Merge pull request #1362 from Neilpang/dev

sync

README.md

@@ -25,7 +25,7 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
 
 # [中文说明](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E)
 
-# Who are using **acme.sh**
+# Who:
 - [FreeBSD.org](https://blog.crashed.org/letsencrypt-in-freebsd-org/)
 - [ruby-china.org](https://ruby-china.org/topics/31983)
 - [Proxmox](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x_and_newer))
@@ -76,6 +76,7 @@ https://github.com/Neilpang/acmetest
 - Apache mode
 - Nginx mode
 - DNS mode
+- [DNS alias mode](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode)
 - [Stateless mode](https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode)
 
 
@@ -204,6 +205,8 @@ Install/copy the cert/key to the production Apache or Nginx path.
 The cert will be renewed every **60** days by default (which is configurable). Once the cert is renewed, the Apache/Nginx service will be reloaded automatically by the command: `service apache2 force-reload` or `service nginx force-reload`.
 
 
+**Please take care:  The reloadcmd is very important. The cert can be automatically renewed, but, without a correct 'reloadcmd' the cert may not be flushed to your server(like nginx or apache), then your website will not be able to show renewed cert in 60 days.**
+
 # 4. Use Standalone server to issue cert
 
 **(requires you to be root/sudoer or have permission to listen on port 80 (TCP))**
@@ -324,6 +327,7 @@ You don't have to do anything manually!
 1. selectel.com(selectel.ru) DNS API
 1. zonomi.com DNS API
 1. DreamHost.com API
+1. DirectAdmin API
 
 
 And: 

acme.sh

@@ -47,6 +47,7 @@ DEFAULT_DNS_SLEEP=120
 NO_VALUE="no"
 
 W_TLS="tls"
+DNS_ALIAS_PREFIX="="
 
 MODE_STATELESS="stateless"
 
@@ -62,6 +63,7 @@ END_CSR="-----END CERTIFICATE REQUEST-----"
 BEGIN_CERT="-----BEGIN CERTIFICATE-----"
 END_CERT="-----END CERTIFICATE-----"
 
+CONTENT_TYPE_JSON="application/jose+json"
 RENEW_SKIP=2
 
 ECC_SEP="_"
@@ -105,6 +107,8 @@ _PREPARE_LINK="https://github.com/Neilpang/acme.sh/wiki/Install-preparations"
 
 _STATELESS_WIKI="https://github.com/Neilpang/acme.sh/wiki/Stateless-Mode"
 
+_DNS_ALIAS_WIKI="https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode"
+
 _DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead."
 
 _DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR"
@@ -845,6 +849,16 @@ _dbase64() {
   fi
 }
 
+#file
+_checkcert() {
+  _cf="$1"
+  if [ "$DEBUG" ]; then
+    openssl x509 -noout -text -in "$_cf"
+  else
+    openssl x509 -noout -text -in "$_cf" >/dev/null 2>&1
+  fi
+}
+
 #Usage: hashalg  [outputhex]
 #Output Base64-encoded digest
 _digest() {
@@ -1588,12 +1602,13 @@ _inithttp() {
 
 }
 
-# body  url [needbase64] [POST|PUT]
+# body  url [needbase64] [POST|PUT] [ContentType]
 _post() {
   body="$1"
   _post_url="$2"
   needbase64="$3"
   httpmethod="$4"
+  _postContentType="$5"
 
   if [ -z "$httpmethod" ]; then
     httpmethod="POST"
@@ -1609,6 +1624,9 @@ _post() {
     if [ "$HTTPS_INSECURE" ]; then
       _CURL="$_CURL --insecure  "
     fi
+    if [ "$_postContentType" ]; then
+      _CURL="$_CURL -H \"Content-Type: $_postContentType\" "
+    fi
     _debug "_CURL" "$_CURL"
     if [ "$needbase64" ]; then
       response="$($_CURL --user-agent "$USER_AGENT" -X $httpmethod -H "$_H1" -H "$_H2" -H "$_H3" -H "$_H4" -H "$_H5" --data "$body" "$_post_url" | _base64)"
@@ -1631,15 +1649,31 @@ _post() {
     _debug "_WGET" "$_WGET"
     if [ "$needbase64" ]; then
       if [ "$httpmethod" = "POST" ]; then
-        response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
+        if [ "$_postContentType" ]; then
+          response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
+        else
+          response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
+        fi
       else
-        response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
+        if [ "$_postContentType" ]; then
+          response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
+        else
+          response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER" | _base64)"
+        fi
       fi
     else
       if [ "$httpmethod" = "POST" ]; then
-        response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+        if [ "$_postContentType" ]; then
+          response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+        else
+          response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --post-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+        fi
       else
-        response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+        if [ "$_postContentType" ]; then
+          response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --header "Content-Type: $_postContentType" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+        else
+          response="$($_WGET -S -O - --user-agent="$USER_AGENT" --header "$_H5" --header "$_H4" --header "$_H3" --header "$_H2" --header "$_H1" --method $httpmethod --body-data="$body" "$_post_url" 2>"$HTTP_HEADER")"
+        fi
       fi
     fi
     _ret="$?"
@@ -1762,7 +1796,7 @@ _send_signed_request() {
       if [ "$ACME_NEW_NONCE" ]; then
         _debug2 "Get nonce. ACME_NEW_NONCE" "$ACME_NEW_NONCE"
         nonceurl="$ACME_NEW_NONCE"
-        if _post "" "$nonceurl" "" "HEAD"; then
+        if _post "" "$nonceurl" "" "HEAD" "$CONTENT_TYPE_JSON"; then
           _headers="$(cat "$HTTP_HEADER")"
         fi
       fi
@@ -1817,7 +1851,7 @@ _send_signed_request() {
     fi
     _debug3 body "$body"
 
-    response="$(_post "$body" "$url" "$needbase64")"
+    response="$(_post "$body" "$url" "$needbase64" "POST" "$CONTENT_TYPE_JSON")"
     _CACHED_NONCE=""
 
     if [ "$?" != "0" ]; then
@@ -1838,7 +1872,7 @@ _send_signed_request() {
 
     _body="$response"
     if [ "$needbase64" ]; then
-      _body="$(echo "$_body" | _dbase64)"
+      _body="$(echo "$_body" | _dbase64 | tr -d '\0')"
       _debug3 _body "$_body"
     fi
 
@@ -2007,15 +2041,19 @@ _startserver() {
     _NC="$_NC -6"
   fi
 
+  if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then
+    _NC="$_NC -d -d -v"
+  fi
+
   SOCAT_OPTIONS=TCP-LISTEN:$Le_HTTPPort,crlf,reuseaddr,fork
 
   #Adding bind to local-address
   if [ "$ncaddr" ]; then
-    $SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}"
+    SOCAT_OPTIONS="$SOCAT_OPTIONS,bind=${ncaddr}"
   fi
 
-  _debug "_NC" "$_NC"
-  $_NC $SOCAT_OPTIONS SYSTEM:"sleep 0.5; echo HTTP/1.1 200 OK; echo ; echo  $content; echo;" &
+  _debug "_NC" "$_NC $SOCAT_OPTIONS"
+  $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; echo HTTP/1.0 200 OK; echo ; echo  $content; echo;" &
   serverproc="$!"
 }
 
@@ -2855,8 +2893,9 @@ _clearupdns() {
     _debug "skip dns."
     return
   fi
-
+  _info "Removing DNS records."
   ventries=$(echo "$vlist" | tr ',' ' ')
+  _alias_index=1
   for ventry in $ventries; do
     d=$(echo "$ventry" | cut -d "$sep" -f 1)
     keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
@@ -2870,7 +2909,7 @@ _clearupdns() {
     fi
 
     if [ "$vtype" != "$VTYPE_DNS" ]; then
-      _info "Skip $d for $vtype"
+      _debug "Skip $d for $vtype"
       continue
     fi
 
@@ -2898,7 +2937,19 @@ _clearupdns() {
       if _startswith "$_dns_root_d" "*."; then
         _dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')"
       fi
-      txtdomain="_acme-challenge.$_dns_root_d"
+
+      _d_alias="$(_getfield "$_challenge_alias" "$_alias_index")"
+      _alias_index="$(_math "$_alias_index" + 1)"
+      _debug "_d_alias" "$_d_alias"
+      if [ "$_d_alias" ]; then
+        if _startswith "$_d_alias" "$DNS_ALIAS_PREFIX"; then
+          txtdomain="$(echo "$_d_alias" | sed "s/$DNS_ALIAS_PREFIX//")"
+        else
+          txtdomain="_acme-challenge.$_d_alias"
+        fi
+      else
+        txtdomain="_acme-challenge.$_dns_root_d"
+      fi
 
       if ! $rmcommand "$txtdomain" "$txt"; then
         _err "Error removing txt for domain:$txtdomain"
@@ -3380,7 +3431,7 @@ issue() {
   _post_hook="${11}"
   _renew_hook="${12}"
   _local_addr="${13}"
-
+  _challenge_alias="${14}"
   #remove these later.
   if [ "$_web_roots" = "dns-cf" ]; then
     _web_roots="dns_cf"
@@ -3433,6 +3484,11 @@ issue() {
   else
     _cleardomainconf "Le_LocalAddress"
   fi
+  if [ "$_challenge_alias" ]; then
+    _savedomainconf "Le_ChallengeAlias" "$_challenge_alias"
+  else
+    _cleardomainconf "Le_ChallengeAlias"
+  fi
 
   Le_API="$ACME_DIRECTORY"
   _savedomainconf "Le_API" "$Le_API"
@@ -3654,6 +3710,7 @@ $_authorizations_map"
     #add entry
     dnsadded=""
     ventries=$(echo "$vlist" | tr "$dvsep" ' ')
+    _alias_index=1
     for ventry in $ventries; do
       d=$(echo "$ventry" | cut -d "$sep" -f 1)
       keyauthorization=$(echo "$ventry" | cut -d "$sep" -f 2)
@@ -3671,7 +3728,18 @@ $_authorizations_map"
         if _startswith "$_dns_root_d" "*."; then
           _dns_root_d="$(echo "$_dns_root_d" | sed 's/*.//')"
         fi
-        txtdomain="_acme-challenge.$_dns_root_d"
+        _d_alias="$(_getfield "$_challenge_alias" "$_alias_index")"
+        _alias_index="$(_math "$_alias_index" + 1)"
+        _debug "_d_alias" "$_d_alias"
+        if [ "$_d_alias" ]; then
+          if _startswith "$_d_alias" "$DNS_ALIAS_PREFIX"; then
+            txtdomain="$(echo "$_d_alias" | sed "s/$DNS_ALIAS_PREFIX//")"
+          else
+            txtdomain="_acme-challenge.$_d_alias"
+          fi
+        else
+          txtdomain="_acme-challenge.$_dns_root_d"
+        fi
         _debug txtdomain "$txtdomain"
         txt="$(printf "%s" "$keyauthorization" | _digest "sha256" | _url_replace)"
         _debug txt "$txt"
@@ -4031,6 +4099,13 @@ $_authorizations_map"
   _debug "Le_LinkCert" "$Le_LinkCert"
   _savedomainconf "Le_LinkCert" "$Le_LinkCert"
 
+  if [ -z "$Le_LinkCert" ] || ! _checkcert "$CERT_PATH"; then
+    response="$(echo "$response" | _dbase64 "multiline" | tr -d '\0' | _normalizeJson)"
+    _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
+
   if [ "$Le_LinkCert" ]; then
     _info "$(__green "Cert success.")"
     cat "$CERT_PATH"
@@ -4041,26 +4116,18 @@ $_authorizations_map"
       _info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
     fi
 
-    cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
-
     if [ ! "$USER_PATH" ] || [ ! "$IN_CRON" ]; then
       USER_PATH="$PATH"
       _saveaccountconf "USER_PATH" "$USER_PATH"
     fi
   fi
 
-  if [ -z "$Le_LinkCert" ]; then
-    response="$(echo "$response" | _dbase64 "multiline" | _normalizeJson)"
-    _err "Sign failed: $(echo "$response" | _egrep_o '"detail":"[^"]*"')"
-    _on_issue_err "$_post_hook"
-    return 1
-  fi
-
   _cleardomainconf "Le_Vlist"
 
   if [ "$ACME_VERSION" = "2" ]; then
     _debug "v2 chain."
   else
+    cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
     Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
 
     if [ "$Le_LinkIssuer" ]; then
@@ -4084,6 +4151,10 @@ $_authorizations_map"
             echo "$BEGIN_CERT" >"$CA_CERT_PATH"
             _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
             echo "$END_CERT" >>"$CA_CERT_PATH"
+            if !_checkcert "$CA_CERT_PATH"; then
+              _err "Can not get the ca cert."
+              break
+            fi
             cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
             rm -f "$CA_CERT_PATH.der"
             break
@@ -4224,7 +4295,7 @@ renew() {
   fi
 
   IS_RENEW="1"
-  issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress"
+  issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias"
   res="$?"
   if [ "$res" != "0" ]; then
     return "$res"
@@ -4288,6 +4359,17 @@ signcsr() {
     return 1
   fi
 
+  _real_cert="$3"
+  _real_key="$4"
+  _real_ca="$5"
+  _reload_cmd="$6"
+  _real_fullchain="$7"
+  _pre_hook="${8}"
+  _post_hook="${9}"
+  _renew_hook="${10}"
+  _local_addr="${11}"
+  _challenge_alias="${12}"
+
   _csrsubj=$(_readSubjectFromCSR "$_csrfile")
   if [ "$?" != "0" ]; then
     _err "Can not read subject from csr: $_csrfile"
@@ -4333,7 +4415,7 @@ signcsr() {
   _info "Copy csr to: $CSR_PATH"
   cp "$_csrfile" "$CSR_PATH"
 
-  issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength"
+  issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias"
 
 }
 
@@ -4601,31 +4683,29 @@ installcronjob() {
     return 1
   fi
 
-  _c_cron_param="--home \"$LE_WORKING_DIR\""
-  if [ "$_c_home" ]; then
-    _c_entry="--config-home \"$_c_home\""
-    _c_cron_param="--home \"$LE_WORKING_DIR\" $_c_entry"
-  fi
-  _debug "_c_cron_param" "$_c_cron_param"
   _info "Installing cron job"
-  if ! $_CRONTAB -l | grep -- "$PROJECT_ENTRY --cron $_c_cron_param >"; then
+  if ! $_CRONTAB -l | grep "$PROJECT_ENTRY --cron"; then
     if [ -f "$LE_WORKING_DIR/$PROJECT_ENTRY" ]; then
       lesh="\"$LE_WORKING_DIR\"/$PROJECT_ENTRY"
     else
       _err "Can not install cronjob, $PROJECT_ENTRY not found."
       return 1
     fi
+
+    if [ "$_c_home" ]; then
+      _c_entry="--config-home \"$_c_home\" "
+    fi
     _t=$(_time)
     random_minute=$(_math $_t % 60)
     if _exists uname && uname -a | grep SunOS >/dev/null; then
       $_CRONTAB -l | {
         cat
-        echo "$random_minute 0 * * * $lesh --cron $_c_cron_param > /dev/null"
+        echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"
       } | $_CRONTAB --
     else
       $_CRONTAB -l | {
         cat
-        echo "$random_minute 0 * * * $lesh --cron $_c_cron_param > /dev/null"
+        echo "$random_minute 0 * * * $lesh --cron --home \"$LE_WORKING_DIR\" $_c_entry> /dev/null"
       } | $_CRONTAB -
     fi
   fi
@@ -4638,7 +4718,6 @@ installcronjob() {
 }
 
 uninstallcronjob() {
-  _c_home="$1"
   _CRONTAB="crontab"
   if ! _exists "$_CRONTAB" && _exists "fcrontab"; then
     _CRONTAB="fcrontab"
@@ -4647,20 +4726,13 @@ uninstallcronjob() {
   if ! _exists "$_CRONTAB"; then
     return
   fi
-  _c_cron_param="--home \"$LE_WORKING_DIR\""
-  if [ "$_c_home" ]; then
-    _c_entry="--config-home \"$_c_home\""
-    _c_cron_param="--home \"$LE_WORKING_DIR\" $_c_entry"
-  fi
-  _debug "_c_cron_param" "$_c_cron_param"
   _info "Removing cron job"
-  cr="$($_CRONTAB -l | grep "$PROJECT_ENTRY --cron $_c_cron_param >")"
-  _debug "cr" "$cr"
+  cr="$($_CRONTAB -l | grep "$PROJECT_ENTRY --cron")"
   if [ "$cr" ]; then
     if _exists uname && uname -a | grep solaris >/dev/null; then
-      $_CRONTAB -l | grep -v "$PROJECT_ENTRY --cron $_c_cron_param >" | $_CRONTAB --
+      $_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB --
     else
-      $_CRONTAB -l | grep -v "$PROJECT_ENTRY --cron $_c_cron_param >" | $_CRONTAB -
+      $_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB -
     fi
     LE_WORKING_DIR="$(echo "$cr" | cut -d ' ' -f 9 | tr -d '"')"
     _info LE_WORKING_DIR "$LE_WORKING_DIR"
@@ -5079,7 +5151,7 @@ _installalias() {
 
 }
 
-# nocron confighome
+# nocron confighome noprofile
 install() {
 
   if [ -z "$LE_WORKING_DIR" ]; then
@@ -5088,6 +5160,7 @@ install() {
 
   _nocron="$1"
   _c_home="$2"
+  _noprofile="$3"
   if ! _initpath; then
     _err "Install failed."
     return 1
@@ -5153,7 +5226,7 @@ install() {
 
   _info "Installed to $LE_WORKING_DIR/$PROJECT_ENTRY"
 
-  if [ "$IN_CRON" != "1" ]; then
+  if [ "$IN_CRON" != "1" ] && [ -z "$_noprofile" ]; then
     _installalias "$_c_home"
   fi
 
@@ -5317,6 +5390,8 @@ Commands:
 
 Parameters:
   --domain, -d   domain.tld         Specifies a domain, used to issue, renew or revoke etc.
+  --challenge-alias domain.tld      The challenge domain alias for DNS alias mode: $_DNS_ALIAS_WIKI
+  --domain-alias domain.tld         The domain alias for DNS alias mode: $_DNS_ALIAS_WIKI
   --force, -f                       Used to force to install or force to renew a cert immediately.
   --staging, --test                 Use staging server, just for test.
   --debug                           Output debug info.
@@ -5324,7 +5399,6 @@ Parameters:
   --webroot, -w  /path/to/webroot   Specifies the web root folder for web root mode.
   --standalone                      Use standalone mode.
   --stateless                       Use stateless mode, see: $_STATELESS_WIKI
-  --tls                             Use standalone tls mode.
   --apache                          Use apache mode.
   --dns [dns_cf|dns_dp|dns_cx|/path/to/api/file]   Use dns mode or dns api.
   --dnssleep  [$DEFAULT_DNS_SLEEP]                  The time in seconds to wait for all the txt records to take effect in dns api mode. Default $DEFAULT_DNS_SLEEP seconds.
@@ -5354,7 +5428,6 @@ Parameters:
   --accountkey                      Specifies the account key path, Only valid for the '--install' command.
   --days                            Specifies the days to renew the cert when using '--issue' command. The max value is $MAX_RENEW days.
   --httpport                        Specifies the standalone listening port. Only valid if the server is behind a reverse proxy or load balancer.
-  --tlsport                         Specifies the standalone tls listening port. Only valid if the server is behind a reverse proxy or load balancer.
   --local-address                   Specifies the standalone/tls server listening address, in case you have multiple ip addresses.
   --listraw                         Only used for '--list' command, list the certs in raw format.
   --stopRenewOnError, -se           Only valid for '--renew-all' command. Stop if one cert has error in renewal.
@@ -5379,10 +5452,11 @@ Parameters:
   "
 }
 
-# nocron
+# nocron noprofile
 _installOnline() {
   _info "Installing from online archive."
   _nocron="$1"
+  _noprofile="$2"
   if [ ! "$BRANCH" ]; then
     BRANCH="master"
   fi
@@ -5403,7 +5477,7 @@ _installOnline() {
 
     cd "$PROJECT_NAME-$BRANCH"
     chmod +x $PROJECT_ENTRY
-    if ./$PROJECT_ENTRY install "$_nocron"; then
+    if ./$PROJECT_ENTRY install "$_nocron" "" "$_noprofile"; then
       _info "Install success!"
     fi
 
@@ -5419,7 +5493,7 @@ upgrade() {
     _initpath
     export LE_WORKING_DIR
     cd "$LE_WORKING_DIR"
-    _installOnline "nocron"
+    _installOnline "nocron" "noprofile"
   ); then
     _info "Upgrade success!"
     exit 0
@@ -5467,6 +5541,7 @@ _process() {
   _domain=""
   _altdomains="$NO_VALUE"
   _webroot=""
+  _challenge_alias=""
   _keylength=""
   _accountkeylength=""
   _cert_file=""
@@ -5656,6 +5731,16 @@ _process() {
         fi
         shift
         ;;
+      --challenge-alias)
+        cvalue="$2"
+        _challenge_alias="$_challenge_alias$cvalue,"
+        shift
+        ;;
+      --domain-alias)
+        cvalue="$DNS_ALIAS_PREFIX$2"
+        _challenge_alias="$_challenge_alias$cvalue,"
+        shift
+        ;;
       --standalone)
         wvalue="$NO_VALUE"
         if [ -z "$_webroot" ]; then
@@ -5693,14 +5778,6 @@ _process() {
           _webroot="$_webroot,$wvalue"
         fi
         ;;
-      --tls)
-        wvalue="$W_TLS"
-        if [ -z "$_webroot" ]; then
-          _webroot="$wvalue"
-        else
-          _webroot="$_webroot,$wvalue"
-        fi
-        ;;
       --dns)
         wvalue="dns"
         if [ "$2" ] && ! _startswith "$2" "-"; then
@@ -5796,12 +5873,6 @@ _process() {
         Le_HTTPPort="$_httpport"
         shift
         ;;
-      --tlsport)
-        _tlsport="$2"
-        Le_TLSPort="$_tlsport"
-        shift
-        ;;
-
       --listraw)
         _listraw="raw"
         ;;
@@ -5977,13 +6048,13 @@ _process() {
     uninstall) uninstall "$_nocron" ;;
     upgrade) upgrade ;;
     issue)
-      issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address"
+      issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
       ;;
     deploy)
       deploy "$_domain" "$_deploy_hook" "$_ecc"
       ;;
     signcsr)
-      signcsr "$_csr" "$_webroot"
+      signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
       ;;
     showcsr)
       showcsr "$_csr" "$_domain"
@@ -6019,7 +6090,7 @@ _process() {
       list "$_listraw"
       ;;
     installcronjob) installcronjob "$_confighome" ;;
-    uninstallcronjob) uninstallcronjob "$_confighome" ;;
+    uninstallcronjob) uninstallcronjob ;;
     cron) cron ;;
     toPkcs)
       toPkcs "$_domain" "$_password" "$_ecc"

deploy/README.md

@@ -31,7 +31,146 @@ acme.sh --deploy -d ftp.example.com --deploy-hook kong
 
 ## 3. Deploy the cert to remote server through SSH access
 
-(TODO)
+The ssh deploy plugin allows you to deploy certificates to a remote host
+using SSH command to connect to the remote server.  The ssh plugin is invoked
+with the following command...
+
+```sh
+acme.sh --deploy -d example.com --deploy-hook ssh
+```
+Prior to running this for the first time you must tell the plugin where
+and how to deploy the certificates.  This is done by exporting the following
+environment variables.  This is not required for subsequent runs as the
+values are stored by acme.sh in the domain configuration files.
+
+Required...
+```
+export DEPLOY_SSH_USER=username
+```
+Optional...
+```
+export DEPLOY_SSH_CMD=custom ssh command
+export DEPLOY_SSH_SERVER=url or ip address of remote host
+export DEPLOY_SSH_KEYFILE=filename for private key
+export DEPLOY_SSH_CERTFILE=filename for certificate file
+export DEPLOY_SSH_CAFILE=filename for intermediate CA file
+export DEPLOY_SSH_FULLCHAIN=filename for fullchain file
+export DEPLOY_SSH_REMOTE_CMD=command to execute on remote host
+export DEPLOY_SSH_BACKUP=yes or no
+```
+
+**DEPLOY_SSH_USER**
+Username at the remote host that SSH will login with. Note that
+SSH must be able to login to remote host without a password... SSH Keys
+must have been exchanged with the remote host. Validate and test that you
+can login to USER@URL from the host running acme.sh before using this script.
+
+The USER@URL at the remote server must also have has permissions to write to
+the target location of the certificate files and to execute any commands
+(e.g. to stop/start services).
+
+**DEPLOY_SSH_CMD**
+You can customize the ssh command used to connect to the remote host. For example
+if you need to connect to a specific port at the remote server you can set this
+to, for example, "ssh -p 22" or to use `sshpass` to provide password inline
+instead of exchanging ssh keys (this is not recommended, using keys is
+more secure).
+
+**DEPLOY_SSH_SERVER**
+URL or IP Address of the remote server.  If not provided then the domain
+name provided on the acme.sh --deploy command line is used.
+
+**DEPLOY_SSH_KEYFILE**
+Target filename for the private key issued by LetsEncrypt.
+
+**DEPLOY_SSH_CERTFILE**
+Target filename for the certificate issued by LetsEncrypt.
+If this is the same as the previous filename (for keyfile) then it is
+appended to the same file.
+
+**DEPLOY_SSH_CAFILE**
+Target filename for the CA intermediate certificate issued by LetsEncrypt.
+If this is the same as a previous filename (for keyfile or certfile) then
+it is appended to the same file.
+
+**DEPLOY_SSH_FULLCHAIN**
+Target filename for the fullchain certificate issued by LetsEncrypt.
+If this is the same as a previous filename (for keyfile, certfile or
+cafile) then it is appended to the same file.
+
+**DEPLOY_SSH_REMOTE_CMD**
+Command to execute on the remote server after copying any certificates.  This
+could be any additional command required for example to stop and restart
+the service.
+
+**DEPLOY_SSH_BACKUP**
+Before writing a certificate file to the remote server the existing
+certificate will be copied to a backup directory on the remote server.
+These are placed in a hidden directory in the home directory of the SSH
+user
+```sh
+~/.acme_ssh_deploy/[domain name]-backup-[timestamp]
+```
+Any backups older than 180 days will be deleted when new certificates
+are deployed.  This defaults to "yes" set to "no" to disable backup.
+
+###Examples using SSH deploy
+The following example illustrates deploying certificates to a QNAP NAS
+(tested with QTS version 4.2.3)
+
+```sh
+export DEPLOY_SSH_USER="admin"
+export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
+export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
+export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
+export DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
+
+acme.sh --deploy -d qnap.example.com --deploy-hook ssh
+```
+Note how in this example both the private key and certificate point to
+the same file.  This will result in the certificate being appended
+to the same file as the private key... a common requirement of several
+services.
+
+The next example illustrates deploying certificates to a Unifi
+Controller (tested with version 5.4.11).
+
+```sh
+export DEPLOY_SSH_USER="root"
+export DEPLOY_SSH_KEYFILE="/var/lib/unifi/unifi.example.com.key"
+export DEPLOY_SSH_FULLCHAIN="/var/lib/unifi/unifi.example.com.cer"
+export DEPLOY_SSH_REMOTE_CMD="openssl pkcs12 -export \
+   -inkey /var/lib/unifi/unifi.example.com.key \
+   -in /var/lib/unifi/unifi.example.com.cer \
+   -out /var/lib/unifi/unifi.example.com.p12 \
+   -name ubnt -password pass:temppass \
+ && keytool -importkeystore -deststorepass aircontrolenterprise \
+   -destkeypass aircontrolenterprise \
+   -destkeystore /var/lib/unifi/keystore \
+   -srckeystore /var/lib/unifi/unifi.example.com.p12 \
+   -srcstoretype PKCS12 -srcstorepass temppass -alias ubnt -noprompt \
+ && service unifi restart"
+
+acme.sh --deploy -d unifi.example.com --deploy-hook ssh
+```
+In this example we execute several commands on the remote host
+after the certificate files have been copied... to generate a pkcs12 file
+compatible with Unifi, to import it into the Unifi keystore and then finally
+to restart the service.
+
+Note also that once the certificate is imported
+into the keystore the individual certificate files are no longer
+required. We could if we desired delete those files immediately. If we
+do that then we should disable backup at the remote host (as there are
+no files to backup -- they were erased during deployment). For example...
+```sh
+export DEPLOY_SSH_BACKUP=no
+# modify the end of the remote command...
+&& rm /var/lib/unifi/unifi.example.com.key \
+      /var/lib/unifi/unifi.example.com.cer \
+      /var/lib/unifi/unifi.example.com.p12 \
+&& service unifi restart
+```
 
 ## 4. Deploy the cert to local vsftpd server
 
@@ -94,7 +233,7 @@ DEPLOY_CPANEL_USER is required only if you run the script as root and it should
 export DEPLOY_CPANEL_USER=username
 acme.sh  --deploy  -d example.com  --deploy-hook cpanel_uapi
 ```
-Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separete certificate for each domain. 
+Please note, that the cpanel_uapi hook will deploy only the first domain when your certificate will automatically renew. Therefore you should issue a separate certificate for each domain. 
 
 ## 8. Deploy the cert to your FRITZ!Box router
 

deploy/ssh.sh

@@ -0,0 +1,205 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificates to remote server by SSH
+# Note that SSH must be able to login to remote host without a password...
+# SSH Keys must have been exchanged with the remote host.  Validate and
+# test that you can login to USER@SERVER from the host running acme.sh before
+# using this script.
+#
+# The following variables exported from environment will be used.
+# If not set then values previously saved in domain.conf file are used.
+#
+# Only a username is required.  All others are optional.
+#
+# The following examples are for QNAP NAS running QTS 4.2 
+# export DEPLOY_SSH_CMD=""  # defaults to ssh
+# export DEPLOY_SSH_USER="admin"  # required
+# export DEPLOY_SSH_SERVER="qnap"  # defaults to domain name
+# export DEPLOY_SSH_KEYFILE="/etc/stunnel/stunnel.pem"
+# export DEPLOY_SSH_CERTFILE="/etc/stunnel/stunnel.pem"
+# export DEPLOY_SSH_CAFILE="/etc/stunnel/uca.pem"
+# export DEPLOY_SSH_FULLCHAIN=""
+# export DEPLOY_SSH_REMOTE_CMD="/etc/init.d/stunnel.sh restart"
+# export DEPLOY_SSH_BACKUP=""  # yes or no, default to yes
+#
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+ssh_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+  _cmdstr=""
+  _homedir='~'
+  _backupprefix="$_homedir/.acme_ssh_deploy/$_cdomain-backup"
+  _backupdir="$_backupprefix-$(_utc_date | tr ' ' '-')"
+
+  if [ -f "$DOMAIN_CONF" ]; then
+    # shellcheck disable=SC1090
+    . "$DOMAIN_CONF"
+  fi
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  # USER is required to login by SSH to remote host.
+  if [ -z "$DEPLOY_SSH_USER" ]; then
+    if [ -z "$Le_Deploy_ssh_user" ]; then
+      _err "DEPLOY_SSH_USER not defined."
+      return 1
+    fi
+  else
+    Le_Deploy_ssh_user="$DEPLOY_SSH_USER"
+    _savedomainconf Le_Deploy_ssh_user "$Le_Deploy_ssh_user"
+  fi
+
+  # SERVER is optional. If not provided then use _cdomain
+  if [ -n "$DEPLOY_SSH_SERVER" ]; then
+    Le_Deploy_ssh_server="$DEPLOY_SSH_SERVER"
+    _savedomainconf Le_Deploy_ssh_server "$Le_Deploy_ssh_server"
+  elif [ -z "$Le_Deploy_ssh_server" ]; then
+    Le_Deploy_ssh_server="$_cdomain"
+  fi
+
+  # CMD is optional. If not provided then use ssh
+  if [ -n "$DEPLOY_SSH_CMD" ]; then
+    Le_Deploy_ssh_cmd="$DEPLOY_SSH_CMD"
+    _savedomainconf Le_Deploy_ssh_cmd "$Le_Deploy_ssh_cmd"
+  elif [ -z "$Le_Deploy_ssh_cmd" ]; then
+    Le_Deploy_ssh_cmd="ssh"
+  fi
+
+  # BACKUP is optional. If not provided then default to yes
+  if [ "$DEPLOY_SSH_BACKUP" = "no" ]; then
+    Le_Deploy_ssh_backup="no"
+  elif [ -z "$Le_Deploy_ssh_backup" ]; then
+    Le_Deploy_ssh_backup="yes"
+  fi
+  _savedomainconf Le_Deploy_ssh_backup "$Le_Deploy_ssh_backup"
+
+  _info "Deploy certificates to remote server $Le_Deploy_ssh_user@$Le_Deploy_ssh_server"
+
+  # KEYFILE is optional.
+  # If provided then private key will be copied to provided filename.
+  if [ -n "$DEPLOY_SSH_KEYFILE" ]; then
+    Le_Deploy_ssh_keyfile="$DEPLOY_SSH_KEYFILE"
+    _savedomainconf Le_Deploy_ssh_keyfile "$Le_Deploy_ssh_keyfile"
+  fi
+  if [ -n "$Le_Deploy_ssh_keyfile" ]; then
+    if [ "$Le_Deploy_ssh_backup" = "yes" ]; then
+      # backup file we are about to overwrite.
+      _cmdstr="$_cmdstr cp $Le_Deploy_ssh_keyfile $_backupdir >/dev/null;"
+    fi
+    # copy new certificate into file.
+    _cmdstr="$_cmdstr echo \"$(cat "$_ckey")\" > $Le_Deploy_ssh_keyfile;"
+    _info "will copy private key to remote file $Le_Deploy_ssh_keyfile"
+  fi
+
+  # CERTFILE is optional.
+  # If provided then private key will be copied or appended to provided filename.
+  if [ -n "$DEPLOY_SSH_CERTFILE" ]; then
+    Le_Deploy_ssh_certfile="$DEPLOY_SSH_CERTFILE"
+    _savedomainconf Le_Deploy_ssh_certfile "$Le_Deploy_ssh_certfile"
+  fi
+  if [ -n "$Le_Deploy_ssh_certfile" ]; then
+    _pipe=">"
+    if [ "$Le_Deploy_ssh_certfile" = "$Le_Deploy_ssh_keyfile" ]; then
+      # if filename is same as previous file then append.
+      _pipe=">>"
+    elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
+      # backup file we are about to overwrite.
+      _cmdstr="$_cmdstr cp $Le_Deploy_ssh_certfile $_backupdir >/dev/null;"
+    fi
+    # copy new certificate into file.
+    _cmdstr="$_cmdstr echo \"$(cat "$_ccert")\" $_pipe $Le_Deploy_ssh_certfile;"
+    _info "will copy certificate to remote file $Le_Deploy_ssh_certfile"
+  fi
+
+  # CAFILE is optional.
+  # If provided then CA intermediate certificate will be copied or appended to provided filename.
+  if [ -n "$DEPLOY_SSH_CAFILE" ]; then
+    Le_Deploy_ssh_cafile="$DEPLOY_SSH_CAFILE"
+    _savedomainconf Le_Deploy_ssh_cafile "$Le_Deploy_ssh_cafile"
+  fi
+  if [ -n "$Le_Deploy_ssh_cafile" ]; then
+    _pipe=">"
+    if [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_keyfile" ] \
+      || [ "$Le_Deploy_ssh_cafile" = "$Le_Deploy_ssh_certfile" ]; then
+      # if filename is same as previous file then append.
+      _pipe=">>"
+    elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
+      # backup file we are about to overwrite.
+      _cmdstr="$_cmdstr cp $Le_Deploy_ssh_cafile $_backupdir >/dev/null;"
+    fi
+    # copy new certificate into file.
+    _cmdstr="$_cmdstr echo \"$(cat "$_cca")\" $_pipe $Le_Deploy_ssh_cafile;"
+    _info "will copy CA file to remote file $Le_Deploy_ssh_cafile"
+  fi
+
+  # FULLCHAIN is optional.
+  # If provided then fullchain certificate will be copied or appended to provided filename.
+  if [ -n "$DEPLOY_SSH_FULLCHAIN" ]; then
+    Le_Deploy_ssh_fullchain="$DEPLOY_SSH_FULLCHAIN"
+    _savedomainconf Le_Deploy_ssh_fullchain "$Le_Deploy_ssh_fullchain"
+  fi
+  if [ -n "$Le_Deploy_ssh_fullchain" ]; then
+    _pipe=">"
+    if [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_keyfile" ] \
+      || [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_certfile" ] \
+      || [ "$Le_Deploy_ssh_fullchain" = "$Le_Deploy_ssh_cafile" ]; then
+      # if filename is same as previous file then append.
+      _pipe=">>"
+    elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
+      # backup file we are about to overwrite.
+      _cmdstr="$_cmdstr cp $Le_Deploy_ssh_fullchain $_backupdir >/dev/null;"
+    fi
+    # copy new certificate into file.
+    _cmdstr="$_cmdstr echo \"$(cat "$_cfullchain")\" $_pipe $Le_Deploy_ssh_fullchain;"
+    _info "will copy fullchain to remote file $Le_Deploy_ssh_fullchain"
+  fi
+
+  # REMOTE_CMD is optional.
+  # If provided then this command will be executed on remote host.
+  if [ -n "$DEPLOY_SSH_REMOTE_CMD" ]; then
+    Le_Deploy_ssh_remote_cmd="$DEPLOY_SSH_REMOTE_CMD"
+    _savedomainconf Le_Deploy_ssh_remote_cmd "$Le_Deploy_ssh_remote_cmd"
+  fi
+  if [ -n "$Le_Deploy_ssh_remote_cmd" ]; then
+    _cmdstr="$_cmdstr $Le_Deploy_ssh_remote_cmd;"
+    _info "Will execute remote command $Le_Deploy_ssh_remote_cmd"
+  fi
+
+  if [ -z "$_cmdstr" ]; then
+    _err "No remote commands to excute. Failed to deploy certificates to remote server"
+    return 1
+  elif [ "$Le_Deploy_ssh_backup" = "yes" ]; then
+    # run cleanup on the backup directory, erase all older
+    # than 180 days (15552000 seconds).
+    _cmdstr="{ now=\"\$(date -u +%s)\"; for fn in $_backupprefix*; \
+do if [ -d \"\$fn\" ] && [ \"\$(expr \$now - \$(date -ur \$fn +%s) )\" -ge \"15552000\" ]; \
+then rm -rf \"\$fn\"; echo \"Backup \$fn deleted as older than 180 days\"; fi; done; }; $_cmdstr"
+    # Alternate version of above... _cmdstr="find $_backupprefix* -type d -mtime +180 2>/dev/null | xargs rm -rf; $_cmdstr"
+    # Create our backup directory for overwritten cert files.
+    _cmdstr="mkdir -p $_backupdir; $_cmdstr"
+    _info "Backup of old certificate files will be placed in remote directory $_backupdir"
+    _info "Backup directories erased after 180 days."
+  fi
+
+  _debug "Remote commands to execute: $_cmdstr"
+  _info "Submitting sequence of commands to remote server by ssh"
+  # quotations in bash cmd below intended.  Squash travis spellcheck error
+  # shellcheck disable=SC2029
+  $Le_Deploy_ssh_cmd -T "$Le_Deploy_ssh_user@$Le_Deploy_ssh_server" sh -c "'$_cmdstr'"
+  _ret="$?"
+
+  if [ "$_ret" != "0" ]; then
+    _err "Error code $_ret returned from $Le_Deploy_ssh_cmd"
+  fi
+
+  return $_ret
+}

deploy/strongswan.sh

@@ -22,6 +22,8 @@ strongswan_deploy() {
     _ipsec=/usr/sbin/ipsec
   elif [ -x /usr/sbin/strongswan ]; then
     _ipsec=/usr/sbin/strongswan
+  elif [ -x /usr/local/sbin/ipsec ]; then
+    _ipsec=/usr/local/sbin/ipsec
   else
     _err "no strongswan or ipsec command is detected"
     return 1

deploy/vault_cli.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env sh
+
+# Here is a script to deploy cert to hashicorp vault
+# (https://www.vaultproject.io/)
+# 
+# it requires the vault binary to be available in PATH, and the following
+# environment variables:
+# 
+# VAULT_PREFIX - this contains the prefix path in vault
+# VAULT_ADDR - vault requires this to find your vault server
+#
+# additionally, you need to ensure that VAULT_TOKEN is avialable or
+# `vault auth` has applied the appropriate authorization for the vault binary
+# to access the vault server
+
+#returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+vault_cli_deploy() {
+
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  # validate required env vars
+  if [ -z "$VAULT_PREFIX" ]; then
+    _err "VAULT_PREFIX needs to be defined (contains prefix path in vault)"
+    return 1
+  fi
+
+  if [ -z "$VAULT_ADDR" ]; then
+    _err "VAULT_ADDR needs to be defined (contains vault connection address)"
+    return 1
+  fi
+
+  VAULT_CMD=$(which vault)
+  if [ ! $? ]; then
+    _err "cannot find vault binary!"
+    return 1
+  fi
+
+  $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.pem" value=@"$_ccert" || return 1
+  $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/cert.key" value=@"$_ckey" || return 1
+  $VAULT_CMD write "${VAULT_PREFIX}/${_cdomain}/fullchain.pem" value=@"$_cfullchain" || return 1
+
+}

dnsapi/README.md

@@ -354,7 +354,7 @@ acme.sh --issue --dns dns_gandi_livedns -d example.com -d www.example.com
 First, generate a TSIG key for updating the zone.
 
 ```
-keymgr tsig generate acme_key algorithm hmac-sha512 > /etc/knot/acme.key
+keymgr tsig generate -t acme_key hmac-sha512 > /etc/knot/acme.key
 ```
 
 Include this key in your knot configuration file.
@@ -757,6 +757,34 @@ acme.sh --issue --dns dns_dreamhost -d example.com -d www.example.com
 The 'DH_API_KEY' will be saved in `~/.acme.sh/account.conf` and will
 be reused when needed.
 
+## 41. Use DirectAdmin API
+The DirectAdmin interface has it's own Let's encrypt functionality, but this
+script can be used to generate certificates for names which are not hosted on
+DirectAdmin
+
+User must provide login data and URL to the DirectAdmin incl. port.
+You can create an user which only has access to
+
+- CMD_API_DNS_CONTROL
+- CMD_API_SHOW_DOMAINS
+
+By using the Login Keys function.
+See also https://www.directadmin.com/api.php and https://www.directadmin.com/features.php?id=1298
+
+```
+export DA_Api="https://remoteUser:remotePassword@da.domain.tld:8443"
+export DA_Api_Insecure=1
+```
+Set `DA_Api_Insecure` to 1 for insecure and 0 for secure -> difference is whether ssl cert is checked for validity (0) or whether it is just accepted (1)
+
+Ok, let's issue a cert now:
+```
+acme.sh --issue --dns dns_da -d example.com -d www.example.com
+```
+
+The `DA_Api` and `DA_Api_Insecure` will be saved in `~/.acme.sh/account.conf` and will be reused when needed.
+
+
 # Use custom API
 
 If your API is not supported yet, you can write your own DNS API.

dnsapi/dns_aws.sh

@@ -21,6 +21,11 @@ dns_aws_add() {
 
   AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
   AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
+
+  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+    _use_container_role || _use_instance_role
+  fi
+
   if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
     AWS_ACCESS_KEY_ID=""
     AWS_SECRET_ACCESS_KEY=""
@@ -29,9 +34,11 @@ dns_aws_add() {
     return 1
   fi
 
-  #save for future use
-  _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
-  _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
+  #save for future use, unless using a role which will be fetched as needed
+  if [ -z "$_using_role" ]; then
+    _saveaccountconf_mutable AWS_ACCESS_KEY_ID "$AWS_ACCESS_KEY_ID"
+    _saveaccountconf_mutable AWS_SECRET_ACCESS_KEY "$AWS_SECRET_ACCESS_KEY"
+  fi
 
   _debug "First detect the root zone"
   if ! _get_root "$fulldomain"; then
@@ -78,6 +85,11 @@ dns_aws_rm() {
 
   AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID:-$(_readaccountconf_mutable AWS_ACCESS_KEY_ID)}"
   AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY:-$(_readaccountconf_mutable AWS_SECRET_ACCESS_KEY)}"
+
+  if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ]; then
+    _use_container_role || _use_instance_role
+  fi
+
   _debug "First detect the root zone"
   if ! _get_root "$fulldomain"; then
     _err "invalid domain"
@@ -162,6 +174,55 @@ _get_root() {
   return 1
 }
 
+_use_container_role() {
+  # automatically set if running inside ECS
+  if [ -z "$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI" ]; then
+    _debug "No ECS environment variable detected"
+    return 1
+  fi
+  _use_metadata "169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI"
+}
+
+_use_instance_role() {
+  _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+  _debug "_url" "$_url"
+  if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then
+    _debug "Unable to fetch IAM role from instance metadata"
+    return 1
+  fi
+  _aws_role=$(_get "$_url" "" 1)
+  _debug "_aws_role" "$_aws_role"
+  _use_metadata "$_url$_aws_role"
+}
+
+_use_metadata() {
+  _aws_creds="$(
+    _get "$1" "" 1 \
+      | _normalizeJson \
+      | tr '{,}' '\n' \
+      | while read -r _line; do
+        _key="$(echo "${_line%%:*}" | tr -d '"')"
+        _value="${_line#*:}"
+        _debug3 "_key" "$_key"
+        _secure_debug3 "_value" "$_value"
+        case "$_key" in
+          AccessKeyId) echo "AWS_ACCESS_KEY_ID=$_value" ;;
+          SecretAccessKey) echo "AWS_SECRET_ACCESS_KEY=$_value" ;;
+          Token) echo "AWS_SESSION_TOKEN=$_value" ;;
+        esac
+      done \
+        | paste -sd' ' -
+  )"
+  _secure_debug "_aws_creds" "$_aws_creds"
+
+  if [ -z "$_aws_creds" ]; then
+    return 1
+  fi
+
+  eval "$_aws_creds"
+  _using_role=true
+}
+
 #method uri qstr data
 aws_rest() {
   mtd="$1"

dnsapi/dns_azure.sh

@@ -1,5 +1,7 @@
 #!/usr/bin/env sh
 
+WIKI="https://github.com/Neilpang/acme.sh/wiki/How-to-use-Azure-DNS"
+
 ########  Public functions #####################
 
 # Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
@@ -69,12 +71,36 @@ dns_azure_add() {
 
   acmeRecordURI="https://management.azure.com$(printf '%s' "$_domain_id" | sed 's/\\//g')/TXT/$_sub_domain?api-version=2017-09-01"
   _debug "$acmeRecordURI"
-  body="{\"properties\": {\"TTL\": 3600, \"TXTRecords\": [{\"value\": [\"$txtvalue\"]}]}}"
+  # Get existing TXT record
+  _azure_rest GET "$acmeRecordURI" "" "$accesstoken"
+  values="{\"value\":[\"$txtvalue\"]}"
+  timestamp="$(_time)"
+  if [ "$_code" = "200" ]; then
+    vlist="$(echo "$response" | _egrep_o "\"value\"\s*:\s*\[\s*\"[^\"]*\"\s*]" | cut -d : -f 2 | tr -d "[]\"")"
+    _debug "existing TXT found"
+    _debug "$vlist"
+    existingts="$(echo "$response" | _egrep_o "\"acmetscheck\"\s*:\s*\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d "\"")"
+    if [ -z "$existingts" ]; then
+      # the record was not created by acme.sh. Copy the exisiting entires
+      existingts=$timestamp
+    fi
+    _diff="$(_math "$timestamp - $existingts")"
+    _debug "existing txt age: $_diff"
+    # only use recently added records and discard if older than 2 hours because they are probably orphaned
+    if [ "$_diff" -lt 7200 ]; then
+      _debug "existing txt value: $vlist"
+      for v in $vlist; do
+        values="$values ,{\"value\":[\"$v\"]}"
+      done
+    fi
+  fi
+  # Add the txtvalue TXT Record
+  body="{\"properties\":{\"metadata\":{\"acmetscheck\":\"$timestamp\"},\"TTL\":10, \"TXTRecords\":[$values]}}"
   _azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken"
   if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then
-    _info "validation record added"
+    _info "validation value added"
   else
-    _err "error adding validation record ($_code)"
+    _err "error adding validation value ($_code)"
     return 1
   fi
 }
@@ -141,13 +167,38 @@ dns_azure_rm() {
 
   acmeRecordURI="https://management.azure.com$(printf '%s' "$_domain_id" | sed 's/\\//g')/TXT/$_sub_domain?api-version=2017-09-01"
   _debug "$acmeRecordURI"
-  body="{\"properties\": {\"TTL\": 3600, \"TXTRecords\": [{\"value\": [\"$txtvalue\"]}]}}"
-  _azure_rest DELETE "$acmeRecordURI" "" "$accesstoken"
-  if [ "$_code" = "200" ] || [ "$_code" = '204' ]; then
-    _info "validation record removed"
-  else
-    _err "error removing validation record ($_code)"
-    return 1
+  # Get existing TXT record
+  _azure_rest GET "$acmeRecordURI" "" "$accesstoken"
+  timestamp="$(_time)"
+  if [ "$_code" = "200" ]; then
+    vlist="$(echo "$response" | _egrep_o "\"value\"\s*:\s*\[\s*\"[^\"]*\"\s*]" | cut -d : -f 2 | tr -d "[]\"" | grep -v "$txtvalue")"
+    values=""
+    comma=""
+    for v in $vlist; do
+      values="$values$comma{\"value\":[\"$v\"]}"
+      comma=","
+    done
+    if [ -z "$values" ]; then
+      # No values left remove record
+      _debug "removing validation record completely $acmeRecordURI"
+      _azure_rest DELETE "$acmeRecordURI" "" "$accesstoken"
+      if [ "$_code" = "200" ] || [ "$_code" = '204' ]; then
+        _info "validation record removed"
+      else
+        _err "error removing validation record ($_code)"
+        return 1
+      fi
+    else
+      # Remove only txtvalue from the TXT Record
+      body="{\"properties\":{\"metadata\":{\"acmetscheck\":\"$timestamp\"},\"TTL\":10, \"TXTRecords\":[$values]}}"
+      _azure_rest PUT "$acmeRecordURI" "$body" "$accesstoken"
+      if [ "$_code" = "200" ] || [ "$_code" = '201' ]; then
+        _info "validation value removed"
+      else
+        _err "error removing validation value ($_code)"
+        return 1
+      fi
+    fi
   fi
 }
 
@@ -159,52 +210,92 @@ _azure_rest() {
   data="$3"
   accesstoken="$4"
 
-  export _H1="authorization: Bearer $accesstoken"
-  export _H2="accept: application/json"
-  export _H3="Content-Type: application/json"
-
-  _debug "$ep"
-  if [ "$m" != "GET" ]; then
-    _debug data "$data"
-    response="$(_post "$data" "$ep" "" "$m")"
-  else
-    response="$(_get "$ep")"
-  fi
-  _debug2 response "$response"
-
-  _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
-  _debug2 "http response code $_code"
-
-  if [ "$?" != "0" ]; then
-    _err "error $ep"
+  MAX_REQUEST_RETRY_TIMES=5
+  _request_retry_times=0
+  while [ "${_request_retry_times}" -lt "$MAX_REQUEST_RETRY_TIMES" ]; do
+    _debug3 _request_retry_times "$_request_retry_times"
+    export _H1="authorization: Bearer $accesstoken"
+    export _H2="accept: application/json"
+    export _H3="Content-Type: application/json"
+    # clear headers from previous request to avoid getting wrong http code on timeouts
+    :>"$HTTP_HEADER"
+    _debug "$ep"
+    if [ "$m" != "GET" ]; then
+      _secure_debug2 "data $data"
+      response="$(_post "$data" "$ep" "" "$m")"
+    else
+      response="$(_get "$ep")"
+    fi
+    _secure_debug2 "response $response"
+    _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
+    _debug "http response code $_code"
+    if [ "$_code" = "401" ]; then
+      # we have an invalid access token set to expired
+      _saveaccountconf_mutable AZUREDNS_TOKENVALIDTO "0"
+      _err "access denied make sure your Azure settings are correct. See $WIKI"
+      return 1
+    fi
+    # See https://docs.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines for retryable HTTP codes
+    if [ "$?" != "0" ] || [ -z "$_code" ] || [ "$_code" = "408" ] || [ "$_code" = "500" ] || [ "$_code" = "503" ] || [ "$_code" = "504" ]; then
+      _request_retry_times="$(_math "$_request_retry_times" + 1)"
+      _info "REST call error $_code retrying $ep in $_request_retry_times s"
+      _sleep "$_request_retry_times"
+      continue
+    fi
+    break
+  done
+  if [ "$_request_retry_times" = "$MAX_REQUEST_RETRY_TIMES" ]; then
+    _err "Error Azure REST called was retried $MAX_REQUEST_RETRY_TIMES times."
+    _err "Calling $ep failed."
     return 1
   fi
+  response="$(echo "$response" | _normalizeJson)"
   return 0
 }
 
 ## Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token
 _azure_getaccess_token() {
-  TENANTID=$1
+  tenantID=$1
   clientID=$2
   clientSecret=$3
 
+  accesstoken="${AZUREDNS_BEARERTOKEN:-$(_readaccountconf_mutable AZUREDNS_BEARERTOKEN)}"
+  expires_on="${AZUREDNS_TOKENVALIDTO:-$(_readaccountconf_mutable AZUREDNS_TOKENVALIDTO)}"
+
+  # can we reuse the bearer token?
+  if [ -n "$accesstoken" ] && [ -n "$expires_on" ]; then
+    if [ "$(_time)" -lt "$expires_on" ]; then
+      # brearer token is still valid - reuse it
+      _debug "reusing bearer token"
+      printf "%s" "$accesstoken"
+      return 0
+    else
+      _debug "bearer token expired"
+    fi
+  fi
+  _debug "getting new bearer token"
+
   export _H1="accept: application/json"
   export _H2="Content-Type: application/x-www-form-urlencoded"
 
   body="resource=$(printf "%s" 'https://management.core.windows.net/' | _url_encode)&client_id=$(printf "%s" "$clientID" | _url_encode)&client_secret=$(printf "%s" "$clientSecret" | _url_encode)&grant_type=client_credentials"
-  _debug data "$body"
-  response="$(_post "$body" "https://login.windows.net/$TENANTID/oauth2/token" "" "POST")"
+  _secure_debug2 "data $body"
+  response="$(_post "$body" "https://login.microsoftonline.com/$tenantID/oauth2/token" "" "POST")"
+  _secure_debug2 "response $response"
+  response="$(echo "$response" | _normalizeJson)"
   accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
-  _debug2 "response $response"
+  expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
 
   if [ -z "$accesstoken" ]; then
-    _err "no acccess token received"
+    _err "no acccess token received. Check your Azure settings see $WIKI"
     return 1
   fi
   if [ "$?" != "0" ]; then
     _err "error $response"
     return 1
   fi
+  _saveaccountconf_mutable AZUREDNS_BEARERTOKEN "$accesstoken"
+  _saveaccountconf_mutable AZUREDNS_TOKENVALIDTO "$expires_on"
   printf "%s" "$accesstoken"
   return 0
 }
@@ -222,7 +313,6 @@ _get_root() {
   ## Per https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#dns-limits you are limited to 100 Zone/subscriptions anyways
   ##
   _azure_rest GET "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Network/dnszones?api-version=2017-09-01" "" "$accesstoken"
-
   # Find matching domain name is Json response
   while true; do
     h=$(printf "%s" "$domain" | cut -d . -f $i-100)

dnsapi/dns_cloudns.sh

@@ -26,30 +26,18 @@ dns_cloudns_add() {
 
   host="$(echo "$1" | sed "s/\.$zone\$//")"
   record=$2
-  record_id=$(_dns_cloudns_get_record_id "$zone" "$host")
 
   _debug zone "$zone"
   _debug host "$host"
   _debug record "$record"
-  _debug record_id "$record_id"
 
-  if [ -z "$record_id" ]; then
-    _info "Adding the TXT record for $1"
-    _dns_cloudns_http_api_call "dns/add-record.json" "domain-name=$zone&record-type=TXT&host=$host&record=$record&ttl=60"
-    if ! _contains "$response" "\"status\":\"Success\""; then
-      _err "Record cannot be added."
-      return 1
-    fi
-    _info "Added."
-  else
-    _info "Updating the TXT record for $1"
-    _dns_cloudns_http_api_call "dns/mod-record.json" "domain-name=$zone&record-id=$record_id&record-type=TXT&host=$host&record=$record&ttl=60"
-    if ! _contains "$response" "\"status\":\"Success\""; then
-      _err "The TXT record for $1 cannot be updated."
-      return 1
-    fi
-    _info "Updated."
+  _info "Adding the TXT record for $1"
+  _dns_cloudns_http_api_call "dns/add-record.json" "domain-name=$zone&record-type=TXT&host=$host&record=$record&ttl=60"
+  if ! _contains "$response" "\"status\":\"Success\""; then
+    _err "Record cannot be added."
+    return 1
   fi
+  _info "Added."
 
   return 0
 }
@@ -72,22 +60,32 @@ dns_cloudns_rm() {
 
   host="$(echo "$1" | sed "s/\.$zone\$//")"
   record=$2
-  record_id=$(_dns_cloudns_get_record_id "$zone" "$host")
 
-  _debug zone "$zone"
-  _debug host "$host"
-  _debug record "$record"
-  _debug record_id "$record_id"
-
-  if [ ! -z "$record_id" ]; then
-    _info "Deleting the TXT record for $1"
-    _dns_cloudns_http_api_call "dns/delete-record.json" "domain-name=$zone&record-id=$record_id"
-    if ! _contains "$response" "\"status\":\"Success\""; then
-      _err "The TXT record for $1 cannot be deleted."
-      return 1
-    fi
-    _info "Deleted."
+  _dns_cloudns_http_api_call "dns/records.json" "domain-name=$zone&host=$host&type=TXT"
+  if ! _contains "$response" "\"id\":"; then
+    return 1
   fi
+
+  for i in $(echo "$response" | tr '{' "\n" | grep "$record"); do
+    record_id=$(echo "$i" | tr ',' "\n" | grep -E '^"id"' | sed -re 's/^\"id\"\:\"([0-9]+)\"$/\1/g')
+
+    if [ ! -z "$record_id" ]; then
+      _debug zone "$zone"
+      _debug host "$host"
+      _debug record "$record"
+      _debug record_id "$record_id"
+
+      _info "Deleting the TXT record for $1"
+      _dns_cloudns_http_api_call "dns/delete-record.json" "domain-name=$zone&record-id=$record_id"
+
+      if ! _contains "$response" "\"status\":\"Success\""; then
+        _err "The TXT record for $1 cannot be deleted."
+      else
+        _info "Deleted."
+      fi
+    fi
+  done
+
   return 0
 }
 
@@ -126,7 +124,7 @@ _dns_cloudns_init_check() {
     return 1
   fi
 
-  #save the api id and password to the account conf file.
+  # save the api id and password to the account conf file.
   _saveaccountconf_mutable CLOUDNS_AUTH_ID "$CLOUDNS_AUTH_ID"
   _saveaccountconf_mutable CLOUDNS_SUB_AUTH_ID "$CLOUDNS_SUB_AUTH_ID"
   _saveaccountconf_mutable CLOUDNS_AUTH_PASSWORD "$CLOUDNS_AUTH_PASSWORD"
@@ -159,15 +157,6 @@ _dns_cloudns_get_zone_name() {
   return 1
 }
 
-_dns_cloudns_get_record_id() {
-  _dns_cloudns_http_api_call "dns/records.json" "domain-name=$1&host=$2&type=TXT"
-  if _contains "$response" "\"id\":"; then
-    echo "$response" | cut -d '"' -f 2
-    return 0
-  fi
-  return 1
-}
-
 _dns_cloudns_http_api_call() {
   method=$1
 
@@ -189,7 +178,7 @@ _dns_cloudns_http_api_call() {
 
   response="$(_get "$CLOUDNS_API/$method?$data")"
 
-  _debug2 response "$response"
+  _debug response "$response"
 
   return 0
 }

dnsapi/dns_da.sh

@@ -0,0 +1,184 @@
+#!/usr/bin/env sh
+# -*- mode: sh; tab-width: 2; indent-tabs-mode: s; coding: utf-8 -*-
+# vim: et ts=2 sw=2
+#
+# DirectAdmin 1.41.0 API
+# The DirectAdmin interface has it's own Let's encrypt functionality, but this
+# script can be used to generate certificates for names which are not hosted on
+# DirectAdmin
+#
+# User must provide login data and URL to DirectAdmin incl. port.
+# You can create login key, by using the Login Keys function
+# ( https://da.example.com:8443/CMD_LOGIN_KEYS ), which only has access to 
+# - CMD_API_DNS_CONTROL
+# - CMD_API_SHOW_DOMAINS
+#
+# See also https://www.directadmin.com/api.php and
+# https://www.directadmin.com/features.php?id=1298
+#
+# Report bugs to https://github.com/TigerP/acme.sh/issues
+#
+# Values to export:
+# export DA_Api="https://remoteUser:remotePassword@da.example.com:8443"
+# export DA_Api_Insecure=1
+#
+# Set DA_Api_Insecure to 1 for insecure and 0 for secure -> difference is
+# whether ssl cert is checked for validity (0) or whether it is just accepted
+# (1)
+#
+########  Public functions #####################
+
+# Usage: dns_myapi_add  _acme-challenge.www.example.com  "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to add txt record
+dns_da_add() {
+  fulldomain="${1}"
+  txtvalue="${2}"
+  _debug "Calling: dns_da_add() '${fulldomain}' '${txtvalue}'"
+  _DA_credentials && _DA_getDomainInfo && _DA_addTxt
+}
+
+# Usage: dns_da_rm  _acme-challenge.www.example.com  "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+# Used to remove the txt record after validation
+dns_da_rm() {
+  fulldomain="${1}"
+  txtvalue="${2}"
+  _debug "Calling: dns_da_rm() '${fulldomain}' '${txtvalue}'"
+  _DA_credentials && _DA_getDomainInfo && _DA_rmTxt
+}
+
+####################  Private functions below ##################################
+# Usage: _DA_credentials
+# It will check if the needed settings are available
+_DA_credentials() {
+  DA_Api="${DA_Api:-$(_readaccountconf_mutable DA_Api)}"
+  DA_Api_Insecure="${DA_Api_Insecure:-$(_readaccountconf_mutable DA_Api_Insecure)}"
+  if [ -z "${DA_Api}" ] || [ -z "${DA_Api_Insecure}" ]; then
+    DA_Api=""
+    DA_Api_Insecure=""
+    _err "You haven't specified the DirectAdmin Login data, URL and whether you want check the DirectAdmin SSL cert. Please try again."
+    return 1
+  else
+    _saveaccountconf_mutable DA_Api "${DA_Api}"
+    _saveaccountconf_mutable DA_Api_Insecure "${DA_Api_Insecure}"
+    # Set whether curl should use secure or insecure mode
+    export HTTPS_INSECURE="${DA_Api_Insecure}"
+  fi
+}
+
+# Usage: _get_root _acme-challenge.www.example.com
+# Split the full domain to a domain and subdomain
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=example.com
+_get_root() {
+  domain=$1
+  i=2
+  p=1
+  # Get a list of all the domains
+  # response will contain "list[]=example.com&list[]=example.org"
+  _da_api CMD_API_SHOW_DOMAINS "" "${domain}"
+  while true; do
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _debug h "$h"
+    if [ -z "$h" ]; then
+      # not valid
+      _debug "The given domain $h is not valid"
+      return 1
+    fi
+    if _contains "$response" "$h" >/dev/null; then
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _domain=$h
+      return 0
+    fi
+    p=$i
+    i=$(_math "$i" + 1)
+  done
+  _debug "Stop on 100"
+  return 1
+}
+
+# Usage: _da_api CMD_API_* data example.com
+# Use the DirectAdmin API and check the result
+# returns
+#  response="error=0&text=Result text&details="
+_da_api() {
+  cmd=$1
+  data=$2
+  domain=$3
+  _debug "$domain; $data"
+  response="$(_post "$data" "$DA_Api/$cmd" "" "POST")"
+
+  if [ "$?" != "0" ]; then
+    _err "error $cmd"
+    return 1
+  fi
+  _debug response "$response"
+
+  case "${cmd}" in
+    CMD_API_DNS_CONTROL)
+      # Parse the result in general
+      # error=0&text=Records Deleted&details=
+      # error=1&text=Cannot View Dns Record&details=No domain provided
+      err_field="$(_getfield "$response" 1 '&')"
+      txt_field="$(_getfield "$response" 2 '&')"
+      details_field="$(_getfield "$response" 3 '&')"
+      error="$(_getfield "$err_field" 2 '=')"
+      text="$(_getfield "$txt_field" 2 '=')"
+      details="$(_getfield "$details_field" 2 '=')"
+      _debug "error: ${error}, text: ${text}, details: ${details}"
+      if [ "$error" != "0" ]; then
+        _err "error $response"
+        return 1
+      fi
+      ;;
+    CMD_API_SHOW_DOMAINS) ;;
+  esac
+  return 0
+}
+
+# Usage: _DA_getDomainInfo
+# Get the root zone if possible
+_DA_getDomainInfo() {
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  else
+    _debug "The root domain: $_domain"
+    _debug "The sub domain: $_sub_domain"
+  fi
+  return 0
+}
+
+# Usage: _DA_addTxt
+# Use the API to add a record
+_DA_addTxt() {
+  curData="domain=${_domain}&action=add&type=TXT&name=${_sub_domain}&value=\"${txtvalue}\""
+  _debug "Calling _DA_addTxt: '${curData}' '${DA_Api}/CMD_API_DNS_CONTROL'"
+  _da_api CMD_API_DNS_CONTROL "${curData}" "${_domain}"
+  _debug "Result of _DA_addTxt: '$response'"
+  if _contains "${response}" 'error=0'; then
+    _debug "Add TXT succeeded"
+    return 0
+  fi
+  _debug "Add TXT failed"
+  return 1
+}
+
+# Usage: _DA_rmTxt
+# Use the API to remove a record
+_DA_rmTxt() {
+  curData="domain=${_domain}&action=select&txtrecs0=name=${_sub_domain}&value=\"${txtvalue}\""
+  _debug "Calling _DA_rmTxt: '${curData}' '${DA_Api}/CMD_API_DNS_CONTROL'"
+  if _da_api CMD_API_DNS_CONTROL "${curData}" "${_domain}"; then
+    _debug "Result of _DA_rmTxt: '$response'"
+  else
+    _err "Result of _DA_rmTxt: '$response'"
+  fi
+  if _contains "${response}" 'error=0'; then
+    _debug "RM TXT succeeded"
+    return 0
+  fi
+  _debug "RM TXT failed"
+  return 1
+}

dnsapi/dns_freedns.sh

@@ -53,8 +53,9 @@ dns_freedns_add() {
   i="$(_math "$i" - 1)"
   sub_domain="$(echo "$fulldomain" | cut -d. -f -"$i")"
 
-  _debug top_domain "$top_domain"
-  _debug sub_domain "$sub_domain"
+  _debug "top_domain: $top_domain"
+  _debug "sub_domain: $sub_domain"
+
   # Sometimes FreeDNS does not return the subdomain page but rather
   # returns a page regarding becoming a premium member.  This usually
   # happens after a period of inactivity.  Immediately trying again
@@ -63,6 +64,7 @@ dns_freedns_add() {
   attempts=2
   while [ "$attempts" -gt "0" ]; do
     attempts="$(_math "$attempts" - 1)"
+
     htmlpage="$(_freedns_retrieve_subdomain_page "$FREEDNS_COOKIE")"
     if [ "$?" != "0" ]; then
       if [ "$using_cached_cookies" = "true" ]; then
@@ -71,10 +73,9 @@ dns_freedns_add() {
       fi
       return 1
     fi
-    _debug2 htmlpage "$htmlpage"
 
     subdomain_csv="$(echo "$htmlpage" | tr -d "\n\r" | _egrep_o '<form .*</form>' | sed 's/<tr>/@<tr>/g' | tr '@' '\n' | grep edit.php | grep "$top_domain")"
-    _debug2 subdomain_csv "$subdomain_csv"
+    _debug3 "subdomain_csv: $subdomain_csv"
 
     # The above beauty ends with striping out rows that do not have an
     # href to edit.php and do not have the top domain we are looking for.
@@ -85,55 +86,25 @@ dns_freedns_add() {
     lines="$(echo "$subdomain_csv" | wc -l)"
     i=0
     found=0
+    DNSdomainid=""
     while [ "$i" -lt "$lines" ]; do
       i="$(_math "$i" + 1)"
       line="$(echo "$subdomain_csv" | sed -n "${i}p")"
-      _debug2 line "$line"
+      _debug2 "line: $line"
       if [ $found = 0 ] && _contains "$line" "<td>$top_domain</td>"; then
         # this line will contain DNSdomainid for the top_domain
         DNSdomainid="$(echo "$line" | _egrep_o "edit_domain_id *= *.*>" | cut -d = -f 2 | cut -d '>' -f 1)"
-        _debug2 DNSdomainid "$DNSdomainid"
+        _debug2 "DNSdomainid: $DNSdomainid"
         found=1
-      else
-        # lines contain DNS records for all subdomains
-        DNSname="$(echo "$line" | _egrep_o 'edit.php.*</a>' | cut -d '>' -f 2 | cut -d '<' -f 1)"
-        _debug2 DNSname "$DNSname"
-        DNStype="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '4p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
-        _debug2 DNStype "$DNStype"
-        if [ "$DNSname" = "$fulldomain" ] && [ "$DNStype" = "TXT" ]; then
-          DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)"
-          # Now get current value for the TXT record.  This method may
-          # not produce accurate results as the value field is truncated
-          # on this webpage. To get full value we would need to load
-          # another page. However we don't really need this so long as
-          # there is only one TXT record for the acme challenge subdomain.
-          DNSvalue="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '5p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
-          _debug2 DNSvalue "$DNSvalue"
-          if [ $found != 0 ]; then
-            break
-            # we are breaking out of the loop at the first match of DNS name
-            # and DNS type (if we are past finding the domainid). This assumes
-            # that there is only ever one TXT record for the LetsEncrypt/acme
-            # challenge subdomain.  This seems to be a reasonable assumption
-            # as the acme client deletes the TXT record on successful validation.
-          fi
-        else
-          DNSname=""
-          DNStype=""
-        fi
+        break
       fi
     done
 
-    _debug "DNSname: $DNSname DNStype: $DNStype DNSdomainid: $DNSdomainid DNSdataid: $DNSdataid"
-    _debug "DNSvalue: $DNSvalue"
-
     if [ -z "$DNSdomainid" ]; then
       # If domain ID is empty then something went wrong (top level
       # domain not found at FreeDNS).
       if [ "$attempts" = "0" ]; then
         # exhausted maximum retry attempts
-        _debug "$htmlpage"
-        _debug "$subdomain_csv"
         _err "Domain $top_domain not found at FreeDNS"
         return 1
       fi
@@ -145,33 +116,10 @@ dns_freedns_add() {
     _info "Retry loading subdomain page ($attempts attempts remaining)"
   done
 
-  if [ -z "$DNSdataid" ]; then
-    # If data ID is empty then specific subdomain does not exist yet, need
-    # to create it this should always be the case as the acme client
-    # deletes the entry after domain is validated.
-    _freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue"
-    return $?
-  else
-    if [ "$txtvalue" = "$DNSvalue" ]; then
-      # if value in TXT record matches value requested then DNS record
-      # does not need to be updated. But...
-      # Testing value match fails.  Website is truncating the value field.
-      # So for now we will always go down the else path.  Though in theory
-      # should never come here anyway as the acme client deletes
-      # the TXT record on successful validation, so we should not even
-      # have found a TXT record !!
-      _info "No update necessary for $fulldomain at FreeDNS"
-      return 0
-    else
-      # Delete the old TXT record (with the wrong value)
-      if _freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid"; then
-        # And add in new TXT record with the value provided
-        _freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue"
-      fi
-      return $?
-    fi
-  fi
-  return 0
+  # Add in new TXT record with the value provided
+  _debug "Adding TXT record for $fulldomain, $txtvalue"
+  _freedns_add_txt_record "$FREEDNS_COOKIE" "$DNSdomainid" "$sub_domain" "$txtvalue"
+  return $?
 }
 
 #Usage: fulldomain txtvalue
@@ -205,7 +153,7 @@ dns_freedns_rm() {
     fi
 
     subdomain_csv="$(echo "$htmlpage" | tr -d "\n\r" | _egrep_o '<form .*</form>' | sed 's/<tr>/@<tr>/g' | tr '@' '\n' | grep edit.php | grep "$fulldomain")"
-    _debug2 subdomain_csv "$subdomain_csv"
+    _debug3 "subdomain_csv: $subdomain_csv"
 
     # The above beauty ends with striping out rows that do not have an
     # href to edit.php and do not have the domain name we are looking for.
@@ -216,35 +164,51 @@ dns_freedns_rm() {
     lines="$(echo "$subdomain_csv" | wc -l)"
     i=0
     found=0
+    DNSdataid=""
     while [ "$i" -lt "$lines" ]; do
       i="$(_math "$i" + 1)"
       line="$(echo "$subdomain_csv" | sed -n "${i}p")"
-      _debug2 line "$line"
+      _debug3 "line: $line"
       DNSname="$(echo "$line" | _egrep_o 'edit.php.*</a>' | cut -d '>' -f 2 | cut -d '<' -f 1)"
-      _debug2 DNSname "$DNSname"
-      DNStype="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '4p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
-      _debug2 DNStype "$DNStype"
-      if [ "$DNSname" = "$fulldomain" ] && [ "$DNStype" = "TXT" ]; then
-        DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)"
-        _debug2 DNSdataid "$DNSdataid"
-        DNSvalue="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '5p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
-        _debug2 DNSvalue "$DNSvalue"
-        #     if [ "$DNSvalue" = "$txtvalue" ]; then
-        # Testing value match fails.  Website is truncating the value
-        # field. So for now we will assume that there is only one TXT
-        # field for the sub domain and just delete it. Currently this
-        # is a safe assumption.
-        _freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid"
-        return $?
-        #     fi
+      _debug2 "DNSname: $DNSname"
+      if [ "$DNSname" = "$fulldomain" ]; then
+        DNStype="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '4p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
+        _debug2 "DNStype: $DNStype"
+        if [ "$DNStype" = "TXT" ]; then
+          DNSdataid="$(echo "$line" | _egrep_o 'data_id=.*' | cut -d = -f 2 | cut -d '>' -f 1)"
+          _debug2 "DNSdataid: $DNSdataid"
+          DNSvalue="$(echo "$line" | sed 's/<td/@<td/g' | tr '@' '\n' | sed -n '5p' | cut -d '>' -f 2 | cut -d '<' -f 1)"
+          if _startswith "$DNSvalue" "&quot;"; then
+            # remove the quotation from the start
+            DNSvalue="$(echo "$DNSvalue" | cut -c 7-)"
+          fi
+          if _endswith "$DNSvalue" "..."; then
+            # value was truncated, remove the dot dot dot from the end
+            DNSvalue="$(echo "$DNSvalue" | sed 's/...$//')"
+          elif _endswith "$DNSvalue" "&quot;"; then
+            # else remove the closing quotation from the end
+            DNSvalue="$(echo "$DNSvalue" | sed 's/......$//')"
+          fi
+          _debug2 "DNSvalue: $DNSvalue"
+
+          if [ -n "$DNSdataid" ] && _startswith "$txtvalue" "$DNSvalue"; then
+            # Found a match. But note... Website is truncating the
+            # value field so we are only testing that part that is not 
+            # truncated.  This should be accurate enough.
+            _debug "Deleting TXT record for $fulldomain, $txtvalue"
+            _freedns_delete_txt_record "$FREEDNS_COOKIE" "$DNSdataid"
+            return $?
+          fi
+
+        fi
       fi
     done
   done
 
   # If we get this far we did not find a match (after two attempts)
   # Not necessarily an error, but log anyway.
-  _debug2 "$subdomain_csv"
-  _info "Cannot delete TXT record for $fulldomain/$txtvalue. Does not exist at FreeDNS"
+  _debug3 "$subdomain_csv"
+  _info "Cannot delete TXT record for $fulldomain, $txtvalue. Does not exist at FreeDNS"
   return 0
 }
 
@@ -272,7 +236,7 @@ _freedns_login() {
 
   # if cookies is not empty then logon successful
   if [ -z "$cookies" ]; then
-    _debug "$htmlpage"
+    _debug3 "htmlpage: $htmlpage"
     _err "FreeDNS login failed for user $username. Check $HTTP_HEADER file"
     return 1
   fi
@@ -301,7 +265,7 @@ _freedns_retrieve_subdomain_page() {
     return 1
   fi
 
-  _debug2 "$htmlpage"
+  _debug3 "htmlpage: $htmlpage"
 
   printf "%s" "$htmlpage"
   return 0
@@ -323,17 +287,17 @@ _freedns_add_txt_record() {
     _err "FreeDNS failed to add TXT record for $subdomain bad RC from _post"
     return 1
   elif ! grep "200 OK" "$HTTP_HEADER" >/dev/null; then
-    _debug "$htmlpage"
+    _debug3 "htmlpage: $htmlpage"
     _err "FreeDNS failed to add TXT record for $subdomain. Check $HTTP_HEADER file"
     return 1
   elif _contains "$htmlpage" "security code was incorrect"; then
-    _debug "$htmlpage"
+    _debug3 "htmlpage: $htmlpage"
     _err "FreeDNS failed to add TXT record for $subdomain as FreeDNS requested security code"
     _err "Note that you cannot use automatic DNS validation for FreeDNS public domains"
     return 1
   fi
 
-  _debug2 "$htmlpage"
+  _debug3 "htmlpage: $htmlpage"
   _info "Added acme challenge TXT record for $fulldomain at FreeDNS"
   return 0
 }
@@ -352,7 +316,7 @@ _freedns_delete_txt_record() {
     _err "FreeDNS failed to delete TXT record for $data_id bad RC from _get"
     return 1
   elif ! _contains "$htmlheader" "200 OK"; then
-    _debug "$htmlheader"
+    _debug2 "htmlheader: $htmlheader"
     _err "FreeDNS failed to delete TXT record $data_id"
     return 1
   fi

dnsapi/dns_he.sh

@@ -117,7 +117,7 @@ _find_zone() {
   _debug2 response "$response"
   _table="$(echo "$response" | tr -d "#" | sed "s/<table/#<table/g" | tr -d "\n" | tr "#" "\n" | grep 'id="domains_table"')"
   _debug2 _table "$_table"
-  _matches="$(echo "$_table" | sed "s/<tr/#<tr/g" | tr "#" "\n" | grep 'alt="edit"' | tr -d " " | sed "s/<td/#<td/g" | tr "#" "\n" | sed -n 3p)"
+  _matches="$(echo "$_table" | sed "s/<tr/#<tr/g" | tr "#" "\n" | grep 'alt="edit"' | tr -d " " | sed "s/<td/#<td/g" | tr "#" "\n" | grep 'hosted_dns_zoneid')"
   _debug2 _matches "$_matches"
   # Zone names and zone IDs are in same order
   _zone_ids=$(echo "$_matches" | _egrep_o "hosted_dns_zoneid=[0-9]*&" | cut -d = -f 2 | tr -d '&')

dnsapi/dns_lua.sh

@@ -8,7 +8,6 @@
 #LUA_Email="user@luadns.net"
 
 LUA_Api="https://api.luadns.com/v1"
-LUA_auth=$(printf "%s" "$LUA_Email:$LUA_Key" | _base64)
 
 ########  Public functions #####################
 
@@ -19,6 +18,8 @@ dns_lua_add() {
 
   LUA_Key="${LUA_Key:-$(_readaccountconf_mutable LUA_Key)}"
   LUA_Email="${LUA_Email:-$(_readaccountconf_mutable LUA_Email)}"
+  LUA_auth=$(printf "%s" "$LUA_Email:$LUA_Key" | _base64)
+
   if [ -z "$LUA_Key" ] || [ -z "$LUA_Email" ]; then
     LUA_Key=""
     LUA_Email=""
@@ -60,6 +61,7 @@ dns_lua_rm() {
 
   LUA_Key="${LUA_Key:-$(_readaccountconf_mutable LUA_Key)}"
   LUA_Email="${LUA_Email:-$(_readaccountconf_mutable LUA_Email)}"
+  LUA_auth=$(printf "%s" "$LUA_Email:$LUA_Key" | _base64)
   _debug "First detect the root zone"
   if ! _get_root "$fulldomain"; then
     _err "invalid domain"

dnsapi/dns_me.sh

@@ -43,34 +43,16 @@ dns_me_add() {
     return 1
   fi
 
-  count=$(printf "%s\n" "$response" | _egrep_o "\"totalRecords\":[^,]*" | cut -d : -f 2)
-  _debug count "$count"
-  if [ "$count" = "0" ]; then
-    _info "Adding record"
-    if _me_rest POST "$_domain_id/records/" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":\"$txtvalue\",\"gtdLocation\":\"DEFAULT\",\"ttl\":120}"; then
-      if printf -- "%s" "$response" | grep \"id\": >/dev/null; then
-        _info "Added"
-        #todo: check if the record takes effect
-        return 0
-      else
-        _err "Add txt record error."
-        return 1
-      fi
-    fi
-    _err "Add txt record error."
-  else
-    _info "Updating record"
-    record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[^,]*" | cut -d : -f 2 | head -n 1)
-    _debug "record_id" "$record_id"
-
-    _me_rest PUT "$_domain_id/records/$record_id/" "{\"id\":\"$record_id\",\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":\"$txtvalue\",\"gtdLocation\":\"DEFAULT\",\"ttl\":120}"
-    if [ "$?" = "0" ]; then
-      _info "Updated"
+  _info "Adding record"
+  if _me_rest POST "$_domain_id/records/" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"value\":\"$txtvalue\",\"gtdLocation\":\"DEFAULT\",\"ttl\":120}"; then
+    if printf -- "%s" "$response" | grep \"id\": >/dev/null; then
+      _info "Added"
       #todo: check if the record takes effect
       return 0
+    else
+      _err "Add txt record error."
+      return 1
     fi
-    _err "Update error"
-    return 1
   fi
 
 }
@@ -96,7 +78,7 @@ dns_me_rm() {
   if [ "$count" = "0" ]; then
     _info "Don't need to remove."
   else
-    record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[^,]*" | cut -d : -f 2 | head -n 1)
+    record_id=$(printf "%s\n" "$response" | _egrep_o ",\"value\":\"..$txtvalue..\",\"id\":[^,]*" | cut -d : -f 3 | head -n 1)
     _debug "record_id" "$record_id"
     if [ -z "$record_id" ]; then
       _err "Can not get record id to remove."
@@ -152,7 +134,7 @@ _me_rest() {
   data="$3"
   _debug "$ep"
 
-  cdate=$(date -u +"%a, %d %b %Y %T %Z")
+  cdate=$(LANG=C date -u +"%a, %d %b %Y %T %Z")
   hmac=$(printf "%s" "$cdate" | _hmac sha1 "$(printf "%s" "$ME_Secret" | _hex_dump | tr -d " ")" hex)
 
   export _H1="x-dnsme-apiKey: $ME_Key"

dnsapi/dns_namecom.sh

@@ -1,11 +1,12 @@
 #!/usr/bin/env sh
 
-#Author: RaidneII
+#Author: RaidenII
 #Created 06/28/2017
+#Updated 03/01/2018, rewrote to support name.com API v4
 #Utilize name.com API to finish dns-01 verifications.
 ########  Public functions #####################
 
-Namecom_API="https://api.name.com/api"
+Namecom_API="https://api.name.com/v4"
 
 #Usage: dns_namecom_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_namecom_add() {
@@ -39,21 +40,18 @@ dns_namecom_add() {
   # Find domain in domain list.
   if ! _namecom_get_root "$fulldomain"; then
     _err "Unable to find domain specified."
-    _namecom_logout
     return 1
   fi
 
   # Add TXT record.
-  _namecom_addtxt_json="{\"hostname\":\"$_sub_domain\",\"type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":\"300\",\"priority\":\"10\"}"
-  if _namecom_rest POST "dns/create/$_domain" "$_namecom_addtxt_json"; then
-    retcode=$(printf "%s\n" "$response" | _egrep_o "\"code\":100")
-    if [ "$retcode" ]; then
+  _namecom_addtxt_json="{\"host\":\"$_sub_domain\",\"type\":\"TXT\",\"answer\":\"$txtvalue\",\"ttl\":\"300\"}"
+  if _namecom_rest POST "domains/$_domain/records" "$_namecom_addtxt_json"; then
+    _retvalue=$(printf "%s\n" "$response" | _egrep_o "\"$_sub_domain\"")
+    if [ "$_retvalue" ]; then
       _info "Successfully added TXT record, ready for validation."
-      _namecom_logout
       return 0
     else
       _err "Unable to add the DNS record."
-      _namecom_logout
       return 1
     fi
   fi
@@ -72,37 +70,28 @@ dns_namecom_rm() {
   # Find domain in domain list.
   if ! _namecom_get_root "$fulldomain"; then
     _err "Unable to find domain specified."
-    _namecom_logout
     return 1
   fi
 
   # Get the record id.
-  if _namecom_rest GET "dns/list/$_domain"; then
-    retcode=$(printf "%s\n" "$response" | _egrep_o "\"code\":100")
-    if [ "$retcode" ]; then
-      _record_id=$(printf "%s\n" "$response" | _egrep_o "\"record_id\":\"[0-9]+\",\"name\":\"$fulldomain\",\"type\":\"TXT\"" | cut -d \" -f 4)
-      _debug record_id "$_record_id"
+  if _namecom_rest GET "domains/$_domain/records"; then
+    _record_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]+,\"domainName\":\"$_domain\",\"host\":\"$_sub_domain\",\"fqdn\":\"$fulldomain.\",\"type\":\"TXT\",\"answer\":\"$txtvalue\"" | cut -d \" -f 3 | _egrep_o [0-9]+)
+    _debug record_id "$_record_id"
+    if [ "$_record_id" ]; then
       _info "Successfully retrieved the record id for ACME challenge."
     else
       _err "Unable to retrieve the record id."
-      _namecom_logout
       return 1
     fi
   fi
 
   # Remove the DNS record using record id.
-  _namecom_rmtxt_json="{\"record_id\":\"$_record_id\"}"
-  if _namecom_rest POST "dns/delete/$_domain" "$_namecom_rmtxt_json"; then
-    retcode=$(printf "%s\n" "$response" | _egrep_o "\"code\":100")
-    if [ "$retcode" ]; then
-      _info "Successfully removed the TXT record."
-      _namecom_logout
-      return 0
-    else
-      _err "Unable to remove the DNS record."
-      _namecom_logout
-      return 1
-    fi
+  if _namecom_rest DELETE "domains/$_domain/records/$_record_id"; then
+    _info "Successfully removed the TXT record."
+    return 0
+  else
+    _err "Unable to delete record id."
+    return 1
   fi
 }
 
@@ -112,8 +101,9 @@ _namecom_rest() {
   param=$2
   data=$3
 
-  export _H1="Content-Type: application/json"
-  export _H2="Api-Session-Token: $sessionkey"
+  export _H1="Authorization: Basic $_namecom_auth"
+  export _H2="Content-Type: application/json"
+
   if [ "$method" != "GET" ]; then
     response="$(_post "$data" "$Namecom_API/$param" "" "$method")"
   else
@@ -130,20 +120,15 @@ _namecom_rest() {
 }
 
 _namecom_login() {
-  namecom_login_json="{\"username\":\"$Namecom_Username\",\"api_token\":\"$Namecom_Token\"}"
+  # Auth string
+  # Name.com API v4 uses http basic auth to authenticate
+  # need to convert the token for http auth
+  _namecom_auth=$(printf "%s:%s" "$Namecom_Username" "$Namecom_Token" | base64)
 
-  if _namecom_rest POST "login" "$namecom_login_json"; then
-    retcode=$(printf "%s\n" "$response" | _egrep_o "\"code\":100")
+  if _namecom_rest GET "hello"; then
+    retcode=$(printf "%s\n" "$response" | _egrep_o "\"username\"\:\"$Namecom_Username\"")
     if [ "$retcode" ]; then
-      _info "Successfully logged in. Fetching session token..."
-      sessionkey=$(printf "%s\n" "$response" | _egrep_o "\"session_token\":\".+" | cut -d \" -f 4)
-      if [ ! -z "$sessionkey" ]; then
-        _debug sessionkey "$sessionkey"
-        _info "Session key obtained."
-      else
-        _err "Unable to get session key."
-        return 1
-      fi
+      _info "Successfully logged in."
     else
       _err "Logging in failed."
       return 1
@@ -151,24 +136,12 @@ _namecom_login() {
   fi
 }
 
-_namecom_logout() {
-  if _namecom_rest GET "logout"; then
-    retcode=$(printf "%s\n" "$response" | _egrep_o "\"code\":100")
-    if [ "$retcode" ]; then
-      _info "Successfully logged out."
-    else
-      _err "Error logging out."
-      return 1
-    fi
-  fi
-}
-
 _namecom_get_root() {
   domain=$1
   i=2
   p=1
 
-  if ! _namecom_rest GET "domain/list"; then
+  if ! _namecom_rest GET "domains"; then
     return 1
   fi
 

dnsapi/dns_nsone.sh

@@ -59,10 +59,10 @@ dns_nsone_add() {
     _err "Add txt record error."
   else
     _info "Updating record"
-    record_id=$(printf "%s\n" "$response" | _egrep_o "\"domain\":\"$fulldomain.\",[^{]*\"type\":\"TXT\",\"id\":\"[^,]*\"" | _head_n 1 | cut -d: -f7 | cut -d, -f1)
-    _debug "record_id" "$record_id"
+    prev_txt=$(printf "%s\n" "$response" | _egrep_o "\"domain\":\"$fulldomain\",\"short_answers\":\[\"[^,]*\]" | _head_n 1 | cut -d: -f3 | cut -d, -f1)
+    _debug "prev_txt" "$prev_txt"
 
-    _nsone_rest POST "zones/$_domain/$fulldomain/TXT" "{\"answers\": [{\"answer\": [\"$txtvalue\"]}],\"type\": \"TXT\",\"domain\":\"$fulldomain\",\"zone\": \"$_domain\"}"
+    _nsone_rest POST "zones/$_domain/$fulldomain/TXT" "{\"answers\": [{\"answer\": [\"$txtvalue\"]},{\"answer\": $prev_txt}],\"type\": \"TXT\",\"domain\":\"$fulldomain\",\"zone\": \"$_domain\"}"
     if [ "$?" = "0" ] && _contains "$response" "$fulldomain"; then
       _info "Updated!"
       #todo: check if the record takes effect

dnsapi/dns_yandex.sh

@@ -16,7 +16,7 @@ dns_yandex_add() {
   _PDD_credentials || return 1
   export _H1="PddToken: $PDD_Token"
 
-  curDomain=$(_PDD_get_domain "$fulldomain")
+  _PDD_get_domain "$fulldomain"
   _debug "Found suitable domain in pdd: $curDomain"
   curData="domain=${curDomain}&type=TXT&subdomain=${curSubdomain}&ttl=360&content=${txtvalue}"
   curUri="https://pddimp.yandex.ru/api2/admin/dns/add"
@@ -33,7 +33,7 @@ dns_yandex_rm() {
   record_id=$(pdd_get_record_id "${fulldomain}")
   _debug "Result: $record_id"
 
-  curDomain=$(_PDD_get_domain "$fulldomain")
+  _PDD_get_domain "$fulldomain"
   _debug "Found suitable domain in pdd: $curDomain"
 
   curUri="https://pddimp.yandex.ru/api2/admin/dns/del"
@@ -72,8 +72,8 @@ _PDD_get_domain() {
       if [ "$d" = "$__t" ]; then
         p=$(_math $k - 1)
         curSubdomain="$(echo "$fulldomain" | cut -d . -f "1-$p")"
-        echo "$__t"
-        return
+        curDomain="$__t"
+        return 0
       fi
     done
     k=$(_math $k + 1)
@@ -96,7 +96,7 @@ _PDD_credentials() {
 pdd_get_record_id() {
   fulldomain="${1}"
 
-  curDomain=$(_PDD_get_domain "$fulldomain")
+  _PDD_get_domain "$fulldomain"
   _debug "Found suitable domain in pdd: $curDomain"
 
   curUri="https://pddimp.yandex.ru/api2/admin/dns/list?domain=${curDomain}"