get_root "$fulldomain"
+  fi
+
+  result="$(_H1="$_H1" _H2="$_H2" _get "$DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID")"
+  #recordInfo="$(echo "$result" | sed -e 's/:{/:{\n/g' -e 's/},/\n},\n/g' | grep "${txtvalue}")"
+  #recordID="$(echo "$recordInfo" | sed -e 's/:{/:{\n/g' -e 's/},/\n},\n/g' | grep "${txtvalue}" | sed -E 's,.*(zones)(.*),\1\2,g' | sed -E 's,^(.*"id":")([^"]*)"(.*)$,\2,g')"
+  recordID="$(printf "%s\n" "$result" | tr '}' '\n' | grep -- "$txtvalue" | tr ',' '\n' | grep '"id"' | cut -d'"' -f4)"
+  _debug2 _recordID "recordID used for deletion of record: $recordID"
+
+  if [ -z "$recordID" ]; then
+    _info "Record $fulldomain TXT $txtvalue not found or already deleted"
+    return 0
+  else
+    _debug2 deleteRecord "Found recordID=$recordID"
+  fi
+
+  _debug2 deleteRecord "DELETE request $DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID/records/$recordID"
+  _log "curl DELETE request $DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID/records/$recordID"
+  result="$(_H1="$_H1" _H2="$_H2" _post "" "$DNSServices_API/service/$rootZoneServiceID/dns/$rootZoneDomainID/records/$recordID" "" "DELETE")"
+  _debug2 deleteRecord "API Delete result \"$result\""
+  _log "curl API Delete result \"$result\""
+
+  # Return OK regardless
+  return 0
+}
--- a/dnsapi/dns_dynv6.sh
+++ b/dnsapi/dns_dynv6.sh
@@ -94,8 +94,8 @@ _get_domain() {
  _your_hosts="$(echo "$_your_hosts" | awk '/\./ {print $1}')"
  for l in $_your_hosts; do
    #echo "host: $l"
-    if test "${_full_domain#*$l}" != "$_full_domain"; then
-      _record="${_full_domain%.$l}"
+    if test "${_full_domain#*"$l"}" != "$_full_domain"; then
+      _record=${_full_domain%."$l"}
      _host=$l
      _debug "The host is $_host and the record $_record"
      return 0
@@ -143,7 +143,7 @@ _dns_dynv6_add_http() {
    return 1
  fi
  _get_zone_name "$_zone_id"
-  record="${fulldomain%%.$_zone_name}"
+  record=${fulldomain%%."$_zone_name"}
  _set_record TXT "$record" "$txtvalue"
  if _contains "$response" "$txtvalue"; then
    _info "Successfully added record"
@@ -161,7 +161,7 @@ _dns_dynv6_rm_http() {
    return 1
  fi
  _get_zone_name "$_zone_id"
-  record="${fulldomain%%.$_zone_name}"
+  record=${fulldomain%%."$_zone_name"}
  _get_record_id "$_zone_id" "$record" "$txtvalue"
  _del_record "$_zone_id" "$_record_id"
  if [ -z "$response" ]; then
--- a/dnsapi/dns_edgedns.sh
+++ b/dnsapi/dns_edgedns.sh
@@ -176,6 +176,7 @@ _EDGEDNS_credentials() {
  _debug "GettingEdge DNS credentials"
  _log "$(printf "ACME DNSAPI Edge DNS version %s" ${ACME_EDGEDNS_VERSION})"
  args_missing=0
+  AKAMAI_ACCESS_TOKEN="${AKAMAI_ACCESS_TOKEN:-$(_readaccountconf_mutable AKAMAI_ACCESS_TOKEN)}"
  if [ -z "$AKAMAI_ACCESS_TOKEN" ]; then
    AKAMAI_ACCESS_TOKEN=""
    AKAMAI_CLIENT_TOKEN=""
@@ -184,6 +185,7 @@ _EDGEDNS_credentials() {
    _err "AKAMAI_ACCESS_TOKEN is missing"
    args_missing=1
  fi
+  AKAMAI_CLIENT_TOKEN="${AKAMAI_CLIENT_TOKEN:-$(_readaccountconf_mutable AKAMAI_CLIENT_TOKEN)}"
  if [ -z "$AKAMAI_CLIENT_TOKEN" ]; then
    AKAMAI_ACCESS_TOKEN=""
    AKAMAI_CLIENT_TOKEN=""
@@ -192,6 +194,7 @@ _EDGEDNS_credentials() {
    _err "AKAMAI_CLIENT_TOKEN is missing"
    args_missing=1
  fi
+  AKAMAI_HOST="${AKAMAI_HOST:-$(_readaccountconf_mutable AKAMAI_HOST)}"
  if [ -z "$AKAMAI_HOST" ]; then
    AKAMAI_ACCESS_TOKEN=""
    AKAMAI_CLIENT_TOKEN=""
@@ -200,6 +203,7 @@ _EDGEDNS_credentials() {
    _err "AKAMAI_HOST is missing"
    args_missing=1
  fi
+  AKAMAI_CLIENT_SECRET="${AKAMAI_CLIENT_SECRET:-$(_readaccountconf_mutable AKAMAI_CLIENT_SECRET)}"
  if [ -z "$AKAMAI_CLIENT_SECRET" ]; then
    AKAMAI_ACCESS_TOKEN=""
    AKAMAI_CLIENT_TOKEN=""
@@ -414,7 +418,7 @@ _edgedns_make_data_to_sign() {
  _secure_debug2 "hdr" "$hdr"
  _edgedns_make_content_hash
  path="$(echo "$_request_url_path" | tr -d "\n\r" | sed 's/https\?:\/\///')"
-  path="${path#*$AKAMAI_HOST}"
+  path=${path#*"$AKAMAI_HOST"}
  _debug "hier path" "$path"
  # dont expose headers to sign so use MT string
  _mdata="$(printf "%s\thttps\t%s\t%s\t%s\t%s\t%s" "$_request_method" "$AKAMAI_HOST" "$path" "" "$_hash" "$hdr")"
--- a/dnsapi/dns_gandi_livedns.sh
+++ b/dnsapi/dns_gandi_livedns.sh
@@ -1,7 +1,8 @@
 #!/usr/bin/env sh

 # Gandi LiveDNS v5 API
-# http://doc.livedns.gandi.net/
+# https://api.gandi.net/docs/livedns/
+# https://api.gandi.net/docs/authentication/ for token + apikey (deprecated) authentication
 # currently under beta
 #
 # Requires GANDI API KEY set in GANDI_LIVEDNS_KEY set as environment variable
@@ -19,13 +20,20 @@ dns_gandi_livedns_add() {
  fulldomain=$1
  txtvalue=$2

-  if [ -z "$GANDI_LIVEDNS_KEY" ]; then
-    _err "No API key specified for Gandi LiveDNS."
-    _err "Create your key and export it as GANDI_LIVEDNS_KEY"
+  if [ -z "$GANDI_LIVEDNS_KEY" ] && [ -z "$GANDI_LIVEDNS_TOKEN" ]; then
+    _err "No Token or API key (deprecated) specified for Gandi LiveDNS."
+    _err "Create your token or key and export it as GANDI_LIVEDNS_KEY or GANDI_LIVEDNS_TOKEN respectively"
    return 1
  fi

-  _saveaccountconf GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY"
+  # Keep only one secret in configuration
+  if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then
+    _saveaccountconf GANDI_LIVEDNS_TOKEN "$GANDI_LIVEDNS_TOKEN"
+    _clearaccountconf GANDI_LIVEDNS_KEY
+  elif [ -n "$GANDI_LIVEDNS_KEY" ]; then
+    _saveaccountconf GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY"
+    _clearaccountconf GANDI_LIVEDNS_TOKEN
+  fi

  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
@@ -157,7 +165,12 @@ _gandi_livedns_rest() {
  _debug "$ep"

  export _H1="Content-Type: application/json"
-  export _H2="X-Api-Key: $GANDI_LIVEDNS_KEY"
+
+  if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then
+    export _H2="Authorization: Bearer $GANDI_LIVEDNS_TOKEN"
+  else
+    export _H2="X-Api-Key: $GANDI_LIVEDNS_KEY"
+  fi

  if [ "$m" = "GET" ]; then
    response="$(_get "$GANDI_LIVEDNS_API/$ep")"
--- a/dnsapi/dns_gcloud.sh
+++ b/dnsapi/dns_gcloud.sh
@@ -39,7 +39,7 @@ dns_gcloud_rm() {
  _dns_gcloud_start_tr || return $?
  _dns_gcloud_get_rrdatas || return $?
  echo "$rrdatas" | _dns_gcloud_remove_rrs || return $?
-  echo "$rrdatas" | grep -F -v "\"$txtvalue\"" | _dns_gcloud_add_rrs || return $?
+  echo "$rrdatas" | grep -F -v -- "\"$txtvalue\"" | _dns_gcloud_add_rrs || return $?
  _dns_gcloud_execute_tr || return $?

  _info "$fulldomain record added"
@@ -98,7 +98,7 @@ _dns_gcloud_remove_rrs() {
    --ttl="$ttl" \
    --type=TXT \
    --zone="$managedZone" \
-    --transaction-file="$tr"; then
+    --transaction-file="$tr" --; then
    _debug tr "$(cat "$tr")"
    rm -r "$trd"
    _err "_dns_gcloud_remove_rrs: failed to remove RRs"
@@ -113,7 +113,7 @@ _dns_gcloud_add_rrs() {
    --ttl="$ttl" \
    --type=TXT \
    --zone="$managedZone" \
-    --transaction-file="$tr"; then
+    --transaction-file="$tr" --; then
    _debug tr "$(cat "$tr")"
    rm -r "$trd"
    _err "_dns_gcloud_add_rrs: failed to add RRs"
--- a/dnsapi/dns_gcore.sh
+++ b/dnsapi/dns_gcore.sh
@@ -0,0 +1,187 @@
+#!/usr/bin/env sh
+
+#
+#GCORE_Key='773$7b7adaf2a2b32bfb1b83787b4ff32a67eb178e3ada1af733e47b1411f2461f7f4fa7ed7138e2772a46124377bad7384b3bb8d87748f87b3f23db4b8bbe41b2bb'
+#
+
+GCORE_Api="https://api.gcorelabs.com/dns/v2"
+GCORE_Doc="https://apidocs.gcore.com/dns"
+
+########  Public functions #####################
+
+#Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_gcore_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}"
+
+  if [ -z "$GCORE_Key" ]; then
+    GCORE_Key=""
+    _err "You didn't specify a Gcore api key yet."
+    _err "You can get yours from here $GCORE_Doc"
+    return 1
+  fi
+
+  #save the api key to the account conf file.
+  _saveaccountconf_mutable GCORE_Key "$GCORE_Key"
+
+  _debug "First detect the zone name"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _zone_name "$_zone_name"
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _debug "Getting txt records"
+  _gcore_rest GET "zones/$_zone_name/$fulldomain/TXT"
+  payload=""
+
+  if echo "$response" | grep "record is not found" >/dev/null; then
+    _info "Record doesn't exists"
+    payload="{\"resource_records\":[{\"content\":[\"$txtvalue\"],\"enabled\":true}],\"ttl\":120}"
+  elif echo "$response" | grep "$txtvalue" >/dev/null; then
+    _info "Already exists, OK"
+    return 0
+  elif echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then
+    _info "Record with mismatch txtvalue, try update it"
+    payload=$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/"meta":{}}]}/"meta":{}},{"content":['\""$txtvalue"\"'],"enabled":true}]}/')
+  fi
+
+  # For wildcard cert, the main root domain and the wildcard domain have the same txt subdomain name, so
+  # we can not use updating anymore.
+  #  count=$(printf "%s\n" "$response" | _egrep_o "\"count\":[^,]*" | cut -d : -f 2)
+  #  _debug count "$count"
+  #  if [ "$count" = "0" ]; then
+  _info "Adding record"
+  if _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then
+    if _contains "$response" "$txtvalue"; then
+      _info "Added, OK"
+      return 0
+    elif _contains "$response" "rrset is already exists"; then
+      _info "Already exists, OK"
+      return 0
+    else
+      _err "Add txt record error."
+      return 1
+    fi
+  fi
+  _err "Add txt record error."
+  return 1
+}
+
+#fulldomain txtvalue
+dns_gcore_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  GCORE_Key="${GCORE_Key:-$(_readaccountconf_mutable GCORE_Key)}"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _zone_name "$_zone_name"
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _debug "Getting txt records"
+  _gcore_rest GET "zones/$_zone_name/$fulldomain/TXT"
+
+  if echo "$response" | grep "record is not found" >/dev/null; then
+    _info "No such txt recrod"
+    return 0
+  fi
+
+  if ! echo "$response" | tr -d " " | grep \"name\":\""$fulldomain"\",\"type\":\"TXT\" >/dev/null; then
+    _err "Error: $response"
+    return 1
+  fi
+
+  if ! echo "$response" | tr -d " " | grep \""$txtvalue"\" >/dev/null; then
+    _info "No such txt recrod"
+    return 0
+  fi
+
+  count="$(echo "$response" | grep -o "content" | wc -l)"
+
+  if [ "$count" = "1" ]; then
+    if ! _gcore_rest DELETE "zones/$_zone_name/$fulldomain/TXT"; then
+      _err "Delete record error. $response"
+      return 1
+    fi
+    return 0
+  fi
+
+  payload="$(echo "$response" | tr -d " " | sed 's/"updated_at":[0-9]\+,//g' | sed 's/{"id":[0-9]\+,"content":\["'"$txtvalue"'"\],"enabled":true,"meta":{}}//' | sed 's/\[,/\[/' | sed 's/,,/,/' | sed 's/,\]/\]/')"
+  if ! _gcore_rest PUT "zones/$_zone_name/$fulldomain/TXT" "$payload"; then
+    _err "Delete record error. $response"
+  fi
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.sub.domain.com
+#returns
+# _sub_domain=_acme-challenge.sub or _acme-challenge
+# _domain=domain.com
+# _zone_name=domain.com or sub.domain.com
+_get_root() {
+  domain=$1
+  i=1
+  p=1
+
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug h "$h"
+    if [ -z "$h" ]; then
+      #not valid
+      return 1
+    fi
+
+    if ! _gcore_rest GET "zones/$h"; then
+      return 1
+    fi
+
+    if _contains "$response" "\"name\":\"$h\""; then
+      _zone_name=$h
+      if [ "$_zone_name" ]; then
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _domain=$h
+        return 0
+      fi
+      return 1
+    fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+  return 1
+}
+
+_gcore_rest() {
+  m=$1
+  ep="$2"
+  data="$3"
+  _debug "$ep"
+
+  key_trimmed=$(echo "$GCORE_Key" | tr -d '"')
+
+  export _H1="Content-Type: application/json"
+  export _H2="Authorization: APIKey $key_trimmed"
+
+  if [ "$m" != "GET" ]; then
+    _debug data "$data"
+    response="$(_post "$data" "$GCORE_Api/$ep" "" "$m")"
+  else
+    response="$(_get "$GCORE_Api/$ep")"
+  fi
+
+  if [ "$?" != "0" ]; then
+    _err "error $ep"
+    return 1
+  fi
+  _debug2 response "$response"
+  return 0
+}
--- a/dnsapi/dns_gd.sh
+++ b/dnsapi/dns_gd.sh
@@ -1,10 +1,12 @@
 #!/usr/bin/env sh

 #Godaddy domain api
+# Get API key and secret from https://developer.godaddy.com/
 #
-#GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
+# GD_Key="sdfsdfsdfljlbjkljlkjsdfoiwje"
+# GD_Secret="asdfsdfsfsdfsdfdfsdf"
 #
-#GD_Secret="asdfsdfsfsdfsdfdfsdf"
+# Ex.: acme.sh --issue --staging --dns dns_gd -d "*.s.example.com" -d "s.example.com"

 GD_Api="https://api.godaddy.com/v1"

@@ -20,8 +22,8 @@ dns_gd_add() {
  if [ -z "$GD_Key" ] || [ -z "$GD_Secret" ]; then
    GD_Key=""
    GD_Secret=""
-    _err "You don't specify godaddy api key and secret yet."
-    _err "Please create you key and try again."
+    _err "You didn't specify godaddy api key and secret yet."
+    _err "Please create your key and try again."
    return 1
  fi

@@ -44,14 +46,15 @@ dns_gd_add() {
  fi

  if _contains "$response" "$txtvalue"; then
-    _info "The record is existing, skip"
+    _info "This record already exists, skipping"
    return 0
  fi

  _add_data="{\"data\":\"$txtvalue\"}"
  for t in $(echo "$response" | tr '{' "\n" | grep "\"name\":\"$_sub_domain\"" | tr ',' "\n" | grep '"data"' | cut -d : -f 2); do
    _debug2 t "$t"
-    if [ "$t" ]; then
+    # ignore empty (previously removed) records, to prevent useless _acme-challenge TXT entries
+    if [ "$t" ] && [ "$t" != '""' ]; then
      _add_data="$_add_data,{\"data\":$t}"
    fi
  done
@@ -59,13 +62,25 @@ dns_gd_add() {

  _info "Adding record"
  if _gd_rest PUT "domains/$_domain/records/TXT/$_sub_domain" "[$_add_data]"; then
-    _info "Added, sleeping 10 seconds"
-    _sleep 10
-    #todo: check if the record takes effect
-    return 0
+    _debug "Checking updated records of '${fulldomain}'"
+
+    if ! _gd_rest GET "domains/$_domain/records/TXT/$_sub_domain"; then
+      _err "Validating TXT record for '${fulldomain}' with rest error [$?]." "$response"
+      return 1
+    fi
+
+    if ! _contains "$response" "$txtvalue"; then
+      _err "TXT record '${txtvalue}' for '${fulldomain}', value wasn't set!"
+      return 1
+    fi
+  else
+    _err "Add txt record error, value '${txtvalue}' for '${fulldomain}' was not set."
+    return 1
  fi
-  _err "Add txt record error."
-  return 1
+
+  _sleep 10
+  _info "Added TXT record '${txtvalue}' for '${fulldomain}'."
+  return 0
 }

 #fulldomain
@@ -107,11 +122,20 @@ dns_gd_rm() {
    fi
  done
  if [ -z "$_add_data" ]; then
-    _add_data="{\"data\":\"\"}"
+    # delete empty record
+    _debug "Delete last record for '${fulldomain}'"
+    if ! _gd_rest DELETE "domains/$_domain/records/TXT/$_sub_domain"; then
+      _err "Cannot delete empty TXT record for '$fulldomain'"
+      return 1
+    fi
+  else
+    # remove specific TXT value, keeping other entries
+    _debug2 _add_data "$_add_data"
+    if ! _gd_rest PUT "domains/$_domain/records/TXT/$_sub_domain" "[$_add_data]"; then
+      _err "Cannot update TXT record for '$fulldomain'"
+      return 1
+    fi
  fi
-  _debug2 _add_data "$_add_data"
-
-  _gd_rest PUT "domains/$_domain/records/TXT/$_sub_domain" "[$_add_data]"
 }

 ####################  Private functions below ##################################
@@ -156,15 +180,15 @@ _gd_rest() {
  export _H1="Authorization: sso-key $GD_Key:$GD_Secret"
  export _H2="Content-Type: application/json"

-  if [ "$data" ]; then
-    _debug data "$data"
+  if [ "$data" ] || [ "$m" = "DELETE" ]; then
+    _debug "data ($m): " "$data"
    response="$(_post "$data" "$GD_Api/$ep" "" "$m")"
  else
    response="$(_get "$GD_Api/$ep")"
  fi

  if [ "$?" != "0" ]; then
-    _err "error $ep"
+    _err "error on rest call ($m): $ep"
    return 1
  fi
  _debug2 response "$response"
--- a/dnsapi/dns_googledomains.sh
+++ b/dnsapi/dns_googledomains.sh
@@ -0,0 +1,173 @@
+#!/usr/bin/env sh
+
+# Author: Alex Leigh <leigh at alexleigh dot me>
+# Created: 2023-03-02
+
+#GOOGLEDOMAINS_ACCESS_TOKEN="xxxx"
+#GOOGLEDOMAINS_ZONE="xxxx"
+GOOGLEDOMAINS_API="https://acmedns.googleapis.com/v1/acmeChallengeSets"
+
+######## Public functions ########
+
+#Usage: dns_googledomains_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_googledomains_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  _info "Invoking Google Domains ACME DNS API."
+
+  if ! _dns_googledomains_setup; then
+    return 1
+  fi
+
+  zone="$(_dns_googledomains_get_zone "$fulldomain")"
+  if [ -z "$zone" ]; then
+    _err "Could not find a Google Domains-managed zone containing the requested domain."
+    return 1
+  fi
+
+  _debug zone "$zone"
+  _debug txtvalue "$txtvalue"
+
+  _info "Adding TXT record for $fulldomain."
+  if _dns_googledomains_api "$zone" ":rotateChallenges" "{\"accessToken\":\"$GOOGLEDOMAINS_ACCESS_TOKEN\",\"recordsToAdd\":[{\"fqdn\":\"$fulldomain\",\"digest\":\"$txtvalue\"}],\"keepExpiredRecords\":true}"; then
+    if _contains "$response" "$txtvalue"; then
+      _info "TXT record added."
+      return 0
+    else
+      _err "Error adding TXT record."
+      return 1
+    fi
+  fi
+
+  _err "Error adding TXT record."
+  return 1
+}
+
+#Usage: dns_googledomains_rm   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_googledomains_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  _info "Invoking Google Domains ACME DNS API."
+
+  if ! _dns_googledomains_setup; then
+    return 1
+  fi
+
+  zone="$(_dns_googledomains_get_zone "$fulldomain")"
+  if [ -z "$zone" ]; then
+    _err "Could not find a Google Domains-managed domain based on request."
+    return 1
+  fi
+
+  _debug zone "$zone"
+  _debug txtvalue "$txtvalue"
+
+  _info "Removing TXT record for $fulldomain."
+  if _dns_googledomains_api "$zone" ":rotateChallenges" "{\"accessToken\":\"$GOOGLEDOMAINS_ACCESS_TOKEN\",\"recordsToRemove\":[{\"fqdn\":\"$fulldomain\",\"digest\":\"$txtvalue\"}],\"keepExpiredRecords\":true}"; then
+    if _contains "$response" "$txtvalue"; then
+      _err "Error removing TXT record."
+      return 1
+    else
+      _info "TXT record removed."
+      return 0
+    fi
+  fi
+
+  _err "Error removing TXT record."
+  return 1
+}
+
+######## Private functions ########
+
+_dns_googledomains_setup() {
+  if [ -n "$GOOGLEDOMAINS_SETUP_COMPLETED" ]; then
+    return 0
+  fi
+
+  GOOGLEDOMAINS_ACCESS_TOKEN="${GOOGLEDOMAINS_ACCESS_TOKEN:-$(_readaccountconf_mutable GOOGLEDOMAINS_ACCESS_TOKEN)}"
+  GOOGLEDOMAINS_ZONE="${GOOGLEDOMAINS_ZONE:-$(_readaccountconf_mutable GOOGLEDOMAINS_ZONE)}"
+
+  if [ -z "$GOOGLEDOMAINS_ACCESS_TOKEN" ]; then
+    GOOGLEDOMAINS_ACCESS_TOKEN=""
+    _err "Google Domains access token was not specified."
+    _err "Please visit Google Domains Security settings to provision an ACME DNS API access token."
+    return 1
+  fi
+
+  if [ "$GOOGLEDOMAINS_ZONE" ]; then
+    _savedomainconf GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN"
+    _savedomainconf GOOGLEDOMAINS_ZONE "$GOOGLEDOMAINS_ZONE"
+  else
+    _saveaccountconf_mutable GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN"
+    _clearaccountconf_mutable GOOGLEDOMAINS_ZONE
+    _clearaccountconf GOOGLEDOMAINS_ZONE
+  fi
+
+  _debug GOOGLEDOMAINS_ACCESS_TOKEN "$GOOGLEDOMAINS_ACCESS_TOKEN"
+  _debug GOOGLEDOMAINS_ZONE "$GOOGLEDOMAINS_ZONE"
+
+  GOOGLEDOMAINS_SETUP_COMPLETED=1
+  return 0
+}
+
+_dns_googledomains_get_zone() {
+  domain=$1
+
+  # Use zone directly if provided
+  if [ "$GOOGLEDOMAINS_ZONE" ]; then
+    if ! _dns_googledomains_api "$GOOGLEDOMAINS_ZONE"; then
+      return 1
+    fi
+
+    echo "$GOOGLEDOMAINS_ZONE"
+    return 0
+  fi
+
+  i=2
+  while true; do
+    curr=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug curr "$curr"
+
+    if [ -z "$curr" ]; then
+      return 1
+    fi
+
+    if _dns_googledomains_api "$curr"; then
+      echo "$curr"
+      return 0
+    fi
+
+    i=$(_math "$i" + 1)
+  done
+
+  return 1
+}
+
+_dns_googledomains_api() {
+  zone=$1
+  apimethod=$2
+  data="$3"
+
+  if [ -z "$data" ]; then
+    response="$(_get "$GOOGLEDOMAINS_API/$zone$apimethod")"
+  else
+    _debug data "$data"
+    export _H1="Content-Type: application/json"
+    response="$(_post "$data" "$GOOGLEDOMAINS_API/$zone$apimethod")"
+  fi
+
+  _debug response "$response"
+
+  if [ "$?" != "0" ]; then
+    _err "Error"
+    return 1
+  fi
+
+  if _contains "$response" "\"error\": {"; then
+    return 1
+  fi
+
+  return 0
+}
--- a/dnsapi/dns_huaweicloud.sh
+++ b/dnsapi/dns_huaweicloud.sh
@@ -2,7 +2,7 @@

 # HUAWEICLOUD_Username
 # HUAWEICLOUD_Password
-# HUAWEICLOUD_ProjectID
+# HUAWEICLOUD_DomainName

 iam_api="https://iam.myhuaweicloud.com"
 dns_api="https://dns.ap-southeast-1.myhuaweicloud.com" # Should work
@@ -14,6 +14,8 @@ dns_api="https://dns.ap-southeast-1.myhuaweicloud.com" # Should work
 #
 # Ref: https://support.huaweicloud.com/intl/zh-cn/api-dns/zh-cn_topic_0132421999.html
 #
+# About "DomainName" parameters see: https://support.huaweicloud.com/api-iam/iam_01_0006.html
+#

 dns_huaweicloud_add() {
  fulldomain=$1
@@ -21,16 +23,16 @@ dns_huaweicloud_add() {

  HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}"
  HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}"
-  HUAWEICLOUD_ProjectID="${HUAWEICLOUD_ProjectID:-$(_readaccountconf_mutable HUAWEICLOUD_ProjectID)}"
+  HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_DomainName)}"

  # Check information
-  if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_ProjectID}" ]; then
+  if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_DomainName}" ]; then
    _err "Not enough information provided to dns_huaweicloud!"
    return 1
  fi

  unset token # Clear token
-  token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_ProjectID}")"
+  token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_DomainName}")"
  if [ -z "${token}" ]; then # Check token
    _err "dns_api(dns_huaweicloud): Error getting token."
    return 1
@@ -56,7 +58,7 @@ dns_huaweicloud_add() {
  # Do saving work if all succeeded
  _saveaccountconf_mutable HUAWEICLOUD_Username "${HUAWEICLOUD_Username}"
  _saveaccountconf_mutable HUAWEICLOUD_Password "${HUAWEICLOUD_Password}"
-  _saveaccountconf_mutable HUAWEICLOUD_ProjectID "${HUAWEICLOUD_ProjectID}"
+  _saveaccountconf_mutable HUAWEICLOUD_DomainName "${HUAWEICLOUD_DomainName}"
  return 0
 }

@@ -72,16 +74,16 @@ dns_huaweicloud_rm() {

  HUAWEICLOUD_Username="${HUAWEICLOUD_Username:-$(_readaccountconf_mutable HUAWEICLOUD_Username)}"
  HUAWEICLOUD_Password="${HUAWEICLOUD_Password:-$(_readaccountconf_mutable HUAWEICLOUD_Password)}"
-  HUAWEICLOUD_ProjectID="${HUAWEICLOUD_ProjectID:-$(_readaccountconf_mutable HUAWEICLOUD_ProjectID)}"
+  HUAWEICLOUD_DomainName="${HUAWEICLOUD_DomainName:-$(_readaccountconf_mutable HUAWEICLOUD_DomainName)}"

  # Check information
-  if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_ProjectID}" ]; then
+  if [ -z "${HUAWEICLOUD_Username}" ] || [ -z "${HUAWEICLOUD_Password}" ] || [ -z "${HUAWEICLOUD_DomainName}" ]; then
    _err "Not enough information provided to dns_huaweicloud!"
    return 1
  fi

  unset token # Clear token
-  token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_ProjectID}")"
+  token="$(_get_token "${HUAWEICLOUD_Username}" "${HUAWEICLOUD_Password}" "${HUAWEICLOUD_DomainName}")"
  if [ -z "${token}" ]; then # Check token
    _err "dns_api(dns_huaweicloud): Error getting token."
    return 1
@@ -96,19 +98,59 @@ dns_huaweicloud_rm() {
  fi
  _debug "Zone ID is:" "${zoneid}"

-  # Remove all records
-  # Therotically HuaweiCloud does not allow more than one record set
-  # But remove them recurringly to increase robusty
-  while [ "${record_id}" != "0" ]; do
-    _debug "Removing Record"
-    _rm_record "${token}" "${zoneid}" "${record_id}"
-    record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")"
-  done
+  record_id="$(_get_recordset_id "${token}" "${fulldomain}" "${zoneid}")"
+  _recursive_rm_record "${token}" "${fulldomain}" "${zoneid}" "${record_id}"
+  ret="$?"
+  if [ "${ret}" != "0" ]; then
+    _err "dns_api(dns_huaweicloud): Error removing record."
+    return 1
+  fi
+
  return 0
 }

 ###################  Private functions below ##################################

+# _recursive_rm_record
+# remove all records from the record set
+#
+# _token=$1
+# _domain=$2
+# _zoneid=$3
+# _record_id=$4
+#
+# Returns 0 on success
+_recursive_rm_record() {
+  _token=$1
+  _domain=$2
+  _zoneid=$3
+  _record_id=$4
+
+  # Most likely to have problems will huaweicloud side if more than 50 attempts but still cannot fully remove the record set
+  # Maybe can be removed manually in the dashboard
+  _retry_cnt=50
+
+  # Remove all records
+  # Therotically HuaweiCloud does not allow more than one record set
+  # But remove them recurringly to increase robusty
+
+  while [ "${_record_id}" != "0" ] && [ "${_retry_cnt}" != "0" ]; do
+    _debug "Removing Record"
+    _retry_cnt=$((_retry_cnt - 1))
+    _rm_record "${_token}" "${_zoneid}" "${_record_id}"
+    _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${_zoneid}")"
+    _debug2 "Checking record exists: record_id=${_record_id}"
+  done
+
+  # Check if retry count is reached
+  if [ "${_retry_cnt}" = "0" ]; then
+    _debug "Failed to remove record after 50 attempts, please try removing it manually in the dashboard"
+    return 1
+  fi
+
+  return 0
+}
+
 # _get_zoneid
 #
 # _token=$1
@@ -122,7 +164,7 @@ _get_zoneid() {

  i=1
  while true; do
-    h=$(printf "%s" "${_domain_string}" | cut -d . -f $i-100)
+    h=$(printf "%s" "${_domain_string}" | cut -d . -f "$i"-100)
    if [ -z "$h" ]; then
      #not valid
      return 1
@@ -133,11 +175,11 @@ _get_zoneid() {
    if _contains "${response}" '"id"'; then
      zoneidlist=$(echo "${response}" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ")
      zonenamelist=$(echo "${response}" | _egrep_o "\"name\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ")
-      _debug2 "Return Zone ID(s):" "${zoneidlist}"
-      _debug2 "Return Zone Name(s):" "${zonenamelist}"
+      _debug2 "Returned Zone ID(s):" "${zoneidlist}"
+      _debug2 "Returned Zone Name(s):" "${zonenamelist}"
      zoneidnum=0
      zoneidcount=$(echo "${zoneidlist}" | grep -c '^')
-      _debug "Retund Zone ID(s) Count:" "${zoneidcount}"
+      _debug "Returned Zone ID(s) Count:" "${zoneidcount}"
      while [ "${zoneidnum}" -lt "${zoneidcount}" ]; do
        zoneidnum=$(_math "$zoneidnum" + 1)
        _zoneid=$(echo "${zoneidlist}" | sed -n "${zoneidnum}p")
@@ -204,8 +246,7 @@ _add_record() {
      \"type\": \"TXT\",
      \"ttl\": 1,
      \"records\": [
-        ${_exist_record},
-        \"\\\"${_txtvalue}\\\"\"
+        ${_exist_record},\"\\\"${_txtvalue}\\\"\"
      ]
    }"
  fi
@@ -213,19 +254,16 @@ _add_record() {
  _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")"
  _debug "Record Set ID is:" "${_record_id}"

-  # Remove all records
-  while [ "${_record_id}" != "0" ]; do
-    _debug "Removing Record"
-    _rm_record "${_token}" "${zoneid}" "${_record_id}"
-    _record_id="$(_get_recordset_id "${_token}" "${_domain}" "${zoneid}")"
-  done
-
  # Add brand new records with all old and new records
  export _H2="Content-Type: application/json"
  export _H1="X-Auth-Token: ${_token}"

  _debug2 "${_post_body}"
-  _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null
+  if [ -z "${_exist_record}" ]; then
+    _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets" >/dev/null
+  else
+    _post "${_post_body}" "${dns_api}/v2/zones/${zoneid}/recordsets/${_record_id}" false "PUT" >/dev/null
+  fi
  _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
  if [ "$_code" != "202" ]; then
    _err "dns_huaweicloud: http code ${_code}"
@@ -253,7 +291,7 @@ _rm_record() {
 _get_token() {
  _username=$1
  _password=$2
-  _project=$3
+  _domain_name=$3

  _debug "Getting Token"
  body="{
@@ -267,14 +305,14 @@ _get_token() {
            \"name\": \"${_username}\",
            \"password\": \"${_password}\",
            \"domain\": {
-              \"name\": \"${_username}\"
+              \"name\": \"${_domain_name}\"
            }
          }
        }
      },
      \"scope\": {
        \"project\": {
-          \"id\": \"${_project}\"
+          \"name\": \"ap-southeast-1\"
        }
      }
    }
--- a/dnsapi/dns_infomaniak.sh
+++ b/dnsapi/dns_infomaniak.sh
@@ -76,7 +76,7 @@ dns_infomaniak_add() {
  domain_id=${zone_and_id#* }

  # extract first part of domain
-  key=${fulldomain%.$zone}
+  key=${fulldomain%."$zone"}

  _debug "zone:$zone id:$domain_id key:$key"

@@ -149,7 +149,7 @@ dns_infomaniak_rm() {
  domain_id=${zone_and_id#* }

  # extract first part of domain
-  key=${fulldomain%.$zone}
+  key=${fulldomain%."$zone"}

  _debug "zone:$zone id:$domain_id key:$key"

--- a/dnsapi/dns_inwx.sh
+++ b/dnsapi/dns_inwx.sh
@@ -194,7 +194,7 @@ _inwx_login() {

  response="$(_post "$xml_content" "$INWX_Api" "" "POST")"

-  INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')")
+  INWX_Cookie=$(printf "Cookie: %s" "$(grep "domrobot=" "$HTTP_HEADER" | grep -i "^Set-Cookie:" | _tail_n 1 | _egrep_o 'domrobot=[^;]*;' | tr -d ';')")
  _H1=$INWX_Cookie
  export _H1
  export INWX_Cookie
--- a/dnsapi/dns_ionos.sh
+++ b/dnsapi/dns_ionos.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh

-# Supports IONOS DNS API Beta v1.0.0
+# Supports IONOS DNS API v1.0.1
 #
 # Usage:
 #   Export IONOS_PREFIX and IONOS_SECRET before calling acme.sh:
@@ -26,7 +26,7 @@ dns_ionos_add() {

  _body="[{\"name\":\"$_sub_domain.$_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":$IONOS_TXT_TTL,\"prio\":$IONOS_TXT_PRIO,\"disabled\":false}]"

-  if _ionos_rest POST "$IONOS_ROUTE_ZONES/$_zone_id/records" "$_body" && [ -z "$response" ]; then
+  if _ionos_rest POST "$IONOS_ROUTE_ZONES/$_zone_id/records" "$_body" && [ "$_code" = "201" ]; then
    _info "TXT record has been created successfully."
    return 0
  fi
@@ -47,7 +47,7 @@ dns_ionos_rm() {
    return 1
  fi

-  if _ionos_rest DELETE "$IONOS_ROUTE_ZONES/$_zone_id/records/$_record_id" && [ -z "$response" ]; then
+  if _ionos_rest DELETE "$IONOS_ROUTE_ZONES/$_zone_id/records/$_record_id" && [ "$_code" = "200" ]; then
    _info "TXT record has been deleted successfully."
    return 0
  fi
@@ -85,7 +85,7 @@ _get_root() {
  p=1

  if _ionos_rest GET "$IONOS_ROUTE_ZONES"; then
-    response="$(echo "$response" | tr -d "\n")"
+    _response="$(echo "$_response" | tr -d "\n")"

    while true; do
      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
@@ -93,7 +93,7 @@ _get_root() {
        return 1
      fi

-      _zone="$(echo "$response" | _egrep_o "\"name\":\"$h\".*\}")"
+      _zone="$(echo "$_response" | _egrep_o "\"name\":\"$h\".*\}")"
      if [ "$_zone" ]; then
        _zone_id=$(printf "%s\n" "$_zone" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
        if [ "$_zone_id" ]; then
@@ -120,9 +120,9 @@ _ionos_get_record() {
  txtrecord=$3

  if _ionos_rest GET "$IONOS_ROUTE_ZONES/$zone_id?recordName=$fulldomain&recordType=TXT"; then
-    response="$(echo "$response" | tr -d "\n")"
+    _response="$(echo "$_response" | tr -d "\n")"

-    _record="$(echo "$response" | _egrep_o "\"name\":\"$fulldomain\"[^\}]*\"type\":\"TXT\"[^\}]*\"content\":\"\\\\\"$txtrecord\\\\\"\".*\}")"
+    _record="$(echo "$_response" | _egrep_o "\"name\":\"$fulldomain\"[^\}]*\"type\":\"TXT\"[^\}]*\"content\":\"\\\\\"$txtrecord\\\\\"\".*\}")"
    if [ "$_record" ]; then
      _record_id=$(printf "%s\n" "$_record" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')

@@ -142,22 +142,30 @@ _ionos_rest() {

  export _H1="X-API-Key: $IONOS_API_KEY"

+  # clear headers
+  : >"$HTTP_HEADER"
+
  if [ "$method" != "GET" ]; then
    export _H2="Accept: application/json"
    export _H3="Content-Type: application/json"

-    response="$(_post "$data" "$IONOS_API$route" "" "$method" "application/json")"
+    _response="$(_post "$data" "$IONOS_API$route" "" "$method" "application/json")"
  else
    export _H2="Accept: */*"
    export _H3=
-    response="$(_get "$IONOS_API$route")"
+
+    _response="$(_get "$IONOS_API$route")"
  fi

+  _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
+
  if [ "$?" != "0" ]; then
-    _err "Error $route: $response"
+    _err "Error $route: $_response"
    return 1
  fi
-  _debug2 "response" "$response"
+
+  _debug2 "_response" "$_response"
+  _debug2 "_code" "$_code"

  return 0
 }
--- a/dnsapi/dns_ipv64.sh
+++ b/dnsapi/dns_ipv64.sh
@@ -0,0 +1,157 @@
+#!/usr/bin/env sh
+
+#Created by Roman Lumetsberger, to use ipv64.net's API to add/remove text records
+#2022/11/29
+
+# Pass credentials before "acme.sh --issue --dns dns_ipv64 ..."
+# --
+# export IPv64_Token="aaaaaaaaaaaaaaaaaaaaaaaaaa"
+# --
+#
+
+IPv64_API="https://ipv64.net/api"
+
+########  Public functions ######################
+
+#Usage: dns_ipv64_add _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_ipv64_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}"
+  if [ -z "$IPv64_Token" ]; then
+    _err "You must export variable: IPv64_Token"
+    _err "The API Key for your IPv64 account is necessary."
+    _err "You can look it up in your IPv64 account."
+    return 1
+  fi
+
+  # Now save the credentials.
+  _saveaccountconf_mutable IPv64_Token "$IPv64_Token"
+
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain" "$fulldomain"
+    return 1
+  fi
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  # convert to lower case
+  _domain="$(echo "$_domain" | _lower_case)"
+  _sub_domain="$(echo "$_sub_domain" | _lower_case)"
+  # Now add the TXT record
+  _info "Trying to add TXT record"
+  if _ipv64_rest "POST" "add_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then
+    _info "TXT record has been successfully added."
+    return 0
+  else
+    _err "Errors happened during adding the TXT record, response=$_response"
+    return 1
+  fi
+
+}
+
+#Usage: fulldomain txtvalue
+#Usage: dns_ipv64_rm _acme-challenge.domain.ipv64.net "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+#Remove the txt record after validation.
+dns_ipv64_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  IPv64_Token="${IPv64_Token:-$(_readaccountconf_mutable IPv64_Token)}"
+  if [ -z "$IPv64_Token" ]; then
+    _err "You must export variable: IPv64_Token"
+    _err "The API Key for your IPv64 account is necessary."
+    _err "You can look it up in your IPv64 account."
+    return 1
+  fi
+
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain" "$fulldomain"
+    return 1
+  fi
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  # convert to lower case
+  _domain="$(echo "$_domain" | _lower_case)"
+  _sub_domain="$(echo "$_sub_domain" | _lower_case)"
+  # Now delete the TXT record
+  _info "Trying to delete TXT record"
+  if _ipv64_rest "DELETE" "del_record=$_domain&praefix=$_sub_domain&type=TXT&content=$txtvalue"; then
+    _info "TXT record has been successfully deleted."
+    return 0
+  else
+    _err "Errors happened during deleting the TXT record, response=$_response"
+    return 1
+  fi
+
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+  domain="$1"
+  i=1
+  p=1
+
+  _ipv64_get "get_domains"
+  domain_data=$_response
+
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
+    if [ -z "$h" ]; then
+      #not valid
+      return 1
+    fi
+
+    #if _contains "$domain_data" "\""$h"\"\:"; then
+    if _contains "$domain_data" "\"""$h""\"\:"; then
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
+      _domain="$h"
+      return 0
+    fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+  return 1
+}
+
+#send get request to api
+# $1 has to set the api-function
+_ipv64_get() {
+  url="$IPv64_API?$1"
+  export _H1="Authorization: Bearer $IPv64_Token"
+
+  _response=$(_get "$url")
+  _response="$(echo "$_response" | _normalizeJson)"
+
+  if _contains "$_response" "429 Too Many Requests"; then
+    _info "API throttled, sleeping to reset the limit"
+    _sleep 10
+    _response=$(_get "$url")
+    _response="$(echo "$_response" | _normalizeJson)"
+  fi
+}
+
+_ipv64_rest() {
+  url="$IPv64_API"
+  export _H1="Authorization: Bearer $IPv64_Token"
+  export _H2="Content-Type: application/x-www-form-urlencoded"
+  _response=$(_post "$2" "$url" "" "$1")
+
+  if _contains "$_response" "429 Too Many Requests"; then
+    _info "API throttled, sleeping to reset the limit"
+    _sleep 10
+    _response=$(_post "$2" "$url" "" "$1")
+  fi
+
+  if ! _contains "$_response" "\"info\":\"success\""; then
+    return 1
+  fi
+  _debug2 response "$_response"
+  return 0
+}
--- a/dnsapi/dns_ispconfig.sh
+++ b/dnsapi/dns_ispconfig.sh
@@ -32,6 +32,10 @@ dns_ispconfig_rm() {
 ####################  Private functions below ##################################

 _ISPC_credentials() {
+  ISPC_User="${ISPC_User:-$(_readaccountconf_mutable ISPC_User)}"
+  ISPC_Password="${ISPC_Password:-$(_readaccountconf_mutable ISPC_Password)}"
+  ISPC_Api="${ISPC_Api:-$(_readaccountconf_mutable ISPC_Api)}"
+  ISPC_Api_Insecure="${ISPC_Api_Insecure:-$(_readaccountconf_mutable ISPC_Api_Insecure)}"
  if [ -z "${ISPC_User}" ] || [ -z "${ISPC_Password}" ] || [ -z "${ISPC_Api}" ] || [ -z "${ISPC_Api_Insecure}" ]; then
    ISPC_User=""
    ISPC_Password=""
@@ -40,10 +44,10 @@ _ISPC_credentials() {
    _err "You haven't specified the ISPConfig Login data, URL and whether you want check the ISPC SSL cert. Please try again."
    return 1
  else
-    _saveaccountconf ISPC_User "${ISPC_User}"
-    _saveaccountconf ISPC_Password "${ISPC_Password}"
-    _saveaccountconf ISPC_Api "${ISPC_Api}"
-    _saveaccountconf ISPC_Api_Insecure "${ISPC_Api_Insecure}"
+    _saveaccountconf_mutable ISPC_User "${ISPC_User}"
+    _saveaccountconf_mutable ISPC_Password "${ISPC_Password}"
+    _saveaccountconf_mutable ISPC_Api "${ISPC_Api}"
+    _saveaccountconf_mutable ISPC_Api_Insecure "${ISPC_Api_Insecure}"
    # Set whether curl should use secure or insecure mode
    export HTTPS_INSECURE="${ISPC_Api_Insecure}"
  fi
--- a/dnsapi/dns_kappernet.sh
+++ b/dnsapi/dns_kappernet.sh
@@ -45,8 +45,8 @@ dns_kappernet_add() {
  if _kappernet_api GET "action=new&subject=$_domain&data=$data"; then

    if _contains "$response" "{\"OK\":true"; then
-      _info "Waiting 120 seconds for DNS to spread the new record"
-      _sleep 120
+      _info "Waiting 1 second for DNS to spread the new record"
+      _sleep 1
      return 0
    else
      _err "Error creating a TXT DNS Record: $fullhostname TXT $txtvalue"
--- a/dnsapi/dns_kas.sh
+++ b/dnsapi/dns_kas.sh
@@ -5,51 +5,81 @@
 # Environment variables:
 #
 #  - $KAS_Login (Kasserver API login name)
-#  - $KAS_Authtype (Kasserver API auth type. Default: sha1)
+#  - $KAS_Authtype (Kasserver API auth type. Default: plain)
 #  - $KAS_Authdata (Kasserver API auth data.)
 #
-# Author: Martin Kammerlander, Phlegx Systems OG <martin.kammerlander@phlegx.com>
-# Updated by: Marc-Oliver Lange <git@die-lang.es>
-# Credits: Inspired by dns_he.sh. Thanks a lot man!
-# Git repo: https://github.com/phlegx/acme.sh
-# TODO: Better Error handling
+# Last update: squared GmbH <github@squaredgmbh.de>
+# Credits:
+# - dns_he.sh. Thanks a lot man!
+# - Martin Kammerlander, Phlegx Systems OG <martin.kammerlander@phlegx.com>
+# - Marc-Oliver Lange <git@die-lang.es>
+# - https://github.com/o1oo11oo/kasapi.sh
 ########################################################################
-KAS_Api="https://kasapi.kasserver.com/dokumentation/formular.php"
+KAS_Api_GET="$(_get "https://kasapi.kasserver.com/soap/wsdl/KasApi.wsdl")"
+KAS_Api="$(echo "$KAS_Api_GET" | tr -d ' ' | grep -i "<soap:addresslocation=" | sed "s/='/\n/g" | grep -i "http" | sed "s/'\/>//g")"
+_info "[KAS] -> API URL $KAS_Api"
+
+KAS_Auth_GET="$(_get "https://kasapi.kasserver.com/soap/wsdl/KasAuth.wsdl")"
+KAS_Auth="$(echo "$KAS_Auth_GET" | tr -d ' ' | grep -i "<soap:addresslocation=" | sed "s/='/\n/g" | grep -i "http" | sed "s/'\/>//g")"
+_info "[KAS] -> AUTH URL $KAS_Auth"
+
+KAS_default_ratelimit=5 # TODO - Every response delivers a ratelimit (seconds) where KASAPI is blocking a request.
+
 ########  Public functions  #####################
 dns_kas_add() {
  _fulldomain=$1
  _txtvalue=$2
-  _info "Using DNS-01 All-inkl/Kasserver hook"
-  _info "Adding $_fulldomain DNS TXT entry on All-inkl/Kasserver"
-  _info "Check and Save Props"
+
+  _info "[KAS] -> Using DNS-01 All-inkl/Kasserver hook"
+  _info "[KAS] -> Check and Save Props"
  _check_and_save
-  _info "Checking Zone and Record_Name"
+
+  _info "[KAS] -> Adding $_fulldomain DNS TXT entry on all-inkl.com/Kasserver"
+  _info "[KAS] -> Retriving Credential Token"
+  _get_credential_token
+
+  _info "[KAS] -> Checking Zone and Record_Name"
  _get_zone_and_record_name "$_fulldomain"
-  _info "Getting Record ID"
+
+  _info "[KAS] -> Checking for existing Record entries"
  _get_record_id

-  _info "Creating TXT DNS record"
-  params="?kas_login=$KAS_Login"
-  params="$params&kas_auth_type=$KAS_Authtype"
-  params="$params&kas_auth_data=$KAS_Authdata"
-  params="$params&var1=record_name"
-  params="$params&wert1=$_record_name"
-  params="$params&var2=record_type"
-  params="$params&wert2=TXT"
-  params="$params&var3=record_data"
-  params="$params&wert3=$_txtvalue"
-  params="$params&var4=record_aux"
-  params="$params&wert4=0"
-  params="$params&kas_action=add_dns_settings"
-  params="$params&var5=zone_host"
-  params="$params&wert5=$_zone"
-  _debug2 "Wait for 10 seconds by default before calling KAS API."
-  _sleep 10
-  response="$(_get "$KAS_Api$params")"
-  _debug2 "response" "$response"
+  # If there is a record_id, delete the entry
+  if [ -n "$_record_id" ]; then
+    _info "[KAS] -> Existing records found. Now deleting old entries"
+    for i in $_record_id; do
+      _delete_RecordByID "$i"
+    done
+  else
+    _info "[KAS] -> No record found."
+  fi

-  if ! _contains "$response" "TRUE"; then
-    _err "An unkown error occurred, please check manually."
+  _info "[KAS] -> Creating TXT DNS record"
+  action="add_dns_settings"
+  kasReqParam="\"record_name\":\"$_record_name\""
+  kasReqParam="$kasReqParam,\"record_type\":\"TXT\""
+  kasReqParam="$kasReqParam,\"record_data\":\"$_txtvalue\""
+  kasReqParam="$kasReqParam,\"record_aux\":\"0\""
+  kasReqParam="$kasReqParam,\"zone_host\":\"$_zone\""
+  response="$(_callAPI "$action" "$kasReqParam")"
+  _debug2 "[KAS] -> Response" "$response"
+
+  if [ -z "$response" ]; then
+    _info "[KAS] -> Response was empty, please check manually."
+    return 1
+  elif _contains "$response" "<SOAP-ENV:Fault>"; then
+    faultstring="$(echo "$response" | tr -d '\n\r' | sed "s/<faultstring>/\n=> /g" | sed "s/<\/faultstring>/\n/g" | grep "=>" | sed "s/=> //g")"
+    case "${faultstring}" in
+    "record_already_exists")
+      _info "[KAS] -> The record already exists, which must not be a problem. Please check manually."
+      ;;
+    *)
+      _err "[KAS] -> An error =>$faultstring<= occurred, please check manually."
+      return 1
+      ;;
+    esac
+  elif ! _contains "$response" "<item><key xsi:type=\"xsd:string\">ReturnString</key><value xsi:type=\"xsd:string\">TRUE</value></item>"; then
+    _err "[KAS] -> An unknown error occurred, please check manually."
    return 1
  fi
  return 0
@@ -58,45 +88,62 @@ dns_kas_add() {
 dns_kas_rm() {
  _fulldomain=$1
  _txtvalue=$2
-  _info "Using DNS-01 All-inkl/Kasserver hook"
-  _info "Cleaning up after All-inkl/Kasserver hook"
-  _info "Removing $_fulldomain DNS TXT entry on All-inkl/Kasserver"

-  _info "Check and Save Props"
+  _info "[KAS] -> Using DNS-01 All-inkl/Kasserver hook"
+  _info "[KAS] -> Check and Save Props"
  _check_and_save
-  _info "Checking Zone and Record_Name"
+
+  _info "[KAS] -> Cleaning up after All-inkl/Kasserver hook"
+  _info "[KAS] -> Removing $_fulldomain DNS TXT entry on All-inkl/Kasserver"
+  _info "[KAS] -> Retriving Credential Token"
+  _get_credential_token
+
+  _info "[KAS] -> Checking Zone and Record_Name"
  _get_zone_and_record_name "$_fulldomain"
-  _info "Getting Record ID"
+
+  _info "[KAS] -> Getting Record ID"
  _get_record_id

+  _info "[KAS] -> Removing entries with ID: $_record_id"
  # If there is a record_id, delete the entry
  if [ -n "$_record_id" ]; then
-    params="?kas_login=$KAS_Login"
-    params="$params&kas_auth_type=$KAS_Authtype"
-    params="$params&kas_auth_data=$KAS_Authdata"
-    params="$params&kas_action=delete_dns_settings"
-
    for i in $_record_id; do
-      params2="$params&var1=record_id"
-      params2="$params2&wert1=$i"
-      _debug2 "Wait for 10 seconds by default before calling KAS API."
-      _sleep 10
-      response="$(_get "$KAS_Api$params2")"
-      _debug2 "response" "$response"
-      if ! _contains "$response" "TRUE"; then
-        _err "Either the txt record is not found or another error occurred, please check manually."
-        return 1
-      fi
+      _delete_RecordByID "$i"
    done
  else # Cannot delete or unkown error
-    _err "No record_id found that can be deleted. Please check manually."
-    return 1
+    _info "[KAS] -> No record_id found that can be deleted. Please check manually."
  fi
  return 0
 }

 ########################## PRIVATE FUNCTIONS ###########################
+# Delete Record ID
+_delete_RecordByID() {
+  recId=$1
+  action="delete_dns_settings"
+  kasReqParam="\"record_id\":\"$recId\""
+  response="$(_callAPI "$action" "$kasReqParam")"
+  _debug2 "[KAS] -> Response" "$response"

+  if [ -z "$response" ]; then
+    _info "[KAS] -> Response was empty, please check manually."
+    return 1
+  elif _contains "$response" "<SOAP-ENV:Fault>"; then
+    faultstring="$(echo "$response" | tr -d '\n\r' | sed "s/<faultstring>/\n=> /g" | sed "s/<\/faultstring>/\n/g" | grep "=>" | sed "s/=> //g")"
+    case "${faultstring}" in
+    "record_id_not_found")
+      _info "[KAS] -> The record was not found, which perhaps is not a problem. Please check manually."
+      ;;
+    *)
+      _err "[KAS] -> An error =>$faultstring<= occurred, please check manually."
+      return 1
+      ;;
+    esac
+  elif ! _contains "$response" "<item><key xsi:type=\"xsd:string\">ReturnString</key><value xsi:type=\"xsd:string\">TRUE</value></item>"; then
+    _err "[KAS] -> An unknown error occurred, please check manually."
+    return 1
+  fi
+}
 # Checks for the ENV variables and saves them
 _check_and_save() {
  KAS_Login="${KAS_Login:-$(_readaccountconf_mutable KAS_Login)}"
@@ -107,7 +154,7 @@ _check_and_save() {
    KAS_Login=
    KAS_Authtype=
    KAS_Authdata=
-    _err "No auth details provided. Please set user credentials using the \$KAS_Login, \$KAS_Authtype, and \$KAS_Authdata environment variables."
+    _err "[KAS] -> No auth details provided. Please set user credentials using the \$KAS_Login, \$KAS_Authtype, and \$KAS_Authdata environment variables."
    return 1
  fi
  _saveaccountconf_mutable KAS_Login "$KAS_Login"
@@ -119,50 +166,116 @@ _check_and_save() {
 # Gets back the base domain/zone and record name.
 # See: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide
 _get_zone_and_record_name() {
-  params="?kas_login=$KAS_Login"
-  params="?kas_login=$KAS_Login"
-  params="$params&kas_auth_type=$KAS_Authtype"
-  params="$params&kas_auth_data=$KAS_Authdata"
-  params="$params&kas_action=get_domains"
+  action="get_domains"
+  response="$(_callAPI "$action")"
+  _debug2 "[KAS] -> Response" "$response"

-  _debug2 "Wait for 10 seconds by default before calling KAS API."
-  _sleep 10
-  response="$(_get "$KAS_Api$params")"
-  _debug2 "response" "$response"
-  _zonen="$(echo "$response" | tr -d "\n\r" | tr -d " " | tr '[]' '<>' | sed "s/=>Array/\n=> Array/g" | tr ' ' '\n' | grep "domain_name" | tr '<' '\n' | grep "domain_name" | sed "s/domain_name>=>//g")"
-  _domain="$1"
-  _temp_domain="$(echo "$1" | sed 's/\.$//')"
-  _rootzone="$_domain"
-  for i in $_zonen; do
-    l1=${#_rootzone}
+  if [ -z "$response" ]; then
+    _info "[KAS] -> Response was empty, please check manually."
+    return 1
+  elif _contains "$response" "<SOAP-ENV:Fault>"; then
+    faultstring="$(echo "$response" | tr -d '\n\r' | sed "s/<faultstring>/\n=> /g" | sed "s/<\/faultstring>/\n/g" | grep "=>" | sed "s/=> //g")"
+    _err "[KAS] -> Either no domains were found or another error =>$faultstring<= occurred, please check manually."
+    return 1
+  fi
+
+  zonen="$(echo "$response" | sed 's/<item>/\n/g' | sed -r 's/(.*<key xsi:type="xsd:string">domain_name<\/key><value xsi:type="xsd:string">)(.*)(<\/value.*)/\2/' | sed '/^</d')"
+  domain="$1"
+  temp_domain="$(echo "$1" | sed 's/\.$//')"
+  rootzone="$domain"
+  for i in $zonen; do
+    l1=${#rootzone}
    l2=${#i}
-    if _endswith "$_domain" "$i" && [ "$l1" -ge "$l2" ]; then
-      _rootzone="$i"
+    if _endswith "$domain" "$i" && [ "$l1" -ge "$l2" ]; then
+      rootzone="$i"
    fi
  done
-  _zone="${_rootzone}."
-  _temp_record_name="$(echo "$_temp_domain" | sed "s/$_rootzone//g")"
-  _record_name="$(echo "$_temp_record_name" | sed 's/\.$//')"
-  _debug2 "Zone:" "$_zone"
-  _debug2 "Domain:" "$_domain"
-  _debug2 "Record_Name:" "$_record_name"
+  _zone="${rootzone}."
+  temp_record_name="$(echo "$temp_domain" | sed "s/$rootzone//g")"
+  _record_name="$(echo "$temp_record_name" | sed 's/\.$//')"
+  _debug "[KAS] -> Zone:" "$_zone"
+  _debug "[KAS] -> Domain:" "$domain"
+  _debug "[KAS] -> Record_Name:" "$_record_name"
  return 0
 }

 # Retrieve the DNS record ID
 _get_record_id() {
-  params="?kas_login=$KAS_Login"
-  params="$params&kas_auth_type=$KAS_Authtype"
-  params="$params&kas_auth_data=$KAS_Authdata"
-  params="$params&kas_action=get_dns_settings"
-  params="$params&var1=zone_host"
-  params="$params&wert1=$_zone"
+  action="get_dns_settings"
+  kasReqParam="\"zone_host\":\"$_zone\""
+  response="$(_callAPI "$action" "$kasReqParam")"
+  _debug2 "[KAS] -> Response" "$response"

-  _debug2 "Wait for 10 seconds by default before calling KAS API."
-  _sleep 10
-  response="$(_get "$KAS_Api$params")"
-  _debug2 "response" "$response"
-  _record_id="$(echo "$response" | tr -d "\n\r" | tr -d " " | tr '[]' '<>' | sed "s/=>Array/\n=> Array/g" | tr ' ' '\n' | grep "=>$_record_name<" | grep '>TXT<' | tr '<' '\n' | grep record_id | sed "s/record_id>=>//g")"
-  _debug2 _record_id "$_record_id"
+  if [ -z "$response" ]; then
+    _info "[KAS] -> Response was empty, please check manually."
+    return 1
+  elif _contains "$response" "<SOAP-ENV:Fault>"; then
+    faultstring="$(echo "$response" | tr -d '\n\r' | sed "s/<faultstring>/\n=> /g" | sed "s/<\/faultstring>/\n/g" | grep "=>" | sed "s/=> //g")"
+    _err "[KAS] -> Either no domains were found or another error =>$faultstring<= occurred, please check manually."
+    return 1
+  fi
+
+  _record_id="$(echo "$response" | tr -d '\n\r' | sed "s/<item xsi:type=\"ns2:Map\">/\n/g" | grep -i "$_record_name" | grep -i ">TXT<" | sed "s/<item><key xsi:type=\"xsd:string\">record_id<\/key><value xsi:type=\"xsd:string\">/=>/g" | grep -i "$_txtvalue" | sed "s/<\/value><\/item>/\n/g" | grep "=>" | sed "s/=>//g")"
+  _debug "[KAS] -> Record Id: " "$_record_id"
  return 0
 }
+
+# Retrieve credential token
+_get_credential_token() {
+  baseParamAuth="\"kas_login\":\"$KAS_Login\""
+  baseParamAuth="$baseParamAuth,\"kas_auth_type\":\"$KAS_Authtype\""
+  baseParamAuth="$baseParamAuth,\"kas_auth_data\":\"$KAS_Authdata\""
+  baseParamAuth="$baseParamAuth,\"session_lifetime\":600"
+  baseParamAuth="$baseParamAuth,\"session_update_lifetime\":\"Y\""
+
+  data='<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:xmethodsKasApiAuthentication" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:KasAuth><Params xsi:type="xsd:string">{'
+  data="$data$baseParamAuth}</Params></ns1:KasAuth></SOAP-ENV:Body></SOAP-ENV:Envelope>"
+
+  _debug "[KAS] -> Be friendly and wait $KAS_default_ratelimit seconds by default before calling KAS API."
+  _sleep $KAS_default_ratelimit
+
+  contentType="text/xml"
+  export _H1="SOAPAction: urn:xmethodsKasApiAuthentication#KasAuth"
+  response="$(_post "$data" "$KAS_Auth" "" "POST" "$contentType")"
+  _debug2 "[KAS] -> Response" "$response"
+
+  if [ -z "$response" ]; then
+    _info "[KAS] -> Response was empty, please check manually."
+    return 1
+  elif _contains "$response" "<SOAP-ENV:Fault>"; then
+    faultstring="$(echo "$response" | tr -d '\n\r' | sed "s/<faultstring>/\n=> /g" | sed "s/<\/faultstring>/\n/g" | grep "=>" | sed "s/=> //g")"
+    _err "[KAS] -> Could not retrieve login token or antoher error =>$faultstring<= occurred, please check manually."
+    return 1
+  fi
+
+  _credential_token="$(echo "$response" | tr '\n' ' ' | sed 's/.*return xsi:type="xsd:string">\(.*\)<\/return>/\1/' | sed 's/<\/ns1:KasAuthResponse\(.*\)Envelope>.*//')"
+  _debug "[KAS] -> Credential Token: " "$_credential_token"
+  return 0
+}
+
+_callAPI() {
+  kasaction=$1
+  kasReqParams=$2
+
+  baseParamAuth="\"kas_login\":\"$KAS_Login\""
+  baseParamAuth="$baseParamAuth,\"kas_auth_type\":\"session\""
+  baseParamAuth="$baseParamAuth,\"kas_auth_data\":\"$_credential_token\""
+
+  data='<?xml version="1.0" encoding="UTF-8"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:xmethodsKasApi" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:KasApi><Params xsi:type="xsd:string">{'
+  data="$data$baseParamAuth,\"kas_action\":\"$kasaction\""
+  if [ -n "$kasReqParams" ]; then
+    data="$data,\"KasRequestParams\":{$kasReqParams}"
+  fi
+  data="$data}</Params></ns1:KasApi></SOAP-ENV:Body></SOAP-ENV:Envelope>"
+
+  _debug2 "[KAS] -> Request" "$data"
+
+  _debug "[KAS] -> Be friendly and wait $KAS_default_ratelimit seconds by default before calling KAS API."
+  _sleep $KAS_default_ratelimit
+
+  contentType="text/xml"
+  export _H1="SOAPAction: urn:xmethodsKasApi#KasApi"
+  response="$(_post "$data" "$KAS_Api" "" "POST" "$contentType")"
+  _debug2 "[KAS] -> Response" "$response"
+  echo "$response"
+}
--- a/dnsapi/dns_kinghost.sh
+++ b/dnsapi/dns_kinghost.sh
@@ -2,7 +2,7 @@

 ############################################################
 # KingHost API support                                     #
-# http://api.kinghost.net/doc/                             #
+# https://api.kinghost.net/doc/                             #
 #                                                          #
 # Author: Felipe Keller Braz <felipebraz@kinghost.com.br>  #
 # Report Bugs here: https://github.com/kinghost/acme.sh    #
--- a/dnsapi/dns_la.sh
+++ b/dnsapi/dns_la.sh
@@ -0,0 +1,147 @@
+#!/usr/bin/env sh
+
+#LA_Id="test123"
+#LA_Key="d1j2fdo4dee3948"
+
+LA_Api="https://api.dns.la/api"
+
+########  Public functions #####################
+
+#Usage: dns_la_add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_la_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  LA_Id="${LA_Id:-$(_readaccountconf_mutable LA_Id)}"
+  LA_Key="${LA_Key:-$(_readaccountconf_mutable LA_Key)}"
+
+  if [ -z "$LA_Id" ] || [ -z "$LA_Key" ]; then
+    LA_Id=""
+    LA_Key=""
+    _err "You didn't specify a dnsla api id and key yet."
+    return 1
+  fi
+
+  #save the api key and email to the account conf file.
+  _saveaccountconf_mutable LA_Id "$LA_Id"
+  _saveaccountconf_mutable LA_Key "$LA_Key"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _domain_id "$_domain_id"
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _info "Adding record"
+  if _la_rest "record.ashx?cmd=create&apiid=$LA_Id&apipass=$LA_Key&rtype=json&domainid=$_domain_id&host=$_sub_domain&recordtype=TXT&recorddata=$txtvalue&recordline="; then
+    if _contains "$response" '"resultid":'; then
+      _info "Added, OK"
+      return 0
+    elif _contains "$response" '"code":532'; then
+      _info "Already exists, OK"
+      return 0
+    else
+      _err "Add txt record error."
+      return 1
+    fi
+  fi
+  _err "Add txt record error."
+  return 1
+
+}
+
+#fulldomain txtvalue
+dns_la_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  LA_Id="${LA_Id:-$(_readaccountconf_mutable LA_Id)}"
+  LA_Key="${LA_Key:-$(_readaccountconf_mutable LA_Key)}"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _domain_id "$_domain_id"
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _debug "Getting txt records"
+  if ! _la_rest "record.ashx?cmd=listn&apiid=$LA_Id&apipass=$LA_Key&rtype=json&domainid=$_domain_id&domain=$_domain&host=$_sub_domain&recordtype=TXT&recorddata=$txtvalue"; then
+    _err "Error"
+    return 1
+  fi
+
+  if ! _contains "$response" '"recordid":'; then
+    _info "Don't need to remove."
+    return 0
+  fi
+
+  record_id=$(printf "%s" "$response" | grep '"recordid":' | cut -d : -f 2 | cut -d , -f 1 | tr -d '\r' | tr -d '\n')
+  _debug "record_id" "$record_id"
+  if [ -z "$record_id" ]; then
+    _err "Can not get record id to remove."
+    return 1
+  fi
+  if ! _la_rest "record.ashx?cmd=remove&apiid=$LA_Id&apipass=$LA_Key&rtype=json&domainid=$_domain_id&domain=$_domain&recordid=$record_id"; then
+    _err "Delete record error."
+    return 1
+  fi
+  _contains "$response" '"code":300'
+
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+  domain=$1
+  i=1
+  p=1
+
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    if [ -z "$h" ]; then
+      #not valid
+      return 1
+    fi
+
+    if ! _la_rest "domain.ashx?cmd=get&apiid=$LA_Id&apipass=$LA_Key&rtype=json&domain=$h"; then
+      return 1
+    fi
+
+    if _contains "$response" '"domainid":'; then
+      _domain_id=$(printf "%s" "$response" | grep '"domainid":' | cut -d : -f 2 | cut -d , -f 1 | tr -d '\r' | tr -d '\n')
+      if [ "$_domain_id" ]; then
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _domain="$h"
+        return 0
+      fi
+      return 1
+    fi
+    p="$i"
+    i=$(_math "$i" + 1)
+  done
+  return 1
+}
+
+#Usage:  URI
+_la_rest() {
+  url="$LA_Api/$1"
+  _debug "$url"
+
+  if ! response="$(_get "$url" | tr -d ' ' | tr "}" ",")"; then
+    _err "Error: $url"
+    return 1
+  fi
+
+  _debug2 response "$response"
+  return 0
+}
--- a/dnsapi/dns_leaseweb.sh
+++ b/dnsapi/dns_leaseweb.sh
@@ -3,10 +3,10 @@
 #Author: Rolph Haspers <r.haspers@global.leaseweb.com>
 #Utilize leaseweb.com API to finish dns-01 verifications.
 #Requires a Leaseweb API Key (export LSW_Key="Your Key")
-#See http://developer.leaseweb.com for more information.
+#See https://developer.leaseweb.com for more information.
 ########  Public functions #####################

-LSW_API="https://api.leaseweb.com/hosting/v2/domains/"
+LSW_API="https://api.leaseweb.com/hosting/v2/domains"

 #Usage: dns_leaseweb_add   _acme-challenge.www.domain.com
 dns_leaseweb_add() {
--- a/dnsapi/dns_loopia.sh
+++ b/dnsapi/dns_loopia.sh
@@ -107,7 +107,7 @@ _loopia_load_config() {
  fi

  if _contains "$LOOPIA_Password" "'" || _contains "$LOOPIA_Password" '"'; then
-    _err "Password contains quoute or double quoute and this is not supported by dns_loopia.sh"
+    _err "Password contains a quotation mark or double quotation marks and this is not supported by dns_loopia.sh"
    return 1
  fi

--- a/dnsapi/dns_miab.sh
+++ b/dnsapi/dns_miab.sh
@@ -163,6 +163,7 @@ _retrieve_miab_env() {
  _saveaccountconf_mutable MIAB_Username "$MIAB_Username"
  _saveaccountconf_mutable MIAB_Password "$MIAB_Password"
  _saveaccountconf_mutable MIAB_Server "$MIAB_Server"
+  return 0
 }

 #Useage: _miab_rest  "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"  "custom/_acme-challenge.www.domain.com/txt  "POST"
--- a/dnsapi/dns_mydnsjp.sh
+++ b/dnsapi/dns_mydnsjp.sh
@@ -150,7 +150,7 @@ _get_root() {
 _mydnsjp_retrieve_domain() {
  _debug "Login to MyDNS.JP"

-  response="$(_post "masterid=$MYDNSJP_MasterID&masterpwd=$MYDNSJP_Password" "$MYDNSJP_API/?MENU=100")"
+  response="$(_post "MENU=100&masterid=$MYDNSJP_MasterID&masterpwd=$MYDNSJP_Password" "$MYDNSJP_API/members/")"
  cookie="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2)"

  # If cookies is not empty then logon successful
@@ -159,22 +159,8 @@ _mydnsjp_retrieve_domain() {
    return 1
  fi

-  _debug "Retrieve DOMAIN INFO page"
-
-  export _H1="Cookie:${cookie}"
-
-  response="$(_get "$MYDNSJP_API/?MENU=300")"
-
-  if [ "$?" != "0" ]; then
-    _err "Fail to retrieve DOMAIN INFO."
-    return 1
-  fi
-
  _root_domain=$(echo "$response" | grep "DNSINFO\[domainname\]" | sed 's/^.*value="\([^"]*\)".*/\1/')

-  # Logout
-  response="$(_get "$MYDNSJP_API/?MENU=090")"
-
  _debug _root_domain "$_root_domain"

  if [ -z "$_root_domain" ]; then
--- a/dnsapi/dns_namecheap.sh
+++ b/dnsapi/dns_namecheap.sh
@@ -82,7 +82,7 @@ _get_root() {
    _debug "Failed domain lookup via domains.getList api call. Trying domain lookup via domains.dns.getHosts api."
    # The above "getList" api will only return hosts *owned* by the calling user. However, if the calling
    # user is not the owner, but still has administrative rights, we must query the getHosts api directly.
-    # See this comment and the official namecheap response: http://disq.us/p/1q6v9x9
+    # See this comment and the official namecheap response: https://disq.us/p/1q6v9x9
    if ! _get_root_by_getHosts "$fulldomain"; then
      return 1
    fi
@@ -259,7 +259,7 @@ _set_namecheap_TXT() {
  _debug hosts "$hosts"

  if [ -z "$hosts" ]; then
-    _error "Hosts not found"
+    _err "Hosts not found"
    return 1
  fi

@@ -313,7 +313,7 @@ _del_namecheap_TXT() {
  _debug hosts "$hosts"

  if [ -z "$hosts" ]; then
-    _error "Hosts not found"
+    _err "Hosts not found"
    return 1
  fi

--- a/dnsapi/dns_namesilo.sh
+++ b/dnsapi/dns_namesilo.sh
@@ -110,7 +110,7 @@ _get_root() {
      return 1
    fi

-    if _contains "$response" "<domain>$host"; then
+    if _contains "$response" ">$host</domain>"; then
      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
      _domain="$host"
      return 0
--- a/dnsapi/dns_nanelo.sh
+++ b/dnsapi/dns_nanelo.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env sh
+
+# Official DNS API for Nanelo.com
+
+# Provide the required API Key like this:
+# NANELO_TOKEN="FmD408PdqT1E269gUK57"
+
+NANELO_API="https://api.nanelo.com/v1/"
+
+########  Public functions #####################
+
+# Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_nanelo_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}"
+  if [ -z "$NANELO_TOKEN" ]; then
+    NANELO_TOKEN=""
+    _err "You didn't configure a Nanelo API Key yet."
+    _err "Please set NANELO_TOKEN and try again."
+    _err "Login to Nanelo.com and go to Settings > API Keys to get a Key"
+    return 1
+  fi
+  _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN"
+
+  _info "Adding TXT record to ${fulldomain}"
+  response="$(_get "$NANELO_API$NANELO_TOKEN/dns/addrecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")"
+  if _contains "${response}" 'success'; then
+    return 0
+  fi
+  _err "Could not create resource record, please check the logs"
+  _err "${response}"
+  return 1
+}
+
+dns_nanelo_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  NANELO_TOKEN="${NANELO_TOKEN:-$(_readaccountconf_mutable NANELO_TOKEN)}"
+  if [ -z "$NANELO_TOKEN" ]; then
+    NANELO_TOKEN=""
+    _err "You didn't configure a Nanelo API Key yet."
+    _err "Please set NANELO_TOKEN and try again."
+    _err "Login to Nanelo.com and go to Settings > API Keys to get a Key"
+    return 1
+  fi
+  _saveaccountconf_mutable NANELO_TOKEN "$NANELO_TOKEN"
+
+  _info "Deleting resource record $fulldomain"
+  response="$(_get "$NANELO_API$NANELO_TOKEN/dns/deleterecord?type=TXT&ttl=60&name=${fulldomain}&value=${txtvalue}")"
+  if _contains "${response}" 'success'; then
+    return 0
+  fi
+  _err "Could not delete resource record, please check the logs"
+  _err "${response}"
+  return 1
+}
--- a/dnsapi/dns_nederhost.sh
+++ b/dnsapi/dns_nederhost.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh

-#NederHost_Key="sdfgikogfdfghjklkjhgfcdcfghjk"
+#NederHost_Key="sdfgikogfdfghjklkjhgfcdcfghj"

 NederHost_Api="https://api.nederhost.nl/dns/v1"

@@ -112,12 +112,8 @@ _nederhost_rest() {
  export _H1="Authorization: Bearer $NederHost_Key"
  export _H2="Content-Type: application/json"

-  if [ "$m" != "GET" ]; then
-    _debug data "$data"
-    response="$(_post "$data" "$NederHost_Api/$ep" "" "$m")"
-  else
-    response="$(_get "$NederHost_Api/$ep")"
-  fi
+  _debug data "$data"
+  response="$(_post "$data" "$NederHost_Api/$ep" "" "$m")"

  _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
  _debug "http response code $_code"
--- a/dnsapi/dns_netlify.sh
+++ b/dnsapi/dns_netlify.sh
@@ -18,15 +18,15 @@ dns_netlify_add() {
    NETLIFY_ACCESS_TOKEN=""
    _err "Please specify your Netlify Access Token and try again."
    return 1
+  else
+    _saveaccountconf_mutable NETLIFY_ACCESS_TOKEN "$NETLIFY_ACCESS_TOKEN"
  fi

  _info "Using Netlify"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"

-  _saveaccountconf_mutable NETLIFY_ACCESS_TOKEN "$NETLIFY_ACCESS_TOKEN"
-
-  if ! _get_root "$fulldomain" "$accesstoken"; then
+  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
@@ -62,9 +62,9 @@ dns_netlify_rm() {
  _debug txtdomain "$txtdomain"
  _debug txt "$txt"

-  _saveaccountconf_mutable NETLIFY_ACCESS_TOKEN "$NETLIFY_ACCESS_TOKEN"
+  NETLIFY_ACCESS_TOKEN="${NETLIFY_ACCESS_TOKEN:-$(_readaccountconf_mutable NETLIFY_ACCESS_TOKEN)}"

-  if ! _get_root "$txtdomain" "$accesstoken"; then
+  if ! _get_root "$txtdomain"; then
    _err "invalid domain"
    return 1
  fi
--- a/dnsapi/dns_oci.sh
+++ b/dnsapi/dns_oci.sh
@@ -159,7 +159,7 @@ _oci_config() {
  fi

  if [ "$(printf "%s\n" "$OCI_CLI_KEY" | wc -l)" -eq 1 ]; then
-    OCI_CLI_KEY=$(printf "%s" "$OCI_CLI_KEY" | _dbase64 multiline)
+    OCI_CLI_KEY=$(printf "%s" "$OCI_CLI_KEY" | _dbase64)
  fi

  return 0
@@ -265,6 +265,7 @@ _signed_request() {
    _response="$(_get "https://${_sig_host}${_sig_target}")"
  elif [ "$_curl_method" = "PATCH" ]; then
    export _H1="$_date_header"
+    # shellcheck disable=SC2090
    export _H2="$_sig_body_sha256"
    export _H3="$_sig_body_type"
    export _H4="$_sig_body_length"
--- a/dnsapi/dns_openstack.sh
+++ b/dnsapi/dns_openstack.sh
@@ -57,16 +57,16 @@ _dns_openstack_create_recordset() {

  if [ -z "$_recordset_id" ]; then
    _info "Creating a new recordset"
-    if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record "$txtvalue" "$_zone_id" "$fulldomain."); then
+    if ! _recordset_id=$(openstack recordset create -c id -f value --type TXT --record="$txtvalue" "$_zone_id" "$fulldomain."); then
      _err "No recordset ID found after create"
      return 1
    fi
  else
    _info "Updating existing recordset"
-    # Build new list of --record <rec> args for update
-    _record_args="--record $txtvalue"
+    # Build new list of --record=<rec> args for update
+    _record_args="--record=$txtvalue"
    for _rec in $_records; do
-      _record_args="$_record_args --record $_rec"
+      _record_args="$_record_args --record=$_rec"
    done
    # shellcheck disable=SC2086
    if ! _recordset_id=$(openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain."); then
@@ -107,13 +107,13 @@ _dns_openstack_delete_recordset() {
    fi
  else
    _info "Found existing records, updating recordset"
-    # Build new list of --record <rec> args for update
+    # Build new list of --record=<rec> args for update
    _record_args=""
    for _rec in $_records; do
      if [ "$_rec" = "$txtvalue" ]; then
        continue
      fi
-      _record_args="$_record_args --record $_rec"
+      _record_args="$_record_args --record=$_rec"
    done
    # shellcheck disable=SC2086
    if ! openstack recordset set -c id -f value $_record_args "$_zone_id" "$fulldomain." >/dev/null; then
--- a/dnsapi/dns_opnsense.sh
+++ b/dnsapi/dns_opnsense.sh
@@ -137,7 +137,7 @@ _get_root() {
  domain=$1
  i=2
  p=1
-  if _opns_rest "GET" "/domain/get"; then
+  if _opns_rest "GET" "/domain/searchPrimaryDomain"; then
    _domain_response="$response"
  else
    return 1
@@ -150,7 +150,7 @@ _get_root() {
      return 1
    fi
    _debug h "$h"
-    id=$(echo "$_domain_response" | _egrep_o "\"[^\"]*\":{\"enabled\":\"1\",\"type\":{\"master\":{\"value\":\"master\",\"selected\":1},\"slave\":{\"value\":\"slave\",\"selected\":0}},\"masterip\":{\"[^\"]*\":{[^}]*}},\"transferkeyalgo\":{[^{]*{[^{]*{[^{]*{[^{]*{[^{]*{[^{]*{[^{]*{[^}]*}},\"transferkey\":\"[^\"]*\"(,\"allownotifyslave\":{\"\":{[^}]*}},|,)\"domainname\":\"${h}\"" | cut -d ':' -f 1 | cut -d '"' -f 2)
+    id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
    if [ -n "$id" ]; then
      _debug id "$id"
      _host=$(printf "%s" "$domain" | cut -d . -f 1-$p)
--- a/dnsapi/dns_ovh.sh
+++ b/dnsapi/dns_ovh.sh
@@ -14,6 +14,9 @@
 #'ovh-eu'
 OVH_EU='https://eu.api.ovh.com/1.0'

+#'ovh-us'
+OVH_US='https://api.us.ovhcloud.com/1.0'
+
 #'ovh-ca':
 OVH_CA='https://ca.api.ovh.com/1.0'

@@ -29,9 +32,6 @@ SYS_EU='https://eu.api.soyoustart.com/1.0'
 #'soyoustart-ca'
 SYS_CA='https://ca.api.soyoustart.com/1.0'

-#'runabove-ca'
-RAV_CA='https://api.runabove.com/1.0'
-
 wiki="https://github.com/acmesh-official/acme.sh/wiki/How-to-use-OVH-domain-api"

 ovh_success="https://github.com/acmesh-official/acme.sh/wiki/OVH-Success"
@@ -45,6 +45,10 @@ _ovh_get_api() {
    printf "%s" $OVH_EU
    return
    ;;
+  ovh-us | ovhus)
+    printf "%s" $OVH_US
+    return
+    ;;
  ovh-ca | ovhca)
    printf "%s" $OVH_CA
    return
@@ -65,14 +69,15 @@ _ovh_get_api() {
    printf "%s" $SYS_CA
    return
    ;;
-  runabove-ca | runaboveca)
-    printf "%s" $RAV_CA
+  # raw API url starts with https://
+  https*)
+    printf "%s" "$1"
    return
    ;;

  *)

-    _err "Unknown parameter : $1"
+    _err "Unknown endpoint : $1"
    return 1
    ;;
  esac
@@ -92,7 +97,7 @@ _initAuth() {

  if [ "$OVH_AK" != "$(_readaccountconf OVH_AK)" ]; then
    _info "It seems that your ovh key is changed, let's clear consumer key first."
-    _clearaccountconf OVH_CK
+    _clearaccountconf_mutable OVH_CK
  fi
  _saveaccountconf_mutable OVH_AK "$OVH_AK"
  _saveaccountconf_mutable OVH_AS "$OVH_AS"
@@ -118,13 +123,14 @@ _initAuth() {
    #return and wait for retry.
    return 1
  fi
+  _saveaccountconf_mutable OVH_CK "$OVH_CK"

  _info "Checking authentication"

  if ! _ovh_rest GET "domain" || _contains "$response" "INVALID_CREDENTIAL" || _contains "$response" "NOT_CREDENTIAL"; then
    _err "The consumer key is invalid: $OVH_CK"
    _err "Please retry to create a new one."
-    _clearaccountconf OVH_CK
+    _clearaccountconf_mutable OVH_CK
    return 1
  fi
  _info "Consumer key is ok."
@@ -235,8 +241,7 @@ _ovh_authentication() {
  _secure_debug consumerKey "$consumerKey"

  OVH_CK="$consumerKey"
-  _saveaccountconf OVH_CK "$OVH_CK"
-
+  _saveaccountconf_mutable OVH_CK "$OVH_CK"
  _info "Please open this link to do authentication: $(__green "$validationUrl")"

  _info "Here is a guide for you: $(__green "$wiki")"
--- a/dnsapi/dns_pleskxml.sh
+++ b/dnsapi/dns_pleskxml.sh
@@ -41,11 +41,15 @@ pleskxml_init_checks_done=0
 NEWLINE='\
 '

-pleskxml_tplt_get_domains="<packet><customer><get-domain-list><filter/></get-domain-list></customer></packet>"
+pleskxml_tplt_get_domains="<packet><webspace><get><filter/><dataset><gen_info/></dataset></get></webspace></packet>"
 # Get a list of domains that PLESK can manage, so we can check root domain + host for acme.sh
 # Also used to test credentials and URI.
 # No params.

+pleskxml_tplt_get_additional_domains="<packet><site><get><filter/><dataset><gen_info/></dataset></get></site></packet>"
+# Get a list of additional domains that PLESK can manage, so we can check root domain + host for acme.sh
+# No params.
+
 pleskxml_tplt_get_dns_records="<packet><dns><get_rec><filter><site-id>%s</site-id></filter></get_rec></dns></packet>"
 # Get all DNS records for a Plesk domain ID.
 # PARAM = Plesk domain id to query
@@ -145,22 +149,25 @@ dns_pleskxml_rm() {
  )"

  if [ -z "$reclist" ]; then
-    _err "No TXT records found for root domain ${root_domain_name} (Plesk domain ID ${root_domain_id}). Exiting."
+    _err "No TXT records found for root domain $fulldomain (Plesk domain ID ${root_domain_id}). Exiting."
    return 1
  fi

-  _debug "Got list of DNS TXT records for root domain '$root_domain_name':"
+  _debug "Got list of DNS TXT records for root Plesk domain ID ${root_domain_id} of root domain $fulldomain:"
  _debug "$reclist"

+  # Extracting the id of the TXT record for the full domain (NOT case-sensitive) and corresponding value
  recid="$(
    _value "$reclist" |
-      grep "<host>${fulldomain}.</host>" |
+      grep -i "<host>${fulldomain}.</host>" |
      grep "<value>${txtvalue}</value>" |
      sed 's/^.*<id>\([0-9]\{1,\}\)<\/id>.*$/\1/'
  )"

+  _debug "Got id from line: $recid"
+
  if ! _value "$recid" | grep '^[0-9]\{1,\}$' >/dev/null; then
-    _err "DNS records for root domain '${root_domain_name}' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'"
+    _err "DNS records for root domain '${fulldomain}.' (Plesk ID ${root_domain_id}) + host '${sub_domain_name}' do not contain the TXT record '${txtvalue}'"
    _err "Cannot delete TXT record. Exiting."
    return 1
  fi
@@ -251,9 +258,12 @@ _call_api() {

  # Detect any <status> that isn't "ok". None of the used calls should fail if the API is working correctly.
  # Also detect if there simply aren't any status lines (null result?) and report that, as well.
+  # Remove <data></data> structure from result string, since it might contain <status> values that are related to the status of the domain and not to the API request

-  statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *<status>[^<]*</status> *$')"
-  statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | grep -c '^ *<status>ok</status> *$')"
+  statuslines_count_total="$(echo "$pleskxml_prettyprint_result" | sed '/<data>/,/<\/data>/d' | grep -c '^ *<status>[^<]*</status> *$')"
+  statuslines_count_okay="$(echo "$pleskxml_prettyprint_result" | sed '/<data>/,/<\/data>/d' | grep -c '^ *<status>ok</status> *$')"
+  _debug "statuslines_count_total=$statuslines_count_total."
+  _debug "statuslines_count_okay=$statuslines_count_okay."

  if [ -z "$statuslines_count_total" ]; then

@@ -369,16 +379,44 @@ _pleskxml_get_root_domain() {
    return 1
  fi

-  # Generate a crude list of domains known to this Plesk account.
+  # Generate a crude list of domains known to this Plesk account based on subscriptions.
  # We convert <ascii-name> tags to <name> so it'll flag on a hit with either <name> or <ascii-name> fields,
  # for non-Western character sets.
  # Output will be one line per known domain, containing 2 <name> tages and a single <id> tag
  # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned.

-  output="$(_api_response_split "$pleskxml_prettyprint_result" 'domain' '<type>domain</type>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
+  output="$(_api_response_split "$pleskxml_prettyprint_result" 'result' '<status>ok</status>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
+  debug_output="$(printf "%s" "$output" | sed -n 's:.*<name>\(.*\)</name>.*:\1:p')"

-  _debug 'Domains managed by Plesk server are (ignore the hacked output):'
-  _debug "$output"
+  _debug 'Domains managed by Plesk server are:'
+  _debug "$debug_output"
+
+  _debug "Querying Plesk server for list of additional managed domains..."
+
+  _call_api "$pleskxml_tplt_get_additional_domains"
+  if [ "$pleskxml_retcode" -ne 0 ]; then
+    return 1
+  fi
+
+  # Generate a crude list of additional domains known to this Plesk account based on sites.
+  # We convert <ascii-name> tags to <name> so it'll flag on a hit with either <name> or <ascii-name> fields,
+  # for non-Western character sets.
+  # Output will be one line per known domain, containing 2 <name> tages and a single <id> tag
+  # We don't actually need to check for type, name, *and* id, but it guarantees only usable lines are returned.
+
+  output_additional="$(_api_response_split "$pleskxml_prettyprint_result" 'result' '<status>ok</status>' | sed 's/<ascii-name>/<name>/g;s/<\/ascii-name>/<\/name>/g' | grep '<name>' | grep '<id>')"
+  debug_additional="$(printf "%s" "$output_additional" | sed -n 's:.*<name>\(.*\)</name>.*:\1:p')"
+
+  _debug 'Additional domains managed by Plesk server are:'
+  _debug "$debug_additional"
+
+  # Concate the two outputs together.
+
+  output="$(printf "%s" "$output $NEWLINE $output_additional")"
+  debug_output="$(printf "%s" "$output" | sed -n 's:.*<name>\(.*\)</name>.*:\1:p')"
+
+  _debug 'Domains (including additional) managed by Plesk server are:'
+  _debug "$debug_output"

  # loop and test if domain, or any parent domain, is managed by Plesk
  # Loop until we don't have any '.' in the string we're testing as a candidate Plesk-managed domain
--- a/dnsapi/dns_rage4.sh
+++ b/dnsapi/dns_rage4.sh
@@ -0,0 +1,115 @@
+#!/usr/bin/env sh
+
+#
+#RAGE4_TOKEN="sdfsdfsdfljlbjkljlkjsdfoiwje"
+#
+#RAGE4_USERNAME="xxxx@sss.com"
+
+RAGE4_Api="https://rage4.com/rapi/"
+
+########  Public functions #####################
+
+#Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_rage4_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  unquotedtxtvalue=$(echo "$txtvalue" | tr -d \")
+
+  RAGE4_USERNAME="${RAGE4_USERNAME:-$(_readaccountconf_mutable RAGE4_USERNAME)}"
+  RAGE4_TOKEN="${RAGE4_TOKEN:-$(_readaccountconf_mutable RAGE4_TOKEN)}"
+
+  if [ -z "$RAGE4_USERNAME" ] || [ -z "$RAGE4_TOKEN" ]; then
+    RAGE4_USERNAME=""
+    RAGE4_TOKEN=""
+    _err "You didn't specify a Rage4 api token and username yet."
+    return 1
+  fi
+
+  #save the api key and email to the account conf file.
+  _saveaccountconf_mutable RAGE4_USERNAME "$RAGE4_USERNAME"
+  _saveaccountconf_mutable RAGE4_TOKEN "$RAGE4_TOKEN"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _domain_id "$_domain_id"
+
+  _rage4_rest "createrecord/?id=$_domain_id&name=$fulldomain&content=$unquotedtxtvalue&type=TXT&active=true&ttl=1"
+  return 0
+}
+
+#fulldomain txtvalue
+dns_rage4_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  RAGE4_USERNAME="${RAGE4_USERNAME:-$(_readaccountconf_mutable RAGE4_USERNAME)}"
+  RAGE4_TOKEN="${RAGE4_TOKEN:-$(_readaccountconf_mutable RAGE4_TOKEN)}"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _domain_id "$_domain_id"
+
+  _debug "Getting txt records"
+  _rage4_rest "getrecords/?id=${_domain_id}"
+
+  _record_id=$(echo "$response" | sed -rn 's/.*"id":([[:digit:]]+)[^\}]*'"$txtvalue"'.*/\1/p')
+  _rage4_rest "deleterecord/?id=${_record_id}"
+  return 0
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+  domain=$1
+
+  if ! _rage4_rest "getdomains"; then
+    return 1
+  fi
+  _debug _get_root_domain "$domain"
+
+  for line in $(echo "$response" | tr '}' '\n'); do
+    __domain=$(echo "$line" | sed -rn 's/.*"name":"([^"]*)",.*/\1/p')
+    __domain_id=$(echo "$line" | sed -rn 's/.*"id":([^,]*),.*/\1/p')
+    if [ "$domain" != "${domain%"$__domain"*}" ]; then
+      _domain_id="$__domain_id"
+      break
+    fi
+  done
+
+  if [ -z "$_domain_id" ]; then
+    return 1
+  fi
+
+  return 0
+}
+
+_rage4_rest() {
+  ep="$1"
+  _debug "$ep"
+
+  username_trimmed=$(echo "$RAGE4_USERNAME" | tr -d '"')
+  token_trimmed=$(echo "$RAGE4_TOKEN" | tr -d '"')
+  auth=$(printf '%s:%s' "$username_trimmed" "$token_trimmed" | _base64)
+
+  export _H1="Content-Type: application/json"
+  export _H2="Authorization: Basic $auth"
+
+  response="$(_get "$RAGE4_Api$ep")"
+
+  if [ "$?" != "0" ]; then
+    _err "error $ep"
+    return 1
+  fi
+  _debug2 response "$response"
+  return 0
+}
--- a/dnsapi/dns_regru.sh
+++ b/dnsapi/dns_regru.sh
@@ -92,10 +92,10 @@ _get_root() {
  domains_list=$(echo "${response}" | grep dname | sed -r "s/.*dname=\"([^\"]+)\".*/\\1/g")

  for ITEM in ${domains_list}; do
-    IDN_ITEM="$(_idn "${ITEM}")"
+    IDN_ITEM=${ITEM}
    case "${domain}" in
    *${IDN_ITEM}*)
-      _domain=${IDN_ITEM}
+      _domain="$(_idn "${ITEM}")"
      _debug _domain "${_domain}"
      return 0
      ;;
--- a/dnsapi/dns_selectel.sh
+++ b/dnsapi/dns_selectel.sh
@@ -76,7 +76,7 @@ dns_selectel_rm() {
    return 1
  fi

-  _record_seg="$(echo "$response" | _egrep_o "\"content\" *: *\"$txtvalue\"[^}]*}")"
+  _record_seg="$(echo "$response" | _egrep_o "[^{]*\"content\" *: *\"$txtvalue\"[^}]*}")"
  _debug2 "_record_seg" "$_record_seg"
  if [ -z "$_record_seg" ]; then
    _err "can not find _record_seg"
@@ -120,7 +120,7 @@ _get_root() {
      return 1
    fi

-    if _contains "$response" "\"name\": \"$h\","; then
+    if _contains "$response" "\"name\" *: *\"$h\","; then
      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
      _domain=$h
      _debug "Getting domain id for $h"
--- a/dnsapi/dns_selfhost.sh
+++ b/dnsapi/dns_selfhost.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env sh
+#
+#       Author: Marvin Edeler
+#       Report Bugs here: https://github.com/Marvo2011/acme.sh/issues/1
+#	Last Edit: 17.02.2022
+
+dns_selfhost_add() {
+  fulldomain=$1
+  txt=$2
+  _info "Calling acme-dns on selfhost"
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txt"
+
+  SELFHOSTDNS_UPDATE_URL="https://selfhost.de/cgi-bin/api.pl"
+
+  # Get values, but don't save until we successfully validated
+  SELFHOSTDNS_USERNAME="${SELFHOSTDNS_USERNAME:-$(_readaccountconf_mutable SELFHOSTDNS_USERNAME)}"
+  SELFHOSTDNS_PASSWORD="${SELFHOSTDNS_PASSWORD:-$(_readaccountconf_mutable SELFHOSTDNS_PASSWORD)}"
+  # These values are domain dependent, so read them from there
+  SELFHOSTDNS_MAP="${SELFHOSTDNS_MAP:-$(_readdomainconf SELFHOSTDNS_MAP)}"
+  # Selfhost api can't dynamically add TXT record,
+  # so we have to store the last used RID of the domain to support a second RID for wildcard domains
+  # (format: 'fulldomainA:lastRid fulldomainB:lastRid ...')
+  SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(_readdomainconf SELFHOSTDNS_MAP_LAST_USED_INTERNAL)
+
+  if [ -z "${SELFHOSTDNS_USERNAME:-}" ] || [ -z "${SELFHOSTDNS_PASSWORD:-}" ]; then
+    _err "SELFHOSTDNS_USERNAME and SELFHOSTDNS_PASSWORD must be set"
+    return 1
+  fi
+
+  # get the domain entry from SELFHOSTDNS_MAP
+  # only match full domains (at the beginning of the string or with a leading whitespace),
+  # e.g. don't match mytest.example.com or sub.test.example.com for test.example.com
+  # if the domain is defined multiple times only the last occurance will be matched
+  mapEntry=$(echo "$SELFHOSTDNS_MAP" | sed -n -E "s/(^|^.*[[:space:]])($fulldomain)(:[[:digit:]]+)([:]?[[:digit:]]*)(.*)/\2\3\4/p")
+  _debug2 mapEntry "$mapEntry"
+  if test -z "$mapEntry"; then
+    _err "SELFHOSTDNS_MAP must contain the fulldomain incl. prefix and at least one RID"
+    return 1
+  fi
+
+  # get the RIDs from the map entry
+  rid1=$(echo "$mapEntry" | cut -d: -f2)
+  rid2=$(echo "$mapEntry" | cut -d: -f3)
+
+  # read last used rid domain
+  lastUsedRidForDomainEntry=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/(^|^.*[[:space:]])($fulldomain:[[:digit:]]+)(.*)/\2/p")
+  _debug2 lastUsedRidForDomainEntry "$lastUsedRidForDomainEntry"
+  lastUsedRidForDomain=$(echo "$lastUsedRidForDomainEntry" | cut -d: -f2)
+
+  rid="$rid1"
+  if [ "$lastUsedRidForDomain" = "$rid" ] && ! test -z "$rid2"; then
+    rid="$rid2"
+  fi
+
+  _info "Trying to add $txt on selfhost for rid: $rid"
+
+  data="?username=$SELFHOSTDNS_USERNAME&password=$SELFHOSTDNS_PASSWORD&rid=$rid&content=$txt"
+  response="$(_get "$SELFHOSTDNS_UPDATE_URL$data")"
+
+  if ! echo "$response" | grep "200 OK" >/dev/null; then
+    _err "Invalid response of acme-dns for selfhost"
+    return 1
+  fi
+
+  # write last used rid domain
+  newLastUsedRidForDomainEntry="$fulldomain:$rid"
+  if ! test -z "$lastUsedRidForDomainEntry"; then
+    # replace last used rid entry for domain
+    SELFHOSTDNS_MAP_LAST_USED_INTERNAL=$(echo "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL" | sed -n -E "s/$lastUsedRidForDomainEntry/$newLastUsedRidForDomainEntry/p")
+  else
+    # add last used rid entry for domain
+    if test -z "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL"; then
+      SELFHOSTDNS_MAP_LAST_USED_INTERNAL="$newLastUsedRidForDomainEntry"
+    else
+      SELFHOSTDNS_MAP_LAST_USED_INTERNAL="$SELFHOSTDNS_MAP_LAST_USED_INTERNAL $newLastUsedRidForDomainEntry"
+    fi
+  fi
+
+  # Now that we know the values are good, save them
+  _saveaccountconf_mutable SELFHOSTDNS_USERNAME "$SELFHOSTDNS_USERNAME"
+  _saveaccountconf_mutable SELFHOSTDNS_PASSWORD "$SELFHOSTDNS_PASSWORD"
+  # These values are domain dependent, so store them there
+  _savedomainconf SELFHOSTDNS_MAP "$SELFHOSTDNS_MAP"
+  _savedomainconf SELFHOSTDNS_MAP_LAST_USED_INTERNAL "$SELFHOSTDNS_MAP_LAST_USED_INTERNAL"
+}
+
+dns_selfhost_rm() {
+  fulldomain=$1
+  txt=$2
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txt"
+  _info "Creating and removing of records is not supported by selfhost API, will not delete anything."
+}
--- a/dnsapi/dns_servercow.sh
+++ b/dnsapi/dns_servercow.sh
@@ -53,7 +53,7 @@ dns_servercow_add() {
  if printf -- "%s" "$response" | grep "{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\"" >/dev/null; then
    _info "A txt record with the same name already exists."
    # trim the string on the left
-    txtvalue_old=${response#*{\"name\":\"$_sub_domain\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"}
+    txtvalue_old=${response#*{\"name\":\""$_sub_domain"\",\"ttl\":20,\"type\":\"TXT\",\"content\":\"}
    # trim the string on the right
    txtvalue_old=${txtvalue_old%%\"*}

--- a/dnsapi/dns_tencent.sh
+++ b/dnsapi/dns_tencent.sh
@@ -0,0 +1,211 @@
+#!/usr/bin/env sh
+Tencent_API="https://dnspod.tencentcloudapi.com"
+
+#Tencent_SecretId="AKIDz81d2cd22cdcdc2dcd1cc1d1A"
+#Tencent_SecretKey="Gu5t9abcabcaabcbabcbbbcbcbbccbbcb"
+
+#Usage: dns_tencent_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_tencent_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}"
+  Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}"
+  if [ -z "$Tencent_SecretId" ] || [ -z "$Tencent_SecretKey" ]; then
+    Tencent_SecretId=""
+    Tencent_SecretKey=""
+    _err "You don't specify tencent api SecretId and SecretKey yet."
+    return 1
+  fi
+
+  #save the api SecretId and SecretKey to the account conf file.
+  _saveaccountconf_mutable Tencent_SecretId "$Tencent_SecretId"
+  _saveaccountconf_mutable Tencent_SecretKey "$Tencent_SecretKey"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    return 1
+  fi
+
+  _debug "Add record"
+  _add_record_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "CreateRecord"
+}
+
+dns_tencent_rm() {
+  fulldomain=$1
+  txtvalue=$2
+  Tencent_SecretId="${Tencent_SecretId:-$(_readaccountconf_mutable Tencent_SecretId)}"
+  Tencent_SecretKey="${Tencent_SecretKey:-$(_readaccountconf_mutable Tencent_SecretKey)}"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    return 1
+  fi
+
+  _debug "Get record list"
+  attempt=1
+  max_attempts=5
+  while [ -z "$record_id" ] && [ "$attempt" -le $max_attempts ]; do
+    _check_exist_query "$_domain" "$_sub_domain" "$txtvalue" && _tencent_rest "DescribeRecordFilterList"
+    record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")"
+    _debug2 record_id "$record_id"
+    if [ -z "$record_id" ]; then
+      _debug "Due to TencentCloud API synchronization delay, record not found, waiting 10 seconds and retrying"
+      _sleep 10
+      attempt=$(_math "$attempt + 1")
+    fi
+  done
+
+  record_id="$(echo "$response" | _egrep_o "\"RecordId\":\s*[0-9]+" | _egrep_o "[0-9]+")"
+  _debug2 record_id "$record_id"
+
+  if [ -z "$record_id" ]; then
+    _debug "record not found after $max_attempts attempts, skip"
+  else
+    _debug "Delete record"
+    _delete_record_query "$record_id" && _tencent_rest "DeleteRecord"
+  fi
+}
+
+####################  Private functions below ##################################
+
+_get_root() {
+  domain=$1
+  i=1
+  p=1
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
+    if [ -z "$h" ]; then
+      #not valid
+      return 1
+    fi
+
+    _describe_records_query "$h" "@"
+    if ! _tencent_rest "DescribeRecordList" "ignore"; then
+      return 1
+    fi
+
+    if _contains "$response" "\"TotalCount\":"; then
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
+      _debug _sub_domain "$_sub_domain"
+      _domain="$h"
+      _debug _domain "$_domain"
+      return 0
+    fi
+    p="$i"
+    i=$(_math "$i" + 1)
+  done
+  return 1
+}
+
+_tencent_rest() {
+  action=$1
+  service="dnspod"
+  payload="${query}"
+  timestamp=$(date -u +%s)
+
+  token=$(tencent_signature_v3 $service "$action" "$payload" "$timestamp")
+  version="2021-03-23"
+
+  if ! response="$(tencent_api_request $service $version "$action" "$payload" "$timestamp")"; then
+    _err "Error <$1>"
+    return 1
+  fi
+
+  _debug2 response "$response"
+  if [ -z "$2" ]; then
+    message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")"
+    if [ "$message" ]; then
+      _err "$message"
+      return 1
+    fi
+  fi
+}
+
+_add_record_query() {
+  query="{\"Domain\":\"$1\",\"SubDomain\":\"$2\",\"RecordType\":\"TXT\",\"RecordLineId\":\"0\",\"RecordLine\":\"0\",\"Value\":\"$3\",\"TTL\":600}"
+}
+
+_describe_records_query() {
+  query="{\"Domain\":\"$1\",\"Limit\":3000}"
+}
+
+_delete_record_query() {
+  query="{\"Domain\":\"$_domain\",\"RecordId\":$1}"
+}
+
+_check_exist_query() {
+  _domain="$1"
+  _subdomain="$2"
+  _value="$3"
+  query="{\"Domain\":\"$_domain\",\"SubDomain\":\"$_subdomain\",\"RecordValue\":\"$_value\"}"
+}
+
+# shell client for tencent cloud api v3 | @author: rehiy
+
+tencent_sha256() {
+  printf %b "$@" | _digest sha256 hex
+}
+
+tencent_hmac_sha256() {
+  k=$1
+  shift
+  hex_key=$(printf %b "$k" | _hex_dump | tr -d ' ')
+  printf %b "$@" | _hmac sha256 "$hex_key" hex
+}
+
+tencent_hmac_sha256_hexkey() {
+  k=$1
+  shift
+  printf %b "$@" | _hmac sha256 "$k" hex
+}
+
+tencent_signature_v3() {
+  service=$1
+  action=$(echo "$2" | _lower_case)
+  payload=${3:-'{}'}
+  timestamp=${4:-$(date +%s)}
+
+  domain="$service.tencentcloudapi.com"
+  secretId=${Tencent_SecretId:-'tencent-cloud-secret-id'}
+  secretKey=${Tencent_SecretKey:-'tencent-cloud-secret-key'}
+
+  algorithm='TC3-HMAC-SHA256'
+  date=$(date -u -d "@$timestamp" +%Y-%m-%d 2>/dev/null)
+  [ -z "$date" ] && date=$(date -u -r "$timestamp" +%Y-%m-%d)
+
+  canonicalUri='/'
+  canonicalQuery=''
+  canonicalHeaders="content-type:application/json\nhost:$domain\nx-tc-action:$action\n"
+
+  signedHeaders='content-type;host;x-tc-action'
+  canonicalRequest="POST\n$canonicalUri\n$canonicalQuery\n$canonicalHeaders\n$signedHeaders\n$(tencent_sha256 "$payload")"
+
+  credentialScope="$date/$service/tc3_request"
+  stringToSign="$algorithm\n$timestamp\n$credentialScope\n$(tencent_sha256 "$canonicalRequest")"
+
+  secretDate=$(tencent_hmac_sha256 "TC3$secretKey" "$date")
+  secretService=$(tencent_hmac_sha256_hexkey "$secretDate" "$service")
+  secretSigning=$(tencent_hmac_sha256_hexkey "$secretService" 'tc3_request')
+  signature=$(tencent_hmac_sha256_hexkey "$secretSigning" "$stringToSign")
+
+  echo "$algorithm Credential=$secretId/$credentialScope, SignedHeaders=$signedHeaders, Signature=$signature"
+}
+
+tencent_api_request() {
+  service=$1
+  version=$2
+  action=$3
+  payload=${4:-'{}'}
+  timestamp=${5:-$(date +%s)}
+
+  token=$(tencent_signature_v3 "$service" "$action" "$payload" "$timestamp")
+
+  _H1="Content-Type: application/json"
+  _H2="Authorization: $token"
+  _H3="X-TC-Version: $version"
+  _H4="X-TC-Timestamp: $timestamp"
+  _H5="X-TC-Action: $action"
+
+  _post "$payload" "$Tencent_API" "" "POST" "application/json"
+}
--- a/dnsapi/dns_transip.sh
+++ b/dnsapi/dns_transip.sh
@@ -1,7 +1,6 @@
 #!/usr/bin/env sh
 TRANSIP_Api_Url="https://api.transip.nl/v6"
 TRANSIP_Token_Read_Only="false"
-TRANSIP_Token_Global_Key="false"
 TRANSIP_Token_Expiration="30 minutes"
 # You can't reuse a label token, so we leave this empty normally
 TRANSIP_Token_Label=""
@@ -96,7 +95,11 @@ _transip_get_token() {
  nonce=$(echo "TRANSIP$(_time)" | _digest sha1 hex | cut -c 1-32)
  _debug nonce "$nonce"

-  data="{\"login\":\"${TRANSIP_Username}\",\"nonce\":\"${nonce}\",\"read_only\":\"${TRANSIP_Token_Read_Only}\",\"expiration_time\":\"${TRANSIP_Token_Expiration}\",\"label\":\"${TRANSIP_Token_Label}\",\"global_key\":\"${TRANSIP_Token_Global_Key}\"}"
+  # make IP whitelisting configurable
+  TRANSIP_Token_Global_Key="${TRANSIP_Token_Global_Key:-$(_readaccountconf_mutable TRANSIP_Token_Global_Key)}"
+  _saveaccountconf_mutable TRANSIP_Token_Global_Key "$TRANSIP_Token_Global_Key"
+
+  data="{\"login\":\"${TRANSIP_Username}\",\"nonce\":\"${nonce}\",\"read_only\":\"${TRANSIP_Token_Read_Only}\",\"expiration_time\":\"${TRANSIP_Token_Expiration}\",\"label\":\"${TRANSIP_Token_Label}\",\"global_key\":\"${TRANSIP_Token_Global_Key:-false}\"}"
  _debug data "$data"

  #_signature=$(printf "%s" "$data" | openssl dgst -sha512 -sign "$TRANSIP_Key_File" | _base64)
@@ -139,6 +142,18 @@ _transip_setup() {
  _saveaccountconf_mutable TRANSIP_Username "$TRANSIP_Username"
  _saveaccountconf_mutable TRANSIP_Key_File "$TRANSIP_Key_File"

+  # download key file if it's an URL
+  if _startswith "$TRANSIP_Key_File" "http"; then
+    _debug "download transip key file"
+    TRANSIP_Key_URL=$TRANSIP_Key_File
+    TRANSIP_Key_File="$(_mktemp)"
+    chmod 600 "$TRANSIP_Key_File"
+    if ! _get "$TRANSIP_Key_URL" >"$TRANSIP_Key_File"; then
+      _err "Error getting key file from : $TRANSIP_Key_URL"
+      return 1
+    fi
+  fi
+
  if [ -f "$TRANSIP_Key_File" ]; then
    if ! grep "BEGIN PRIVATE KEY" "$TRANSIP_Key_File" >/dev/null 2>&1; then
      _err "Key file doesn't seem to be a valid key: ${TRANSIP_Key_File}"
@@ -156,6 +171,12 @@ _transip_setup() {
    fi
  fi

+  if [ -n "${TRANSIP_Key_URL}" ]; then
+    _debug "delete transip key file"
+    rm "${TRANSIP_Key_File}"
+    TRANSIP_Key_File=$TRANSIP_Key_URL
+  fi
+
  _get_root "$fulldomain" || return 1

  return 0
--- a/dnsapi/dns_ultra.sh
+++ b/dnsapi/dns_ultra.sh
@@ -5,7 +5,8 @@
 #
 # ULTRA_PWD="some_password_goes_here"

-ULTRA_API="https://restapi.ultradns.com/v2/"
+ULTRA_API="https://api.ultradns.com/v3/"
+ULTRA_AUTH_API="https://api.ultradns.com/v2/"

 #Usage: add _acme-challenge.www.domain.com "some_long_string_of_characters_go_here_from_lets_encrypt"
 dns_ultra_add() {
@@ -121,7 +122,7 @@ _get_root() {
      return 1
    fi
    if _contains "${response}" "${h}." >/dev/null; then
-      _domain_id=$(echo "$response" | _egrep_o "${h}")
+      _domain_id=$(echo "$response" | _egrep_o "${h}" | head -1)
      if [ "$_domain_id" ]; then
        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
        _domain="${h}"
@@ -142,23 +143,25 @@ _ultra_rest() {
  ep="$2"
  data="$3"
  _debug "$ep"
-  _debug TOKEN "${AUTH_TOKEN}"
+  if [ -z "$AUTH_TOKEN" ]; then
+    _ultra_login
+  fi
+  _debug TOKEN "$AUTH_TOKEN"

-  _ultra_login
  export _H1="Content-Type: application/json"
-  export _H2="Authorization: Bearer ${AUTH_TOKEN}"
+  export _H2="Authorization: Bearer $AUTH_TOKEN"

  if [ "$m" != "GET" ]; then
-    _debug data "${data}"
-    response="$(_post "${data}" "${ULTRA_API}"/"${ep}" "" "${m}")"
+    _debug data "$data"
+    response="$(_post "$data" "$ULTRA_API$ep" "" "$m")"
  else
-    response="$(_get "$ULTRA_API/$ep")"
+    response="$(_get "$ULTRA_API$ep")"
  fi
 }

 _ultra_login() {
  export _H1=""
  export _H2=""
-  AUTH_TOKEN=$(_post "grant_type=password&username=${ULTRA_USR}&password=${ULTRA_PWD}" "${ULTRA_API}authorization/token" | cut -d, -f3 | cut -d\" -f4)
+  AUTH_TOKEN=$(_post "grant_type=password&username=${ULTRA_USR}&password=${ULTRA_PWD}" "${ULTRA_AUTH_API}authorization/token" | cut -d, -f3 | cut -d\" -f4)
  export AUTH_TOKEN
 }
--- a/dnsapi/dns_variomedia.sh
+++ b/dnsapi/dns_variomedia.sh
@@ -69,7 +69,7 @@ dns_variomedia_rm() {
    return 1
  fi

-  _record_id="$(echo "$response" | cut -d '[' -f2 | cut -d']' -f1 | sed 's/},[ \t]*{/\},§\{/g' | tr § '\n' | grep "$_sub_domain" | grep "$txtvalue" | sed 's/^{//;s/}[,]?$//' | tr , '\n' | tr -d '\"' | grep ^id | cut -d : -f2 | tr -d ' ')"
+  _record_id="$(echo "$response" | sed -E 's/,"tags":\[[^]]*\]//g' | cut -d '[' -f2 | cut -d']' -f1 | sed 's/},[ \t]*{/\},§\{/g' | tr § '\n' | grep "$_sub_domain" | grep -- "$txtvalue" | sed 's/^{//;s/}[,]?$//' | tr , '\n' | tr -d '\"' | grep ^id | cut -d : -f2 | tr -d ' ')"
  _debug _record_id "$_record_id"
  if [ "$_record_id" ]; then
    _info "Successfully retrieved the record id for ACME challenge."
@@ -93,11 +93,11 @@ dns_variomedia_rm() {
 # _sub_domain=_acme-challenge.www
 # _domain=domain.com
 _get_root() {
-  fulldomain=$1
+  domain=$1
  i=1
+  p=1
  while true; do
-    h=$(printf "%s" "$fulldomain" | cut -d . -f $i-100)
-    _debug h "$h"
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    if [ -z "$h" ]; then
      return 1
    fi
@@ -106,17 +106,14 @@ _get_root() {
      return 1
    fi

-    if _startswith "$response" "\{\"data\":"; then
-      if _contains "$response" "\"id\":\"$h\""; then
-        _sub_domain="$(echo "$fulldomain" | sed "s/\\.$h\$//")"
-        _domain=$h
-        return 0
-      fi
+    if _contains "$response" "\"id\":\"$h\""; then
+      _sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p)
+      _domain="$h"
+      return 0
    fi
+    p=$i
    i=$(_math "$i" + 1)
  done
-
-  _debug "root domain not found"
  return 1
 }

--- a/dnsapi/dns_vercel.sh
+++ b/dnsapi/dns_vercel.sh
@@ -0,0 +1,142 @@
+#!/usr/bin/env sh
+
+# Vercel DNS API
+#
+# This is your API token which can be acquired on the account page.
+# https://vercel.com/account/tokens
+#
+# VERCEL_TOKEN="sdfsdfsdfljlbjkljlkjsdfoiwje"
+
+VERCEL_API="https://api.vercel.com"
+
+#Usage: add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_vercel_add() {
+  fulldomain=$1
+  txtvalue=$2
+  _debug fulldomain "$fulldomain"
+  _debug txtvalue "$txtvalue"
+
+  VERCEL_TOKEN="${VERCEL_TOKEN:-$(_readaccountconf_mutable VERCEL_TOKEN)}"
+
+  if [ -z "$VERCEL_TOKEN" ]; then
+    VERCEL_TOKEN=""
+    _err "You have not set the Vercel API token yet."
+    _err "Please visit https://vercel.com/account/tokens to generate it."
+    return 1
+  fi
+
+  _saveaccountconf_mutable VERCEL_TOKEN "$VERCEL_TOKEN"
+
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _info "Adding record"
+  if _vercel_rest POST "v2/domains/$_domain/records" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":\"$txtvalue\"}"; then
+    if printf -- "%s" "$response" | grep "\"uid\":\"" >/dev/null; then
+      _info "Added"
+      return 0
+    else
+      _err "Unexpected response while adding text record."
+      return 1
+    fi
+  fi
+  _err "Add txt record error."
+}
+
+dns_vercel_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+
+  _vercel_rest GET "v2/domains/$_domain/records"
+
+  count=$(printf "%s\n" "$response" | _egrep_o "\"name\":\"$_sub_domain\",[^{]*\"type\":\"TXT\"" | wc -l | tr -d " ")
+
+  if [ "$count" = "0" ]; then
+    _info "Don't need to remove."
+  else
+    _record_id=$(printf "%s" "$response" | _egrep_o "\"id\":[^,]*,\"slug\":\"[^,]*\",\"name\":\"$_sub_domain\",[^{]*\"type\":\"TXT\",\"value\":\"$txtvalue\"" | cut -d: -f2 | cut -d, -f1 | tr -d '"')
+
+    if [ "$_record_id" ]; then
+      echo "$_record_id" | while read -r item; do
+        if _vercel_rest DELETE "v2/domains/$_domain/records/$item"; then
+          _info "removed record" "$item"
+          return 0
+        else
+          _err "failed to remove record" "$item"
+          return 1
+        fi
+      done
+    fi
+  fi
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+  domain="$1"
+  ep="$2"
+  i=1
+  p=1
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    if [ -z "$h" ]; then
+      #not valid
+      return 1
+    fi
+
+    if ! _vercel_rest GET "v4/domains/$h"; then
+      return 1
+    fi
+
+    if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _domain=$h
+      return 0
+    fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+  return 1
+}
+
+_vercel_rest() {
+  m="$1"
+  ep="$2"
+  data="$3"
+
+  path="$VERCEL_API/$ep"
+
+  export _H1="Content-Type: application/json"
+  export _H2="Authorization: Bearer $VERCEL_TOKEN"
+
+  if [ "$m" != "GET" ]; then
+    _secure_debug2 data "$data"
+    response="$(_post "$data" "$path" "" "$m")"
+  else
+    response="$(_get "$path")"
+  fi
+  _ret="$?"
+  _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
+  _debug "http response code $_code"
+  _secure_debug2 response "$response"
+  if [ "$_ret" != "0" ]; then
+    _err "error $ep"
+    return 1
+  fi
+
+  response="$(printf "%s" "$response" | _normalizeJson)"
+  return 0
+}
--- a/dnsapi/dns_vultr.sh
+++ b/dnsapi/dns_vultr.sh
@@ -3,10 +3,10 @@
 #
 #VULTR_API_KEY=000011112222333344445555666677778888

-VULTR_Api="https://api.vultr.com/v1"
+VULTR_Api="https://api.vultr.com/v2"

 ########  Public functions #####################
-
+#
 #Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_vultr_add() {
  fulldomain=$1
@@ -31,14 +31,14 @@ dns_vultr_add() {
  _debug _domain "$_domain"

  _debug 'Getting txt records'
-  _vultr_rest GET "dns/records?domain=$_domain"
+  _vultr_rest GET "domains/$_domain/records"

  if printf "%s\n" "$response" | grep -- "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
    _err 'Error'
    return 1
  fi

-  if ! _vultr_rest POST 'dns/create_record' "domain=$_domain&name=$_sub_domain&data=\"$txtvalue\"&type=TXT"; then
+  if ! _vultr_rest POST "domains/$_domain/records" "{\"name\":\"$_sub_domain\",\"data\":\"$txtvalue\",\"type\":\"TXT\"}"; then
    _err "$response"
    return 1
  fi
@@ -71,14 +71,14 @@ dns_vultr_rm() {
  _debug _domain "$_domain"

  _debug 'Getting txt records'
-  _vultr_rest GET "dns/records?domain=$_domain"
+  _vultr_rest GET "domains/$_domain/records"

  if printf "%s\n" "$response" | grep -- "\"type\":\"TXT\",\"name\":\"$fulldomain\"" >/dev/null; then
    _err 'Error'
    return 1
  fi

-  _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'RECORDID' | cut -d : -f 2)"
+  _record_id="$(echo "$response" | tr '{}' '\n' | grep '"TXT"' | grep -- "$txtvalue" | tr ',' '\n' | grep -i 'id' | cut -d : -f 2 | tr -d '"')"
  _debug _record_id "$_record_id"
  if [ "$_record_id" ]; then
    _info "Successfully retrieved the record id for ACME challenge."
@@ -87,7 +87,7 @@ dns_vultr_rm() {
    return 0
  fi

-  if ! _vultr_rest POST 'dns/delete_record' "domain=$_domain&RECORDID=$_record_id"; then
+  if ! _vultr_rest DELETE "domains/$_domain/records/$_record_id"; then
    _err "$response"
    return 1
  fi
@@ -112,11 +112,11 @@ _get_root() {
      return 1
    fi

-    if ! _vultr_rest GET "dns/list"; then
+    if ! _vultr_rest GET "domains"; then
      return 1
    fi

-    if printf "%s\n" "$response" | grep '^\[.*\]' >/dev/null; then
+    if printf "%s\n" "$response" | grep -E '^\{.*\}' >/dev/null; then
      if _contains "$response" "\"domain\":\"$_domain\""; then
        _sub_domain="$(echo "$fulldomain" | sed "s/\\.$_domain\$//")"
        return 0
@@ -139,10 +139,10 @@ _vultr_rest() {
  data="$3"
  _debug "$ep"

-  api_key_trimmed=$(echo $VULTR_API_KEY | tr -d '"')
+  api_key_trimmed=$(echo "$VULTR_API_KEY" | tr -d '"')

-  export _H1="Api-Key: $api_key_trimmed"
-  export _H2='Content-Type: application/x-www-form-urlencoded'
+  export _H1="Authorization: Bearer $api_key_trimmed"
+  export _H2='Content-Type: application/json'

  if [ "$m" != "GET" ]; then
    _debug data "$data"
--- a/dnsapi/dns_world4you.sh
+++ b/dnsapi/dns_world4you.sh
@@ -12,7 +12,7 @@ RECORD=''

 # Usage: dns_world4you_add <fqdn> <value>
 dns_world4you_add() {
-  fqdn="$1"
+  fqdn=$(echo "$1" | _lower_case)
  value="$2"
  _info "Using world4you to add record"
  _debug fulldomain "$fqdn"
@@ -49,12 +49,12 @@ dns_world4you_add() {
  ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/dns" '' POST 'application/x-www-form-urlencoded')
  _resethttp

-  if _contains "$(_head_n 3 <"$HTTP_HEADER")" '302'; then
+  if _contains "$(_head_n 1 <"$HTTP_HEADER")" '302'; then
    res=$(_get "$WORLD4YOU_API/$paketnr/dns")
    if _contains "$res" "successfully"; then
      return 0
    else
-      msg=$(echo "$res" | grep -A 15 'data-type="danger"' | grep "<h3[^>]*>[^<]" | sed 's/<[^>]*>\|^\s*//g')
+      msg=$(echo "$res" | grep -A 15 'data-type="danger"' | grep "<h3[^>]*>[^<]" | sed 's/<[^>]*>//g' | sed 's/^\s*//g')
      if [ "$msg" = '' ]; then
        _err "Unable to add record: Unknown error"
        echo "$ret" >'error-01.html'
@@ -66,15 +66,15 @@ dns_world4you_add() {
      return 1
    fi
  else
-    _err "$(_head_n 3 <"$HTTP_HEADER")"
-    _err "View $HTTP_HEADER for debugging"
+    msg=$(echo "$ret" | grep '"form-error-message"' | sed 's/^.*<div class="form-error-message">\([^<]*\)<\/div>.*$/\1/')
+    _err "Unable to add record: my.world4you.com: $msg"
    return 1
  fi
 }

 # Usage: dns_world4you_rm <fqdn> <value>
 dns_world4you_rm() {
-  fqdn="$1"
+  fqdn=$(echo "$1" | _lower_case)
  value="$2"
  _info "Using world4you to remove record"
  _debug fulldomain "$fqdn"
@@ -113,12 +113,12 @@ dns_world4you_rm() {
  ret=$(_post "$body" "$WORLD4YOU_API/$paketnr/dns/record/delete" '' POST 'application/x-www-form-urlencoded')
  _resethttp

-  if _contains "$(_head_n 3 <"$HTTP_HEADER")" '302'; then
+  if _contains "$(_head_n 1 <"$HTTP_HEADER")" '302'; then
    res=$(_get "$WORLD4YOU_API/$paketnr/dns")
    if _contains "$res" "successfully"; then
      return 0
    else
-      msg=$(echo "$res" | grep -A 15 'data-type="danger"' | grep "<h3[^>]*>[^<]" | sed 's/<[^>]*>\|^\s*//g')
+      msg=$(echo "$res" | grep -A 15 'data-type="danger"' | grep "<h3[^>]*>[^<]" | sed 's/<[^>]*>//g' | sed 's/^\s*//g')
      if [ "$msg" = '' ]; then
        _err "Unable to remove record: Unknown error"
        echo "$ret" >'error-01.html'
@@ -130,8 +130,8 @@ dns_world4you_rm() {
      return 1
    fi
  else
-    _err "$(_head_n 3 <"$HTTP_HEADER")"
-    _err "View $HTTP_HEADER for debugging"
+    msg=$(echo "$ret" | grep "form-error-message" | sed 's/^.*<div class="form-error-message">\([^<]*\)<\/div>.*$/\1/')
+    _err "Unable to remove record: my.world4you.com: $msg"
    return 1
  fi
 }
@@ -155,34 +155,47 @@ _login() {
  _saveaccountconf_mutable WORLD4YOU_USERNAME "$WORLD4YOU_USERNAME"
  _saveaccountconf_mutable WORLD4YOU_PASSWORD "$WORLD4YOU_PASSWORD"

+  _resethttp
+  export ACME_HTTP_NO_REDIRECTS=1
+  page=$(_get "$WORLD4YOU_API/login")
+  _resethttp
+
+  if _contains "$(_head_n 1 <"$HTTP_HEADER")" '302'; then
+    _info "Already logged in"
+    _parse_sessid
+    return 0
+  fi
+
  _info "Logging in..."

  username="$WORLD4YOU_USERNAME"
  password="$WORLD4YOU_PASSWORD"
-  csrf_token=$(_get "$WORLD4YOU_API/login" | grep '_csrf_token' | sed 's/^.*<input[^>]*value=\"\([^"]*\)\".*$/\1/')
-  sessid=$(grep 'W4YSESSID' <"$HTTP_HEADER" | sed 's/^.*W4YSESSID=\([^;]*\);.*$/\1/')
+  csrf_token=$(echo "$page" | grep '_csrf_token' | sed 's/^.*<input[^>]*value=\"\([^"]*\)\".*$/\1/')
+  _parse_sessid

  export _H1="Cookie: W4YSESSID=$sessid"
  export _H2="X-Requested-With: XMLHttpRequest"
  body="_username=$username&_password=$password&_csrf_token=$csrf_token"
  ret=$(_post "$body" "$WORLD4YOU_API/login" '' POST 'application/x-www-form-urlencoded')
  unset _H2
+
  _debug ret "$ret"
  if _contains "$ret" "\"success\":true"; then
    _info "Successfully logged in"
-    sessid=$(grep 'W4YSESSID' <"$HTTP_HEADER" | sed 's/^.*W4YSESSID=\([^;]*\);.*$/\1/')
+    _parse_sessid
  else
-    _err "Unable to log in: $(echo "$ret" | sed 's/^.*"message":"\([^\"]*\)".*$/\1/')"
+    msg=$(echo "$ret" | sed 's/^.*"message":"\([^\"]*\)".*$/\1/')
+    _err "Unable to log in: my.world4you.com: $msg"
    return 1
  fi
 }

-# Usage _get_paketnr <fqdn> <form>
+# Usage: _get_paketnr <fqdn> <form>
 _get_paketnr() {
  fqdn="$1"
  form="$2"

-  domains=$(echo "$form" | grep 'header-paket-domain' | sed 's/<[^>]*>//g' | sed 's/^.*>\([^>]*\)$/\1/')
+  domains=$(echo "$form" | grep '<ul class="nav header-paket-list">' | sed 's/<li/\n<li/g' | sed 's/<[^>]*>/ /g' | sed 's/^.*>\([^>]*\)$/\1/')
  domain=''
  for domain in $domains; do
    if _contains "$fqdn" "$domain\$"; then
@@ -197,6 +210,11 @@ _get_paketnr() {
  TLD="$domain"
  _debug domain "$domain"
  RECORD=$(echo "$fqdn" | cut -c"1-$((${#fqdn} - ${#TLD} - 1))")
-  PAKETNR=$(echo "$form" | grep "data-textfilter=\".* $domain " | _tail_n 1 | sed "s|.*$WORLD4YOU_API/\\([0-9]*\\)/.*|\\1|")
+  PAKETNR=$(echo "$domains" | grep "$domain" | sed 's/^[^,]*, *\([0-9]*\).*$/\1/')
  return 0
 }
+
+# Usage: _parse_sessid
+_parse_sessid() {
+  sessid=$(grep 'W4YSESSID' <"$HTTP_HEADER" | _tail_n 1 | sed 's/^.*W4YSESSID=\([^;]*\);.*$/\1/')
+}
--- a/dnsapi/dns_yc.sh
+++ b/dnsapi/dns_yc.sh
@@ -0,0 +1,264 @@
+#!/usr/bin/env sh
+
+#YC_Zone_ID="" # DNS Zone ID
+#YC_Folder_ID="" # YC Folder ID
+#YC_SA_ID="" # Service Account ID
+#YC_SA_Key_ID="" # Service Account IAM Key ID
+#YC_SA_Key_File_Path="/path/to/private.key" # Path to private.key use instead of YC_SA_Key_File_PEM_b64
+#YC_SA_Key_File_PEM_b64="" # Base64 content of private.key use instead of YC_SA_Key_File_Path
+YC_Api="https://dns.api.cloud.yandex.net/dns/v1"
+
+########  Public functions #####################
+
+#Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_yc_add() {
+  fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name
+  txtvalue=$2
+
+  YC_SA_Key_File_PEM_b64="${YC_SA_Key_File_PEM_b64:-$(_readaccountconf_mutable YC_SA_Key_File_PEM_b64)}"
+  YC_SA_Key_File_Path="${YC_SA_Key_File_Path:-$(_readaccountconf_mutable YC_SA_Key_File_Path)}"
+
+  if [ "$YC_SA_Key_File_PEM_b64" ]; then
+    echo "$YC_SA_Key_File_PEM_b64" | _dbase64 >private.key
+    YC_SA_Key_File="private.key"
+    _savedomainconf YC_SA_Key_File_PEM_b64 "$YC_SA_Key_File_PEM_b64"
+  else
+    YC_SA_Key_File="$YC_SA_Key_File_Path"
+    _savedomainconf YC_SA_Key_File_Path "$YC_SA_Key_File_Path"
+  fi
+
+  YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}"
+  YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}"
+  YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}"
+  YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}"
+
+  if [ "$YC_SA_ID" ] && [ "$YC_SA_Key_ID" ] && [ "$YC_SA_Key_File" ]; then
+    if [ -f "$YC_SA_Key_File" ]; then
+      if _isRSA "$YC_SA_Key_File" >/dev/null 2>&1; then
+        if [ "$YC_Zone_ID" ]; then
+          _savedomainconf YC_Zone_ID "$YC_Zone_ID"
+          _savedomainconf YC_SA_ID "$YC_SA_ID"
+          _savedomainconf YC_SA_Key_ID "$YC_SA_Key_ID"
+        elif [ "$YC_Folder_ID" ]; then
+          _savedomainconf YC_Folder_ID "$YC_Folder_ID"
+          _saveaccountconf_mutable YC_SA_ID "$YC_SA_ID"
+          _saveaccountconf_mutable YC_SA_Key_ID "$YC_SA_Key_ID"
+          _clearaccountconf_mutable YC_Zone_ID
+          _clearaccountconf YC_Zone_ID
+        else
+          _err "You didn't specify a Yandex Cloud Zone ID or Folder ID yet."
+          return 1
+        fi
+      else
+        _err "YC_SA_Key_File not a RSA file(_isRSA function return false)."
+        return 1
+      fi
+    else
+      _err "YC_SA_Key_File not found in path $YC_SA_Key_File."
+      return 1
+    fi
+  else
+    _clearaccountconf YC_Zone_ID
+    _clearaccountconf YC_Folder_ID
+    _clearaccountconf YC_SA_ID
+    _clearaccountconf YC_SA_Key_ID
+    _clearaccountconf YC_SA_Key_File_PEM_b64
+    _clearaccountconf YC_SA_Key_File_Path
+    _err "You didn't specify a YC_SA_ID or YC_SA_Key_ID or YC_SA_Key_File."
+    return 1
+  fi
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _domain_id "$_domain_id"
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _debug "Getting txt records"
+  if ! _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then
+    _err "Error: $response"
+    return 1
+  fi
+
+  _info "Adding record"
+  if _yc_rest POST "zones/$_domain_id:upsertRecordSets" "{\"merges\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":[\"$txtvalue\"]}]}"; then
+    if _contains "$response" "\"done\": true"; then
+      _info "Added, OK"
+      return 0
+    else
+      _err "Add txt record error."
+      return 1
+    fi
+  fi
+  _err "Add txt record error."
+  return 1
+
+}
+
+#fulldomain txtvalue
+dns_yc_rm() {
+  fulldomain="$(echo "$1". | _lower_case)" # Add dot at end of domain name
+  txtvalue=$2
+
+  YC_Zone_ID="${YC_Zone_ID:-$(_readaccountconf_mutable YC_Zone_ID)}"
+  YC_Folder_ID="${YC_Folder_ID:-$(_readaccountconf_mutable YC_Folder_ID)}"
+  YC_SA_ID="${YC_SA_ID:-$(_readaccountconf_mutable YC_SA_ID)}"
+  YC_SA_Key_ID="${YC_SA_Key_ID:-$(_readaccountconf_mutable YC_SA_Key_ID)}"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _domain_id "$_domain_id"
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _debug "Getting txt records"
+  if _yc_rest GET "zones/${_domain_id}:getRecordSet?type=TXT&name=$_sub_domain"; then
+    exists_txtvalue=$(echo "$response" | _normalizeJson | _egrep_o "\"data\".*\][^,]*" | _egrep_o "[^:]*$")
+    _debug exists_txtvalue "$exists_txtvalue"
+  else
+    _err "Error: $response"
+    return 1
+  fi
+
+  if _yc_rest POST "zones/$_domain_id:updateRecordSets" "{\"deletions\": [ { \"name\":\"$_sub_domain\",\"type\":\"TXT\",\"ttl\":\"120\",\"data\":$exists_txtvalue}]}"; then
+    if _contains "$response" "\"done\": true"; then
+      _info "Delete, OK"
+      return 0
+    else
+      _err "Delete record error."
+      return 1
+    fi
+  fi
+  _err "Delete record error."
+  return 1
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
+_get_root() {
+  domain=$1
+  i=1
+  p=1
+
+  # Use Zone ID directly if provided
+  if [ "$YC_Zone_ID" ]; then
+    if ! _yc_rest GET "zones/$YC_Zone_ID"; then
+      return 1
+    else
+      if echo "$response" | tr -d " " | _egrep_o "\"id\":\"$YC_Zone_ID\"" >/dev/null; then
+        _domain=$(echo "$response" | _egrep_o "\"zone\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
+        if [ "$_domain" ]; then
+          _cutlength=$((${#domain} - ${#_domain}))
+          _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength")
+          _domain_id=$YC_Zone_ID
+          return 0
+        else
+          return 1
+        fi
+      else
+        return 1
+      fi
+    fi
+  fi
+
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug h "$h"
+    if [ -z "$h" ]; then
+      #not valid
+      return 1
+    fi
+    if [ "$YC_Folder_ID" ]; then
+      if ! _yc_rest GET "zones?folderId=$YC_Folder_ID"; then
+        return 1
+      fi
+    else
+      echo "You didn't specify a Yandex Cloud Folder ID."
+      return 1
+    fi
+    if _contains "$response" "\"zone\": \"$h\""; then
+      _domain_id=$(echo "$response" | _normalizeJson | _egrep_o "[^{]*\"zone\":\"$h\"[^}]*" | _egrep_o "\"id\"[^,]*" | _egrep_o "[^:]*$" | tr -d '"')
+      _debug _domain_id "$_domain_id"
+      if [ "$_domain_id" ]; then
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _domain=$h
+        return 0
+      fi
+      return 1
+    fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+  return 1
+}
+
+_yc_rest() {
+  m=$1
+  ep="$2"
+  data="$3"
+  _debug "$ep"
+
+  if [ ! "$YC_Token" ]; then
+    _debug "Login"
+    _yc_login
+  else
+    _debug "Token already exists. Skip Login."
+  fi
+
+  token_trimmed=$(echo "$YC_Token" | tr -d '"')
+
+  export _H1="Content-Type: application/json"
+  export _H2="Authorization: Bearer $token_trimmed"
+
+  if [ "$m" != "GET" ]; then
+    _debug data "$data"
+    response="$(_post "$data" "$YC_Api/$ep" "" "$m")"
+  else
+    response="$(_get "$YC_Api/$ep")"
+  fi
+
+  if [ "$?" != "0" ]; then
+    _err "error $ep"
+    return 1
+  fi
+  _debug2 response "$response"
+  return 0
+}
+
+_yc_login() {
+  header=$(echo "{\"typ\":\"JWT\",\"alg\":\"PS256\",\"kid\":\"$YC_SA_Key_ID\"}" | _normalizeJson | _base64 | _url_replace)
+  _debug header "$header"
+
+  _current_timestamp=$(_time)
+  _expire_timestamp=$(_math "$_current_timestamp" + 1200) # 20 minutes
+  payload=$(echo "{\"iss\":\"$YC_SA_ID\",\"aud\":\"https://iam.api.cloud.yandex.net/iam/v1/tokens\",\"iat\":$_current_timestamp,\"exp\":$_expire_timestamp}" | _normalizeJson | _base64 | _url_replace)
+  _debug payload "$payload"
+
+  #signature=$(printf "%s.%s" "$header" "$payload" | ${ACME_OPENSSL_BIN:-openssl} dgst -sign "$YC_SA_Key_File -sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _base64 | _url_replace )
+  _signature=$(printf "%s.%s" "$header" "$payload" | _sign "$YC_SA_Key_File" "sha256 -sigopt rsa_padding_mode:pss -sigopt rsa_pss_saltlen:-1" | _url_replace)
+  _debug2 _signature "$_signature"
+
+  rm -rf "$YC_SA_Key_File"
+
+  _jwt=$(printf "{\"jwt\": \"%s.%s.%s\"}" "$header" "$payload" "$_signature")
+  _debug2 _jwt "$_jwt"
+
+  export _H1="Content-Type: application/json"
+  _iam_response="$(_post "$_jwt" "https://iam.api.cloud.yandex.net/iam/v1/tokens" "" "POST")"
+  _debug3 _iam_response "$(echo "$_iam_response" | _normalizeJson)"
+
+  YC_Token="$(echo "$_iam_response" | _normalizeJson | _egrep_o "\"iamToken\"[^,]*" | _egrep_o "[^:]*$" | tr -d '"')"
+  _debug3 YC_Token
+
+  return 0
+}
--- a/notify/aws_ses.sh
+++ b/notify/aws_ses.sh
@@ -0,0 +1,226 @@
+#!/usr/bin/env sh
+
+#
+#AWS_ACCESS_KEY_ID="sdfsdfsdfljlbjkljlkjsdfoiwje"
+#
+#AWS_SECRET_ACCESS_KEY="xxxxxxx"
+#
+#AWS_SES_REGION="us-east-1"
+#
+#AWS_SES_TO="xxxx@xxx.com"
+#
+#AWS_SES_FROM="xxxx@cccc.com"
+#
+#AWS_SES_FROM_NAME="Something something"
+#This is the Amazon SES api wrapper for acme.sh
+AWS_WIKI="https://docs.aws.amazon.com/ses/latest/dg/send-email-api.html"
+
+aws_ses_send() {
+  _subject="$1"
+  _content="$2"
+  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+  _debug "_statusCode" "$_statusCode"
+
+  AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
+  AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
+  AWS_SES_REGION="${AWS_SES_REGION:-$(_readaccountconf_mutable AWS_SES_REGION)}"
+
+  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+    _use_container_role || _use_instance_role
+  fi
+
+  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+    AWS_ACCESS_KEY_ID=""
+    AWS_SECRET_ACCESS_KEY=""
+    _err "You haven't specified the aws SES api key id and and api key secret yet."
+    _err "Please create your key and try again. see $(__green $AWS_WIKI)"
+    return 1
+  fi
+
+  if [ -z "$AWS_SES_REGION" ]; then
+    AWS_SES_REGION=""
+    _err "You haven't specified the aws SES api region yet."
+    _err "Please specify your region and try again. see https://docs.aws.amazon.com/general/latest/gr/ses.html"
+    return 1
+  fi
+  _saveaccountconf_mutable AWS_SES_REGION "$AWS_SES_REGION"
+
+  #save for future use, unless using a role which will be fetched as needed
+  if [ -z "$_using_role" ]; then
+    _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
+    _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
+  fi
+
+  AWS_SES_TO="${AWS_SES_TO:-$(_readaccountconf_mutable AWS_SES_TO)}"
+  if [ -z "$AWS_SES_TO" ]; then
+    AWS_SES_TO=""
+    _err "You didn't specify an email to AWS_SES_TO receive messages."
+    return 1
+  fi
+  _saveaccountconf_mutable AWS_SES_TO "$AWS_SES_TO"
+
+  AWS_SES_FROM="${AWS_SES_FROM:-$(_readaccountconf_mutable AWS_SES_FROM)}"
+  if [ -z "$AWS_SES_FROM" ]; then
+    AWS_SES_FROM=""
+    _err "You didn't specify an email to AWS_SES_FROM receive messages."
+    return 1
+  fi
+  _saveaccountconf_mutable AWS_SES_FROM "$AWS_SES_FROM"
+
+  AWS_SES_FROM_NAME="${AWS_SES_FROM_NAME:-$(_readaccountconf_mutable AWS_SES_FROM_NAME)}"
+  _saveaccountconf_mutable AWS_SES_FROM_NAME "$AWS_SES_FROM_NAME"
+
+  AWS_SES_SENDFROM="$AWS_SES_FROM_NAME <$AWS_SES_FROM>"
+
+  AWS_SES_ACTION="Action=SendEmail"
+  AWS_SES_SOURCE="Source=$AWS_SES_SENDFROM"
+  AWS_SES_TO="Destination.ToAddresses.member.1=$AWS_SES_TO"
+  AWS_SES_SUBJECT="Message.Subject.Data=$_subject"
+  AWS_SES_MESSAGE="Message.Body.Text.Data=$_content"
+
+  _data="${AWS_SES_ACTION}&${AWS_SES_SOURCE}&${AWS_SES_TO}&${AWS_SES_SUBJECT}&${AWS_SES_MESSAGE}"
+
+  response="$(aws_rest POST "" "" "$_data")"
+}
+
+_use_metadata() {
+  _aws_creds="$(
+    _get "$1" "" 1 |
+      _normalizeJson |
+      tr '{,}' '\n' |
+      while read -r _line; do
+        _key="$(echo "${_line%%:*}" | tr -d '"')"
+        _value="${_line#*:}"
+        _debug3 "_key" "$_key"
+        _secure_debug3 "_value" "$_value"
+        case "$_key" in
+        AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;;
+        SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;;
+        Token) echo "AWS_SESSION_TOKEN=$_value" ;;
+        esac
+      done |
+      paste -sd' ' -
+  )"
+  _secure_debug "_aws_creds" "$_aws_creds"
+
+  if [ -z "$_aws_creds" ]; then
+    return 1
+  fi
+
+  eval "$_aws_creds"
+  _using_role=true
+}
+
+#method uri qstr data
+aws_rest() {
+  mtd="$1"
+  ep="$2"
+  qsr="$3"
+  data="$4"
+
+  _debug mtd "$mtd"
+  _debug ep "$ep"
+  _debug qsr "$qsr"
+  _debug data "$data"
+
+  CanonicalURI="/$ep"
+  _debug2 CanonicalURI "$CanonicalURI"
+
+  CanonicalQueryString="$qsr"
+  _debug2 CanonicalQueryString "$CanonicalQueryString"
+
+  RequestDate="$(date -u +"%Y%m%dT%H%M%SZ")"
+  _debug2 RequestDate "$RequestDate"
+
+  #RequestDate="20161120T141056Z" ##############
+
+  export _H1="x-amz-date: $RequestDate"
+
+  aws_host="email.$AWS_SES_REGION.amazonaws.com"
+  CanonicalHeaders="host:$aws_host\nx-amz-date:$RequestDate\n"
+  SignedHeaders="host;x-amz-date"
+  if [ -n "$AWS_SESSION_TOKEN" ]; then
+    export _H3="x-amz-security-token: $AWS_SESSION_TOKEN"
+    CanonicalHeaders="${CanonicalHeaders}x-amz-security-token:$AWS_SESSION_TOKEN\n"
+    SignedHeaders="${SignedHeaders};x-amz-security-token"
+  fi
+  _debug2 CanonicalHeaders "$CanonicalHeaders"
+  _debug2 SignedHeaders "$SignedHeaders"
+
+  RequestPayload="$data"
+  _debug2 RequestPayload "$RequestPayload"
+
+  Hash="sha256"
+
+  CanonicalRequest="$mtd\n$CanonicalURI\n$CanonicalQueryString\n$CanonicalHeaders\n$SignedHeaders\n$(printf "%s" "$RequestPayload" | _digest "$Hash" hex)"
+  _debug2 CanonicalRequest "$CanonicalRequest"
+
+  HashedCanonicalRequest="$(printf "$CanonicalRequest%s" | _digest "$Hash" hex)"
+  _debug2 HashedCanonicalRequest "$HashedCanonicalRequest"
+
+  Algorithm="AWS4-HMAC-SHA256"
+  _debug2 Algorithm "$Algorithm"
+
+  RequestDateOnly="$(echo "$RequestDate" | cut -c 1-8)"
+  _debug2 RequestDateOnly "$RequestDateOnly"
+
+  Region="$AWS_SES_REGION"
+  Service="ses"
+
+  CredentialScope="$RequestDateOnly/$Region/$Service/aws4_request"
+  _debug2 CredentialScope "$CredentialScope"
+
+  StringToSign="$Algorithm\n$RequestDate\n$CredentialScope\n$HashedCanonicalRequest"
+
+  _debug2 StringToSign "$StringToSign"
+
+  kSecret="AWS4$AWS_SECRET_ACCESS_KEY"
+
+  #kSecret="wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY" ############################
+
+  _secure_debug2 kSecret "$kSecret"
+
+  kSecretH="$(printf "%s" "$kSecret" | _hex_dump | tr -d " ")"
+  _secure_debug2 kSecretH "$kSecretH"
+
+  kDateH="$(printf "$RequestDateOnly%s" | _hmac "$Hash" "$kSecretH" hex)"
+  _debug2 kDateH "$kDateH"
+
+  kRegionH="$(printf "$Region%s" | _hmac "$Hash" "$kDateH" hex)"
+  _debug2 kRegionH "$kRegionH"
+
+  kServiceH="$(printf "$Service%s" | _hmac "$Hash" "$kRegionH" hex)"
+  _debug2 kServiceH "$kServiceH"
+
+  kSigningH="$(printf "%s" "aws4_request" | _hmac "$Hash" "$kServiceH" hex)"
+  _debug2 kSigningH "$kSigningH"
+
+  signature="$(printf "$StringToSign%s" | _hmac "$Hash" "$kSigningH" hex)"
+  _debug2 signature "$signature"
+
+  Authorization="$Algorithm Credential=$AWS_ACCESS_KEY_ID/$CredentialScope, SignedHeaders=$SignedHeaders, Signature=$signature"
+  _debug2 Authorization "$Authorization"
+
+  _H2="Authorization: $Authorization"
+  _debug _H2 "$_H2"
+
+  url="https://$aws_host/$ep"
+  if [ "$qsr" ]; then
+    url="https://$aws_host/$ep?$qsr"
+  fi
+
+  if [ "$mtd" = "GET" ]; then
+    response="$(_get "$url")"
+  else
+    response="$(_post "$data" "$url")"
+  fi
+
+  _ret="$?"
+  _debug2 response "$response"
+  if [ "$_ret" = "0" ]; then
+    if _contains "$response" "<ErrorResponse"; then
+      _err "Response error:$response"
+      return 1
+    fi
+  fi
+}
--- a/notify/callmebotWhatsApp.sh
+++ b/notify/callmebotWhatsApp.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env sh
+
+#Support CallMeBot Whatsapp webhooks
+
+#CALLMEBOT_YOUR_PHONE_NO=""
+#CALLMEBOT_API_KEY=""
+
+callmebotWhatsApp_send() {
+  _subject="$1"
+  _content="$2"
+  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+  _debug "_statusCode" "$_statusCode"
+
+  CALLMEBOT_YOUR_PHONE_NO="${CALLMEBOT_YOUR_PHONE_NO:-$(_readaccountconf_mutable CALLMEBOT_YOUR_PHONE_NO)}"
+  if [ -z "$CALLMEBOT_YOUR_PHONE_NO" ]; then
+    CALLMEBOT_YOUR_PHONE_NO=""
+    _err "You didn't specify a Slack webhook url CALLMEBOT_YOUR_PHONE_NO yet."
+    return 1
+  fi
+  _saveaccountconf_mutable CALLMEBOT_YOUR_PHONE_NO "$CALLMEBOT_YOUR_PHONE_NO"
+
+  CALLMEBOT_API_KEY="${CALLMEBOT_API_KEY:-$(_readaccountconf_mutable CALLMEBOT_API_KEY)}"
+  if [ "$CALLMEBOT_API_KEY" ]; then
+    _saveaccountconf_mutable CALLMEBOT_API_KEY "$CALLMEBOT_API_KEY"
+  fi
+
+  _waUrl="https://api.callmebot.com/whatsapp.php"
+
+  _Phone_No="$(printf "%s" "$CALLMEBOT_YOUR_PHONE_NO" | _url_encode)"
+  _apikey="$(printf "%s" "$CALLMEBOT_API_KEY" | _url_encode)"
+  _message="$(printf "*%s*\\n%s" "$_subject" "$_content" | _url_encode)"
+
+  _finalUrl="$_waUrl?phone=$_Phone_No&apikey=$_apikey&text=$_message"
+  response="$(_get "$_finalUrl")"
+
+  if [ "$?" = "0" ] && _contains ".<p><b>Message queued.</b> You will receive it in a few seconds."; then
+    _info "wa send success."
+    return 0
+  fi
+  _err "wa send error."
+  _debug "URL" "$_finalUrl"
+  _debug "Response" "$response"
+  return 1
+}
--- a/notify/slack_app.sh
+++ b/notify/slack_app.sh
@@ -0,0 +1,45 @@
+#!/usr/bin/env sh
+
+#Support Slack APP notifications
+
+#SLACK_APP_CHANNEL=""
+#SLACK_APP_TOKEN=""
+
+slack_app_send() {
+  _subject="$1"
+  _content="$2"
+  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
+  _debug "_statusCode" "$_statusCode"
+
+  SLACK_APP_CHANNEL="${SLACK_APP_CHANNEL:-$(_readaccountconf_mutable SLACK_APP_CHANNEL)}"
+  if [ -n "$SLACK_APP_CHANNEL" ]; then
+    _saveaccountconf_mutable SLACK_APP_CHANNEL "$SLACK_APP_CHANNEL"
+  fi
+
+  SLACK_APP_TOKEN="${SLACK_APP_TOKEN:-$(_readaccountconf_mutable SLACK_APP_TOKEN)}"
+  if [ -n "$SLACK_APP_TOKEN" ]; then
+    _saveaccountconf_mutable SLACK_APP_TOKEN "$SLACK_APP_TOKEN"
+  fi
+
+  _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)"
+  _data="{\"text\": \"$_content\", "
+  if [ -n "$SLACK_APP_CHANNEL" ]; then
+    _data="$_data\"channel\": \"$SLACK_APP_CHANNEL\", "
+  fi
+  _data="$_data\"mrkdwn\": \"true\"}"
+
+  export _H1="Authorization: Bearer $SLACK_APP_TOKEN"
+
+  SLACK_APP_API_URL="https://slack.com/api/chat.postMessage"
+  if _post "$_data" "$SLACK_APP_API_URL" "" "POST" "application/json; charset=utf-8"; then
+    # shellcheck disable=SC2154
+    SLACK_APP_RESULT_OK=$(echo "$response" | _egrep_o 'ok" *: *true')
+    if [ "$?" = "0" ] && [ "$SLACK_APP_RESULT_OK" ]; then
+      _info "slack send success."
+      return 0
+    fi
+  fi
+  _err "slack send error."
+  _err "$response"
+  return 1
+}
--- a/notify/smtp.sh
+++ b/notify/smtp.sh
@@ -169,7 +169,7 @@ _clean_email_header() {
 # email
 _email_has_display_name() {
  _email="$1"
-  expr "$_email" : '^.*[<>"]' >/dev/null
+  echo "$_email" | grep -q -E '^.*[<>"]'
 }

 ##
@@ -249,7 +249,7 @@ _mime_encoded_word() {
  _text="$1"
  # (regex character ranges like [a-z] can be locale-dependent; enumerate ASCII chars to avoid that)
  _ascii='] $`"'"[!#%&'()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ~^_abcdefghijklmnopqrstuvwxyz{|}~-"
-  if expr "$_text" : "^.*[^$_ascii]" >/dev/null; then
+  if echo "$_text" | grep -q -E "^.*[^$_ascii]"; then
    # At least one non-ASCII char; convert entire thing to encoded word
    printf "%s" "=?UTF-8?B?$(printf "%s" "$_text" | _base64)?="
  else