Merge branch 'acmesh-official:master' into patch-1

.github/workflows/Linux.yml

@@ -26,7 +26,7 @@ jobs:
   Linux:
     strategy:
       matrix:
-        os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "mageia", "gentoo/stage3"]
+        os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "gentoo/stage3"]
     runs-on: ubuntu-latest
     env:
       TEST_LOCAL: 1

.github/workflows/PebbleStrict.yml

@@ -65,7 +65,7 @@ jobs:
       run: |
         docker run --rm -itd --name=pebble \
         -e PEBBLE_VA_ALWAYS_VALID=1 \
-        -p 14000:14000 -p 15000:15000   letsencrypt/pebble:latest pebble -config /test/config/pebble-config.json -strict
+        -p 14000:14000 -p 15000:15000   ghcr.io/letsencrypt/pebble:latest -config /test/config/pebble-config.json -strict
     - name: Clone acmetest
       run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
     - name: Run acmetest

Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.21
+FROM alpine:3.22
 
 RUN apk --no-cache add -f \
   openssl \

README.md

@@ -98,9 +98,9 @@ https://github.com/acmesh-official/acmetest
 
 - [ZeroSSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA)(default)
 - Letsencrypt.org CA
-- [BuyPass.com CA](https://github.com/acmesh-official/acme.sh/wiki/BuyPass.com-CA)
 - [SSL.com CA](https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA)
 - [Google.com Public CA](https://github.com/acmesh-official/acme.sh/wiki/Google-Public-CA)
+- [Actalis.com CA](https://github.com/acmesh-official/acme.sh/wiki/Actalis.com-CA)
 - [Pebble strict Mode](https://github.com/letsencrypt/pebble)
 - Any other [RFC8555](https://tools.ietf.org/html/rfc8555)-compliant CA
 

acme.sh

@@ -23,9 +23,6 @@ _SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY"
 CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory"
 CA_LETSENCRYPT_V2_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"
 
-CA_BUYPASS="https://api.buypass.com/acme/directory"
-CA_BUYPASS_TEST="https://api.test4.buypass.no/acme/directory"
-
 CA_ZEROSSL="https://acme.zerossl.com/v2/DV90"
 _ZERO_EAB_ENDPOINT="https://api.zerossl.com/acme/eab-credentials-email"
 
@@ -35,6 +32,8 @@ CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc"
 CA_GOOGLE="https://dv.acme-v02.api.pki.goog/directory"
 CA_GOOGLE_TEST="https://dv.acme-v02.test-api.pki.goog/directory"
 
+CA_ACTALIS="https://acme-api.actalis.com/acme/directory"
+
 DEFAULT_CA=$CA_ZEROSSL
 DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST
 
@@ -42,14 +41,13 @@ CA_NAMES="
 ZeroSSL.com,zerossl
 LetsEncrypt.org,letsencrypt
 LetsEncrypt.org_test,letsencrypt_test,letsencrypttest
-BuyPass.com,buypass
-BuyPass.com_test,buypass_test,buypasstest
 SSL.com,sslcom
 Google.com,google
 Google.com_test,googletest,google_test
+Actalis.com,actalis.com,actalis
 "
 
-CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_SSLCOM_RSA,$CA_GOOGLE,$CA_GOOGLE_TEST"
+CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_SSLCOM_RSA,$CA_GOOGLE,$CA_GOOGLE_TEST,$CA_ACTALIS"
 
 DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
 
@@ -180,6 +178,8 @@ _VALIDITY_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Validity"
 
 _DNSCHECK_WIKI="https://github.com/acmesh-official/acme.sh/wiki/dnscheck"
 
+_PROFILESELECTION_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Profile-selection"
+
 _DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead."
 
 _DNS_MANUAL_WARN="It seems that you are using dns manual mode. please take care: $_DNS_MANUAL_ERR"
@@ -436,14 +436,28 @@ _secure_debug3() {
   fi
 }
 
+__USE_TR_TAG=""
+if [ "$(echo "abc" | LANG=C tr a-z A-Z 2>/dev/null)" != "ABC" ]; then
+  __USE_TR_TAG="1"
+fi
+export __USE_TR_TAG
+
 _upper_case() {
-  # shellcheck disable=SC2018,SC2019
-  tr '[a-z]' '[A-Z]'
+  if [ "$__USE_TR_TAG" ]; then
+    LANG=C tr '[:lower:]' '[:upper:]'
+  else
+    # shellcheck disable=SC2018,SC2019
+    LANG=C tr '[a-z]' '[A-Z]'
+  fi
 }
 
 _lower_case() {
-  # shellcheck disable=SC2018,SC2019
-  tr '[A-Z]' '[a-z]'
+  if [ "$__USE_TR_TAG" ]; then
+    LANG=C tr '[:upper:]' '[:lower:]'
+  else
+    # shellcheck disable=SC2018,SC2019
+    LANG=C tr '[A-Z]' '[a-z]'
+  fi
 }
 
 _startswith() {
@@ -4420,6 +4434,7 @@ issue() {
   _preferred_chain="${15}"
   _valid_from="${16}"
   _valid_to="${17}"
+  _certificate_profile="${18}"
 
   if [ -z "$_ACME_IS_RENEW" ]; then
     _initpath "$_main_domain" "$_key_length"
@@ -4495,6 +4510,11 @@ issue() {
   else
     _cleardomainconf "Le_Preferred_Chain"
   fi
+  if [ "$_certificate_profile" ]; then
+    _savedomainconf "Le_Certificate_Profile" "$_certificate_profile"
+  else
+    _cleardomainconf "Le_Certificate_Profile"
+  fi
 
   Le_API="$ACME_DIRECTORY"
   _savedomainconf "Le_API" "$Le_API"
@@ -4627,6 +4647,9 @@ issue() {
     if [ "$_notAfter" ]; then
       _newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\""
     fi
+    if [ "$_certificate_profile" ]; then
+      _newOrderObj="$_newOrderObj,\"profile\": \"$_certificate_profile\""
+    fi
     _debug "STEP 1, Ordering a Certificate"
     if ! _send_signed_request "$ACME_NEW_ORDER" "$_newOrderObj}"; then
       _err "Error creating new order."
@@ -5464,10 +5487,6 @@ renew() {
     _info "Switching back to $CA_LETSENCRYPT_V2"
     Le_API="$CA_LETSENCRYPT_V2"
     ;;
-  "$CA_BUYPASS_TEST")
-    _info "Switching back to $CA_BUYPASS"
-    Le_API="$CA_BUYPASS"
-    ;;
   "$CA_GOOGLE_TEST")
     _info "Switching back to $CA_GOOGLE"
     Le_API="$CA_GOOGLE"
@@ -5509,6 +5528,7 @@ renew() {
   Le_PostHook="$(_readdomainconf Le_PostHook)"
   Le_RenewHook="$(_readdomainconf Le_RenewHook)"
   Le_Preferred_Chain="$(_readdomainconf Le_Preferred_Chain)"
+  Le_Certificate_Profile="$(_readdomainconf Le_Certificate_Profile)"
   # When renewing from an old version, the empty Le_Keylength means 2048.
   # Note, do not use DEFAULT_DOMAIN_KEY_LENGTH as that value may change over
   # time but an empty value implies 2048 specifically.
@@ -5523,7 +5543,7 @@ renew() {
       _cleardomainconf Le_OCSP_Staple
     fi
   fi
-  issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To"
+  issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To" "$Le_Certificate_Profile"
   res="$?"
   if [ "$res" != "0" ]; then
     return "$res"
@@ -5784,7 +5804,7 @@ list() {
   _sep="|"
   if [ "$_raw" ]; then
     if [ -z "$_domain" ]; then
-      printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}CA${_sep}Created${_sep}Renew"
+      printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Profile${_sep}CA${_sep}Created${_sep}Renew"
     fi
     for di in "${CERT_HOME}"/*.*/; do
       d=$(basename "$di")
@@ -5799,7 +5819,7 @@ list() {
           . "$DOMAIN_CONF"
           _ca="$(_getCAShortName "$Le_API")"
           if [ -z "$_domain" ]; then
-            printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$_ca${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr"
+            printf "%s\n" "$Le_Domain${_sep}\"$Le_Keylength\"${_sep}$Le_Alt${_sep}$Le_Certificate_Profile${_sep}$_ca${_sep}$Le_CertCreateTimeStr${_sep}$Le_NextRenewTimeStr"
           else
             if [ "$_domain" = "$d" ]; then
               cat "$DOMAIN_CONF"
@@ -5818,6 +5838,48 @@ list() {
 
 }
 
+list_profiles() {
+  _initpath
+  _initAPI
+
+  _l_server_url="$ACME_DIRECTORY"
+  _l_server_name="$(_getCAShortName "$_l_server_url")"
+  _info "Fetching profiles from $_l_server_name ($_l_server_url)..."
+
+  response=$(_get "$_l_server_url" "" 10)
+  if [ "$?" != "0" ]; then
+    _err "Failed to connect to CA directory: $_l_server_url"
+    return 1
+  fi
+
+  normalized_response=$(echo "$response" | _normalizeJson)
+  profiles_json=$(echo "$normalized_response" | _egrep_o '"profiles" *: *\{[^\}]*\}')
+
+  if [ -z "$profiles_json" ]; then
+    _info "The CA '$_l_server_name' does not publish certificate profiles via its directory endpoint."
+    return 0
+  fi
+
+  # Strip the outer layer to get the key-value pairs
+  profiles_kv=$(echo "$profiles_json" | sed 's/"profiles" *: *{//' | sed 's/}$//' | tr ',' '\n')
+
+  printf "\n%-15s %s\n" "name" "info"
+  printf -- "--------------------------------------------------------------------\n"
+
+  _old_IFS="$IFS"
+  IFS='
+'
+  for pair in $profiles_kv; do
+    # Trim quotes and whitespace
+    _name=$(echo "$pair" | cut -d: -f1 | tr -d '" \t')
+    _info_url=$(echo "$pair" | cut -d: -f2- | sed 's/^ *//' | tr -d '"')
+    printf "%-15s %s\n" "$_name" "$_info_url"
+  done
+  IFS="$_old_IFS"
+
+  return 0
+}
+
 _deploy() {
   _d="$1"
   _hooks="$2"
@@ -6996,6 +7058,9 @@ Parameters:
                                       If no match, the default offered chain will be used. (default: empty)
                                       See: $_PREFERRED_CHAIN_WIKI
 
+  --cert-profile, --certificate-profile <profile>  If the CA offers profiles, select the desired profile
+                                      See: $_PROFILESELECTION_WIKI
+
   --valid-to    <date-time>         Request the NotAfter field of the cert.
                                       See: $_VALIDITY_WIKI
   --valid-from  <date-time>         Request the NotBefore field of the cert.
@@ -7371,6 +7436,7 @@ _process() {
   _preferred_chain=""
   _valid_from=""
   _valid_to=""
+  _certificate_profile=""
   while [ ${#} -gt 0 ]; do
     case "${1}" in
 
@@ -7474,6 +7540,9 @@ _process() {
     --set-default-chain)
       _CMD="setdefaultchain"
       ;;
+    --list-profiles)
+      _CMD="list_profiles"
+      ;;
     -d | --domain)
       _dvalue="$2"
 
@@ -7689,6 +7758,10 @@ _process() {
       _valid_to="$2"
       shift
       ;;
+    --certificate-profile | --cert-profile)
+      _certificate_profile="$2"
+      shift
+      ;;
     --httpport)
       _httpport="$2"
       Le_HTTPPort="$_httpport"
@@ -7964,7 +8037,7 @@ _process() {
   uninstall) uninstall "$_nocron" ;;
   upgrade) upgrade ;;
   issue)
-    issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to"
+    issue "$_webroot" "$_domain" "$_altdomains" "$_keylength" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain" "$_valid_from" "$_valid_to" "$_certificate_profile"
     ;;
   deploy)
     deploy "$_domain" "$_deploy_hook" "$_ecc"
@@ -8035,6 +8108,9 @@ _process() {
   setdefaultchain)
     setdefaultchain "$_preferred_chain"
     ;;
+  list_profiles)
+    list_profiles
+    ;;
   *)
     if [ "$_CMD" ]; then
       _err "Invalid command: $_CMD"

deploy/cachefly.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificate to CacheFly
+# https://api.cachefly.com/api/2.5/docs#tag/Certificates/paths/~1certificates/post
+
+# This deployment required following variables
+# export CACHEFLY_TOKEN="Your CacheFly API Token"
+
+# returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+CACHEFLY_API_BASE="https://api.cachefly.com/api/2.5"
+
+cachefly_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ -z "$CACHEFLY_TOKEN" ]; then
+    _err "CACHEFLY_TOKEN is not defined."
+    return 1
+  else
+    _savedomainconf CACHEFLY_TOKEN "$CACHEFLY_TOKEN"
+  fi
+
+  _info "Deploying certificate to CacheFly..."
+
+  ## upload certificate
+  string_fullchain=$(sed 's/$/\\n/' "$_cfullchain" | tr -d '\n')
+  string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n')
+
+  _request_body="{\"certificate\":\"$string_fullchain\",\"certificateKey\":\"$string_key\"}"
+  _debug _request_body "$_request_body"
+  _debug CACHEFLY_TOKEN "$CACHEFLY_TOKEN"
+  export _H1="Authorization: Bearer $CACHEFLY_TOKEN"
+  _response=$(_post "$_request_body" "$CACHEFLY_API_BASE/certificates" "" "POST" "application/json")
+
+  if _contains "$_response" "message"; then
+    _err "Error in deploying $_cdomain certificate to CacheFly."
+    _err "$_response"
+    return 1
+  fi
+  _debug response "$_response"
+  _info "Domain $_cdomain certificate successfully deployed to CacheFly."
+  return 0
+}

deploy/directadmin.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificate to DirectAdmin
+# https://docs.directadmin.com/directadmin/customizing-workflow/api-all-about.html#creating-a-login-key
+# https://docs.directadmin.com/changelog/version-1.24.4.html#cmd-api-catch-all-pop-passwords-frontpage-protected-dirs-ssl-certs
+
+# This deployment required following variables
+# export DirectAdmin_SCHEME="https" # Optional, https or http, defaults to https
+# export DirectAdmin_ENDPOINT="example.com:2222"
+# export DirectAdmin_USERNAME="Your DirectAdmin Username"
+# export DirectAdmin_KEY="Your DirectAdmin Login Key or Password"
+# export DirectAdmin_MAIN_DOMAIN="Your DirectAdmin Main Domain, NOT Subdomain"
+
+# returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+directadmin_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ -z "$DirectAdmin_ENDPOINT" ]; then
+    _err "DirectAdmin_ENDPOINT is not defined."
+    return 1
+  else
+    _savedomainconf DirectAdmin_ENDPOINT "$DirectAdmin_ENDPOINT"
+  fi
+  if [ -z "$DirectAdmin_USERNAME" ]; then
+    _err "DirectAdmin_USERNAME is not defined."
+    return 1
+  else
+    _savedomainconf DirectAdmin_USERNAME "$DirectAdmin_USERNAME"
+  fi
+  if [ -z "$DirectAdmin_KEY" ]; then
+    _err "DirectAdmin_KEY is not defined."
+    return 1
+  else
+    _savedomainconf DirectAdmin_KEY "$DirectAdmin_KEY"
+  fi
+  if [ -z "$DirectAdmin_MAIN_DOMAIN" ]; then
+    _err "DirectAdmin_MAIN_DOMAIN is not defined."
+    return 1
+  else
+    _savedomainconf DirectAdmin_MAIN_DOMAIN "$DirectAdmin_MAIN_DOMAIN"
+  fi
+
+  # Optional SCHEME
+  _getdeployconf DirectAdmin_SCHEME
+  # set default values for DirectAdmin_SCHEME
+  [ -n "${DirectAdmin_SCHEME}" ] || DirectAdmin_SCHEME="https"
+
+  _info "Deploying certificate to DirectAdmin..."
+
+  # upload certificate
+  string_cfullchain=$(sed 's/$/\\n/' "$_cfullchain" | tr -d '\n')
+  string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n')
+
+  _request_body="{\"domain\":\"$DirectAdmin_MAIN_DOMAIN\",\"action\":\"save\",\"type\":\"paste\",\"certificate\":\"$string_key\n$string_cfullchain\n\"}"
+  _debug _request_body "$_request_body"
+  _debug DirectAdmin_ENDPOINT "$DirectAdmin_ENDPOINT"
+  _debug DirectAdmin_USERNAME "$DirectAdmin_USERNAME"
+  _debug DirectAdmin_KEY "$DirectAdmin_KEY"
+  _debug DirectAdmin_MAIN_DOMAIN "$DirectAdmin_MAIN_DOMAIN"
+  _response=$(_post "$_request_body" "$DirectAdmin_SCHEME://$DirectAdmin_USERNAME:$DirectAdmin_KEY@$DirectAdmin_ENDPOINT/CMD_API_SSL" "" "POST" "application/json")
+
+  if _contains "$_response" "error=1"; then
+    _err "Error in deploying $_cdomain certificate to DirectAdmin Domain $DirectAdmin_MAIN_DOMAIN."
+    _err "$_response"
+    return 1
+  fi
+
+  _info "$_response"
+  _info "Domain $_cdomain certificate successfully deployed to DirectAdmin Domain $DirectAdmin_MAIN_DOMAIN."
+
+  return 0
+}

deploy/edgio.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env sh
+
+# Here is a script to deploy cert to edgio using its API
+# https://docs.edg.io/guides/v7/develop/rest_api/authentication
+# https://docs.edg.io/rest_api/#tag/tls-certs/operation/postConfigV01TlsCerts
+
+# This deployment required following variables
+# export EDGIO_CLIENT_ID="Your Edgio Client ID"
+# export EDGIO_CLIENT_SECRET="Your Edgio Client Secret"
+# export EDGIO_ENVIRONMENT_ID="Your Edgio Environment ID"
+
+# If have more than one Environment ID
+# export EDGIO_ENVIRONMENT_ID="ENVIRONMENT_ID_1 ENVIRONMENT_ID_2"
+
+# returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+edgio_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ -z "$EDGIO_CLIENT_ID" ]; then
+    _err "EDGIO_CLIENT_ID is not defined."
+    return 1
+  else
+    _savedomainconf EDGIO_CLIENT_ID "$EDGIO_CLIENT_ID"
+  fi
+
+  if [ -z "$EDGIO_CLIENT_SECRET" ]; then
+    _err "EDGIO_CLIENT_SECRET is not defined."
+    return 1
+  else
+    _savedomainconf EDGIO_CLIENT_SECRET "$EDGIO_CLIENT_SECRET"
+  fi
+
+  if [ -z "$EDGIO_ENVIRONMENT_ID" ]; then
+    _err "EDGIO_ENVIRONMENT_ID is not defined."
+    return 1
+  else
+    _savedomainconf EDGIO_ENVIRONMENT_ID "$EDGIO_ENVIRONMENT_ID"
+  fi
+
+  _info "Getting access token"
+  _data="client_id=$EDGIO_CLIENT_ID&client_secret=$EDGIO_CLIENT_SECRET&grant_type=client_credentials&scope=app.config"
+  _debug Get_access_token_data "$_data"
+  _response=$(_post "$_data" "https://id.edgio.app/connect/token" "" "POST" "application/x-www-form-urlencoded")
+  _debug Get_access_token_response "$_response"
+  _access_token=$(echo "$_response" | _json_decode | _egrep_o '"access_token":"[^"]*' | cut -d : -f 2 | tr -d '"')
+  _debug _access_token "$_access_token"
+  if [ -z "$_access_token" ]; then
+    _err "Error in getting access token"
+    return 1
+  fi
+
+  _info "Uploading certificate"
+  string_ccert=$(sed 's/$/\\n/' "$_ccert" | tr -d '\n')
+  string_cca=$(sed 's/$/\\n/' "$_cca" | tr -d '\n')
+  string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n')
+
+  for ENVIRONMENT_ID in $EDGIO_ENVIRONMENT_ID; do
+    _data="{\"environment_id\":\"$ENVIRONMENT_ID\",\"primary_cert\":\"$string_ccert\",\"intermediate_cert\":\"$string_cca\",\"private_key\":\"$string_key\"}"
+    _debug Upload_certificate_data "$_data"
+    _H1="Authorization: Bearer $_access_token"
+    _response=$(_post "$_data" "https://edgioapis.com/config/v0.1/tls-certs" "" "POST" "application/json")
+    if _contains "$_response" "message"; then
+      _err "Error in deploying $_cdomain certificate to Edgio ENVIRONMENT_ID $ENVIRONMENT_ID."
+      _err "$_response"
+      return 1
+    fi
+    _debug Upload_certificate_response "$_response"
+    _info "Domain $_cdomain certificate successfully deployed to Edgio ENVIRONMENT_ID $ENVIRONMENT_ID."
+  done
+
+  return 0
+}

deploy/keyhelp.sh

@@ -0,0 +1,131 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificate to KeyHelp
+# This deployment required following variables
+# export DEPLOY_KEYHELP_BASEURL="https://keyhelp.example.com"
+# export DEPLOY_KEYHELP_USERNAME="Your KeyHelp Username"
+# export DEPLOY_KEYHELP_PASSWORD="Your KeyHelp Password"
+# export DEPLOY_KEYHELP_DOMAIN_ID="Depoly certificate to this Domain ID"
+
+# Open the 'Edit domain' page, and you will see id=xxx at the end of the URL. This is the Domain ID.
+# https://DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit&id=xxx
+
+# If have more than one domain name
+# export DEPLOY_KEYHELP_DOMAIN_ID="111 222 333"
+
+keyhelp_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ -z "$DEPLOY_KEYHELP_BASEURL" ]; then
+    _err "DEPLOY_KEYHELP_BASEURL is not defined."
+    return 1
+  else
+    _savedomainconf DEPLOY_KEYHELP_BASEURL "$DEPLOY_KEYHELP_BASEURL"
+  fi
+
+  if [ -z "$DEPLOY_KEYHELP_USERNAME" ]; then
+    _err "DEPLOY_KEYHELP_USERNAME is not defined."
+    return 1
+  else
+    _savedomainconf DEPLOY_KEYHELP_USERNAME "$DEPLOY_KEYHELP_USERNAME"
+  fi
+
+  if [ -z "$DEPLOY_KEYHELP_PASSWORD" ]; then
+    _err "DEPLOY_KEYHELP_PASSWORD is not defined."
+    return 1
+  else
+    _savedomainconf DEPLOY_KEYHELP_PASSWORD "$DEPLOY_KEYHELP_PASSWORD"
+  fi
+
+  if [ -z "$DEPLOY_KEYHELP_DOMAIN_ID" ]; then
+    _err "DEPLOY_KEYHELP_DOMAIN_ID is not defined."
+    return 1
+  else
+    _savedomainconf DEPLOY_KEYHELP_DOMAIN_ID "$DEPLOY_KEYHELP_DOMAIN_ID"
+  fi
+
+  # Optional DEPLOY_KEYHELP_ENFORCE_HTTPS
+  _getdeployconf DEPLOY_KEYHELP_ENFORCE_HTTPS
+  # set default values for DEPLOY_KEYHELP_ENFORCE_HTTPS
+  [ -n "${DEPLOY_KEYHELP_ENFORCE_HTTPS}" ] || DEPLOY_KEYHELP_ENFORCE_HTTPS="1"
+
+  _info "Logging in to keyhelp panel"
+  username_encoded="$(printf "%s" "${DEPLOY_KEYHELP_USERNAME}" | _url_encode)"
+  password_encoded="$(printf "%s" "${DEPLOY_KEYHELP_PASSWORD}" | _url_encode)"
+  _H1="Content-Type: application/x-www-form-urlencoded"
+  _response=$(_get "$DEPLOY_KEYHELP_BASEURL/index.php?submit=1&username=$username_encoded&password=$password_encoded" "TRUE")
+  _cookie="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2)"
+
+  # If cookies is not empty then logon successful
+  if [ -z "$_cookie" ]; then
+    _err "Fail to get cookie."
+    return 1
+  fi
+  _debug "cookie" "$_cookie"
+
+  _info "Uploading certificate"
+  _date=$(date +"%Y%m%d")
+  encoded_key="$(_url_encode <"$_ckey")"
+  encoded_ccert="$(_url_encode <"$_ccert")"
+  encoded_cca="$(_url_encode <"$_cca")"
+  certificate_name="$_cdomain-$_date"
+
+  _request_body="submit=1&certificate_name=$certificate_name&add_type=upload&text_private_key=$encoded_key&text_certificate=$encoded_ccert&text_ca_certificate=$encoded_cca"
+  _H1="Cookie: $_cookie"
+  _response=$(_post "$_request_body" "$DEPLOY_KEYHELP_BASEURL/index.php?page=ssl_certificates&action=add" "" "POST")
+  _message=$(echo "$_response" | grep -A 2 'message-body' | sed -n '/<div class="message-body ">/,/<\/div>/{//!p;}' | sed 's/<[^>]*>//g' | sed 's/^ *//;s/ *$//')
+  _info "_message" "$_message"
+  if [ -z "$_message" ]; then
+    _err "Fail to upload certificate."
+    return 1
+  fi
+
+  for DOMAIN_ID in $DEPLOY_KEYHELP_DOMAIN_ID; do
+    _info "Apply certificate to domain id $DOMAIN_ID"
+    _response=$(_get "$DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit&id=$DOMAIN_ID")
+    cert_value=$(echo "$_response" | grep "$certificate_name" | sed -n 's/.*value="\([^"]*\).*/\1/p')
+    target_type=$(echo "$_response" | grep 'target_type' | grep 'checked' | sed -n 's/.*value="\([^"]*\).*/\1/p')
+    if [ "$target_type" = "directory" ]; then
+      path=$(echo "$_response" | awk '/name="path"/{getline; print}' | sed -n 's/.*value="\([^"]*\).*/\1/p')
+    fi
+    echo "$_response" | grep "is_prefer_https" | grep "checked" >/dev/null
+    if [ $? -eq 0 ]; then
+      is_prefer_https=1
+    else
+      is_prefer_https=0
+    fi
+    echo "$_response" | grep "hsts_enabled" | grep "checked" >/dev/null
+    if [ $? -eq 0 ]; then
+      hsts_enabled=1
+    else
+      hsts_enabled=0
+    fi
+    _debug "cert_value" "$cert_value"
+    if [ -z "$cert_value" ]; then
+      _err "Fail to get certificate id."
+      return 1
+    fi
+
+    _request_body="submit=1&id=$DOMAIN_ID&target_type=$target_type&path=$path&is_prefer_https=$is_prefer_https&hsts_enabled=$hsts_enabled&certificate_type=custom&certificate_id=$cert_value&enforce_https=$DEPLOY_KEYHELP_ENFORCE_HTTPS"
+    _response=$(_post "$_request_body" "$DEPLOY_KEYHELP_BASEURL/index.php?page=domains&action=edit" "" "POST")
+    _message=$(echo "$_response" | grep -A 2 'message-body' | sed -n '/<div class="message-body ">/,/<\/div>/{//!p;}' | sed 's/<[^>]*>//g' | sed 's/^ *//;s/ *$//')
+    _info "_message" "$_message"
+    if [ -z "$_message" ]; then
+      _err "Fail to apply certificate."
+      return 1
+    fi
+  done
+
+  _info "Domain $_cdomain certificate successfully deployed to KeyHelp Domain ID $DEPLOY_KEYHELP_DOMAIN_ID."
+  return 0
+}

deploy/keyhelp_api.sh

@@ -0,0 +1,86 @@
+#!/usr/bin/env sh
+
+keyhelp_api_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+
+  # Read config from saved values or env
+  _getdeployconf DEPLOY_KEYHELP_HOST
+  _getdeployconf DEPLOY_KEYHELP_API_KEY
+
+  _debug DEPLOY_KEYHELP_HOST "$DEPLOY_KEYHELP_HOST"
+  _secure_debug DEPLOY_KEYHELP_API_KEY "$DEPLOY_KEYHELP_API_KEY"
+
+  if [ -z "$DEPLOY_KEYHELP_HOST" ]; then
+    _err "KeyHelp host not found, please define DEPLOY_KEYHELP_HOST."
+    return 1
+  fi
+  if [ -z "$DEPLOY_KEYHELP_API_KEY" ]; then
+    _err "KeyHelp api key not found, please define DEPLOY_KEYHELP_API_KEY."
+    return 1
+  fi
+
+  # Save current values
+  _savedeployconf DEPLOY_KEYHELP_HOST "$DEPLOY_KEYHELP_HOST"
+  _savedeployconf DEPLOY_KEYHELP_API_KEY "$DEPLOY_KEYHELP_API_KEY"
+
+  _request_key="$(tr '\n' ':' <"$_ckey" | sed 's/:/\\n/g')"
+  _request_cert="$(tr '\n' ':' <"$_ccert" | sed 's/:/\\n/g')"
+  _request_ca="$(tr '\n' ':' <"$_cca" | sed 's/:/\\n/g')"
+
+  _request_body="{
+    \"name\": \"$_cdomain\",
+    \"components\": {
+      \"private_key\": \"$_request_key\",
+      \"certificate\": \"$_request_cert\",
+      \"ca_certificate\": \"$_request_ca\"
+    }
+  }"
+
+  _hosts="$(echo "$DEPLOY_KEYHELP_HOST" | tr "," " ")"
+  _keys="$(echo "$DEPLOY_KEYHELP_API_KEY" | tr "," " ")"
+  _i=1
+
+  for _host in $_hosts; do
+    _key="$(_getfield "$_keys" "$_i" " ")"
+    _i="$(_math "$_i" + 1)"
+
+    export _H1="X-API-Key: $_key"
+
+    _put_url="$_host/api/v2/certificates/name/$_cdomain"
+    if _post "$_request_body" "$_put_url" "" "PUT" "application/json" >/dev/null; then
+      _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
+    else
+      _err "Cannot make PUT request to $_put_url"
+      return 1
+    fi
+
+    if [ "$_code" = "404" ]; then
+      _info "$_cdomain not found, creating new entry at $_host"
+
+      _post_url="$_host/api/v2/certificates"
+      if _post "$_request_body" "$_post_url" "" "POST" "application/json" >/dev/null; then
+        _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
+      else
+        _err "Cannot make POST request to $_post_url"
+        return 1
+      fi
+    fi
+
+    if _startswith "$_code" "2"; then
+      _info "$_cdomain set at $_host"
+    else
+      _err "HTTP status code is $_code"
+      return 1
+    fi
+  done
+
+  return 0
+}

deploy/netlify.sh

@@ -0,0 +1,69 @@
+#!/usr/bin/env sh
+
+# Script to deploy certificate to Netlify
+# https://docs.netlify.com/api/get-started/#authentication
+# https://open-api.netlify.com/#tag/sniCertificate
+
+# This deployment required following variables
+# export Netlify_ACCESS_TOKEN="Your Netlify Access Token"
+# export Netlify_SITE_ID="Your Netlify Site ID"
+
+# If have more than one SITE ID
+# export Netlify_SITE_ID="SITE_ID_1 SITE_ID_2"
+
+# returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+netlify_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if [ -z "$Netlify_ACCESS_TOKEN" ]; then
+    _err "Netlify_ACCESS_TOKEN is not defined."
+    return 1
+  else
+    _savedomainconf Netlify_ACCESS_TOKEN "$Netlify_ACCESS_TOKEN"
+  fi
+  if [ -z "$Netlify_SITE_ID" ]; then
+    _err "Netlify_SITE_ID is not defined."
+    return 1
+  else
+    _savedomainconf Netlify_SITE_ID "$Netlify_SITE_ID"
+  fi
+
+  _info "Deploying certificate to Netlify..."
+
+  ## upload certificate
+  string_ccert=$(sed 's/$/\\n/' "$_ccert" | tr -d '\n')
+  string_cca=$(sed 's/$/\\n/' "$_cca" | tr -d '\n')
+  string_key=$(sed 's/$/\\n/' "$_ckey" | tr -d '\n')
+
+  for SITE_ID in $Netlify_SITE_ID; do
+    _request_body="{\"certificate\":\"$string_ccert\",\"key\":\"$string_key\",\"ca_certificates\":\"$string_cca\"}"
+    _debug _request_body "$_request_body"
+    _debug Netlify_ACCESS_TOKEN "$Netlify_ACCESS_TOKEN"
+    export _H1="Authorization: Bearer $Netlify_ACCESS_TOKEN"
+    _response=$(_post "$_request_body" "https://api.netlify.com/api/v1/sites/$SITE_ID/ssl" "" "POST" "application/json")
+
+    if _contains "$_response" "\"error\""; then
+      _err "Error in deploying $_cdomain certificate to Netlify SITE_ID $SITE_ID."
+      _err "$_response"
+      return 1
+    fi
+    _debug response "$_response"
+    _info "Domain $_cdomain certificate successfully deployed to Netlify SITE_ID $SITE_ID."
+  done
+
+  return 0
+}

deploy/truenas_ws.sh

@@ -39,13 +39,13 @@ _ws_call() {
   _debug "_ws_call arg2" "$2"
   _debug "_ws_call arg3" "$3"
   if [ $# -eq 3 ]; then
-    _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2" "$3")
+    _ws_response=$(midclt --uri "$_ws_uri" -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2" "$3")
   fi
   if [ $# -eq 2 ]; then
-    _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2")
+    _ws_response=$(midclt --uri "$_ws_uri" -K "$DEPLOY_TRUENAS_APIKEY" call "$1" "$2")
   fi
   if [ $# -eq 1 ]; then
-    _ws_response=$(midclt -K "$DEPLOY_TRUENAS_APIKEY" call "$1")
+    _ws_response=$(midclt --uri "$_ws_uri" -K "$DEPLOY_TRUENAS_APIKEY" call "$1")
   fi
   _debug "_ws_response" "$_ws_response"
   printf "%s" "$_ws_response"
@@ -60,7 +60,7 @@ _ws_upload_cert() {
 import sys
 
 from truenas_api_client import Client
-with Client() as c:
+with Client(uri="$_ws_uri") as c:
 
   ### Login with API key
   print("I:Trying to upload new certificate...")
@@ -71,7 +71,7 @@ with Client() as c:
       fullchain = file.read()
     with open('$2', 'r') as file:
       privatekey = file.read()
-    ret = c.call("certificate.create", {"name": "$3", "create_type": "CERTIFICATE_CREATE_IMPORTED", "certificate": fullchain, "privatekey": privatekey, "passphrase": ""}, job=True)
+    ret = c.call("certificate.create", {"name": "$3", "create_type": "CERTIFICATE_CREATE_IMPORTED", "certificate": fullchain, "privatekey": privatekey}, job=True)
     print("R:" + str(ret["id"]))
     sys.exit(0)
   else:
@@ -121,7 +121,7 @@ _ws_check_jobid() {
 #   n/a
 _ws_get_job_result() {
   while true; do
-    sleep 2
+    _sleep 2
     _ws_response=$(_ws_call "core.get_jobs" "[[\"id\", \"=\", $1]]")
     if [ "$(printf "%s" "$_ws_response" | jq -r '.[]."state"')" != "RUNNING" ]; then
       _ws_result="$(printf "%s" "$_ws_response" | jq '.[]."result"')"
@@ -179,11 +179,27 @@ truenas_ws_deploy() {
 
   _info "Checking environment variables..."
   _getdeployconf DEPLOY_TRUENAS_APIKEY
+  _getdeployconf DEPLOY_TRUENAS_HOSTNAME
+  _getdeployconf DEPLOY_TRUENAS_PROTOCOL
   # Check API Key
   if [ -z "$DEPLOY_TRUENAS_APIKEY" ]; then
     _err "TrueNAS API key not found, please set the DEPLOY_TRUENAS_APIKEY environment variable."
     return 1
   fi
+  # Check Hostname, default to localhost if not set
+  if [ -z "$DEPLOY_TRUENAS_HOSTNAME" ]; then
+    _info "TrueNAS hostname not set. Using 'localhost'."
+    DEPLOY_TRUENAS_HOSTNAME="localhost"
+  fi
+  # Check protocol, default to ws if not set
+  if [ -z "$DEPLOY_TRUENAS_PROTOCOL" ]; then
+    _info "TrueNAS protocol not set. Using 'ws'."
+    DEPLOY_TRUENAS_PROTOCOL="ws"
+  fi
+  _ws_uri="$DEPLOY_TRUENAS_PROTOCOL://$DEPLOY_TRUENAS_HOSTNAME/websocket"
+  _debug2 DEPLOY_TRUENAS_HOSTNAME "$DEPLOY_TRUENAS_HOSTNAME"
+  _debug2 DEPLOY_TRUENAS_PROTOCOL "$DEPLOY_TRUENAS_PROTOCOL"
+  _debug _ws_uri "$_ws_uri"
   _secure_debug2 DEPLOY_TRUENAS_APIKEY "$DEPLOY_TRUENAS_APIKEY"
   _info "Environment variables: OK"
 
@@ -205,6 +221,8 @@ truenas_ws_deploy() {
     return 2
   fi
   _savedeployconf DEPLOY_TRUENAS_APIKEY "$DEPLOY_TRUENAS_APIKEY"
+  _savedeployconf DEPLOY_TRUENAS_HOSTNAME "$DEPLOY_TRUENAS_HOSTNAME"
+  _savedeployconf DEPLOY_TRUENAS_PROTOCOL "$DEPLOY_TRUENAS_PROTOCOL"
   _info "TrueNAS health: OK"
 
   ########## System info
@@ -304,7 +322,7 @@ truenas_ws_deploy() {
   _info "Restarting WebUI..."
   _ws_response=$(_ws_call "system.general.ui_restart")
   _info "Waiting for UI restart..."
-  sleep 6
+  _sleep 15
 
   ########## Certificates
 

deploy/unifi.sh

@@ -143,8 +143,10 @@ unifi_deploy() {
 
     # correct file ownership according to the directory, the keystore is placed in
     _unifi_keystore_dir=$(dirname "${_unifi_keystore}")
-    _unifi_keystore_dir_owner=$(find "${_unifi_keystore_dir}" -maxdepth 0 -printf '%u\n')
-    _unifi_keystore_owner=$(find "${_unifi_keystore}" -maxdepth 0 -printf '%u\n')
+    # shellcheck disable=SC2012
+    _unifi_keystore_dir_owner=$(ls -ld "${_unifi_keystore_dir}" | awk '{print $3}')
+    # shellcheck disable=SC2012
+    _unifi_keystore_owner=$(ls -l "${_unifi_keystore}" | awk '{print $3}')
     if ! [ "${_unifi_keystore_owner}" = "${_unifi_keystore_dir_owner}" ]; then
       _debug "Changing keystore owner to ${_unifi_keystore_dir_owner}"
       chown "$_unifi_keystore_dir_owner" "${_unifi_keystore}" >/dev/null 2>&1 # fail quietly if we're not running as root

dnsapi/dns_curanet.sh

@@ -15,7 +15,7 @@ CURANET_REST_URL="https://api.curanet.dk/dns/v1/Domains"
 CURANET_AUTH_URL="https://apiauth.dk.team.blue/auth/realms/Curanet/protocol/openid-connect/token"
 CURANET_ACCESS_TOKEN=""
 
-########  Public functions #####################
+########  Public functions ####################
 
 #Usage: dns_curanet_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_curanet_add() {
@@ -154,7 +154,7 @@ _get_root() {
     export _H3="Authorization: Bearer $CURANET_ACCESS_TOKEN"
     response="$(_get "$CURANET_REST_URL/$h/Records" "" "")"
 
-    if [ ! "$(echo "$response" | _egrep_o "Entity not found")" ]; then
+    if [ ! "$(echo "$response" | _egrep_o "Entity not found|Bad Request")" ]; then
       _domain=$h
       return 0
     fi

dnsapi/dns_opnsense.sh

@@ -110,15 +110,16 @@ rm_record() {
   if _existingchallenge "$_domain" "$_host" "$new_challenge"; then
     # Delete
     if _opns_rest "POST" "/record/delRecord/${_uuid}" "\{\}"; then
-      if echo "$_return_str" | _egrep_o "\"result\":\"deleted\"" >/dev/null; then
-        _opns_rest "POST" "/service/reconfigure" "{}"
+      if echo "$response" | _egrep_o "\"result\":\"deleted\"" >/dev/null; then
         _debug "Record deleted"
+        _opns_rest "POST" "/service/reconfigure" "{}"
+        _debug "Service reconfigured"
       else
         _err "Error deleting record $_host from domain $fulldomain"
         return 1
       fi
     else
-      _err "Error deleting record $_host from domain $fulldomain"
+      _err "Error requesting deletion of record $_host from domain $fulldomain"
       return 1
     fi
   else
@@ -150,14 +151,17 @@ _get_root() {
       return 1
     fi
     _debug h "$h"
-    id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
-    if [ -n "$id" ]; then
-      _debug id "$id"
-      _host=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
-      _domain="${h}"
-      _domainid="${id}"
-      return 0
-    fi
+    lines=$(echo "$_domain_response" | sed 's/{/\n/g')
+    for line in $lines; do
+      id=$(echo "$line" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",.*\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
+      if [ -n "$id" ]; then
+        _debug id "$id"
+        _host=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
+        _domain="${h}"
+        _domainid="${id}"
+        return 0
+      fi
+    done
     p=$i
     i=$(_math "$i" + 1)
   done
@@ -206,13 +210,13 @@ _existingchallenge() {
     return 1
   fi
   _uuid=""
-  _uuid=$(echo "$_record_response" | _egrep_o "\"uuid\":\"[^\"]*\",\"enabled\":\"[01]\",\"domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
+  _uuid=$(echo "$_record_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"[01]\",\"domain\":\"[a-z0-9\-]*\",\"%domain\":\"$1\",\"name\":\"$2\",\"type\":\"TXT\",\"value\":\"$3\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
 
   if [ -n "$_uuid" ]; then
     _debug uuid "$_uuid"
     return 0
   fi
-  _debug "${2}.$1{1} record not found"
+  _debug "${2}.${1} record not found"
 
   return 1
 }

dnsapi/dns_ovh.sh

@@ -201,7 +201,7 @@ dns_ovh_rm() {
     if ! _ovh_rest GET "domain/zone/$_domain/record/$rid"; then
       return 1
     fi
-    if _contains "$response" "\"target\":\"$txtvalue\""; then
+    if _contains "$response" "$txtvalue"; then
       _debug "Found txt id:$rid"
       if ! _ovh_rest DELETE "domain/zone/$_domain/record/$rid"; then
         return 1

notify/ntfy.sh

@@ -14,6 +14,13 @@ ntfy_send() {
   _debug "_content" "$_content"
   _debug "_statusCode" "$_statusCode"
 
+  _priority_default="default"
+  _priority_error="high"
+
+  _tag_success="white_check_mark"
+  _tag_error="warning"
+  _tag_info="information_source"
+
   NTFY_URL="${NTFY_URL:-$(_readaccountconf_mutable NTFY_URL)}"
   if [ "$NTFY_URL" ]; then
     _saveaccountconf_mutable NTFY_URL "$NTFY_URL"
@@ -30,7 +37,26 @@ ntfy_send() {
     export _H1="Authorization: Bearer $NTFY_TOKEN"
   fi
 
-  _data="${_subject}. $_content"
+  case "$_statusCode" in
+  0)
+    _priority="$_priority_default"
+    _tag="$_tag_success"
+    ;;
+  1)
+    _priority="$_priority_error"
+    _tag="$_tag_error"
+    ;;
+  2)
+    _priority="$_priority_default"
+    _tag="$_tag_info"
+    ;;
+  esac
+
+  export _H2="Priority: $_priority"
+  export _H3="Tags: $_tag"
+  export _H4="Title: $PROJECT_NAME: $_subject"
+
+  _data="$_content"
   response="$(_post "$_data" "$NTFY_URL/$NTFY_TOPIC" "" "POST" "")"
 
   if [ "$?" = "0" ] && _contains "$response" "expires"; then

notify/opsgenie.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env sh
+
+#Support OpsGenie API integration
+
+#OPSGENIE_API_KEY="" Required, opsgenie api key
+#OPSGENIE_REGION="" Optional, opsgenie region, can be EU or US (default: US)
+#OPSGENIE_PRIORITY_SUCCESS="" Optional, opsgenie priority for success (default: P5)
+#OPSGENIE_PRIORITY_ERROR="" Optional, opsgenie priority for error (default: P2)
+#OPSGENIE_PRIORITY_SKIP="" Optional, opsgenie priority for renew skipped (default: P5)
+
+_OPSGENIE_AVAIL_REGION="US,EU"
+_OPSGENIE_AVAIL_PRIORITIES="P1,P2,P3,P4,P5"
+
+opsgenie_send() {
+  _subject="$1"
+  _content="$2"
+  _status_code="$3" #0: success, 1: error, 2($RENEW_SKIP): skipped
+
+  OPSGENIE_API_KEY="${OPSGENIE_API_KEY:-$(_readaccountconf_mutable OPSGENIE_API_KEY)}"
+  if [ -z "$OPSGENIE_API_KEY" ]; then
+    OPSGENIE_API_KEY=""
+    _err "You didn't specify an OpsGenie API key OPSGENIE_API_KEY yet."
+    return 1
+  fi
+  _saveaccountconf_mutable OPSGENIE_API_KEY "$OPSGENIE_API_KEY"
+  export _H1="Authorization: GenieKey $OPSGENIE_API_KEY"
+
+  OPSGENIE_REGION="${OPSGENIE_REGION:-$(_readaccountconf_mutable OPSGENIE_REGION)}"
+  if [ -z "$OPSGENIE_REGION" ]; then
+    OPSGENIE_REGION="US"
+    _info "The OPSGENIE_REGION is not set, so use the default US as regeion."
+  elif ! _hasfield "$_OPSGENIE_AVAIL_REGION" "$OPSGENIE_REGION"; then
+    _err "The OPSGENIE_REGION \"$OPSGENIE_REGION\" is not available, should be one of $_OPSGENIE_AVAIL_REGION"
+    OPSGENIE_REGION=""
+    return 1
+  else
+    _saveaccountconf_mutable OPSGENIE_REGION "$OPSGENIE_REGION"
+  fi
+
+  OPSGENIE_PRIORITY_SUCCESS="${OPSGENIE_PRIORITY_SUCCESS:-$(_readaccountconf_mutable OPSGENIE_PRIORITY_SUCCESS)}"
+  if [ -z "$OPSGENIE_PRIORITY_SUCCESS" ]; then
+    OPSGENIE_PRIORITY_SUCCESS="P5"
+    _info "The OPSGENIE_PRIORITY_SUCCESS is not set, so use the default P5 as priority."
+  elif ! _hasfield "$_OPSGENIE_AVAIL_PRIORITIES" "$OPSGENIE_PRIORITY_SUCCESS"; then
+    _err "The OPSGENIE_PRIORITY_SUCCESS \"$OPSGENIE_PRIORITY_SUCCESS\" is not available, should be one of $_OPSGENIE_AVAIL_PRIORITIES"
+    OPSGENIE_PRIORITY_SUCCESS=""
+    return 1
+  else
+    _saveaccountconf_mutable OPSGENIE_PRIORITY_SUCCESS "$OPSGENIE_PRIORITY_SUCCESS"
+  fi
+
+  OPSGENIE_PRIORITY_ERROR="${OPSGENIE_PRIORITY_ERROR:-$(_readaccountconf_mutable OPSGENIE_PRIORITY_ERROR)}"
+  if [ -z "$OPSGENIE_PRIORITY_ERROR" ]; then
+    OPSGENIE_PRIORITY_ERROR="P2"
+    _info "The OPSGENIE_PRIORITY_ERROR is not set, so use the default P2 as priority."
+  elif ! _hasfield "$_OPSGENIE_AVAIL_PRIORITIES" "$OPSGENIE_PRIORITY_ERROR"; then
+    _err "The OPSGENIE_PRIORITY_ERROR \"$OPSGENIE_PRIORITY_ERROR\" is not available, should be one of $_OPSGENIE_AVAIL_PRIORITIES"
+    OPSGENIE_PRIORITY_ERROR=""
+    return 1
+  else
+    _saveaccountconf_mutable OPSGENIE_PRIORITY_ERROR "$OPSGENIE_PRIORITY_ERROR"
+  fi
+
+  OPSGENIE_PRIORITY_SKIP="${OPSGENIE_PRIORITY_SKIP:-$(_readaccountconf_mutable OPSGENIE_PRIORITY_SKIP)}"
+  if [ -z "$OPSGENIE_PRIORITY_SKIP" ]; then
+    OPSGENIE_PRIORITY_SKIP="P5"
+    _info "The OPSGENIE_PRIORITY_SKIP is not set, so use the default P5 as priority."
+  elif ! _hasfield "$_OPSGENIE_AVAIL_PRIORITIES" "$OPSGENIE_PRIORITY_SKIP"; then
+    _err "The OPSGENIE_PRIORITY_SKIP \"$OPSGENIE_PRIORITY_SKIP\" is not available, should be one of $_OPSGENIE_AVAIL_PRIORITIES"
+    OPSGENIE_PRIORITY_SKIP=""
+    return 1
+  else
+    _saveaccountconf_mutable OPSGENIE_PRIORITY_SKIP "$OPSGENIE_PRIORITY_SKIP"
+  fi
+
+  case "$OPSGENIE_REGION" in
+  "US")
+    _opsgenie_url="https://api.opsgenie.com/v2/alerts"
+    ;;
+  "EU")
+    _opsgenie_url="https://api.eu.opsgenie.com/v2/alerts"
+    ;;
+  *)
+    _err "opsgenie region error."
+    return 1
+    ;;
+  esac
+
+  case $_status_code in
+  0)
+    _priority=$OPSGENIE_PRIORITY_SUCCESS
+    ;;
+  1)
+    _priority=$OPSGENIE_PRIORITY_ERROR
+    ;;
+  2)
+    _priority=$OPSGENIE_PRIORITY_SKIP
+    ;;
+  *)
+    _priority=$OPSGENIE_PRIORITY_ERROR
+    ;;
+  esac
+
+  _subject_json=$(echo "$_subject" | _json_encode)
+  _content_json=$(echo "$_content" | _json_encode)
+  _subject_underscore=$(echo "$_subject" | sed 's/ /_/g')
+  _alias_json=$(echo "acme.sh-$(hostname)-$_subject_underscore-$(date +%Y%m%d)" | base64 --wrap=0 | _json_encode)
+
+  _data="{
+    \"message\": \"$_subject_json\",
+    \"alias\": \"$_alias_json\",
+    \"description\": \"$_content_json\",
+    \"tags\": [
+        \"acme.sh\",
+        \"host:$(hostname)\"
+    ],
+    \"entity\": \"$(hostname -f)\",
+    \"priority\": \"$_priority\"
+}"
+
+  if response=$(_post "$_data" "$_opsgenie_url" "" "" "application/json"); then
+    if ! _contains "$response" error; then
+      _info "opsgenie send success."
+      return 0
+    fi
+  fi
+  _err "opsgenie send error."
+  _err "$response"
+  return 1
+}

notify/telegram.sh

@@ -34,8 +34,8 @@ telegram_send() {
   fi
   _saveaccountconf_mutable TELEGRAM_BOT_URLBASE "$TELEGRAM_BOT_URLBASE"
 
-  _subject="$(printf "%s" "$_subject" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+\-=|{}.!]\)/\\\\\1/g')"
-  _content="$(printf "%s" "$_content" | sed 's/\\/\\\\\\\\/g' | sed 's/\]/\\\\\]/g' | sed 's/\([_*[()~`>#+\-=|{}.!]\)/\\\\\1/g')"
+  _subject="$(printf "%s" "$_subject" | sed -E 's/([][()~`>#+=|{}.!*_\\-])/\\\\\1/g')"
+  _content="$(printf "%s" "$_content" | sed -E 's/([][()~`>#+=|{}.!*_\\-])/\\\\\1/g')"
   _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)"
   _data="{\"text\": \"$_content\", "
   _data="$_data\"chat_id\": \"$TELEGRAM_BOT_CHATID\", "