Merge branch 'dev' into master

.github/workflows/DNS.yml

@@ -1,5 +1,6 @@
 name: DNS
 on:
+  workflow_dispatch:
   push:
     paths:
       - 'dnsapi/*.sh'
@@ -280,7 +281,7 @@ jobs:
     - uses: vmactions/openbsd-vm@v1
       with:
         envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
-        prepare: pkg_add socat curl
+        prepare: pkg_add socat curl libiconv
         usesh: true
         copyback: false
         run: |

.github/workflows/Linux.yml

@@ -26,7 +26,7 @@ jobs:
   Linux:
     strategy:
       matrix:
-        os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "centos:7", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "mageia", "gentoo/stage3"]
+        os: ["ubuntu:latest", "debian:latest", "almalinux:latest", "fedora:latest", "opensuse/leap:latest", "alpine:latest", "oraclelinux:8", "kalilinux/kali", "archlinux:latest", "mageia", "gentoo/stage3"]
     runs-on: ubuntu-latest
     env:
       TEST_LOCAL: 1

.github/workflows/PebbleStrict.yml

@@ -37,7 +37,7 @@ jobs:
     - name: Install tools
       run: sudo apt-get install -y socat
     - name: Run Pebble
-      run: cd .. && curl https://raw.githubusercontent.com/letsencrypt/pebble/master/docker-compose.yml >docker-compose.yml && docker-compose up -d
+      run: cd .. && curl https://raw.githubusercontent.com/letsencrypt/pebble/master/docker-compose.yml >docker-compose.yml && docker compose up -d
     - name: Set up Pebble
       run: curl --request POST --data '{"ip":"10.30.50.1"}' http://localhost:8055/set-default-ipv4
     - name: Clone acmetest

.github/workflows/dockerhub.yml

@@ -15,6 +15,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+env:
+  DOCKER_IMAGE: neilpang/acme.sh
 
 jobs:
   CheckToken:
@@ -44,6 +46,11 @@ jobs:
         uses: actions/checkout@v4
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v2
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/[email protected]
+        with:
+          images: ${DOCKER_IMAGE}
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
       - name: login to docker hub
@@ -51,8 +58,6 @@ jobs:
           echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
       - name: build and push the image
         run: |
-          DOCKER_IMAGE=neilpang/acme.sh
-
           if [[ $GITHUB_REF == refs/tags/* ]]; then
             DOCKER_IMAGE_TAG=${GITHUB_REF#refs/tags/}
           fi
@@ -66,8 +71,14 @@ jobs:
             fi
           fi
 
+          DOCKER_LABELS=()
+          while read -r label; do
+            DOCKER_LABELS+=(--label "${label}")
+          done <<<"${DOCKER_METADATA_OUTPUT_LABELS}"
+
           docker buildx build \
             --tag ${DOCKER_IMAGE}:${DOCKER_IMAGE_TAG} \
+            "${DOCKER_LABELS[@]}" \
             --output "type=image,push=true" \
             --build-arg AUTO_UPGRADE=${AUTO_UPGRADE} \
             --platform linux/arm64/v8,linux/amd64,linux/arm/v6,linux/arm/v7,linux/386,linux/ppc64le,linux/s390x .

.github/workflows/pr_notify.yml

@@ -1,4 +1,4 @@
-name: Check dns api
+name: Check notify api
 
 on:
   pull_request_target:

deploy/ali_cdn.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env sh
+# shellcheck disable=SC2034,SC2154
+
+# Script to create certificate to Alibaba Cloud CDN
+#
+# Docs: https://github.com/acmesh-official/acme.sh/wiki/deployhooks#33-deploy-your-certificate-to-cdn-or-dcdn-of-alibaba-cloud-aliyun
+#
+# This deployment required following variables
+# export Ali_Key="ALIACCESSKEY"
+# export Ali_Secret="ALISECRETKEY"
+# The credentials are shared with all the Alibaba Cloud deploy hooks and dnsapi
+#
+# To specify the CDN domain that is different from the certificate CN, usually used for multi-domain or wildcard certificates
+# export DEPLOY_ALI_CDN_DOMAIN="cdn.example.com"
+# If you have multiple CDN domains using the same certificate, just
+# export DEPLOY_ALI_CDN_DOMAIN="cdn1.example.com cdn2.example.com"
+#
+# For DCDN, see ali_dcdn deploy hook
+
+Ali_CDN_API="https://cdn.aliyuncs.com/"
+
+ali_cdn_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  # Load dnsapi/dns_ali.sh to reduce the duplicated codes
+  # https://github.com/acmesh-official/acme.sh/pull/5205#issuecomment-2357867276
+  dnsapi_ali="$(_findHook "$_cdomain" "$_SUB_FOLDER_DNSAPI" dns_ali)"
+  # shellcheck source=/dev/null
+  if ! . "$dnsapi_ali"; then
+    _err "Error loading file $dnsapi_ali. Please check your API file and try again."
+    return 1
+  fi
+
+  _prepare_ali_credentials || return 1
+
+  _getdeployconf DEPLOY_ALI_CDN_DOMAIN
+  if [ "$DEPLOY_ALI_CDN_DOMAIN" ]; then
+    _savedeployconf DEPLOY_ALI_CDN_DOMAIN "$DEPLOY_ALI_CDN_DOMAIN"
+  else
+    DEPLOY_ALI_CDN_DOMAIN="$_cdomain"
+  fi
+
+  # read cert and key files and urlencode both
+  _cert=$(_url_encode upper-hex <"$_cfullchain")
+  _key=$(_url_encode upper-hex <"$_ckey")
+
+  _debug2 _cert "$_cert"
+  _debug2 _key "$_key"
+
+  ## update domain ssl config
+  for domain in $DEPLOY_ALI_CDN_DOMAIN; do
+    _set_cdn_domain_ssl_certificate_query "$domain" "$_cert" "$_key"
+    if _ali_rest "Set CDN domain SSL certificate for $domain" "" POST; then
+      _info "Domain $domain certificate has been deployed successfully"
+    fi
+  done
+
+  return 0
+}
+
+# domain pub pri
+_set_cdn_domain_ssl_certificate_query() {
+  endpoint=$Ali_CDN_API
+  query=''
+  query=$query'AccessKeyId='$Ali_Key
+  query=$query'&Action=SetCdnDomainSSLCertificate'
+  query=$query'&CertType=upload'
+  query=$query'&DomainName='$1
+  query=$query'&Format=json'
+  query=$query'&SSLPri='$3
+  query=$query'&SSLProtocol=on'
+  query=$query'&SSLPub='$2
+  query=$query'&SignatureMethod=HMAC-SHA1'
+  query=$query"&SignatureNonce=$(_ali_nonce)"
+  query=$query'&SignatureVersion=1.0'
+  query=$query'&Timestamp='$(_timestamp)
+  query=$query'&Version=2018-05-10'
+}

deploy/ali_dcdn.sh

@@ -0,0 +1,88 @@
+#!/usr/bin/env sh
+# shellcheck disable=SC2034,SC2154
+
+# Script to create certificate to Alibaba Cloud DCDN
+#
+# Docs: https://github.com/acmesh-official/acme.sh/wiki/deployhooks#33-deploy-your-certificate-to-cdn-or-dcdn-of-alibaba-cloud-aliyun
+#
+# This deployment required following variables
+# export Ali_Key="ALIACCESSKEY"
+# export Ali_Secret="ALISECRETKEY"
+# The credentials are shared with all the Alibaba Cloud deploy hooks and dnsapi
+#
+# To specify the DCDN domain that is different from the certificate CN, usually used for multi-domain or wildcard certificates
+# export DEPLOY_ALI_DCDN_DOMAIN="dcdn.example.com"
+# If you have multiple CDN domains using the same certificate, just
+# export DEPLOY_ALI_DCDN_DOMAIN="dcdn1.example.com dcdn2.example.com"
+#
+# For regular CDN, see ali_cdn deploy hook
+
+Ali_DCDN_API="https://dcdn.aliyuncs.com/"
+
+ali_dcdn_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  # Load dnsapi/dns_ali.sh to reduce the duplicated codes
+  # https://github.com/acmesh-official/acme.sh/pull/5205#issuecomment-2357867276
+  dnsapi_ali="$(_findHook "$_cdomain" "$_SUB_FOLDER_DNSAPI" dns_ali)"
+  # shellcheck source=/dev/null
+  if ! . "$dnsapi_ali"; then
+    _err "Error loading file $dnsapi_ali. Please check your API file and try again."
+    return 1
+  fi
+
+  _prepare_ali_credentials || return 1
+
+  _getdeployconf DEPLOY_ALI_DCDN_DOMAIN
+  if [ "$DEPLOY_ALI_DCDN_DOMAIN" ]; then
+    _savedeployconf DEPLOY_ALI_DCDN_DOMAIN "$DEPLOY_ALI_DCDN_DOMAIN"
+  else
+    DEPLOY_ALI_DCDN_DOMAIN="$_cdomain"
+  fi
+
+  # read cert and key files and urlencode both
+  _cert=$(_url_encode upper-hex <"$_cfullchain")
+  _key=$(_url_encode upper-hex <"$_ckey")
+
+  _debug2 _cert "$_cert"
+  _debug2 _key "$_key"
+
+  ## update domain ssl config
+  for domain in $DEPLOY_ALI_DCDN_DOMAIN; do
+    _set_dcdn_domain_ssl_certificate_query "$domain" "$_cert" "$_key"
+    if _ali_rest "Set DCDN domain SSL certificate for $domain" "" POST; then
+      _info "Domain $domain certificate has been deployed successfully"
+    fi
+  done
+
+  return 0
+}
+
+# domain pub pri
+_set_dcdn_domain_ssl_certificate_query() {
+  endpoint=$Ali_DCDN_API
+  query=''
+  query=$query'AccessKeyId='$Ali_Key
+  query=$query'&Action=SetDcdnDomainSSLCertificate'
+  query=$query'&CertType=upload'
+  query=$query'&DomainName='$1
+  query=$query'&Format=json'
+  query=$query'&SSLPri='$3
+  query=$query'&SSLProtocol=on'
+  query=$query'&SSLPub='$2
+  query=$query'&SignatureMethod=HMAC-SHA1'
+  query=$query"&SignatureNonce=$(_ali_nonce)"
+  query=$query'&SignatureVersion=1.0'
+  query=$query'&Timestamp='$(_timestamp)
+  query=$query'&Version=2018-01-15'
+}

deploy/exim4.sh

@@ -109,6 +109,5 @@ exim4_deploy() {
     fi
     return 1
   fi
-  return 0
 
 }

deploy/routeros.sh

@@ -137,7 +137,8 @@ routeros_deploy() {
     return $_err_code
   fi
 
-  DEPLOY_SCRIPT_CMD="/system script add name=\"LECertDeploy-$_cdomain\" owner=$ROUTER_OS_USERNAME \
+  DEPLOY_SCRIPT_CMD=":do {/system script remove \"LECertDeploy-$_cdomain\" } on-error={ }; \
+/system script add name=\"LECertDeploy-$_cdomain\" owner=$ROUTER_OS_USERNAME \
 comment=\"generated by routeros deploy script in acme.sh\" \
 source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
 \n/certificate remove [ find name=$_cdomain.cer_1 ];\
@@ -146,8 +147,8 @@ source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
 \n/certificate import file-name=$_cdomain.cer passphrase=\\\"\\\";\
 \n/certificate import file-name=$_cdomain.key passphrase=\\\"\\\";\
 \ndelay 1;\
-\n/file remove $_cdomain.cer;\
-\n/file remove $_cdomain.key;\
+\n:do {/file remove $_cdomain.cer; } on-error={ }\
+\n:do {/file remove $_cdomain.key; } on-error={ }\
 \ndelay 2;\
 \n/ip service set www-ssl certificate=$_cdomain.cer_0;\
 \n$ROUTER_OS_ADDITIONAL_SERVICES;\

deploy/synology_dsm.sh

@@ -39,7 +39,7 @@
 ################################################################################
 # Dependencies:
 # - curl
-# - synouser & synogroup (When available and SYNO_USE_TEMP_ADMIN is set)
+# - synouser & synogroup & synosetkeyvalue (Required for SYNO_USE_TEMP_ADMIN=1)
 ################################################################################
 # Return value:
 # 0 means success, otherwise error.
@@ -66,14 +66,18 @@ synology_dsm_deploy() {
   _getdeployconf SYNO_DEVICE_NAME
 
   # Prepare to use temp admin if SYNO_USE_TEMP_ADMIN is set
-  _debug2 SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
   _getdeployconf SYNO_USE_TEMP_ADMIN
   _check2cleardeployconfexp SYNO_USE_TEMP_ADMIN
   _debug2 SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
 
   if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
-    if ! _exists synouser || ! _exists synogroup; then
-      _err "Tools are missing for creating temp admin user, please set SYNO_USERNAME and SYNO_PASSWORD instead."
+    if ! _exists synouser || ! _exists synogroup || ! _exists synosetkeyvalue; then
+      _err "Missing required tools to creat temp admin user, please set SYNO_USERNAME and SYNO_PASSWORD instead."
+      _err "Notice: temp admin user authorization method only supports local deployment on DSM."
+      return 1
+    fi
+    if synouser --help 2>&1 | grep -q 'Permission denied'; then
+      _err "For creating temp admin user, the deploy script must be run as root."
       return 1
     fi
 
@@ -109,9 +113,9 @@ synology_dsm_deploy() {
 
   # Default values for scheme, hostname and port
   # Defaulting to localhost and http, because it's localhost…
-  [ -n "$SYNO_SCHEME" ] || SYNO_SCHEME="http"
-  [ -n "$SYNO_HOSTNAME" ] || SYNO_HOSTNAME="localhost"
-  [ -n "$SYNO_PORT" ] || SYNO_PORT="5000"
+  [ -n "$SYNO_SCHEME" ] || SYNO_SCHEME=http
+  [ -n "$SYNO_HOSTNAME" ] || SYNO_HOSTNAME=localhost
+  [ -n "$SYNO_PORT" ] || SYNO_PORT=5000
   _savedeployconf SYNO_SCHEME "$SYNO_SCHEME"
   _savedeployconf SYNO_HOSTNAME "$SYNO_HOSTNAME"
   _savedeployconf SYNO_PORT "$SYNO_PORT"
@@ -169,7 +173,7 @@ synology_dsm_deploy() {
       _debug3 H1 "${_H1}"
     fi
 
-    response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$DEPRECATED_otp_code&device_name=certrenewal&device_id=$SYNO_DEVICE_ID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
+    response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$DEPRECATED_otp_code&device_name=certrenewal&device_id=$SYNO_DEVICE_ID" "$_base_url/webapi/$api_path?enable_syno_token=yes")
     _debug3 response "$response"
   # ## END ## - DEPRECATED, for backward compatibility
   # If SYNO_DEVICE_ID or SYNO_OTP_CODE is set, we treat current account enabled 2FA-OTP.
@@ -184,7 +188,7 @@ synology_dsm_deploy() {
         _debug SYNO_LOCAL_HOSTNAME "${SYNO_LOCAL_HOSTNAME:-}"
         if [ "$SYNO_LOCAL_HOSTNAME" != "1" ] && [ "$SYNO_LOCAL_HOSTNAME" == "$SYNO_HOSTNAME" ]; then
           if [ "$SYNO_HOSTNAME" != "localhost" ] && [ "$SYNO_HOSTNAME" != "127.0.0.1" ]; then
-            _err "SYNO_USE_TEMP_ADMIN=1 Only support locally deployment, if you are sure that hostname $SYNO_HOSTNAME is targeting to your **current local machine**, execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun."
+            _err "SYNO_USE_TEMP_ADMIN=1 only support local deployment, though if you are sure that the hostname $SYNO_HOSTNAME is targeting to your **current local machine**, execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun."
             return 1
           fi
         fi
@@ -201,24 +205,27 @@ synology_dsm_deploy() {
             # shellcheck disable=SC2086
             synogroup --member administrators $cur_admins $SYNO_USERNAME >/dev/null
           else
-            _err "Tool synogroup may be broken, please set SYNO_USERNAME and SYNO_PASSWORD instead."
+            _err "The tool synogroup may be broken, please set SYNO_USERNAME and SYNO_PASSWORD instead."
             return 1
           fi
         else
           _err "Unsupported synogroup tool detected, please set SYNO_USERNAME and SYNO_PASSWORD instead."
           return 1
         fi
-        # havig a workaround to temporary disable enforce 2FA-OTP
+        # havig a workaround to temporary disable enforce 2FA-OTP, will restore
+        # it soon (after a single request), though if any accident occurs like
+        # unexpected interruption, this setting can be easily reverted manually.
         otp_enforce_option=$(synogetkeyvalue /etc/synoinfo.conf otp_enforce_option)
         if [ -n "$otp_enforce_option" ] && [ "${otp_enforce_option:-"none"}" != "none" ]; then
           synosetkeyvalue /etc/synoinfo.conf otp_enforce_option none
-          _info "Temporary disabled enforce 2FA-OTP to complete authentication."
+          _info "Enforcing 2FA-OTP has been disabled to complete temp admin authentication."
+          _info "Notice: it will be restored soon, if not, you can restore it manually via Control Panel."
           _info "previous_otp_enforce_option" "$otp_enforce_option"
         else
           otp_enforce_option=""
         fi
       fi
-      response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes")
+      response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes")
       if [ -n "$SYNO_USE_TEMP_ADMIN" ] && [ -n "$otp_enforce_option" ]; then
         synosetkeyvalue /etc/synoinfo.conf otp_enforce_option "$otp_enforce_option"
         _info "Restored previous enforce 2FA-OTP option."
@@ -230,7 +237,7 @@ synology_dsm_deploy() {
   error_code=$(echo "$response" | grep '"error":' | grep -o '"code":[0-9]*' | grep -o '[0-9]*')
   _debug2 error_code "$error_code"
   # Account has 2FA-OTP enabled, since error 403 reported.
-  # https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_Administration_CLI_Guide.pdf
+  # https://global.download.synology.com/download/Document/Software/DeveloperGuide/Os/DSM/All/enu/DSM_Login_Web_API_Guide_enu.pdf
   if [ "$error_code" == "403" ]; then
     if [ -z "$SYNO_DEVICE_NAME" ]; then
       printf "Enter device name or leave empty for default (CertRenewal): "
@@ -274,12 +281,16 @@ synology_dsm_deploy() {
       _err "Failed to authenticate with provided 2FA-OTP code, please try again in a new terminal window."
     elif [ "$error_code" == "406" ]; then
       if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
-        _err "SYNO_USE_TEMP_ADMIN=1 is not supported if enforce auth with 2FA-OTP is enabled."
+        _err "Failed with unexcepted error, please report this by providing full log with '--debug 3'."
       else
         _err "Enforce auth with 2FA-OTP enabled, please configure the user to enable 2FA-OTP to continue."
       fi
-    elif [ "$error_code" == "400" ] || [ "$error_code" == "401" ] || [ "$error_code" == "408" ] || [ "$error_code" == "409" ] || [ "$error_code" == "410" ]; then
-      _err "Failed to authenticate with a non-existent or disabled account, or the account password is incorrect or has expired."
+    elif [ "$error_code" == "400" ]; then
+      _err "Failed to authenticate, no such account or incorrect password."
+    elif [ "$error_code" == "401" ]; then
+      _err "Failed to authenticate with a non-existent account."
+    elif [ "$error_code" == "408" ] || [ "$error_code" == "409" ] || [ "$error_code" == "410" ]; then
+      _err "Failed to authenticate, the account password has expired or must be changed."
     else
       _err "Failed to authenticate with error: $error_code."
     fi
@@ -293,7 +304,7 @@ synology_dsm_deploy() {
   _debug SynoToken "$token"
   if [ -z "$sid" ] || [ -z "$token" ]; then
     # Still can't get necessary info even got no errors, may Synology have API updated?
-    _err "Unable to authenticate to $_base_url, you may report the full log to the community."
+    _err "Unable to authenticate to $_base_url, you may report this by providing full log with '--debug 3'."
     _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
     return 1
   fi
@@ -331,7 +342,7 @@ synology_dsm_deploy() {
     if [ "$error_code" -eq 105 ]; then
       _err "Current user is not administrator and does not have sufficient permission for deploying."
     else
-      _err "Failed to fetch certificate info with error: $error_code, please try again or contact Synology to learn more."
+      _err "Failed to fetch certificate info: $error_code, please try again or contact Synology to learn more."
     fi
     _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
     return 1

deploy/unifi.sh

@@ -5,6 +5,15 @@
 #   - self-hosted Unifi Controller
 #   - Unifi Cloud Key (Gen1/2/2+)
 #   - Unifi Cloud Key running UnifiOS (v2.0.0+, Gen2/2+ only)
+#   - Unifi Dream Machine
+#       This has not been tested on other "all-in-one" devices such as
+#       UDM Pro or Unifi Express.
+#
+#       OS Version v2.0.0+
+#       Network Application version 7.0.0+
+#       OS version ~3.1 removed java and keytool from the UnifiOS.
+#       Using PKCS12 format keystore appears to work fine.
+#
 # Please report bugs to https://github.com/acmesh-official/acme.sh/issues/3359
 
 #returns 0 means success, otherwise error.
@@ -74,14 +83,16 @@ unifi_deploy() {
   _reload_cmd=""
 
   # Unifi Controller environment (self hosted or any Cloud Key) --
-  # auto-detect by file /usr/lib/unifi/data/keystore:
+  # auto-detect by file /usr/lib/unifi/data/keystore
   _unifi_keystore="${DEPLOY_UNIFI_KEYSTORE:-/usr/lib/unifi/data/keystore}"
   if [ -f "$_unifi_keystore" ]; then
-    _info "Installing certificate for Unifi Controller (Java keystore)"
     _debug _unifi_keystore "$_unifi_keystore"
     if ! _exists keytool; then
-      _err "keytool not found"
-      return 1
+      _do_keytool=0
+      _info "Installing certificate for Unifi Controller (PKCS12 keystore)."
+    else
+      _do_keytool=1
+      _info "Installing certificate for Unifi Controller (Java keystore)"
     fi
     if [ ! -w "$_unifi_keystore" ]; then
       _err "The file $_unifi_keystore is not writable, please change the permission."
@@ -92,6 +103,7 @@ unifi_deploy() {
 
     _debug "Generate import pkcs12"
     _import_pkcs12="$(_mktemp)"
+    _debug "_toPkcs $_import_pkcs12 $_ckey $_ccert $_cca $_unifi_keypass unifi root"
     _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_unifi_keypass" unifi root
     # shellcheck disable=SC2181
     if [ "$?" != "0" ]; then
@@ -99,22 +111,57 @@ unifi_deploy() {
       return 1
     fi
 
-    _debug "Import into keystore: $_unifi_keystore"
-    if keytool -importkeystore \
-      -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
-      -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
-      -alias unifi -noprompt; then
-      _debug "Import keystore success!"
-      rm "$_import_pkcs12"
+    # Save the existing keystore in case something goes wrong.
+    mv -f "${_unifi_keystore}" "${_unifi_keystore}"_original
+    _info "Previous keystore saved to ${_unifi_keystore}_original."
+
+    if [ "$_do_keytool" -eq 1 ]; then
+      _debug "Import into keystore: $_unifi_keystore"
+      if keytool -importkeystore \
+        -deststorepass "$_unifi_keypass" -destkeypass "$_unifi_keypass" -destkeystore "$_unifi_keystore" \
+        -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_unifi_keypass" \
+        -alias unifi -noprompt; then
+        _debug "Import keystore success!"
+      else
+        _err "Error importing into Unifi Java keystore."
+        _err "Please re-run with --debug and report a bug."
+        _info "Restoring original keystore."
+        mv -f "${_unifi_keystore}"_original "${_unifi_keystore}"
+        rm "$_import_pkcs12"
+        return 1
+      fi
     else
-      _err "Error importing into Unifi Java keystore."
-      _err "Please re-run with --debug and report a bug."
-      rm "$_import_pkcs12"
-      return 1
+      _debug "Copying new keystore to $_unifi_keystore"
+      cp -f "$_import_pkcs12" "$_unifi_keystore"
+    fi
+
+    # Update unifi service for certificate cipher compatibility
+    if ${ACME_OPENSSL_BIN:-openssl} pkcs12 \
+      -in "$_import_pkcs12" \
+      -password pass:aircontrolenterprise \
+      -nokeys | ${ACME_OPENSSL_BIN:-openssl} x509 -text \
+      -noout | grep -i "signature" | grep -iq ecdsa >/dev/null 2>&1; then
+      cp -f /usr/lib/unifi/data/system.properties /usr/lib/unifi/data/system.properties_original
+      _info "Updating system configuration for cipher compatibility."
+      _info "Saved original system config to /usr/lib/unifi/data/system.properties_original"
+      sed -i '/unifi\.https\.ciphers/d' /usr/lib/unifi/data/system.properties
+      echo "unifi.https.ciphers=ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-GCM-SHA256" >>/usr/lib/unifi/data/system.properties
+      sed -i '/unifi\.https\.sslEnabledProtocols/d' /usr/lib/unifi/data/system.properties
+      echo "unifi.https.sslEnabledProtocols=TLSv1.3,TLSv1.2" >>/usr/lib/unifi/data/system.properties
+      _info "System configuration updated."
     fi
 
+    rm "$_import_pkcs12"
+
+    # Restarting unifi-core will bring up unifi, doing it out of order results in
+    # a certificate error, and breaks wifiman.
+    # Restart if we aren't doing unifi-core, otherwise stop for later restart.
     if systemctl -q is-active unifi; then
-      _reload_cmd="${_reload_cmd:+$_reload_cmd && }service unifi restart"
+      if [ ! -f "${DEPLOY_UNIFI_CORE_CONFIG:-/data/unifi-core/config}/unifi-core.key" ]; then
+        _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl restart unifi"
+      else
+        _reload_cmd="${_reload_cmd:+$_reload_cmd && }systemctl stop unifi"
+      fi
     fi
     _services_updated="${_services_updated} unifi"
     _info "Install Unifi Controller certificate success!"
@@ -165,6 +212,11 @@ unifi_deploy() {
       return 1
     fi
 
+    # Save the existing certs in case something goes wrong.
+    cp -f "${_unifi_core_config}"/unifi-core.crt "${_unifi_core_config}"/unifi-core_original.crt
+    cp -f "${_unifi_core_config}"/unifi-core.key "${_unifi_core_config}"/unifi-core_original.key
+    _info "Previous certificate and key saved to ${_unifi_core_config}/unifi-core_original.crt/key."
+
     cat "$_cfullchain" >"${_unifi_core_config}/unifi-core.crt"
     cat "$_ckey" >"${_unifi_core_config}/unifi-core.key"
 

deploy/vault.sh

@@ -70,10 +70,10 @@ vault_deploy() {
 
   # JSON does not allow multiline strings.
   # So replacing new-lines with "\n" here
-  _ckey=$(sed -z 's/\n/\\n/g' <"$2")
-  _ccert=$(sed -z 's/\n/\\n/g' <"$3")
-  _cca=$(sed -z 's/\n/\\n/g' <"$4")
-  _cfullchain=$(sed -z 's/\n/\\n/g' <"$5")
+  _ckey=$(sed -e ':a' -e N -e '$ ! ba' -e 's/\n/\\n/g' <"$2")
+  _ccert=$(sed -e ':a' -e N -e '$ ! ba' -e 's/\n/\\n/g' <"$3")
+  _cca=$(sed -e ':a' -e N -e '$ ! ba' -e 's/\n/\\n/g' <"$4")
+  _cfullchain=$(sed -e ':a' -e N -e '$ ! ba' -e 's/\n/\\n/g' <"$5")
 
   export _H1="X-Vault-Token: $VAULT_TOKEN"
 

deploy/vsftpd.sh

@@ -106,5 +106,5 @@ vsftpd_deploy() {
     fi
     return 1
   fi
-  return 0
+
 }

dnsapi/dns_1984hosting.sh

@@ -211,8 +211,8 @@ _get_root() {
       return 1
     fi
 
-    _authget "https://1984.hosting/domains/soacheck/?zone=$h&nameserver=ns0.1984.is."
-    if _contains "$_response" "serial" && ! _contains "$_response" "null"; then
+    _authget "https://1984.hosting/domains/zonestatus/$h/?cached=no"
+    if _contains "$_response" '"ok": true'; then
       _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
@@ -246,7 +246,6 @@ _authget() {
 }
 
 # Truncate huge HTML response
-# Echo: Argument list too long
 _htmlget() {
   export _H1="Cookie: $One984HOSTING_CSRFTOKEN_COOKIE; $One984HOSTING_SESSIONID_COOKIE"
   _response=$(_get "$1" | grep "$2")

dnsapi/dns_active24.sh

@@ -83,10 +83,10 @@ _get_root() {
     return 1
   fi
 
-  i=2
+  i=1
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug "h" "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -94,7 +94,7 @@ _get_root() {
     fi
 
     if _contains "$response" "\"$h\"" >/dev/null; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       return 0
     fi

dnsapi/dns_ad.sh

@@ -95,7 +95,7 @@ _get_root() {
   if _ad_rest GET "domain/"; then
     response="$(echo "$response" | tr -d "\n" | sed 's/{/\n&/g')"
     while true; do
-      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+      h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
       _debug h "$h"
       if [ -z "$h" ]; then
         #not valid
@@ -106,7 +106,7 @@ _get_root() {
       if [ "$hostedzone" ]; then
         _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "\"id\":\s*[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ )
         if [ "$_domain_id" ]; then
-          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
           _domain=$h
           return 0
         fi

dnsapi/dns_ali.sh

@@ -9,25 +9,19 @@ Options:
  Ali_Secret API Secret
 '
 
-Ali_API="https://alidns.aliyuncs.com/"
+# NOTICE:
+# This file is referenced by Alibaba Cloud Services deploy hooks
+# https://github.com/acmesh-official/acme.sh/pull/5205#issuecomment-2357867276
+# Be careful when modifying this file, especially when making breaking changes for common functions
+
+Ali_DNS_API="https://alidns.aliyuncs.com/"
 
 #Usage: dns_ali_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_ali_add() {
   fulldomain=$1
   txtvalue=$2
 
-  Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}"
-  Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}"
-  if [ -z "$Ali_Key" ] || [ -z "$Ali_Secret" ]; then
-    Ali_Key=""
-    Ali_Secret=""
-    _err "You don't specify aliyun api key and secret yet."
-    return 1
-  fi
-
-  #save the api key and secret to the account conf file.
-  _saveaccountconf_mutable Ali_Key "$Ali_Key"
-  _saveaccountconf_mutable Ali_Secret "$Ali_Secret"
+  _prepare_ali_credentials || return 1
 
   _debug "First detect the root zone"
   if ! _get_root "$fulldomain"; then
@@ -52,14 +46,74 @@ dns_ali_rm() {
   _clean
 }
 
-####################  Private functions below ##################################
+####################  Alibaba Cloud common functions below  ####################
+
+_prepare_ali_credentials() {
+  Ali_Key="${Ali_Key:-$(_readaccountconf_mutable Ali_Key)}"
+  Ali_Secret="${Ali_Secret:-$(_readaccountconf_mutable Ali_Secret)}"
+  if [ -z "$Ali_Key" ] || [ -z "$Ali_Secret" ]; then
+    Ali_Key=""
+    Ali_Secret=""
+    _err "You don't specify aliyun api key and secret yet."
+    return 1
+  fi
+
+  #save the api key and secret to the account conf file.
+  _saveaccountconf_mutable Ali_Key "$Ali_Key"
+  _saveaccountconf_mutable Ali_Secret "$Ali_Secret"
+}
+
+# act ign mtd
+_ali_rest() {
+  act="$1"
+  ign="$2"
+  mtd="${3:-GET}"
+
+  signature=$(printf "%s" "$mtd&%2F&$(printf "%s" "$query" | _url_encode upper-hex)" | _hmac "sha1" "$(printf "%s" "$Ali_Secret&" | _hex_dump | tr -d " ")" | _base64)
+  signature=$(printf "%s" "$signature" | _url_encode upper-hex)
+  url="$endpoint?Signature=$signature"
+
+  if [ "$mtd" = "GET" ]; then
+    url="$url&$query"
+    response="$(_get "$url")"
+  else
+    response="$(_post "$query" "$url" "" "$mtd" "application/x-www-form-urlencoded")"
+  fi
+
+  _ret="$?"
+  _debug2 response "$response"
+  if [ "$_ret" != "0" ]; then
+    _err "Error <$act>"
+    return 1
+  fi
+
+  if [ -z "$ign" ]; then
+    message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")"
+    if [ "$message" ]; then
+      _err "$message"
+      return 1
+    fi
+  fi
+}
+
+_ali_nonce() {
+  #_head_n 1 </dev/urandom | _digest "sha256" hex | cut -c 1-31
+  #Not so good...
+  date +"%s%N" | sed 's/%N//g'
+}
+
+_timestamp() {
+  date -u +"%Y-%m-%dT%H%%3A%M%%3A%SZ"
+}
+
+####################  Private functions below  ####################
 
 _get_root() {
   domain=$1
-  i=2
+  i=1
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -71,7 +125,7 @@ _get_root() {
     fi
 
     if _contains "$response" "PageNumber"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _debug _sub_domain "$_sub_domain"
       _domain="$h"
       _debug _domain "$_domain"
@@ -83,52 +137,10 @@ _get_root() {
   return 1
 }
 
-_ali_rest() {
-  signature=$(printf "%s" "GET&%2F&$(_ali_urlencode "$query")" | _hmac "sha1" "$(printf "%s" "$Ali_Secret&" | _hex_dump | tr -d " ")" | _base64)
-  signature=$(_ali_urlencode "$signature")
-  url="$Ali_API?$query&Signature=$signature"
-
-  if ! response="$(_get "$url")"; then
-    _err "Error <$1>"
-    return 1
-  fi
-
-  _debug2 response "$response"
-  if [ -z "$2" ]; then
-    message="$(echo "$response" | _egrep_o "\"Message\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")"
-    if [ "$message" ]; then
-      _err "$message"
-      return 1
-    fi
-  fi
-}
-
-_ali_urlencode() {
-  _str="$1"
-  _str_len=${#_str}
-  _u_i=1
-  while [ "$_u_i" -le "$_str_len" ]; do
-    _str_c="$(printf "%s" "$_str" | cut -c "$_u_i")"
-    case $_str_c in [a-zA-Z0-9.~_-])
-      printf "%s" "$_str_c"
-      ;;
-    *)
-      printf "%%%02X" "'$_str_c"
-      ;;
-    esac
-    _u_i="$(_math "$_u_i" + 1)"
-  done
-}
-
-_ali_nonce() {
-  #_head_n 1 </dev/urandom | _digest "sha256" hex | cut -c 1-31
-  #Not so good...
-  date +"%s%N" | sed 's/%N//g'
-}
-
 _check_exist_query() {
   _qdomain="$1"
   _qsubdomain="$2"
+  endpoint=$Ali_DNS_API
   query=''
   query=$query'AccessKeyId='$Ali_Key
   query=$query'&Action=DescribeDomainRecords'
@@ -144,6 +156,7 @@ _check_exist_query() {
 }
 
 _add_record_query() {
+  endpoint=$Ali_DNS_API
   query=''
   query=$query'AccessKeyId='$Ali_Key
   query=$query'&Action=AddDomainRecord'
@@ -160,6 +173,7 @@ _add_record_query() {
 }
 
 _delete_record_query() {
+  endpoint=$Ali_DNS_API
   query=''
   query=$query'AccessKeyId='$Ali_Key
   query=$query'&Action=DeleteDomainRecord'
@@ -173,6 +187,7 @@ _delete_record_query() {
 }
 
 _describe_records_query() {
+  endpoint=$Ali_DNS_API
   query=''
   query=$query'AccessKeyId='$Ali_Key
   query=$query'&Action=DescribeDomainRecords'
@@ -203,7 +218,3 @@ _clean() {
   fi
 
 }
-
-_timestamp() {
-  date -u +"%Y-%m-%dT%H%%3A%M%%3A%SZ"
-}

dnsapi/dns_alviy.sh

@@ -0,0 +1,184 @@
+#!/usr/bin/env sh
+# Alviy domain api
+#
+# Get API key and secret from https://cloud.alviy.com/token
+#
+# Alviy_token="some-secret-key"
+#
+# Ex.: acme.sh --issue --staging --dns dns_alviy -d "*.s.example.com" -d "s.example.com"
+
+Alviy_Api="https://cloud.alviy.com/api/v1"
+
+########  Public functions #####################
+
+#Usage: dns_alviy_add  _acme-challenge.www.domain.com   "content"
+dns_alviy_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  Alviy_token="${Alviy_token:-$(_readaccountconf_mutable Alviy_token)}"
+  if [ -z "$Alviy_token" ]; then
+    Alviy_token=""
+    _err "Please specify Alviy token."
+    return 1
+  fi
+
+  #save the api key and email to the account conf file.
+  _saveaccountconf_mutable Alviy_token "$Alviy_token"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  _debug "Getting existing records"
+  if _alviy_txt_exists "$_domain" "$fulldomain" "$txtvalue"; then
+    _info "This record already exists, skipping"
+    return 0
+  fi
+
+  _add_data="{\"content\":\"$txtvalue\",\"type\":\"TXT\"}"
+  _debug2 _add_data "$_add_data"
+  _info "Adding record"
+  if _alviy_rest POST "zone/$_domain/domain/$fulldomain/" "$_add_data"; then
+    _debug "Checking updated records of '${fulldomain}'"
+
+    if ! _alviy_txt_exists "$_domain" "$fulldomain" "$txtvalue"; then
+      _err "TXT record '${txtvalue}' for '${fulldomain}', value wasn't set!"
+      return 1
+    fi
+
+  else
+    _err "Add txt record error, value '${txtvalue}' for '${fulldomain}' was not set."
+    return 1
+  fi
+
+  _sleep 10
+  _info "Added TXT record '${txtvalue}' for '${fulldomain}'."
+  return 0
+}
+
+#fulldomain
+dns_alviy_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  Alviy_token="${Alviy_token:-$(_readaccountconf_mutable Alviy_token)}"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+
+  if ! _alviy_txt_exists "$_domain" "$fulldomain" "$txtvalue"; then
+    _info "The record does not exist, skip"
+    return 0
+  fi
+
+  _add_data=""
+  uuid=$(echo "$response" | tr "{" "\n" | grep "$txtvalue" | tr "," "\n" | grep uuid | cut -d \" -f4)
+  # delete record
+  _debug "Delete TXT record for '${fulldomain}'"
+  if ! _alviy_rest DELETE "zone/$_domain/record/$uuid" "{\"confirm\":1}"; then
+    _err "Cannot delete empty TXT record for '$fulldomain'"
+    return 1
+  fi
+  _info "The record '$fulldomain'='$txtvalue' deleted"
+}
+
+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+_get_root() {
+  domain=$1
+  i=3
+  a="init"
+  while [ -n "$a" ]; do
+    a=$(printf "%s" "$domain" | cut -d . -f $i-)
+    i=$((i + 1))
+  done
+  n=$((i - 3))
+  h=$(printf "%s" "$domain" | cut -d . -f $n-)
+  if [ -z "$h" ]; then
+    #not valid
+    _alviy_rest GET "zone/$domain/"
+    _debug "can't get host from $domain"
+    return 1
+  fi
+
+  if ! _alviy_rest GET "zone/$h/"; then
+    return 1
+  fi
+
+  if _contains "$response" '"code":"NOT_FOUND"'; then
+    _debug "$h not found"
+  else
+    s=$((n - 1))
+    _sub_domain=$(printf "%s" "$domain" | cut -d . -f -$s)
+    _domain="$h"
+    return 0
+  fi
+  return 1
+}
+
+_alviy_txt_exists() {
+  zone=$1
+  domain=$2
+  content_data=$3
+  _debug "Getting existing records"
+
+  if ! _alviy_rest GET "zone/$zone/domain/$domain/TXT/"; then
+    _info "The record does not exist"
+    return 1
+  fi
+
+  if ! _contains "$response" "$3"; then
+    _info "The record has other value"
+    return 1
+  fi
+  # GOOD code return - TRUE function
+  return 0
+}
+
+_alviy_rest() {
+  method=$1
+  path="$2"
+  content_data="$3"
+  _debug "$path"
+
+  export _H1="Authorization: Bearer $Alviy_token"
+  export _H2="Content-Type: application/json"
+
+  if [ "$content_data" ] || [ "$method" = "DELETE" ]; then
+    _debug "data ($method): " "$content_data"
+    response="$(_post "$content_data" "$Alviy_Api/$path" "" "$method")"
+  else
+    response="$(_get "$Alviy_Api/$path")"
+  fi
+  _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
+  if [ "$_code" = "401" ]; then
+    _err "It seems that your api key or secret is not correct."
+    return 1
+  fi
+
+  if [ "$_code" != "200" ]; then
+    _err "API call error ($method): $path Response code $_code"
+  fi
+  if [ "$?" != "0" ]; then
+    _err "error on rest call ($method): $path. Response:"
+    _err "$response"
+    return 1
+  fi
+  _debug2 response "$response"
+  return 0
+}

dnsapi/dns_anx.sh

@@ -130,18 +130,17 @@ _get_root() {
   i=1
   p=1
 
-  _anx_rest GET "zone.json"
-
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
       return 1
     fi
 
+    _anx_rest GET "zone.json/${h}"
     if _contains "$response" "\"name\":\"$h\""; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       return 0
     fi

dnsapi/dns_arvan.sh

@@ -107,7 +107,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -120,7 +120,7 @@ _get_root() {
     if _contains "$response" "\"domain\":\"$h\""; then
       _domain_id=$(echo "$response" | cut -d : -f 3 | cut -d , -f 1 | tr -d \")
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain=$h
         return 0
       fi

dnsapi/dns_aurora.sh

@@ -117,7 +117,7 @@ _get_root() {
   p=1
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -132,7 +132,7 @@ _get_root() {
       _domain_id=$(echo "$response" | _normalizeJson | tr -d "{}" | tr "," "\n" | grep "\"id\": *\"" | cut -d : -f 2 | tr -d \" | _head_n 1 | tr -d " ")
       _debug _domain_id "$_domain_id"
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain=$h
         return 0
       fi

dnsapi/dns_autodns.sh

@@ -110,7 +110,7 @@ _get_autodns_zone() {
   p=1
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
 
     if [ -z "$h" ]; then
@@ -128,7 +128,7 @@ _get_autodns_zone() {
     if _contains "$autodns_response" "<summary>1</summary>" >/dev/null; then
       _zone="$(echo "$autodns_response" | _egrep_o '<name>[^<]*</name>' | cut -d '>' -f 2 | cut -d '<' -f 1)"
       _system_ns="$(echo "$autodns_response" | _egrep_o '<system_ns>[^<]*</system_ns>' | cut -d '>' -f 2 | cut -d '<' -f 1)"
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       return 0
     fi
 

dnsapi/dns_aws.sh

@@ -158,7 +158,7 @@ _get_root() {
 
   # iterate over names (a.b.c.d -> b.c.d -> c.d -> d)
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100 | sed 's/\./\\./g')
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100 | sed 's/\./\\./g')
     _debug "Checking domain: $h"
     if [ -z "$h" ]; then
       _error "invalid domain"
@@ -174,7 +174,7 @@ _get_root() {
         if [ "$hostedzone" ]; then
           _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "<Id>.*<.Id>" | head -n 1 | _egrep_o ">.*<" | tr -d "<>")
           if [ "$_domain_id" ]; then
-            _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+            _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
             _domain=$h
             return 0
           fi

dnsapi/dns_azion.sh

@@ -100,7 +100,7 @@ _get_root() {
   fi
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       # not valid
@@ -111,7 +111,7 @@ _get_root() {
       _domain_id=$(echo "$response" | tr '{' "\n" | grep "\"domain\":\"$h\"" | _egrep_o "\"id\":[0-9]*" | _head_n 1 | cut -d : -f 2 | tr -d \")
       _debug _domain_id "$_domain_id"
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain=$h
         return 0
       fi

dnsapi/dns_azure.sh

@@ -11,12 +11,14 @@ Options:
  AZUREDNS_MANAGEDIDENTITY Use Managed Identity. Use Managed Identity assigned to a resource instead of a service principal. "true"/"false"
 '
 
+wiki=https://github.com/acmesh-official/acme.sh/wiki/How-to-use-Azure-DNS
+
 ########  Public functions #####################
 
 # Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 # Used to add txt record
 #
-# Ref: https://docs.microsoft.com/en-us/rest/api/dns/recordsets/createorupdate
+# Ref: https://learn.microsoft.com/en-us/rest/api/dns/record-sets/create-or-update?view=rest-dns-2018-05-01&tabs=HTTP
 #
 
 dns_azure_add() {
@@ -133,7 +135,7 @@ dns_azure_add() {
 # Usage: fulldomain txtvalue
 # Used to remove the txt record after validation
 #
-# Ref: https://docs.microsoft.com/en-us/rest/api/dns/recordsets/delete
+# Ref: https://learn.microsoft.com/en-us/rest/api/dns/record-sets/delete?view=rest-dns-2018-05-01&tabs=HTTP
 #
 dns_azure_rm() {
   fulldomain=$1
@@ -265,10 +267,10 @@ _azure_rest() {
     if [ "$_code" = "401" ]; then
       # we have an invalid access token set to expired
       _saveaccountconf_mutable AZUREDNS_TOKENVALIDTO "0"
-      _err "access denied make sure your Azure settings are correct. See $WIKI"
+      _err "Access denied. Invalid access token. Make sure your Azure settings are correct. See: $wiki"
       return 1
     fi
-    # See https://docs.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines for retryable HTTP codes
+    # See https://learn.microsoft.com/en-us/azure/architecture/best-practices/retry-service-specific#general-rest-and-retry-guidelines for retryable HTTP codes
     if [ "$_ret" != "0" ] || [ -z "$_code" ] || [ "$_code" = "408" ] || [ "$_code" = "500" ] || [ "$_code" = "503" ] || [ "$_code" = "504" ]; then
       _request_retry_times="$(_math "$_request_retry_times" + 1)"
       _info "REST call error $_code retrying $ep in $_request_retry_times s"
@@ -286,7 +288,7 @@ _azure_rest() {
   return 0
 }
 
-## Ref: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-service-to-service#request-an-access-token
+## Ref: https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-client-creds-grant-flow#request-an-access-token
 _azure_getaccess_token() {
   managedIdentity=$1
   tenantID=$2
@@ -310,7 +312,7 @@ _azure_getaccess_token() {
   _debug "getting new bearer token"
 
   if [ "$managedIdentity" = true ]; then
-    # https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
+    # https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
     export _H1="Metadata: true"
     response="$(_get http://169.254.169.254/metadata/identity/oauth2/token\?api-version=2018-02-01\&resource=https://management.azure.com/)"
     response="$(echo "$response" | _normalizeJson)"
@@ -330,7 +332,7 @@ _azure_getaccess_token() {
   fi
 
   if [ -z "$accesstoken" ]; then
-    _err "no acccess token received. Check your Azure settings see $WIKI"
+    _err "No acccess token received. Check your Azure settings. See: $wiki"
     return 1
   fi
   if [ "$_ret" != "0" ]; then
@@ -350,15 +352,18 @@ _get_root() {
   i=1
   p=1
 
-  ## Ref: https://docs.microsoft.com/en-us/rest/api/dns/zones/list
-  ## returns up to 100 zones in one response therefore handling more results is not not implemented
-  ## (ZoneListResult with  continuation token for the next page of results)
-  ## Per https://docs.microsoft.com/en-us/azure/azure-subscription-service-limits#dns-limits you are limited to 100 Zone/subscriptions anyways
+  ## Ref: https://learn.microsoft.com/en-us/rest/api/dns/zones/list?view=rest-dns-2018-05-01&tabs=HTTP
+  ## returns up to 100 zones in one response. Handling more results is not implemented
+  ## (ZoneListResult with continuation token for the next page of results)
+  ##
+  ## TODO: handle more than 100 results, as per:
+  ## https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-dns-limits
+  ## The new limit is 250 Public DNS zones per subscription, while the old limit was only 100
   ##
   _azure_rest GET "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.Network/dnszones?\$top=500&api-version=2017-09-01" "" "$accesstoken"
   # Find matching domain name in Json response
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug2 "Checking domain: $h"
     if [ -z "$h" ]; then
       #not valid
@@ -373,7 +378,7 @@ _get_root() {
           #create the record at the domain apex (@) if only the domain name was provided as --domain-alias
           _sub_domain="@"
         else
-          _sub_domain=$(echo "$domain" | cut -d . -f 1-$p)
+          _sub_domain=$(echo "$domain" | cut -d . -f 1-"$p")
         fi
         _domain=$h
         return 0

dnsapi/dns_bunny.sh

@@ -196,7 +196,7 @@ _get_base_domain() {
     _debug2 domain_list "$domain_list"
 
     i=1
-    while [ $i -gt 0 ]; do
+    while [ "$i" -gt 0 ]; do
       ## get next longest domain
       _domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-"$MAX_DOM")
       ## check we got something back from our cut (or are we at the end)
@@ -208,7 +208,7 @@ _get_base_domain() {
       ## check if it exists
       if [ -n "$found" ]; then
         ## exists - exit loop returning the parts
-        sub_point=$(_math $i - 1)
+        sub_point=$(_math "$i" - 1)
         _sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-"$sub_point")
         _domain_id="$(echo "$found" | _egrep_o "Id\"\s*\:\s*\"*[0-9]+" | _egrep_o "[0-9]+")"
         _debug _domain_id "$_domain_id"
@@ -218,11 +218,11 @@ _get_base_domain() {
         return 0
       fi
       ## increment cut point $i
-      i=$(_math $i + 1)
+      i=$(_math "$i" + 1)
     done
 
     if [ -z "$found" ]; then
-      page=$(_math $page + 1)
+      page=$(_math "$page" + 1)
       nextpage="https://api.bunny.net/dnszone?page=$page"
       ## Find the next page if we don't have a match.
       hasnextpage="$(echo "$domain_list" | _egrep_o "\"HasMoreItems\"\s*:\s*true")"

dnsapi/dns_cf.sh

@@ -186,7 +186,7 @@ _get_root() {
   fi
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -206,7 +206,7 @@ _get_root() {
     if _contains "$response" "\"name\":\"$h\"" || _contains "$response" '"total_count":1'; then
       _domain_id=$(echo "$response" | _egrep_o "\[.\"id\": *\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain=$h
         return 0
       fi

dnsapi/dns_cloudns.sh

@@ -164,7 +164,7 @@ _dns_cloudns_get_zone_info() {
 _dns_cloudns_get_zone_name() {
   i=2
   while true; do
-    zoneForCheck=$(printf "%s" "$1" | cut -d . -f $i-100)
+    zoneForCheck=$(printf "%s" "$1" | cut -d . -f "$i"-100)
 
     if [ -z "$zoneForCheck" ]; then
       return 1

dnsapi/dns_cn.sh

@@ -131,7 +131,7 @@ _cn_get_root() {
   p=1
   while true; do
 
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     _debug _H1 "${_H1}"
 
@@ -149,7 +149,7 @@ _cn_get_root() {
     fi
 
     if _contains "$_cn_zonelist" "\"name\":\"$h\"" >/dev/null; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       return 0
     else

dnsapi/dns_conoha.sh

@@ -237,7 +237,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100).
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100).
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -251,7 +251,7 @@ _get_root() {
     if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
       _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | head -n 1 | cut -d : -f 2 | tr -d \")
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain=$h
         return 0
       fi

dnsapi/dns_constellix.sh

@@ -122,7 +122,7 @@ _get_root() {
   p=1
   _debug "Detecting root zone"
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       return 1
     fi
@@ -134,7 +134,7 @@ _get_root() {
     if _contains "$response" "\"name\":\"$h\""; then
       _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[0-9]*" | cut -d ':' -f 2)
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d '.' -f 1-"$p")
         _domain="$h"
 
         _debug _domain_id "$_domain_id"

dnsapi/dns_curanet.sh

@@ -142,7 +142,7 @@ _get_root() {
   i=1
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid

dnsapi/dns_da.sh

@@ -61,7 +61,7 @@ _get_root() {
   # response will contain "list[]=example.com&list[]=example.org"
   _da_api CMD_API_SHOW_DOMAINS "" "${domain}"
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       # not valid
@@ -69,7 +69,7 @@ _get_root() {
       return 1
     fi
     if _contains "$response" "$h" >/dev/null; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       return 0
     fi

dnsapi/dns_desec.sh

@@ -176,7 +176,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -188,7 +188,7 @@ _get_root() {
     fi
 
     if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       return 0
     fi

dnsapi/dns_dgon.sh

@@ -203,7 +203,7 @@ _get_base_domain() {
     _debug2 domain_list "$domain_list"
 
     i=1
-    while [ $i -gt 0 ]; do
+    while [ "$i" -gt 0 ]; do
       ## get next longest domain
       _domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-"$MAX_DOM")
       ## check we got something back from our cut (or are we at the end)
@@ -215,14 +215,14 @@ _get_base_domain() {
       ## check if it exists
       if [ -n "$found" ]; then
         ## exists - exit loop returning the parts
-        sub_point=$(_math $i - 1)
+        sub_point=$(_math "$i" - 1)
         _sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-"$sub_point")
         _debug _domain "$_domain"
         _debug _sub_domain "$_sub_domain"
         return 0
       fi
       ## increment cut point $i
-      i=$(_math $i + 1)
+      i=$(_math "$i" + 1)
     done
 
     if [ -z "$found" ]; then

dnsapi/dns_dnsexit.sh

@@ -84,7 +84,7 @@ _get_root() {
   domain=$1
   i=1
   while true; do
-    _domain=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _domain=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$_domain"
     if [ -z "$_domain" ]; then
       return 1

dnsapi/dns_dnsimple.sh

@@ -92,7 +92,7 @@ _get_root() {
   i=2
   previous=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       # not valid
       return 1
@@ -105,7 +105,7 @@ _get_root() {
     if _contains "$response" 'not found'; then
       _debug "$h not found"
     else
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$previous)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$previous")
       _domain="$h"
 
       _debug _domain "$_domain"

dnsapi/dns_doapi.sh

@@ -2,7 +2,6 @@
 # shellcheck disable=SC2034
 dns_doapi_info='Domain-Offensive do.de
  Official LetsEncrypt API for do.de / Domain-Offensive.
- This is different from the dns_do adapter, because dns_do is only usable for enterprise customers.
  This API is also available to private customers/individuals.
 Site: do.de
 Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_doapi
@@ -11,7 +10,7 @@ Options:
 Issues: github.com/acmesh-official/acme.sh/issues/2057
 '
 
-DO_API="https://www.do.de/api/letsencrypt"
+DO_API="https://my.do.de/api/letsencrypt"
 
 ########  Public functions #####################
 

dnsapi/dns_domeneshop.sh

@@ -93,7 +93,7 @@ _get_domainid() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug "h" "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -102,7 +102,7 @@ _get_domainid() {
 
     if _contains "$response" "\"$h\"" >/dev/null; then
       # We have found the domain name.
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       _domainid=$(printf "%s" "$response" | _egrep_o "[^{]*\"domain\":\"$_domain\"[^}]*" | _egrep_o "\"id\":[0-9]+" | cut -d : -f 2)
       return 0

dnsapi/dns_dp.sh

@@ -109,7 +109,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -123,7 +123,7 @@ _get_root() {
       _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")
       _debug _domain_id "$_domain_id"
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _debug _sub_domain "$_sub_domain"
         _domain="$h"
         _debug _domain "$_domain"

dnsapi/dns_dpi.sh

@@ -109,7 +109,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -123,7 +123,7 @@ _get_root() {
       _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":\"[^\"]*\"" | cut -d : -f 2 | tr -d \")
       _debug _domain_id "$_domain_id"
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _debug _sub_domain "$_sub_domain"
         _domain="$h"
         _debug _domain "$_domain"

dnsapi/dns_durabledns.sh

@@ -110,7 +110,7 @@ _get_root() {
   i=1
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -118,7 +118,7 @@ _get_root() {
     fi
 
     if _contains "$response" ">$h.</origin>"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       return 0
     fi

dnsapi/dns_dynu.sh

@@ -126,7 +126,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -140,7 +140,7 @@ _get_root() {
     if _contains "$response" "\"domainName\":\"$h\"" >/dev/null; then
       dnsId=$(printf "%s" "$response" | tr -d "{}" | cut -d , -f 2 | cut -d : -f 2)
       _domain_name=$h
-      _node=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _node=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       return 0
     fi
     p=$i

dnsapi/dns_dynv6.sh

@@ -16,8 +16,8 @@ dynv6_api="https://dynv6.com/api/v2"
 # Please Read this guide first: https://github.com/Neilpang/acme.sh/wiki/DNS-API-Dev-Guide
 #Usage: dns_dynv6_add  _acme-challenge.www.domain.com  "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_dynv6_add() {
-  fulldomain=$1
-  txtvalue=$2
+  fulldomain="$(echo "$1" | _lower_case)"
+  txtvalue="$2"
   _info "Using dynv6 api"
   _debug fulldomain "$fulldomain"
   _debug txtvalue "$txtvalue"
@@ -43,15 +43,14 @@ dns_dynv6_add() {
       _err "Something went wrong! it does not seem like the record was added successfully"
       return 1
     fi
-    return 1
   fi
-  return 1
+
 }
 #Usage: fulldomain txtvalue
 #Remove the txt record after validation.
 dns_dynv6_rm() {
-  fulldomain=$1
-  txtvalue=$2
+  fulldomain="$(echo "$1" | _lower_case)"
+  txtvalue="$2"
   _info "Using dynv6 API"
   _debug fulldomain "$fulldomain"
   _debug txtvalue "$txtvalue"
@@ -206,7 +205,7 @@ _get_zone_id() {
     return 1
   fi
 
-  zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep id | tr -d '"')"
+  zone_id="$(echo "$response" | tr '}' '\n' | grep "$selected" | tr ',' '\n' | grep '"id":' | tr -d '"')"
   _zone_id="${zone_id#id:}"
   _debug "zone id: $_zone_id"
 }

dnsapi/dns_easydns.sh

@@ -121,7 +121,7 @@ _get_root() {
   i=1
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -133,7 +133,7 @@ _get_root() {
     fi
 
     if _contains "$response" "\"status\":200"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       return 0
     fi

dnsapi/dns_euserv.sh

@@ -151,7 +151,7 @@ _get_root() {
   response="$_euserv_domain_orders"
 
   while true; do
-    h=$(echo "$domain" | cut -d . -f $i-100)
+    h=$(echo "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -159,7 +159,7 @@ _get_root() {
     fi
 
     if _contains "$response" "$h"; then
-      _sub_domain=$(echo "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(echo "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       if ! _euserv_get_domain_id "$_domain"; then
         _err "invalid domain"

dnsapi/dns_exoscale.sh

@@ -119,7 +119,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -130,7 +130,7 @@ _get_root() {
       _domain_id=$(echo "$response" | tr '{' "\n" | grep "\"name\":\"$h\"" | _egrep_o "\"id\":[^,]+" | _head_n 1 | cut -d : -f 2 | tr -d \")
       _domain_token=$(echo "$response" | tr '{' "\n" | grep "\"name\":\"$h\"" | _egrep_o "\"token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
       if [ "$_domain_token" ] && [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain=$h
         return 0
       fi

dnsapi/dns_fornex.sh

@@ -90,7 +90,7 @@ _get_root() {
 
   i=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid

dnsapi/dns_gandi_livedns.sh

@@ -95,7 +95,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -112,7 +112,7 @@ _get_root() {
     elif _contains "$response" '"code": 404'; then
       _debug "$h not found"
     else
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
     fi

dnsapi/dns_gcore.sh

@@ -28,7 +28,7 @@ dns_gcore_add() {
   fi
 
   #save the api key to the account conf file.
-  _saveaccountconf_mutable GCORE_Key "$GCORE_Key"
+  _saveaccountconf_mutable GCORE_Key "$GCORE_Key" "base64"
 
   _debug "First detect the zone name"
   if ! _get_root "$fulldomain"; then
@@ -138,7 +138,7 @@ _get_root() {
   p=1
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -152,7 +152,7 @@ _get_root() {
     if _contains "$response" "\"name\":\"$h\""; then
       _zone_name=$h
       if [ "$_zone_name" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain=$h
         return 0
       fi

dnsapi/dns_gd.sh

@@ -148,7 +148,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -161,7 +161,7 @@ _get_root() {
     if _contains "$response" '"code":"NOT_FOUND"'; then
       _debug "$h not found"
     else
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
     fi

dnsapi/dns_geoscaling.sh

@@ -202,7 +202,7 @@ find_zone() {
   # Walk through all possible zone names
   strip_counter=1
   while true; do
-    attempted_zone=$(echo "${domain}" | cut -d . -f ${strip_counter}-)
+    attempted_zone=$(echo "${domain}" | cut -d . -f "${strip_counter}"-)
 
     # All possible zone names have been tried
     if [ -z "${attempted_zone}" ]; then

dnsapi/dns_googledomains.sh

@@ -132,7 +132,7 @@ _dns_googledomains_get_zone() {
 
   i=2
   while true; do
-    curr=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    curr=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug curr "$curr"
 
     if [ -z "$curr" ]; then

dnsapi/dns_he.sh

@@ -143,7 +143,7 @@ _find_zone() {
   # Walk through all possible zone names
   _strip_counter=1
   while true; do
-    _attempted_zone=$(echo "$_domain" | cut -d . -f ${_strip_counter}-)
+    _attempted_zone=$(echo "$_domain" | cut -d . -f "${_strip_counter}"-)
 
     # All possible zone names have been tried
     if [ -z "$_attempted_zone" ]; then

dnsapi/dns_hetzner.sh

@@ -181,7 +181,7 @@ _get_root() {
 
   _debug "Trying to get zone id by domain name for '$domain_without_acme'."
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -193,7 +193,7 @@ _get_root() {
     if _contains "$response" "\"name\":\"$h\"" || _contains "$response" '"total_entries":1'; then
       _domain_id=$(echo "$response" | _egrep_o "\[.\"id\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain=$h
         HETZNER_Zone_ID=$_domain_id
         _savedomainconf "$domain_param_name" "$HETZNER_Zone_ID"

dnsapi/dns_hexonet.sh

@@ -123,7 +123,7 @@ _get_root() {
   i=1
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -135,7 +135,7 @@ _get_root() {
     fi
 
     if _contains "$response" "CODE=200"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       return 0
     fi

dnsapi/dns_huaweicloud.sh

@@ -210,7 +210,7 @@ _get_recordset_id() {
   _zoneid=$3
   export _H1="X-Auth-Token: ${_token}"
 
-  response=$(_get "${dns_api}/v2/zones/${_zoneid}/recordsets?name=${_domain}")
+  response=$(_get "${dns_api}/v2/zones/${_zoneid}/recordsets?name=${_domain}&status=ACTIVE")
   if _contains "${response}" '"id"'; then
     _id="$(echo "${response}" | _egrep_o "\"id\": *\"[^\"]*\"" | cut -d : -f 2 | tr -d \" | tr -d " ")"
     printf "%s" "${_id}"
@@ -227,7 +227,7 @@ _add_record() {
 
   # Get Existing Records
   export _H1="X-Auth-Token: ${_token}"
-  response=$(_get "${dns_api}/v2/zones/${zoneid}/recordsets?name=${_domain}")
+  response=$(_get "${dns_api}/v2/zones/${zoneid}/recordsets?name=${_domain}&status=ACTIVE")
 
   _debug2 "${response}"
   _exist_record=$(echo "${response}" | _egrep_o '"records":[^]]*' | sed 's/\"records\"\:\[//g')

dnsapi/dns_internetbs.sh

@@ -133,7 +133,7 @@ _get_root() {
     fi
 
     while true; do
-      h=$(printf "%s" "$domain" | cut -d . -f ${i}-100)
+      h=$(printf "%s" "$domain" | cut -d . -f "${i}"-100)
       _debug h "$h"
       if [ -z "$h" ]; then
         #not valid
@@ -141,7 +141,7 @@ _get_root() {
       fi
 
       if _contains "$response" "\"$h\""; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-${p})
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"${p}")
         _domain=${h}
         return 0
       fi

dnsapi/dns_inwx.sh

@@ -163,6 +163,15 @@ _inwx_check_cookie() {
   return 1
 }
 
+_htmlEscape() {
+  _s="$1"
+  _s=$(echo "$_s" | sed "s/&/&/g")
+  _s=$(echo "$_s" | sed "s/</\&lt;/g")
+  _s=$(echo "$_s" | sed "s/>/\&gt;/g")
+  _s=$(echo "$_s" | sed 's/"/\&quot;/g')
+  printf -- %s "$_s"
+}
+
 _inwx_login() {
 
   if _inwx_check_cookie; then
@@ -170,6 +179,8 @@ _inwx_login() {
     return 0
   fi
 
+  XML_PASS=$(_htmlEscape "$INWX_Password")
+
   xml_content=$(printf '<?xml version="1.0" encoding="UTF-8"?>
   <methodCall>
   <methodName>account.login</methodName>
@@ -193,7 +204,7 @@ _inwx_login() {
     </value>
    </param>
   </params>
-  </methodCall>' "$INWX_User" "$INWX_Password")
+  </methodCall>' "$INWX_User" "$XML_PASS")
 
   response="$(_post "$xml_content" "$INWX_Api" "" "POST")"
 
@@ -282,7 +293,7 @@ _get_root() {
 
   response="$(_post "$xml_content" "$INWX_Api" "" "POST")"
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -290,7 +301,7 @@ _get_root() {
     fi
 
     if _contains "$response" "$h"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
     fi

dnsapi/dns_ionos.sh

@@ -87,7 +87,7 @@ _get_root() {
     _response="$(echo "$_response" | tr -d "\n")"
 
     while true; do
-      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+      h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
       if [ -z "$h" ]; then
         return 1
       fi
@@ -96,7 +96,7 @@ _get_root() {
       if [ "$_zone" ]; then
         _zone_id=$(printf "%s\n" "$_zone" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
         if [ "$_zone_id" ]; then
-          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
           _domain=$h
 
           return 0

dnsapi/dns_ionos_cloud.sh

@@ -0,0 +1,145 @@
+#!/usr/bin/env sh
+
+# Supports IONOS Cloud DNS API v1.15.4
+#
+# Usage:
+#   Export IONOS_TOKEN before calling acme.sh:
+#   $ export IONOS_TOKEN="..."
+#
+#   $ acme.sh --issue --dns dns_ionos_cloud ...
+
+IONOS_CLOUD_API="https://dns.de-fra.ionos.com"
+IONOS_CLOUD_ROUTE_ZONES="/zones"
+
+dns_ionos_cloud_add() {
+  fulldomain=$1
+  txtvalue=$2
+
+  if ! _ionos_init; then
+    return 1
+  fi
+
+  _record_name=$(printf "%s" "$fulldomain" | cut -d . -f 1)
+  _body="{\"properties\":{\"name\":\"$_record_name\", \"type\":\"TXT\", \"content\":\"$txtvalue\"}}"
+
+  if _ionos_cloud_rest POST "$IONOS_CLOUD_ROUTE_ZONES/$_zone_id/records" "$_body" && [ "$_code" = "202" ]; then
+    _info "TXT record has been created successfully."
+    return 0
+  fi
+
+  return 1
+}
+
+dns_ionos_cloud_rm() {
+  fulldomain=$1
+  txtvalue=$2
+
+  if ! _ionos_init; then
+    return 1
+  fi
+
+  if ! _ionos_cloud_get_record "$_zone_id" "$txtvalue" "$fulldomain"; then
+    _err "Could not find _acme-challenge TXT record."
+    return 1
+  fi
+
+  if _ionos_cloud_rest DELETE "$IONOS_CLOUD_ROUTE_ZONES/$_zone_id/records/$_record_id" && [ "$_code" = "202" ]; then
+    _info "TXT record has been deleted successfully."
+    return 0
+  fi
+
+  return 1
+}
+
+_ionos_init() {
+  IONOS_TOKEN="${IONOS_TOKEN:-$(_readaccountconf_mutable IONOS_TOKEN)}"
+
+  if [ -z "$IONOS_TOKEN" ]; then
+    _err "You didn't specify an IONOS token yet."
+    _err "Read https://api.ionos.com/docs/authentication/v1/#tag/tokens/operation/tokensGenerate to learn how to get a token."
+    _err "You need to set it before calling acme.sh:"
+    _err "\$ export IONOS_TOKEN=\"...\""
+    _err "\$ acme.sh --issue -d ... --dns dns_ionos_cloud"
+    return 1
+  fi
+
+  _saveaccountconf_mutable IONOS_TOKEN "$IONOS_TOKEN"
+
+  if ! _get_cloud_zone "$fulldomain"; then
+    _err "Cannot find zone $zone in your IONOS account."
+    return 1
+  fi
+
+  return 0
+}
+
+_get_cloud_zone() {
+  domain=$1
+  zone=$(printf "%s" "$domain" | cut -d . -f 2-)
+
+  if _ionos_cloud_rest GET "$IONOS_CLOUD_ROUTE_ZONES?filter.zoneName=$zone"; then
+    _response="$(echo "$_response" | tr -d "\n")"
+
+    _zone_list_items=$(echo "$_response" | _egrep_o "\"items\":.*")
+
+    _zone_id=$(printf "%s\n" "$_zone_list_items" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
+    if [ "$_zone_id" ]; then
+      return 0
+    fi
+  fi
+
+  return 1
+}
+
+_ionos_cloud_get_record() {
+  zone_id=$1
+  txtrecord=$2
+  # this is to transform the domain to lower case
+  fulldomain=$(printf "%s" "$3" | _lower_case)
+  # this is to transform record name to lower case
+  # IONOS Cloud API transforms all record names to lower case
+  _record_name=$(printf "%s" "$fulldomain" | cut -d . -f 1 | _lower_case)
+
+  if _ionos_cloud_rest GET "$IONOS_CLOUD_ROUTE_ZONES/$zone_id/records"; then
+    _response="$(echo "$_response" | tr -d "\n")"
+
+    pattern="\{\"id\":\"[a-fA-F0-9\-]*\",\"type\":\"record\",\"href\":\"/zones/$zone_id/records/[a-fA-F0-9\-]*\",\"metadata\":\{\"createdDate\":\"[A-Z0-9\:\.\-]*\",\"lastModifiedDate\":\"[A-Z0-9\:\.\-]*\",\"fqdn\":\"$fulldomain\",\"state\":\"AVAILABLE\",\"zoneId\":\"$zone_id\"\},\"properties\":\{\"content\":\"$txtrecord\",\"enabled\":true,\"name\":\"$_record_name\",\"priority\":[0-9]*,\"ttl\":[0-9]*,\"type\":\"TXT\"\}\}"
+
+    _record="$(echo "$_response" | _egrep_o "$pattern")"
+    if [ "$_record" ]; then
+      _record_id=$(printf "%s\n" "$_record" | _egrep_o "\"id\":\"[a-fA-F0-9\-]*\"" | _head_n 1 | cut -d : -f 2 | tr -d '\"')
+      return 0
+    fi
+  fi
+
+  return 1
+}
+
+_ionos_cloud_rest() {
+  method="$1"
+  route="$2"
+  data="$3"
+
+  export _H1="Authorization: Bearer $IONOS_TOKEN"
+
+  # clear headers
+  : >"$HTTP_HEADER"
+
+  if [ "$method" != "GET" ]; then
+    _response="$(_post "$data" "$IONOS_CLOUD_API$route" "" "$method" "application/json")"
+  else
+    _response="$(_get "$IONOS_CLOUD_API$route")"
+  fi
+
+  _code="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\\r\\n")"
+
+  if [ "$?" != "0" ]; then
+    _err "Error $route: $_response"
+    return 1
+  fi
+
+  _debug2 "_response" "$_response"
+  _debug2 "_code" "$_code"
+
+  return 0
+}

dnsapi/dns_ispconfig.sh

@@ -14,6 +14,8 @@ Options:
 # User must provide login data and URL to the ISPConfig installation incl. port.
 # The remote user in ISPConfig must have access to:
 # - DNS txt Functions
+# - DNS zone functions
+# - Client functions
 
 ########  Public functions #####################
 

dnsapi/dns_jd.sh

@@ -135,7 +135,7 @@ _get_root() {
   p=1
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug2 "Checking domain: $h"
     if ! jd_rest GET "domain"; then
       _err "error get domain list"
@@ -153,7 +153,7 @@ _get_root() {
       if [ "$hostedzone" ]; then
         _domain_id="$(echo "$hostedzone" | tr ',' '\n' | grep "\"id\":" | cut -d : -f 2)"
         if [ "$_domain_id" ]; then
-          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
           _domain=$h
           return 0
         fi

dnsapi/dns_joker.sh

@@ -80,7 +80,7 @@ _get_root() {
   fulldomain=$1
   i=1
   while true; do
-    h=$(printf "%s" "$fulldomain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       return 1

dnsapi/dns_kappernet.sh

@@ -102,7 +102,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -113,7 +113,7 @@ _get_root() {
     if _contains "$response" '"OK":false'; then
       _debug "$h not found"
     else
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
     fi

dnsapi/dns_la.sh

@@ -113,7 +113,7 @@ _get_root() {
   p=1
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -126,7 +126,7 @@ _get_root() {
     if _contains "$response" '"domainid":'; then
       _domain_id=$(printf "%s" "$response" | grep '"domainid":' | cut -d : -f 2 | cut -d , -f 1 | tr -d '\r' | tr -d '\n')
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain="$h"
         return 0
       fi

dnsapi/dns_limacity.sh

@@ -69,7 +69,7 @@ _lima_get_domain_id() {
   if [ "$(echo "$domains" | _egrep_o "\{.*""domains""")" ]; then
     response="$(echo "$domains" | tr -d "\n" | tr '{' "|" | sed 's/|/&{/g' | tr "|" "\n")"
     while true; do
-      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+      h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
       _debug h "$h"
       if [ -z "$h" ]; then
         #not valid
@@ -80,7 +80,7 @@ _lima_get_domain_id() {
       if [ "$hostedzone" ]; then
         LIMACITY_DOMAINID=$(printf "%s\n" "$hostedzone" | _egrep_o "\"id\":\s*[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ )
         if [ "$LIMACITY_DOMAINID" ]; then
-          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
           _domain=$h
           return 0
         fi

dnsapi/dns_linode.sh

@@ -136,7 +136,7 @@ _get_root() {
   if _rest GET "domain.list"; then
     response="$(echo "$response" | tr -d "\n" | tr '{' "|" | sed 's/|/&{/g' | tr "|" "\n")"
     while true; do
-      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+      h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
       _debug h "$h"
       if [ -z "$h" ]; then
         #not valid
@@ -147,7 +147,7 @@ _get_root() {
       if [ "$hostedzone" ]; then
         _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "\"DOMAINID\":\s*[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ )
         if [ "$_domain_id" ]; then
-          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
           _domain=$h
           return 0
         fi

dnsapi/dns_linode_v4.sh

@@ -138,7 +138,7 @@ _get_root() {
   if _rest GET; then
     response="$(echo "$response" | tr -d "\n" | tr '{' "|" | sed 's/|/&{/g' | tr "|" "\n")"
     while true; do
-      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+      h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
       _debug h "$h"
       if [ -z "$h" ]; then
         #not valid
@@ -149,7 +149,7 @@ _get_root() {
       if [ "$hostedzone" ]; then
         _domain_id=$(printf "%s\n" "$hostedzone" | _egrep_o "\"id\": *[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ )
         if [ "$_domain_id" ]; then
-          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
           _domain=$h
           return 0
         fi

dnsapi/dns_loopia.sh

@@ -180,14 +180,14 @@ _get_root() {
 
   response="$(_post "$xml_content" "$LOOPIA_Api" "" "POST")"
   while true; do
-    h=$(echo "$domain" | cut -d . -f $i-100)
+    h=$(echo "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
     fi
 
     if _contains "$response" "$h"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
     fi

dnsapi/dns_lua.sh

@@ -110,7 +110,7 @@ _get_root() {
     return 1
   fi
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -121,7 +121,7 @@ _get_root() {
       _domain_id=$(printf "%s\n" "$response" | _egrep_o "\"id\":[^,]*,\"name\":\"$h\"" | cut -d : -f 2 | cut -d , -f 1)
       _debug _domain_id "$_domain_id"
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain="$h"
         return 0
       fi

dnsapi/dns_maradns.sh

@@ -72,7 +72,7 @@ _reload_maradns() {
   pidpath="$1"
   kill -s HUP -- "$(cat "$pidpath")"
   if [ $? -ne 0 ]; then
-    _err "Unable to reload MaraDNS, kill returned $?"
+    _err "Unable to reload MaraDNS, kill returned"
     return 1
   fi
 }

dnsapi/dns_me.sh

@@ -107,7 +107,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -120,7 +120,7 @@ _get_root() {
     if _contains "$response" "\"name\":\"$h\""; then
       _domain_id=$(printf "%s\n" "$response" | sed 's/^{//; s/}$//; s/{.*}//' | sed -r 's/^.*"id":([0-9]+).*$/\1/')
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain="$h"
         return 0
       fi

dnsapi/dns_miab.sh

@@ -17,7 +17,7 @@ Author: Darven Dissek, William Gertz
 dns_miab_add() {
   fulldomain=$1
   txtvalue=$2
-  _info "Using miab challange add"
+  _info "Using miab challenge add"
   _debug fulldomain "$fulldomain"
   _debug txtvalue "$txtvalue"
 
@@ -26,7 +26,7 @@ dns_miab_add() {
     return 1
   fi
 
-  #check domain and seperate into doamin and host
+  #check domain and seperate into domain and host
   if ! _get_root "$fulldomain"; then
     _err "Cannot find any part of ${fulldomain} is hosted on ${MIAB_Server}"
     return 1
@@ -55,7 +55,7 @@ dns_miab_rm() {
   fulldomain=$1
   txtvalue=$2
 
-  _info "Using miab challage delete"
+  _info "Using miab challenge delete"
   _debug fulldomain "$fulldomain"
   _debug txtvalue "$txtvalue"
 
@@ -112,7 +112,7 @@ _get_root() {
   #cycle through the passed domain seperating out a test domain discarding
   #   the subdomain by marching thorugh the dots
   while true; do
-    _test_domain=$(printf "%s" "$_passed_domain" | cut -d . -f ${_i}-100)
+    _test_domain=$(printf "%s" "$_passed_domain" | cut -d . -f "${_i}"-100)
     _debug _test_domain "$_test_domain"
 
     if [ -z "$_test_domain" ]; then
@@ -122,7 +122,7 @@ _get_root() {
     #report found if the test domain is in the json response and
     #   report the subdomain
     if _contains "$response" "\"$_test_domain\""; then
-      _sub_domain=$(printf "%s" "$_passed_domain" | cut -d . -f 1-${_p})
+      _sub_domain=$(printf "%s" "$_passed_domain" | cut -d . -f 1-"${_p}")
       _domain=${_test_domain}
       return 0
     fi

dnsapi/dns_misaka.sh

@@ -116,7 +116,7 @@ _get_root() {
     return 1
   fi
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -124,7 +124,7 @@ _get_root() {
     fi
 
     if _contains "$response" "\"name\":\"$h\""; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
     fi

dnsapi/dns_mydnsjp.sh

@@ -126,7 +126,7 @@ _get_root() {
   fi
 
   while true; do
-    _domain=$(printf "%s" "$fulldomain" | cut -d . -f $i-100)
+    _domain=$(printf "%s" "$fulldomain" | cut -d . -f "$i"-100)
 
     if [ -z "$_domain" ]; then
       # not valid
@@ -134,7 +134,7 @@ _get_root() {
     fi
 
     if [ "$_domain" = "$_root_domain" ]; then
-      _sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$fulldomain" | cut -d . -f 1-"$p")
       return 0
     fi
 

dnsapi/dns_mythic_beasts.sh

@@ -107,7 +107,7 @@ _get_root() {
 
   _debug "Detect the root zone"
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       _err "Domain exhausted"
       return 1
@@ -118,7 +118,7 @@ _get_root() {
     _mb_rest GET "$h/records"
     ret="$?"
     if [ "$ret" -eq 0 ]; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       _debug _sub_domain "$_sub_domain"
       _debug _domain "$_domain"

dnsapi/dns_namecheap.sh

@@ -109,7 +109,7 @@ _get_root_by_getList() {
 
   while true; do
 
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -123,7 +123,7 @@ _get_root_by_getList() {
     if ! _contains "$response" "$h"; then
       _debug "$h not found"
     else
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
     fi
@@ -137,14 +137,14 @@ _get_root_by_getHosts() {
   i=100
   p=99
 
-  while [ $p -ne 0 ]; do
+  while [ "$p" -ne 0 ]; do
 
-    h=$(printf "%s" "$1" | cut -d . -f $i-100)
+    h=$(printf "%s" "$1" | cut -d . -f "$i"-100)
     if [ -n "$h" ]; then
       if _contains "$h" "\\."; then
         _debug h "$h"
         if _namecheap_set_tld_sld "$h"; then
-          _sub_domain=$(printf "%s" "$1" | cut -d . -f 1-$p)
+          _sub_domain=$(printf "%s" "$1" | cut -d . -f 1-"$p")
           _domain="$h"
           return 0
         else
@@ -378,7 +378,7 @@ _namecheap_set_tld_sld() {
 
   while true; do
 
-    _tld=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    _tld=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug tld "$_tld"
 
     if [ -z "$_tld" ]; then

dnsapi/dns_namecom.sh

@@ -159,15 +159,15 @@ _namecom_get_root() {
 
   # Need to exclude the last field (tld)
   numfields=$(echo "$domain" | _egrep_o "\." | wc -l)
-  while [ $i -le "$numfields" ]; do
-    host=$(printf "%s" "$domain" | cut -d . -f $i-100)
+  while [ "$i" -le "$numfields" ]; do
+    host=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug host "$host"
     if [ -z "$host" ]; then
       return 1
     fi
 
     if _contains "$response" "$host"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$host"
       return 0
     fi

dnsapi/dns_namesilo.sh

@@ -109,15 +109,15 @@ _get_root() {
 
   # Need to exclude the last field (tld)
   numfields=$(echo "$domain" | _egrep_o "\." | wc -l)
-  while [ $i -le "$numfields" ]; do
-    host=$(printf "%s" "$domain" | cut -d . -f $i-100)
+  while [ "$i" -le "$numfields" ]; do
+    host=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug host "$host"
     if [ -z "$host" ]; then
       return 1
     fi
 
     if _contains "$response" ">$host</domain>"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$host"
       return 0
     fi

dnsapi/dns_nederhost.sh

@@ -88,8 +88,8 @@ _get_root() {
   i=2
   p=1
   while true; do
-    _domain=$(printf "%s" "$domain" | cut -d . -f $i-100)
-    _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+    _domain=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
+    _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
     _debug _domain "$_domain"
     if [ -z "$_domain" ]; then
       #not valid

dnsapi/dns_neodigit.sh

@@ -126,7 +126,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -142,7 +142,7 @@ _get_root() {
     if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
       _domain_id=$(echo "$response" | _egrep_o "\"id\":\s*[0-9]+" | _head_n 1 | cut -d: -f2 | cut -d, -f1)
       if [ "$_domain_id" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain=$h
         return 0
       fi

dnsapi/dns_netlify.sh

@@ -55,8 +55,6 @@ dns_netlify_add() {
     return 1
   fi
 
-  _err "Not fully implemented!"
-  return 1
 }
 
 #Usage: dns_myapi_rm   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
@@ -95,7 +93,6 @@ dns_netlify_rm() {
       _err "error removing validation value ($_code)"
       return 1
     fi
-    return 0
   fi
   return 1
 }
@@ -111,7 +108,7 @@ _get_root() {
   _netlify_rest GET "dns_zones" "" "$accesstoken"
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug2 "Checking domain: $h"
     if [ -z "$h" ]; then
       #not valid
@@ -126,7 +123,7 @@ _get_root() {
           #create the record at the domain apex (@) if only the domain name was provided as --domain-alias
           _sub_domain="@"
         else
-          _sub_domain=$(echo "$domain" | cut -d . -f 1-$p)
+          _sub_domain=$(echo "$domain" | cut -d . -f 1-"$p")
         fi
         _domain=$h
         return 0

dnsapi/dns_nic.sh

@@ -169,7 +169,7 @@ _get_root() {
     fi
 
     if _contains "$_all_domains" "^$h$"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       _service=$(printf "%s" "$response" | grep -m 1 "idn-name=\"$_domain\"" | sed -r "s/.*service=\"(.*)\".*$/\1/")
       return 0

dnsapi/dns_njalla.sh

@@ -126,7 +126,7 @@ _get_root() {
   p=1
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -140,7 +140,7 @@ _get_root() {
     if _contains "$response" "\"$h\""; then
       _domain_returned=$(echo "$response" | _egrep_o "\{\"name\": *\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \" | tr -d " ")
       if [ "$_domain_returned" ]; then
-        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain=$h
         return 0
       fi

dnsapi/dns_nsone.sh

@@ -119,7 +119,7 @@ _get_root() {
     return 1
   fi
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -127,7 +127,7 @@ _get_root() {
     fi
 
     if _contains "$response" "\"zone\":\"$h\""; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
     fi

dnsapi/dns_nsupdate.sh

@@ -20,6 +20,7 @@ dns_nsupdate_add() {
   NSUPDATE_SERVER_PORT="${NSUPDATE_SERVER_PORT:-$(_readaccountconf_mutable NSUPDATE_SERVER_PORT)}"
   NSUPDATE_KEY="${NSUPDATE_KEY:-$(_readaccountconf_mutable NSUPDATE_KEY)}"
   NSUPDATE_ZONE="${NSUPDATE_ZONE:-$(_readaccountconf_mutable NSUPDATE_ZONE)}"
+  NSUPDATE_OPT="${NSUPDATE_OPT:-$(_readaccountconf_mutable NSUPDATE_OPT)}"
 
   _checkKeyFile || return 1
 
@@ -28,21 +29,25 @@ dns_nsupdate_add() {
   _saveaccountconf_mutable NSUPDATE_SERVER_PORT "${NSUPDATE_SERVER_PORT}"
   _saveaccountconf_mutable NSUPDATE_KEY "${NSUPDATE_KEY}"
   _saveaccountconf_mutable NSUPDATE_ZONE "${NSUPDATE_ZONE}"
+  _saveaccountconf_mutable NSUPDATE_OPT "${NSUPDATE_OPT}"
 
   [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
   [ -n "${NSUPDATE_SERVER_PORT}" ] || NSUPDATE_SERVER_PORT=53
+  [ -n "${NSUPDATE_OPT}" ] || NSUPDATE_OPT=""
 
   _info "adding ${fulldomain}. 60 in txt \"${txtvalue}\""
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
   if [ -z "${NSUPDATE_ZONE}" ]; then
-    nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
+    #shellcheck disable=SC2086
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug $NSUPDATE_OPT <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT}
 update add ${fulldomain}. 60 in txt "${txtvalue}"
 send
 EOF
   else
-    nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
+    #shellcheck disable=SC2086
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug $NSUPDATE_OPT <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT}
 zone ${NSUPDATE_ZONE}.
 update add ${fulldomain}. 60 in txt "${txtvalue}"
@@ -65,6 +70,7 @@ dns_nsupdate_rm() {
   NSUPDATE_SERVER_PORT="${NSUPDATE_SERVER_PORT:-$(_readaccountconf_mutable NSUPDATE_SERVER_PORT)}"
   NSUPDATE_KEY="${NSUPDATE_KEY:-$(_readaccountconf_mutable NSUPDATE_KEY)}"
   NSUPDATE_ZONE="${NSUPDATE_ZONE:-$(_readaccountconf_mutable NSUPDATE_ZONE)}"
+  NSUPDATE_OPT="${NSUPDATE_OPT:-$(_readaccountconf_mutable NSUPDATE_OPT)}"
 
   _checkKeyFile || return 1
   [ -n "${NSUPDATE_SERVER}" ] || NSUPDATE_SERVER="localhost"
@@ -73,13 +79,15 @@ dns_nsupdate_rm() {
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_1" ] && nsdebug="-d"
   [ -n "$DEBUG" ] && [ "$DEBUG" -ge "$DEBUG_LEVEL_2" ] && nsdebug="-D"
   if [ -z "${NSUPDATE_ZONE}" ]; then
-    nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
+    #shellcheck disable=SC2086
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug $NSUPDATE_OPT <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT}
 update delete ${fulldomain}. txt
 send
 EOF
   else
-    nsupdate -k "${NSUPDATE_KEY}" $nsdebug <<EOF
+    #shellcheck disable=SC2086
+    nsupdate -k "${NSUPDATE_KEY}" $nsdebug $NSUPDATE_OPT <<EOF
 server ${NSUPDATE_SERVER}  ${NSUPDATE_SERVER_PORT}
 zone ${NSUPDATE_ZONE}.
 update delete ${fulldomain}. txt

dnsapi/dns_nw.sh

@@ -154,7 +154,7 @@ _get_root() {
 
     _debug response "${response}"
     while true; do
-      h=$(printf "%s" "${domain}" | cut -d . -f $i-100)
+      h=$(printf "%s" "${domain}" | cut -d . -f "$i"-100)
       _debug h "${h}"
       if [ -z "${h}" ]; then
         #not valid
@@ -165,7 +165,7 @@ _get_root() {
       if [ "${hostedzone}" ]; then
         _zone_id=$(printf "%s\n" "${hostedzone}" | _egrep_o "\"zone_id\": *[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ )
         if [ "${_zone_id}" ]; then
-          _sub_domain=$(printf "%s" "${domain}" | cut -d . -f 1-${p})
+          _sub_domain=$(printf "%s" "${domain}" | cut -d . -f 1-"${p}")
           _domain="${h}"
           return 0
         fi

dnsapi/dns_oci.sh

@@ -190,7 +190,7 @@ _get_zone() {
   p=1
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       # not valid
@@ -199,7 +199,7 @@ _get_zone() {
 
     _domain_id=$(_signed_request "GET" "/20180115/zones/$h" "" "id")
     if [ "$_domain_id" ]; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
 
       _debug _domain_id "$_domain_id"

dnsapi/dns_omglol.sh

@@ -0,0 +1,395 @@
+#!/usr/bin/env sh
+# shellcheck disable=SC2034
+dns_myapi_info='omg.lol
+ Based on the omg.lol API, defined at https://api.omg.lol/
+Domains: omg.lol
+Site: github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide
+Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_duckdns
+Options:
+ OMG_ApiKey API Key from omg.lol.  This is accesible from the bottom of the account page at https://home.omg.lol/account
+ OMG_Address This is your omg.lol address, without the preceding @ - you can see your list on your dashboard at https://home.omg.lol/dashboard
+Issues: github.com/acmesh-official/acme.sh
+Author: @Kholin <[email protected]>
+'
+
+#returns 0 means success, otherwise error.
+
+########  Public functions #####################
+
+# Please Read this guide first: https://github.com/acmesh-official/acme.sh/wiki/DNS-API-Dev-Guide
+
+#Usage: dns_myapi_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
+dns_omglol_add() {
+  fulldomain=$1
+  txtvalue=$2
+  OMG_ApiKey="${OMG_ApiKey:-$(_readaccountconf_mutable OMG_ApiKey)}"
+  OMG_Address="${OMG_Address:-$(_readaccountconf_mutable OMG_Address)}"
+
+  # As omg.lol includes a leading @ for their addresses, pre-strip this before save
+  OMG_Address="$(echo "$OMG_Address" | tr -d '@')"
+
+  _saveaccountconf_mutable OMG_ApiKey "$OMG_ApiKey"
+  _saveaccountconf_mutable OMG_Address "$OMG_Address"
+
+  _info "Using omg.lol."
+  _debug "Function" "dns_omglol_add()"
+  _debug "Full Domain Name" "$fulldomain"
+  _debug "txt Record Value" "$txtvalue"
+  _secure_debug "omg.lol API key" "$OMG_ApiKey"
+  _debug "omg.lol Address" "$OMG_Address"
+
+  omg_validate "$OMG_ApiKey" "$OMG_Address" "$fulldomain"
+  if [ ! $? ]; then
+    return 1
+  fi
+
+  dnsName=$(_getDnsRecordName "$fulldomain" "$OMG_Address")
+  authHeader="$(_createAuthHeader "$OMG_ApiKey")"
+
+  _debug2 "dns_omglol_add(): Address" "$dnsName"
+
+  omg_add "$OMG_Address" "$authHeader" "$dnsName" "$txtvalue"
+
+}
+
+#Usage: fulldomain txtvalue
+#Remove the txt record after validation.
+dns_omglol_rm() {
+  fulldomain=$1
+  txtvalue=$2
+  OMG_ApiKey="${OMG_ApiKey:-$(_readaccountconf_mutable OMG_ApiKey)}"
+  OMG_Address="${OMG_Address:-$(_readaccountconf_mutable OMG_Address)}"
+
+  # As omg.lol includes a leading @ for their addresses, strip this in case provided
+  OMG_Address="$(echo "$OMG_Address" | tr -d '@')"
+
+  _info "Using omg.lol"
+  _debug "Function" "dns_omglol_rm()"
+  _debug "Full Domain Name" "$fulldomain"
+  _debug "txt Record Value" "$txtvalue"
+  _secure_debug "omg.lol API key" "$OMG_ApiKey"
+  _debug "omg.lol Address" "$OMG_Address"
+
+  omg_validate "$OMG_ApiKey" "$OMG_Address" "$fulldomain"
+  if [ ! $? ]; then
+    return 1
+  fi
+
+  dnsName=$(_getDnsRecordName "$fulldomain" "$OMG_Address")
+  authHeader="$(_createAuthHeader "$OMG_ApiKey")"
+
+  omg_delete "$OMG_Address" "$authHeader" "$dnsName" "$txtvalue"
+}
+
+####################  Private functions below ##################################
+# Check that the minimum requirements are present.  Close ungracefully if not
+omg_validate() {
+  omg_apikey=$1
+  omg_address=$2
+  fulldomain=$3
+
+  _debug2 "Function" "dns_validate()"
+  _secure_debug2 "omg.lol API key" "$omg_apikey"
+  _debug2 "omg.lol Address" "$omg_address"
+  _debug2 "Full Domain Name" "$fulldomain"
+
+  if [ "" = "$omg_address" ]; then
+    _err "omg.lol base address not provided.  Exiting"
+    return 1
+  fi
+
+  if [ "" = "$omg_apikey" ]; then
+    _err "omg.lol API key not provided.  Exiting"
+    return 1
+  fi
+
+  _endswith "$fulldomain" "omg.lol"
+  if [ ! $? ]; then
+    _err "Domain name requested is not under omg.lol"
+    return 1
+  fi
+
+  _endswith "$fulldomain" "$omg_address.omg.lol"
+  if [ ! $? ]; then
+    _err "Domain name is not a subdomain of provided omg.lol address $omg_address"
+    return 1
+  fi
+
+  _debug "Required environment parameters are all present"
+}
+
+# Add (or modify) an entry for a new ACME query
+omg_add() {
+  address=$1
+  authHeader=$2
+  dnsName=$3
+  txtvalue=$4
+
+  _info "Creating DNS entry for $dnsName"
+  _debug2 "omg_add()"
+  _debug2 "omg.lol Address: " "$address"
+  _secure_debug2 "omg.lol authorization header: " "$authHeader"
+  _debug2 "Full Domain name:" "$dnsName.$address.omg.lol"
+  _debug2 "TXT value to set:" "$txtvalue"
+
+  export _H1="$authHeader"
+
+  endpoint="https://api.omg.lol/address/$address/dns"
+  _debug2 "Endpoint" "$endpoint"
+
+  payload='{"type": "TXT", "name":"'"$dnsName"'", "data":"'"$txtvalue"'", "ttl":30}'
+  _debug2 "Payload" "$payload"
+
+  response=$(_post "$payload" "$endpoint" "" "POST" "application/json")
+
+  omg_validate_add "$response" "$dnsName.$address" "$txtvalue"
+}
+
+omg_validate_add() {
+  response=$1
+  name=$2
+  content=$3
+
+  _debug "Validating DNS record addition"
+  _debug2 "omg_validate_add()"
+  _debug2 "Response" "$response"
+  _debug2 "DNS Name" "$name"
+  _debug2 "DNS value" "$content"
+
+  _jsonResponseCheck "$response" "success" "true"
+  if [ "1" = "$?" ]; then
+    _err "Response did not report success"
+    return 1
+  fi
+
+  _jsonResponseCheck "$response" "message" "Your DNS record was created successfully."
+  if [ "1" = "$?" ]; then
+    _err "Response message did not indicate DNS record was successfully created"
+    return 1
+  fi
+
+  _jsonResponseCheck "$response" "name" "$name"
+  if [ "1" = "$?" ]; then
+    _err "Response DNS Name did not match the response received"
+    return 1
+  fi
+
+  _jsonResponseCheck "$response" "content" "$content"
+  if [ "1" = "$?" ]; then
+    _err "Response DNS Name did not match the response received"
+    return 1
+  fi
+
+  _info "Record Created successfully"
+  return 0
+}
+
+omg_getRecords() {
+  address=$1
+  authHeader=$2
+  dnsName=$3
+  txtValue=$4
+
+  _debug2 "omg_getRecords()"
+  _debug2 "omg.lol Address: " "$address"
+  _secure_debug2 "omg.lol Auth Header: " "$authHeader"
+  _debug2 "omg.lol DNS name:" "$dnsName"
+  _debug2 "txt Value" "$txtValue"
+
+  export _H1="$authHeader"
+
+  endpoint="https://api.omg.lol/address/$address/dns"
+  _debug2 "Endpoint" "$endpoint"
+
+  payload=$(_get "$endpoint")
+
+  _debug2 "Received Payload:" "$payload"
+
+  # Reformat the JSON to be more parseable
+  recordID=$(echo "$payload" | _stripWhitespace)
+  recordID=$(echo "$recordID" | _exposeJsonArray)
+
+  # Now find the one with the right value, and caputre its ID
+  recordID=$(echo "$recordID" | grep -- "$txtValue" | grep -i -- "$dnsName.$address")
+  _getJsonElement "$recordID" "id"
+}
+
+omg_delete() {
+  address=$1
+  authHeader=$2
+  dnsName=$3
+  txtValue=$4
+
+  _info "Deleting DNS entry for $dnsName with value $txtValue"
+  _debug2 "omg_delete()"
+  _debug2 "omg.lol Address: " "$address"
+  _secure_debug2 "omg.lol Auth Header: " "$authHeader"
+  _debug2 "Full Domain name:" "$dnsName.$address.omg.lol"
+  _debug2 "txt Value" "$txtValue"
+
+  record=$(omg_getRecords "$address" "$authHeader" "$dnsName" "$txtvalue")
+  if [ "" = "$record" ]; then
+    _err "DNS record $address not found!"
+    return 1
+  fi
+
+  endpoint="https://api.omg.lol/address/$address/dns/$record"
+  _debug2 "Endpoint" "$endpoint"
+
+  export _H1="$authHeader"
+  output=$(_post "" "$endpoint" "" "DELETE")
+
+  _debug2 "Response" "$output"
+
+  omg_validate_delete "$output"
+}
+
+# Validate the response on request to delete.  Confirm stastus is success and
+# Message indicates deletion was successful
+# Input: Response - HTTP response received from delete request
+omg_validate_delete() {
+  response=$1
+
+  _info "Validating DNS record deletion"
+  _debug2 "omg_validate_delete()"
+  _debug2 "Response" "$response"
+
+  _jsonResponseCheck "$output" "success" "true"
+  if [ "1" = "$?" ]; then
+    _err "Response did not report success"
+    return 1
+  fi
+
+  _jsonResponseCheck "$output" "message" "OK, your DNS record has been deleted."
+  if [ "1" = "$?" ]; then
+    _err "Response message did not indicate DNS record was successfully deleted"
+    return 1
+  fi
+
+  _info "Record deleted successfully"
+  return 0
+}
+
+########## Utility Functions #####################################
+# All utility functions only log at debug3
+_jsonResponseCheck() {
+  response=$1
+  field=$2
+  correct=$3
+
+  correct=$(echo "$correct" | _lower_case)
+
+  _debug3 "jsonResponseCheck()"
+  _debug3 "Response to parse" "$response"
+  _debug3 "Field to get response from" "$field"
+  _debug3 "What is the correct response" "$correct"
+
+  responseValue=$(_jsonGetLastResponse "$response" "$field")
+
+  if [ "$responseValue" != "$correct" ]; then
+    _debug3 "Expected: $correct"
+    _debug3 "Actual: $responseValue"
+    return 1
+  else
+    _debug3 "Matched: $responseValue"
+  fi
+  return 0
+}
+
+_jsonGetLastResponse() {
+  response=$1
+  field=$2
+
+  _debug3 "jsonGetLastResponse()"
+  _debug3 "Response provided" "$response"
+  _debug3 "Field to get responses for" "$field"
+
+  responseValue=$(echo "$response" | grep -- "\"$field\"" | cut -f2 -d":")
+
+  _debug3 "Response lines found:" "$responseValue"
+
+  responseValue=$(echo "$responseValue" | sed 's/^ //g' | sed 's/^"//g' | sed 's/\\"//g')
+  responseValue=$(echo "$responseValue" | sed 's/,$//g' | sed 's/"$//g')
+  responseValue=$(echo "$responseValue" | _lower_case)
+
+  _debug3 "Responses found" "$responseValue"
+  _debug3 "Response Selected" "$(echo "$responseValue" | tail -1)"
+
+  echo "$responseValue" | tail -1
+}
+
+_stripWhitespace() {
+  tr -d '\n' | tr -d '\r' | tr -d '\t' | sed -r 's/ +/ /g' | sed 's/\\"//g'
+}
+
+_exposeJsonArray() {
+  sed -r 's/.*\[//g' | tr '}' '|' | tr '{' '|' | sed 's/|, |/|/g' | tr '|' '\n'
+}
+
+_getJsonElement() {
+  content=$1
+  field=$2
+
+  _debug3 "_getJsonElement()"
+  _debug3 "Input JSON element" "$content"
+  _debug3 "JSON element to isolate" "$field"
+
+  # With a single JSON entry to parse, convert commas to newlines puts each element on
+  # its own line - which then allows us to just grep teh name, remove the key, and
+  # isolate the value
+  output=$(echo "$content" | tr ',' '\n' | grep -- "\"$field\":" | sed 's/.*: //g')
+
+  _debug3 "String before unquoting: $output"
+
+  _unquoteString "$output"
+}
+
+_createAuthHeader() {
+  apikey=$1
+
+  _debug3 "_createAuthHeader()"
+  _secure_debug3 "Provided API Key" "$apikey"
+
+  authheader="Authorization: Bearer $apikey"
+  _secure_debug3 "Authorization Header" "$authheader"
+  echo "$authheader"
+}
+
+_getDnsRecordName() {
+  fqdn=$1
+  address=$2
+
+  _debug3 "_getDnsRecordName()"
+  _debug3 "FQDN" "$fqdn"
+  _debug3 "omg.lol Address" "$address"
+
+  echo "$fqdn" | sed 's/\.omg\.lol//g' | sed 's/\.'"$address"'$//g'
+}
+
+_unquoteString() {
+  output=$1
+  quotes=0
+
+  _debug3 "_unquoteString()"
+  _debug3 "Possibly quoted string" "$output"
+
+  _startswith "$output" "\""
+  if [ $? ]; then
+    quotes=$((quotes + 1))
+  fi
+
+  _endswith "$output" "\""
+  if [ $? ]; then
+    quotes=$((quotes + 1))
+  fi
+
+  _debug3 "Original String: $output"
+  _debug3 "Quotes found: $quotes"
+
+  if [ $((quotes)) -gt 1 ]; then
+    output=$(echo "$output" | sed 's/^"//g' | sed 's/"$//g')
+    _debug3 "Quotes removed: $output"
+  fi
+
+  echo "$output"
+}

dnsapi/dns_one.sh

@@ -94,7 +94,7 @@ _get_root() {
   i=1
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
 
     if [ -z "$h" ]; then
       #not valid
@@ -104,7 +104,7 @@ _get_root() {
     response="$(_get "https://www.one.com/admin/api/domains/$h/dns/custom_records")"
 
     if ! _contains "$response" "CRMRST_000302"; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
     fi

dnsapi/dns_online.sh

@@ -124,7 +124,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -133,7 +133,7 @@ _get_root() {
     _online_rest GET "domain/$h/version/active"
 
     if ! _contains "$response" "Domain not found" >/dev/null; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       _real_dns_version=$(echo "$response" | _egrep_o '"uuid_ref":.*' | cut -d ':' -f 2 | cut -d '"' -f 2)
       return 0

dnsapi/dns_openprovider.sh

@@ -68,7 +68,7 @@ dns_openprovider_add() {
         new_item="$(echo "$item" | sed -n 's/.*<item>.*\(<name>\(.*\)'"$_domain_name"'\.'"$_domain_extension"'<\/name>.*\(<type>.*<\/type>\).*\(<value>.*<\/value>\).*\(<prio>.*<\/prio>\).*\(<ttl>.*<\/ttl>\)\).*<\/item>.*/<item><name>\2<\/name>\3\4\5\6<\/item>/p')"
       fi
 
-      if [ -z "$(echo "$new_item" | _egrep_o ".*<type>(A|AAAA|CNAME|MX|SPF|SRV|TXT|TLSA|SSHFP|CAA|NS)<\/type>.*")" ]; then
+      if [ -z "$(echo "$new_item" | _egrep_o ".*<type>(A|AAAA|CNAME|MX|SPF|SRV|TXT|TLSA|SSHFP|CAA)<\/type>.*")" ]; then
         _debug "not an allowed record type, skipping" "$new_item"
         continue
       fi
@@ -152,7 +152,7 @@ dns_openprovider_rm() {
         new_item="$(echo "$item" | sed -n 's/.*<item>.*\(<name>\(.*\)'"$_domain_name"'\.'"$_domain_extension"'<\/name>.*\(<type>.*<\/type>\).*\(<value>.*<\/value>\).*\(<prio>.*<\/prio>\).*\(<ttl>.*<\/ttl>\)\).*<\/item>.*/<item><name>\2<\/name>\3\4\5\6<\/item>/p')"
       fi
 
-      if [ -z "$(echo "$new_item" | _egrep_o ".*<type>(A|AAAA|CNAME|MX|SPF|SRV|TXT|TLSA|SSHFP|CAA|NS)<\/type>.*")" ]; then
+      if [ -z "$(echo "$new_item" | _egrep_o ".*<type>(A|AAAA|CNAME|MX|SPF|SRV|TXT|TLSA|SSHFP|CAA)<\/type>.*")" ]; then
         _debug "not an allowed record type, skipping" "$new_item"
         continue
       fi
@@ -186,7 +186,7 @@ _get_root() {
 
   results_retrieved=0
   while true; do
-    h=$(echo "$domain" | cut -d . -f $i-100)
+    h=$(echo "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid

dnsapi/dns_opnsense.sh

@@ -144,7 +144,7 @@ _get_root() {
   fi
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -153,13 +153,13 @@ _get_root() {
     id=$(echo "$_domain_response" | _egrep_o "\"uuid\":\"[a-z0-9\-]*\",\"enabled\":\"1\",\"type\":\"primary\",\"domainname\":\"${h}\"" | cut -d ':' -f 2 | cut -d '"' -f 2)
     if [ -n "$id" ]; then
       _debug id "$id"
-      _host=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _host=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="${h}"
       _domainid="${id}"
       return 0
     fi
     p=$i
-    i=$(_math $i + 1)
+    i=$(_math "$i" + 1)
   done
   _debug "$domain not found"
 

dnsapi/dns_ovh.sh

@@ -113,7 +113,7 @@ _initAuth() {
     _saveaccountconf_mutable OVH_END_POINT "$OVH_END_POINT"
   fi
 
-  OVH_API="$(_ovh_get_api $OVH_END_POINT)"
+  OVH_API="$(_ovh_get_api "$OVH_END_POINT")"
   _debug OVH_API "$OVH_API"
 
   OVH_CK="${OVH_CK:-$(_readaccountconf_mutable OVH_CK)}"
@@ -260,7 +260,7 @@ _get_root() {
   i=1
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     if [ -z "$h" ]; then
       #not valid
       return 1
@@ -273,7 +273,7 @@ _get_root() {
     if ! _contains "$response" "This service does not exist" >/dev/null &&
       ! _contains "$response" "This call has not been granted" >/dev/null &&
       ! _contains "$response" "NOT_GRANTED_CALL" >/dev/null; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain="$h"
       return 0
     fi

dnsapi/dns_pdns.sh

@@ -181,7 +181,7 @@ _get_root() {
   fi
 
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
 
     if _contains "$_zones_response" "\"name\":\"$h.\""; then
       _domain="$h."
@@ -194,7 +194,7 @@ _get_root() {
     if [ -z "$h" ]; then
       return 1
     fi
-    i=$(_math $i + 1)
+    i=$(_math "$i" + 1)
   done
   _debug "$domain not found"
 

dnsapi/dns_pointhq.sh

@@ -118,7 +118,7 @@ _get_root() {
   i=2
   p=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       #not valid
@@ -130,7 +130,7 @@ _get_root() {
     fi
 
     if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
-      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+      _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
       _domain=$h
       return 0
     fi

dnsapi/dns_porkbun.sh

@@ -9,7 +9,7 @@ Options:
 Issues: github.com/acmesh-official/acme.sh/issues/3450
 '
 
-PORKBUN_Api="https://porkbun.com/api/json/v3"
+PORKBUN_Api="https://api.porkbun.com/api/json/v3"
 
 ########  Public functions #####################
 
@@ -93,7 +93,7 @@ dns_porkbun_rm() {
       _err "Delete record error."
       return 1
     fi
-    echo "$response" | tr -d " " | grep '\"status\":"SUCCESS"' >/dev/null
+    echo "$response" | tr -d " " | grep '"status":"SUCCESS"' >/dev/null
   fi
 
 }
@@ -107,7 +107,7 @@ _get_root() {
   domain=$1
   i=1
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug h "$h"
     if [ -z "$h" ]; then
       return 1
@@ -139,7 +139,7 @@ _porkbun_rest() {
   api_key_trimmed=$(echo "$PORKBUN_API_KEY" | tr -d '"')
   secret_api_key_trimmed=$(echo "$PORKBUN_SECRET_API_KEY" | tr -d '"')
 
-  test -z "$data" && data="{" || data="$(echo $data | cut -d'}' -f1),"
+  test -z "$data" && data="{" || data="$(echo "$data" | cut -d'}' -f1),"
   data="$data\"apikey\":\"$api_key_trimmed\",\"secretapikey\":\"$secret_api_key_trimmed\"}"
 
   export _H1="Content-Type: application/json"

dnsapi/dns_rackcorp.sh

@@ -83,7 +83,7 @@ _get_root() {
     return 1
   fi
   while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
+    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
     _debug searchhost "$h"
     if [ -z "$h" ]; then
       _err "Could not find domain for record $domain in RackCorp using the provided credentials"
@@ -95,7 +95,7 @@ _get_root() {
 
     if _contains "$response" "\"matches\":1"; then
       if _contains "$response" "\"name\":\"$h\""; then
-        _lookup=$(printf "%s" "$domain" | cut -d . -f 1-$p)
+        _lookup=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
         _domain="$h"
         return 0
       fi