33 changed files with 583 additions and 1222 deletions
--- a/.github/workflows/DNS.yml
+++ b/.github/workflows/DNS.yml
@ -65,7 +65,7 @@ jobs:
      TokenName4: ${{ secrets.TokenName4}}
      TokenName5: ${{ secrets.TokenName5}}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - name: Set env file
@ -113,7 +113,7 @@ jobs:
      TokenName4: ${{ secrets.TokenName4}}
      TokenName5: ${{ secrets.TokenName5}}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Install tools
      run:  brew install socat
    - name: Clone acmetest
@ -164,7 +164,7 @@ jobs:
    - name: Set git to use LF
      run: |
          git config --global core.autocrlf false
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Install cygwin base packages with chocolatey
      run: |
          choco config get cacheLocation
@ -204,7 +204,7 @@ jobs:
  FreeBSD:
-    runs-on: ubuntu-latest
+    runs-on: macos-12
    needs: Windows
    env:
      TEST_DNS : ${{ secrets.TEST_DNS }}
@ -223,10 +223,10 @@ jobs:
      TokenName4: ${{ secrets.TokenName4}}
      TokenName5: ${{ secrets.TokenName5}}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/freebsd-vm@v1
+    - uses: vmactions/freebsd-vm@v0
      with:
        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
        prepare: pkg install -y socat curl
@ -255,7 +255,7 @@ jobs:
  OpenBSD:
-    runs-on: ubuntu-latest
+    runs-on: macos-12
    needs: FreeBSD
    env:
      TEST_DNS : ${{ secrets.TEST_DNS }}
@ -274,10 +274,10 @@ jobs:
      TokenName4: ${{ secrets.TokenName4}}
      TokenName5: ${{ secrets.TokenName5}}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/openbsd-vm@v1
+    - uses: vmactions/openbsd-vm@v0
      with:
        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
        prepare: pkg_add socat curl
@ -306,7 +306,7 @@ jobs:
  NetBSD:
-    runs-on: ubuntu-latest
+    runs-on: macos-12
    needs: OpenBSD
    env:
      TEST_DNS : ${{ secrets.TEST_DNS }}
@ -325,14 +325,14 @@ jobs:
      TokenName4: ${{ secrets.TokenName4}}
      TokenName5: ${{ secrets.TokenName5}}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/netbsd-vm@v1
+    - uses: vmactions/netbsd-vm@v0
      with:
        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
        prepare: |
-          /usr/sbin/pkg_add curl socat
+          pkg_add curl socat
        usesh: true
        copyback: false
        run: |
@ -358,7 +358,7 @@ jobs:
  DragonFlyBSD:
-    runs-on: ubuntu-latest
+    runs-on: macos-12
    needs: NetBSD
    env:
      TEST_DNS : ${{ secrets.TEST_DNS }}
@ -377,10 +377,10 @@ jobs:
      TokenName4: ${{ secrets.TokenName4}}
      TokenName5: ${{ secrets.TokenName5}}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/dragonflybsd-vm@v1
+    - uses: vmactions/dragonflybsd-vm@v0
      with:
        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
        prepare: |
@ -413,7 +413,7 @@ jobs:
  Solaris:
-    runs-on: ubuntu-latest
+    runs-on: macos-12
    needs: DragonFlyBSD
    env:
      TEST_DNS : ${{ secrets.TEST_DNS }}
@ -433,10 +433,10 @@ jobs:
      TokenName4: ${{ secrets.TokenName4}}
      TokenName5: ${{ secrets.TokenName5}}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/solaris-vm@v1
+    - uses: vmactions/solaris-vm@v0
      with:
        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
        copyback: false
@ -463,52 +463,3 @@ jobs:
          ./letest.sh
  Omnios:
    runs-on: ubuntu-latest
    needs: Solaris
    env:
      TEST_DNS : ${{ secrets.TEST_DNS }}
      TestingDomain: ${{ secrets.TestingDomain }}
      TEST_DNS_NO_WILDCARD: ${{ secrets.TEST_DNS_NO_WILDCARD }}
      TEST_DNS_NO_SUBDOMAIN: ${{ secrets.TEST_DNS_NO_SUBDOMAIN }}
      TEST_DNS_SLEEP: ${{ secrets.TEST_DNS_SLEEP }}
      CASE: le_test_dnsapi
      TEST_LOCAL: 1
      DEBUG: ${{ secrets.DEBUG }}
      http_proxy: ${{ secrets.http_proxy }}
      https_proxy: ${{ secrets.https_proxy }}
      HTTPS_INSECURE: 1 # always set to 1 to ignore https error, since Omnios doesn't accept the expired ISRG X1 root
      TokenName1: ${{ secrets.TokenName1}}
      TokenName2: ${{ secrets.TokenName2}}
      TokenName3: ${{ secrets.TokenName3}}
      TokenName4: ${{ secrets.TokenName4}}
      TokenName5: ${{ secrets.TokenName5}}
    steps:
    - uses: actions/checkout@v4
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - uses: vmactions/omnios-vm@v1
      with:
        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
        copyback: false
        prepare: pkg install socat
        run: |
          if [ "${{ secrets.TokenName1}}" ] ; then
            export ${{ secrets.TokenName1}}="${{ secrets.TokenValue1}}"
          fi
          if [ "${{ secrets.TokenName2}}" ] ; then
            export ${{ secrets.TokenName2}}="${{ secrets.TokenValue2}}"
          fi
          if [ "${{ secrets.TokenName3}}" ] ; then
            export ${{ secrets.TokenName3}}="${{ secrets.TokenValue3}}"
          fi
          if [ "${{ secrets.TokenName4}}" ] ; then
            export ${{ secrets.TokenName4}}="${{ secrets.TokenValue4}}"
          fi
          if [ "${{ secrets.TokenName5}}" ] ; then
            export ${{ secrets.TokenName5}}="${{ secrets.TokenValue5}}"
          fi
          cd ../acmetest
          ./letest.sh
--- a/.github/workflows/DragonFlyBSD.yml
+++ b/.github/workflows/DragonFlyBSD.yml
@ -1,71 +1,71 @@
-name: DragonFlyBSD
+name: DragonFlyBSD
-on:
+on:
-  push:
+  push:
-    branches:
+    branches:
-      - '*'
+      - '*'
-    paths:
+    paths:
-      - '*.sh'
+      - '*.sh'
-      - '.github/workflows/DragonFlyBSD.yml'
+      - '.github/workflows/DragonFlyBSD.yml'
-
+
-  pull_request:
+  pull_request:
-    branches:
+    branches:
-      - dev
+      - dev
-    paths:
+    paths:
-      - '*.sh'
+      - '*.sh'
-      - '.github/workflows/DragonFlyBSD.yml'
+      - '.github/workflows/DragonFlyBSD.yml'
-
+
-concurrency: 
+concurrency: 
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  cancel-in-progress: true
-
+
-
+
-
+
-jobs:
+
-  DragonFlyBSD:
+jobs:
-    strategy:
+  DragonFlyBSD:
-      matrix:
+    strategy:
-        include:
+      matrix:
-         - TEST_ACME_Server: "LetsEncrypt.org_test"
+        include:
-           CA_ECDSA: ""
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
-           CA: ""
+           CA_ECDSA: ""
-           CA_EMAIL: ""
+           CA: ""
-           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+           CA_EMAIL: ""
-         #- TEST_ACME_Server: "ZeroSSL.com"
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
-         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+         #- TEST_ACME_Server: "ZeroSSL.com"
-         #  CA: "ZeroSSL RSA Domain Secure Site CA"
+         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
-         #  CA_EMAIL: "githubtest@acme.sh"
+         #  CA: "ZeroSSL RSA Domain Secure Site CA"
-         #  TEST_PREFERRED_CHAIN: ""
+         #  CA_EMAIL: "githubtest@acme.sh"
-    runs-on: ubuntu-latest
+         #  TEST_PREFERRED_CHAIN: ""
-    env:
+    runs-on: macos-12
-      TEST_LOCAL: 1
+    env:
-      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+      TEST_LOCAL: 1
-      CA_ECDSA: ${{ matrix.CA_ECDSA }}
+      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
-      CA: ${{ matrix.CA }}
+      CA_ECDSA: ${{ matrix.CA_ECDSA }}
-      CA_EMAIL: ${{ matrix.CA_EMAIL }}
+      CA: ${{ matrix.CA }}
-      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+      CA_EMAIL: ${{ matrix.CA_EMAIL }}
-      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
+      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
-    steps:
+    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
-    - uses: vmactions/cf-tunnel@v0
+    - uses: vmactions/cf-tunnel@v0
-      id: tunnel
+      id: tunnel
-      with:
+      with:
-        protocol: http
+        protocol: http
-        port: 8080
+        port: 8080
-    - name: Set envs
+    - name: Set envs
-      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
+      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
-    - name: Clone acmetest
+    - name: Clone acmetest
-      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/dragonflybsd-vm@v1
+    - uses: vmactions/dragonflybsd-vm@v0
-      with:
+      with:
-        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
+        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
-        nat: |
+        copyback: "false"
-          "8080": "80"
+        nat: |
-        prepare: |
+          "8080": "80"
-          pkg install -y curl socat libnghttp2
+        prepare: |
-        usesh: true
+          pkg install -y curl socat libnghttp2
-        copyback: false
+        usesh: true
-        run: |
+        run: |
-          cd ../acmetest \
+          cd ../acmetest \
-          && ./letest.sh
+          && ./letest.sh
-
+
-
+
--- a/.github/workflows/FreeBSD.yml
+++ b/.github/workflows/FreeBSD.yml
@ -41,7 +41,7 @@ jobs:
         #  CA: "ZeroSSL RSA Domain Secure Site CA"
         #  CA_EMAIL: "githubtest@acme.sh"
         #  TEST_PREFERRED_CHAIN: ""
-    runs-on: ubuntu-latest
+    runs-on: macos-12
    env:
      TEST_LOCAL: 1
      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
@ -51,7 +51,7 @@ jobs:
      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - uses: vmactions/cf-tunnel@v0
      id: tunnel
      with:
@ -61,7 +61,7 @@ jobs:
      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/freebsd-vm@v1
+    - uses: vmactions/freebsd-vm@v0
      with:
        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
        nat: |
--- a/.github/workflows/Linux.yml
+++ b/.github/workflows/Linux.yml
@ -33,7 +33,7 @@ jobs:
      TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
      TEST_ACME_Server: "LetsEncrypt.org_test"
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Clone acmetest
      run: |
          cd .. \
--- a/.github/workflows/MacOS.yml
+++ b/.github/workflows/MacOS.yml
@ -44,7 +44,7 @@ jobs:
      CA_EMAIL: ${{ matrix.CA_EMAIL }}
      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Install tools
      run:  brew install socat
    - name: Clone acmetest
--- a/.github/workflows/NetBSD.yml
+++ b/.github/workflows/NetBSD.yml
@ -1,71 +1,71 @@
-name: NetBSD
+name: NetBSD
-on:
+on:
-  push:
+  push:
-    branches:
+    branches:
-      - '*'
+      - '*'
-    paths:
+    paths:
-      - '*.sh'
+      - '*.sh'
-      - '.github/workflows/NetBSD.yml'
+      - '.github/workflows/NetBSD.yml'
-
+
-  pull_request:
+  pull_request:
-    branches:
+    branches:
-      - dev
+      - dev
-    paths:
+    paths:
-      - '*.sh'
+      - '*.sh'
-      - '.github/workflows/NetBSD.yml'
+      - '.github/workflows/NetBSD.yml'
-
+
-concurrency: 
+concurrency: 
-  group: ${{ github.workflow }}-${{ github.ref }}
+  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: true
+  cancel-in-progress: true
-
+
-
+
-
+
-jobs:
+
-  NetBSD:
+jobs:
-    strategy:
+  NetBSD:
-      matrix:
+    strategy:
-        include:
+      matrix:
-         - TEST_ACME_Server: "LetsEncrypt.org_test"
+        include:
-           CA_ECDSA: ""
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
-           CA: ""
+           CA_ECDSA: ""
-           CA_EMAIL: ""
+           CA: ""
-           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+           CA_EMAIL: ""
-         #- TEST_ACME_Server: "ZeroSSL.com"
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
-         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+         #- TEST_ACME_Server: "ZeroSSL.com"
-         #  CA: "ZeroSSL RSA Domain Secure Site CA"
+         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
-         #  CA_EMAIL: "githubtest@acme.sh"
+         #  CA: "ZeroSSL RSA Domain Secure Site CA"
-         #  TEST_PREFERRED_CHAIN: ""
+         #  CA_EMAIL: "githubtest@acme.sh"
-    runs-on: ubuntu-latest
+         #  TEST_PREFERRED_CHAIN: ""
-    env:
+    runs-on: macos-12
-      TEST_LOCAL: 1
+    env:
-      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+      TEST_LOCAL: 1
-      CA_ECDSA: ${{ matrix.CA_ECDSA }}
+      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
-      CA: ${{ matrix.CA }}
+      CA_ECDSA: ${{ matrix.CA_ECDSA }}
-      CA_EMAIL: ${{ matrix.CA_EMAIL }}
+      CA: ${{ matrix.CA }}
-      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+      CA_EMAIL: ${{ matrix.CA_EMAIL }}
-      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
+      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
-    steps:
+    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
-    - uses: vmactions/cf-tunnel@v0
+    - uses: vmactions/cf-tunnel@v0
-      id: tunnel
+      id: tunnel
-      with:
+      with:
-        protocol: http
+        protocol: http
-        port: 8080
+        port: 8080
-    - name: Set envs
+    - name: Set envs
-      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
+      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
-    - name: Clone acmetest
+    - name: Clone acmetest
-      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/netbsd-vm@v1
+    - uses: vmactions/netbsd-vm@v0
-      with:
+      with:
-        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
+        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN'
-        nat: |
+        nat: |
-          "8080": "80"
+          "8080": "80"
-        prepare: |
+        prepare: |
-          /usr/sbin/pkg_add curl socat
+          pkg_add curl socat
-        usesh: true
+        usesh: true
-        copyback: false
+        copyback: false
-        run: |
+        run: |
-          cd ../acmetest \
+          cd ../acmetest \
-          && ./letest.sh
+          && ./letest.sh
-
+
-
+
--- a/.github/workflows/Omnios.yml
+++ b/.github/workflows/Omnios.yml
@ -1,75 +0,0 @@
 name: Omnios
 on:
  push:
    branches:
      - '*'
    paths:
      - '*.sh'
      - '.github/workflows/Omnios.yml'
  pull_request:
    branches:
      - dev
    paths:
      - '*.sh'
      - '.github/workflows/Omnios.yml'
 concurrency: 
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 jobs:
  Omnios:
    strategy:
      matrix:
        include:
         - TEST_ACME_Server: "LetsEncrypt.org_test"
           CA_ECDSA: ""
           CA: ""
           CA_EMAIL: ""
           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
         - TEST_ACME_Server: "LetsEncrypt.org_test"
           CA_ECDSA: ""
           CA: ""
           CA_EMAIL: ""
           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
           ACME_USE_WGET: 1
         #- TEST_ACME_Server: "ZeroSSL.com"
         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
         #  CA: "ZeroSSL RSA Domain Secure Site CA"
         #  CA_EMAIL: "githubtest@acme.sh"
         #  TEST_PREFERRED_CHAIN: ""
    runs-on: ubuntu-latest
    env:
      TEST_LOCAL: 1
      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
      CA_ECDSA: ${{ matrix.CA_ECDSA }}
      CA: ${{ matrix.CA }}
      CA_EMAIL: ${{ matrix.CA_EMAIL }}
      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
    steps:
    - uses: actions/checkout@v4
    - uses: vmactions/cf-tunnel@v0
      id: tunnel
      with:
        protocol: http
        port: 8080
    - name: Set envs
      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
    - uses: vmactions/omnios-vm@v1
      with:
        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
        nat: |
          "8080": "80"
        prepare: pkg install socat wget
        copyback: false
        run: |
          cd ../acmetest \
          && ./letest.sh
--- a/.github/workflows/OpenBSD.yml
+++ b/.github/workflows/OpenBSD.yml
@ -41,7 +41,7 @@ jobs:
         #  CA: "ZeroSSL RSA Domain Secure Site CA"
         #  CA_EMAIL: "githubtest@acme.sh"
         #  TEST_PREFERRED_CHAIN: ""
-    runs-on: ubuntu-latest
+    runs-on: macos-12
    env:
      TEST_LOCAL: 1
      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
@ -51,7 +51,7 @@ jobs:
      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - uses: vmactions/cf-tunnel@v0
      id: tunnel
      with:
@ -61,7 +61,7 @@ jobs:
      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
    - name: Clone acmetest
      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/openbsd-vm@v1
+    - uses: vmactions/openbsd-vm@v0
      with:
        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
        nat: |
--- a/.github/workflows/PebbleStrict.yml
+++ b/.github/workflows/PebbleStrict.yml
@ -33,7 +33,7 @@ jobs:
      TEST_CA: "Pebble Intermediate CA"
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Install tools
      run: sudo apt-get install -y socat
    - name: Run Pebble
@ -58,7 +58,7 @@ jobs:
      TEST_IPCERT: 1
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Install tools
      run: sudo apt-get install -y socat
    - name: Run Pebble
--- a/.github/workflows/Solaris.yml
+++ b/.github/workflows/Solaris.yml
@ -1,75 +1,74 @@
-name: Solaris
+name: Solaris
-on:
+on:
-  push:
+  push:
-    branches:
+    branches:
-      - '*'
+      - '*'
-    paths:
+    paths:
-      - '*.sh'
+      - '*.sh'
-      - '.github/workflows/Solaris.yml'
+      - '.github/workflows/Solaris.yml'
-
+
-  pull_request:
+  pull_request:
-    branches:
+    branches:
-      - dev
+      - dev
-    paths:
+    paths:
-      - '*.sh'
+      - '*.sh'
-      - '.github/workflows/Solaris.yml'
+      - '.github/workflows/Solaris.yml'
-
+
-concurrency: 
+
-  group: ${{ github.workflow }}-${{ github.ref }}
+
-  cancel-in-progress: true
+concurrency: 
-
+  group: ${{ github.workflow }}-${{ github.ref }}
-
+  cancel-in-progress: true
-
+
-jobs:
+jobs:
-  Solaris:
+  Solaris:
-    strategy:
+    strategy:
-      matrix:
+      matrix:
-        include:
+        include:
-         - TEST_ACME_Server: "LetsEncrypt.org_test"
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
-           CA_ECDSA: ""
+           CA_ECDSA: ""
-           CA: ""
+           CA: ""
-           CA_EMAIL: ""
+           CA_EMAIL: ""
-           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
-         - TEST_ACME_Server: "LetsEncrypt.org_test"
+         - TEST_ACME_Server: "LetsEncrypt.org_test"
-           CA_ECDSA: ""
+           CA_ECDSA: ""
-           CA: ""
+           CA: ""
-           CA_EMAIL: ""
+           CA_EMAIL: ""
-           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
+           TEST_PREFERRED_CHAIN: (STAGING) Pretend Pear X1
-           ACME_USE_WGET: 1
+           ACME_USE_WGET: 1
-         #- TEST_ACME_Server: "ZeroSSL.com"
+         #- TEST_ACME_Server: "ZeroSSL.com"
-         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
+         #  CA_ECDSA: "ZeroSSL ECC Domain Secure Site CA"
-         #  CA: "ZeroSSL RSA Domain Secure Site CA"
+         #  CA: "ZeroSSL RSA Domain Secure Site CA"
-         #  CA_EMAIL: "githubtest@acme.sh"
+         #  CA_EMAIL: "githubtest@acme.sh"
-         #  TEST_PREFERRED_CHAIN: ""
+         #  TEST_PREFERRED_CHAIN: ""
-    runs-on: ubuntu-latest
+    runs-on: macos-12
-    env:
+    env:
-      TEST_LOCAL: 1
+      TEST_LOCAL: 1
-      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
+      TEST_ACME_Server: ${{ matrix.TEST_ACME_Server }}
-      CA_ECDSA: ${{ matrix.CA_ECDSA }}
+      CA_ECDSA: ${{ matrix.CA_ECDSA }}
-      CA: ${{ matrix.CA }}
+      CA: ${{ matrix.CA }}
-      CA_EMAIL: ${{ matrix.CA_EMAIL }}
+      CA_EMAIL: ${{ matrix.CA_EMAIL }}
-      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
+      TEST_PREFERRED_CHAIN: ${{ matrix.TEST_PREFERRED_CHAIN }}
-      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
+      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
-    steps:
+    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
-    - uses: vmactions/cf-tunnel@v0
+    - uses: vmactions/cf-tunnel@v0
-      id: tunnel
+      id: tunnel
-      with:
+      with:
-        protocol: http
+        protocol: http
-        port: 8080
+        port: 8080
-    - name: Set envs
+    - name: Set envs
-      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
+      run: echo "TestingDomain=${{steps.tunnel.outputs.server}}" >> $GITHUB_ENV
-    - name: Clone acmetest
+    - name: Clone acmetest
-      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
+      run: cd .. && git clone --depth=1 https://github.com/acmesh-official/acmetest.git  && cp -r acme.sh acmetest/
-    - uses: vmactions/solaris-vm@v1
+    - uses: vmactions/solaris-vm@v0
-      with:
+      with:
-        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
+        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
-        nat: |
+        copyback: "false"
-          "8080": "80"
+        nat: |
-        prepare: pkgutil -y -i socat curl wget
+          "8080": "80"
-        copyback: false
+        prepare: pkgutil -y -i socat curl wget
-        run: |
+        run: |
-          cd ../acmetest \
+          cd ../acmetest \
-          && ./letest.sh
+          && ./letest.sh
-
+
--- a/.github/workflows/Ubuntu.yml
+++ b/.github/workflows/Ubuntu.yml
@ -70,7 +70,7 @@ jobs:
      TestingDomain: ${{ matrix.TestingDomain }}
      ACME_USE_WGET: ${{ matrix.ACME_USE_WGET }}
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Install tools
      run: sudo apt-get install -y socat wget
    - name: Start StepCA
--- a/.github/workflows/Windows.yml
+++ b/.github/workflows/Windows.yml
@ -49,7 +49,7 @@ jobs:
    - name: Set git to use LF
      run: |
          git config --global core.autocrlf false
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Install cygwin base packages with chocolatey
      run: |
          choco config get cacheLocation
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
@ -41,7 +41,7 @@ jobs:
    if: "contains(needs.CheckToken.outputs.hasToken, 'true')"
    steps:
      - name: checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v3
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
--- a/.github/workflows/pr_dns.yml
+++ b/.github/workflows/pr_dns.yml
@ -4,6 +4,8 @@ on:
  pull_request_target:
    types:
      - opened
    branches:
      - 'dev'
    paths:
      - 'dnsapi/*.sh'
@ -20,11 +22,9 @@ jobs:
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `**Welcome**
-                First thing: don't send PR to the master branch, please send to the dev branch instead.
+                Please make sure you're read our [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide) and [DNS-API-Test](../wiki/DNS-API-Test).
                Please make sure you've read our [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide) and [DNS-API-Test](../wiki/DNS-API-Test).
                Then reply on this message, otherwise, your code will not be reviewed or merged.
                We look forward to reviewing your Pull request shortly ✨
                注意: 必须通过了 [DNS-API-Test](../wiki/DNS-API-Test) 才会被 review. 无论是修改, 还是新加的 dns api, 都必须确保通过这个测试.
                `
            })
--- a/.github/workflows/pr_notify.yml
+++ b/.github/workflows/pr_notify.yml
@ -22,7 +22,7 @@ jobs:
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `**Welcome**
-                Please make sure you've read our [Code-of-conduct](../wiki/Code-of-conduct) and  add the usage here: [notify](../wiki/notify).
+                Please make sure you're read our [Code-of-conduct](../wiki/Code-of-conduct) and  add the usage here: [notify](../wiki/notify).
                Then reply on this message, otherwise, your code will not be reviewed or merged.
                We look forward to reviewing your Pull request shortly ✨
                `
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@ -22,7 +22,7 @@ jobs:
  ShellCheck:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Install Shellcheck
      run: sudo apt-get install -y shellcheck
    - name: DoShellcheck
@ -31,7 +31,7 @@ jobs:
  shfmt:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v3
    - name: Install shfmt
      run: curl -sSL https://github.com/mvdan/sh/releases/download/v3.1.2/shfmt_v3.1.2_linux_amd64 -o ~/shfmt && chmod +x ~/shfmt
    - name: shfmt
--- a/README.md
+++ b/README.md
@ -8,7 +8,7 @@
 [![Windows](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Windows.yml)
 [![Solaris](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Solaris.yml)
 [![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml)
-[![Omnios](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml)
+
 ![Shellcheck](https://github.com/acmesh-official/acme.sh/workflows/Shellcheck/badge.svg)
 ![PebbleStrict](https://github.com/acmesh-official/acme.sh/workflows/PebbleStrict/badge.svg)
@ -73,21 +73,20 @@ Twitter: [@neilpangxa](https://twitter.com/neilpangxa)
 |7|[![OpenBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/OpenBSD.yml)|OpenBSD
 |8|[![NetBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/NetBSD.yml)|NetBSD
 |9|[![DragonFlyBSD](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/DragonFlyBSD.yml)|DragonFlyBSD
-|10|[![Omnios](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Omnios.yml)|Omnios
+|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian
-|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)| Debian
+|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS
-|12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|CentOS
+|12|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE
-|13|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|openSUSE
+|13|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl)
-|14|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Alpine Linux (with curl)
+|14|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux
-|15|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Archlinux
+|15|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora
-|16|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|fedora
+|16|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux
-|17|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Kali Linux
+|17|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux
-|18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Oracle Linux
+|18|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia
-|19|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Mageia
+|19|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux
-|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|Gentoo Linux
+|10|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux
-|11|[![Linux](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml/badge.svg)](https://github.com/acmesh-official/acme.sh/actions/workflows/Linux.yml)|ClearLinux
+|11|-----| Cloud Linux  https://github.com/acmesh-official/acme.sh/issues/111
-|22|-----| Cloud Linux  https://github.com/acmesh-official/acme.sh/issues/111
+|22|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
-|23|-----| OpenWRT: Tested and working. See [wiki page](https://github.com/acmesh-official/acme.sh/wiki/How-to-run-on-OpenWRT)
+|23|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management)
 |24|[![](https://acmesh-official.github.io/acmetest/status/proxmox.svg)](https://github.com/acmesh-official/letest#here-are-the-latest-status)| Proxmox: See Proxmox VE Wiki. Version [4.x, 5.0, 5.1](https://pve.proxmox.com/wiki/HTTPS_Certificate_Configuration_(Version_4.x,_5.0_and_5.1)#Let.27s_Encrypt_using_acme.sh), version [5.2 and up](https://pve.proxmox.com/wiki/Certificate_Management)
 Check our [testing project](https://github.com/acmesh-official/acmetest):
--- a/acme.sh
+++ b/acme.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env sh
-VER=3.0.8
+VER=3.0.7
 PROJECT_NAME="acme.sh"
@ -931,7 +931,7 @@ fi
 _egrep_o() {
  if [ "$__USE_EGREP" ]; then
-    egrep -o -- "$1" 2>/dev/null
+    egrep -o -- "$1"
  else
    sed -n 's/.*\('"$1"'\).*/\1/p'
  fi
@ -1430,9 +1430,6 @@ _toPkcs() {
  else
    ${ACME_OPENSSL_BIN:-openssl} pkcs12 -export -out "$_cpfx" -inkey "$_ckey" -in "$_ccert" -certfile "$_cca"
  fi
  if [ "$?" == "0" ]; then
    _savedomainconf "Le_PFXPassword" "$pfxPassword"
  fi
 }
@ -1798,10 +1795,6 @@ _date2time() {
  if date -u -j -f "%Y-%m-%d %H:%M:%S" "$(echo "$1" | tr -d "Z" | tr "T" ' ')" +"%s" 2>/dev/null; then
    return
  fi
  #Omnios
  if da="$(echo "$1" | tr -d "Z" | tr "T" ' ')" perl -MTime::Piece -e 'print Time::Piece->strptime($ENV{da}, "%Y-%m-%d %H:%M:%S")->epoch, "\n";' 2>/dev/null; then
    return
  fi
  _err "Can not parse _date2time $1"
  return 1
 }
@ -2399,18 +2392,13 @@ _migratedomainconf() {
  _old_key="$1"
  _new_key="$2"
  _b64encode="$3"
-  _old_value=$(_readdomainconf "$_old_key")
+  _value=$(_readdomainconf "$_old_key")
  if [ -z "$_value" ]; then
    return 1 # oldkey is not found
  fi
  _savedomainconf "$_new_key" "$_value" "$_b64encode"
  _cleardomainconf "$_old_key"
-  if [ -z "$_old_value" ]; then
+  _debug "Domain config $_old_key has been migrated to $_new_key"
    return 1 # migrated failed: old value is empty
  fi
  _new_value=$(_readdomainconf "$_new_key")
  if [ -n "$_new_value" ]; then
    _debug "Domain config new key exists, old key $_old_key='$_old_value' has been removed."
    return 1 # migrated failed: old value replaced by new value
  fi
  _savedomainconf "$_new_key" "$_old_value" "$_b64encode"
  _debug "Domain config $_old_key has been migrated to $_new_key."
 }
 #_migratedeployconf   oldkey  newkey  base64encode
@ -2507,10 +2495,10 @@ _startserver() {
  _debug Le_Listen_V6 "$Le_Listen_V6"
  _NC="socat"
-  if [ "$Le_Listen_V6" ]; then
+  if [ "$Le_Listen_V4" ]; then
    _NC="$_NC -6"
  else
    _NC="$_NC -4"
  elif [ "$Le_Listen_V6" ]; then
    _NC="$_NC -6"
  fi
  if [ "$DEBUG" ] && [ "$DEBUG" -gt "1" ]; then
@ -2527,34 +2515,22 @@ _startserver() {
  _content_len="$(printf "%s" "$content" | wc -c)"
  _debug _content_len "$_content_len"
  _debug "_NC" "$_NC $SOCAT_OPTIONS"
  export _SOCAT_ERR="$(_mktemp)"
  $_NC $SOCAT_OPTIONS SYSTEM:"sleep 1; \
 echo 'HTTP/1.0 200 OK'; \
 echo 'Content-Length\: $_content_len'; \
 echo ''; \
-printf '%s' '$content';" 2>"$_SOCAT_ERR" &
+printf '%s' '$content';" &
  serverproc="$!"
  if [ -f "$_SOCAT_ERR" ]; then
    if grep "Permission denied" "$_SOCAT_ERR" >/dev/null; then
      _err "socat: $(cat $_SOCAT_ERR)"
      _err "Can not listen for user: $(whoami)"
      _err "Maybe try with root again?"
      rm -f "$_SOCAT_ERR"
      return 1
    fi
  fi
 }
 _stopserver() {
  pid="$1"
  _debug "pid" "$pid"
  if [ -z "$pid" ]; then
    rm -f "$_SOCAT_ERR"
    return
  fi
  kill $pid
  rm -f "$_SOCAT_ERR"
 }
@ -3203,8 +3179,7 @@ _setNginx() {
    return 1
  fi
  _info "Check the nginx conf before setting up."
-  if ! nginx -t >/dev/null 2>&1; then
+  if ! nginx -t >/dev/null; then
    _err "It seems that nginx conf is not correct, cannot continue."
    return 1
  fi
@ -3231,14 +3206,14 @@ location ~ \"^/\.well-known/acme-challenge/([-_a-zA-Z0-9]+)\$\" {
  fi
  _debug3 "Modified config:$(cat $FOUND_REAL_NGINX_CONF)"
  _info "nginx conf is done, let's check it again."
-  if ! nginx -t >/dev/null 2>&1; then
+  if ! nginx -t >/dev/null; then
    _err "It seems that nginx conf was broken, let's restore."
    cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
    return 1
  fi
  _info "Reload nginx"
-  if ! nginx -s reload >/dev/null 2>&1; then
+  if ! nginx -s reload >/dev/null; then
    _err "It seems that nginx reload error, let's restore."
    cat "$_backup_conf" >"$FOUND_REAL_NGINX_CONF"
    return 1
@ -3776,7 +3751,7 @@ _regAccount() {
    eab_sign_t="$eab_protected64.$eab_payload64"
    _debug3 eab_sign_t "$eab_sign_t"
-    key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 | _hex_dump | tr -d ' ')"
+    key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 multi | _hex_dump | tr -d ' ')"
    _debug3 key_hex "$key_hex"
    eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace)
@ -4536,7 +4511,7 @@ issue() {
  vlist="$Le_Vlist"
  _cleardomainconf "Le_Vlist"
-  _debug "Getting domain auth token for each domain"
+  _info "Getting domain auth token for each domain"
  sep='#'
  dvsep=','
  if [ -z "$vlist" ]; then
@ -4592,22 +4567,12 @@ issue() {
    if [ "$_notAfter" ]; then
      _newOrderObj="$_newOrderObj,\"notAfter\": \"$_notAfter\""
    fi
    _debug "STEP 1, Ordering a Certificate"
    if ! _send_signed_request "$ACME_NEW_ORDER" "$_newOrderObj}"; then
      _err "Create new order error."
      _clearup
      _on_issue_err "$_post_hook"
      return 1
    fi
    if _contains "$response" "invalid"; then
      if echo "$response" | _normalizeJson | grep '"status":"invalid"' >/dev/null 2>&1; then
        _err "Create new order with invalid status."
        _err "$response"
        _clearup
        _on_issue_err "$_post_hook"
        return 1
      fi
    fi
    Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
    _debug Le_LinkOrder "$Le_LinkOrder"
@ -4632,7 +4597,6 @@ issue() {
      return 1
    fi
    _debug "STEP 2, Get the authorizations of each domain"
    #domain and authz map
    _authorizations_map=""
    for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
@ -4641,7 +4605,6 @@ issue() {
        _err "get to authz error."
        _err "_authorizations_seg" "$_authorizations_seg"
        _err "_authz_url" "$_authz_url"
        _err "$response"
        _clearup
        _on_issue_err "$_post_hook"
        return 1
@ -4649,14 +4612,6 @@ issue() {
      response="$(echo "$response" | _normalizeJson)"
      _debug2 response "$response"
      if echo "$response" | grep '"status":"invalid"' >/dev/null 2>&1; then
        _err "get authz objec with invalid status, please try again later."
        _err "_authorizations_seg" "$_authorizations_seg"
        _err "$response"
        _clearup
        _on_issue_err "$_post_hook"
        return 1
      fi
      _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2- | tr -d ' "')"
      if _contains "$response" "\"wildcard\" *: *true"; then
        _d="*.$_d"
@ -5341,12 +5296,6 @@ $_authorizations_map"
  _savedomainconf "Le_NextRenewTimeStr" "$Le_NextRenewTimeStr"
  _savedomainconf "Le_NextRenewTime" "$Le_NextRenewTime"
  #convert to pkcs12
  if [ "$Le_PFXPassword" ]; then
    _toPkcs "$CERT_PFX_PATH" "$CERT_KEY_PATH" "$CERT_PATH" "$CA_CERT_PATH" "$Le_PFXPassword"
  fi
  export CERT_PFX_PATH
  if [ "$_real_cert$_real_key$_real_ca$_reload_cmd$_real_fullchain" ]; then
    _savedomainconf "Le_RealCertPath" "$_real_cert"
    _savedomainconf "Le_RealCACertPath" "$_real_ca"
--- a/deploy/haproxy.sh
+++ b/deploy/haproxy.sh
@ -36,19 +36,6 @@
 # Note: This functionality requires HAProxy was compiled against
 # a version of OpenSSL that supports this.
 #
 # export DEPLOY_HAPROXY_HOT_UPDATE="yes"
 # export DEPLOY_HAPROXY_STATS_SOCKET="UNIX:/run/haproxy/admin.sock"
 #
 # OPTIONAL: Deploy the certificate over the HAProxy stats socket without
 # needing to reload HAProxy. Default is "no".
 #
 # Require the socat binary. DEPLOY_HAPROXY_STATS_SOCKET variable uses the socat
 # address format.
 #
 # export DEPLOY_HAPROXY_MASTER_CLI="UNIX:/run/haproxy-master.sock"
 #
 # OPTIONAL: To use the master CLI with DEPLOY_HAPROXY_HOT_UPDATE="yes" instead
 # of a stats socket, use this variable.
 ########  Public functions #####################
@ -59,7 +46,6 @@ haproxy_deploy() {
  _ccert="$3"
  _cca="$4"
  _cfullchain="$5"
  _cmdpfx=""
  # Some defaults
  DEPLOY_HAPROXY_PEM_PATH_DEFAULT="/etc/haproxy"
@ -67,8 +53,6 @@ haproxy_deploy() {
  DEPLOY_HAPROXY_BUNDLE_DEFAULT="no"
  DEPLOY_HAPROXY_ISSUER_DEFAULT="no"
  DEPLOY_HAPROXY_RELOAD_DEFAULT="true"
  DEPLOY_HAPROXY_HOT_UPDATE_DEFAULT="no"
  DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT="UNIX:/run/haproxy/admin.sock"
  _debug _cdomain "${_cdomain}"
  _debug _ckey "${_ckey}"
@ -102,11 +86,6 @@ haproxy_deploy() {
    _savedomainconf Le_Deploy_haproxy_pem_name "${Le_Deploy_haproxy_pem_name}"
  elif [ -z "${Le_Deploy_haproxy_pem_name}" ]; then
    Le_Deploy_haproxy_pem_name="${DEPLOY_HAPROXY_PEM_NAME_DEFAULT}"
    # We better not have '*' as the first character
    if [ "${Le_Deploy_haproxy_pem_name%%"${Le_Deploy_haproxy_pem_name#?}"}" = '*' ]; then
      # removes the first characters and add a _ instead
      Le_Deploy_haproxy_pem_name="_${Le_Deploy_haproxy_pem_name#?}"
    fi
  fi
  # BUNDLE is optional. If not provided then assume "${DEPLOY_HAPROXY_BUNDLE_DEFAULT}"
@ -139,36 +118,6 @@ haproxy_deploy() {
    Le_Deploy_haproxy_reload="${DEPLOY_HAPROXY_RELOAD_DEFAULT}"
  fi
  # HOT_UPDATE is optional. If not provided then assume "${DEPLOY_HAPROXY_HOT_UPDATE_DEFAULT}"
  _getdeployconf DEPLOY_HAPROXY_HOT_UPDATE
  _debug2 DEPLOY_HAPROXY_HOT_UPDATE "${DEPLOY_HAPROXY_HOT_UPDATE}"
  if [ -n "${DEPLOY_HAPROXY_HOT_UPDATE}" ]; then
    Le_Deploy_haproxy_hot_update="${DEPLOY_HAPROXY_HOT_UPDATE}"
    _savedomainconf Le_Deploy_haproxy_hot_update "${Le_Deploy_haproxy_hot_update}"
  elif [ -z "${Le_Deploy_haproxy_hot_update}" ]; then
    Le_Deploy_haproxy_hot_update="${DEPLOY_HAPROXY_HOT_UPDATE_DEFAULT}"
  fi
  # STATS_SOCKET is optional. If not provided then assume "${DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT}"
  _getdeployconf DEPLOY_HAPROXY_STATS_SOCKET
  _debug2 DEPLOY_HAPROXY_STATS_SOCKET "${DEPLOY_HAPROXY_STATS_SOCKET}"
  if [ -n "${DEPLOY_HAPROXY_STATS_SOCKET}" ]; then
    Le_Deploy_haproxy_stats_socket="${DEPLOY_HAPROXY_STATS_SOCKET}"
    _savedomainconf Le_Deploy_haproxy_stats_socket "${Le_Deploy_haproxy_stats_socket}"
  elif [ -z "${Le_Deploy_haproxy_stats_socket}" ]; then
    Le_Deploy_haproxy_stats_socket="${DEPLOY_HAPROXY_STATS_SOCKET_DEFAULT}"
  fi
  # MASTER_CLI is optional. No defaults are used. When the master CLI is used,
  # all commands are sent with a prefix.
  _getdeployconf DEPLOY_HAPROXY_MASTER_CLI
  _debug2 DEPLOY_HAPROXY_MASTER_CLI "${DEPLOY_HAPROXY_MASTER_CLI}"
  if [ -n "${DEPLOY_HAPROXY_MASTER_CLI}" ]; then
    Le_Deploy_haproxy_stats_socket="${DEPLOY_HAPROXY_MASTER_CLI}"
    _savedomainconf Le_Deploy_haproxy_stats_socket "${Le_Deploy_haproxy_stats_socket}"
    _cmdpfx="@1 " # command prefix used for master CLI only.
  fi
  # Set the suffix depending if we are creating a bundle or not
  if [ "${Le_Deploy_haproxy_bundle}" = "yes" ]; then
    _info "Bundle creation requested"
@ -193,13 +142,12 @@ haproxy_deploy() {
  _issuer="${_pem}.issuer"
  _ocsp="${_pem}.ocsp"
  _reload="${Le_Deploy_haproxy_reload}"
  _statssock="${Le_Deploy_haproxy_stats_socket}"
  _info "Deploying PEM file"
  # Create a temporary PEM file
  _temppem="$(_mktemp)"
  _debug _temppem "${_temppem}"
-  cat "${_ccert}" "${_cca}" "${_ckey}" | grep . >"${_temppem}"
+  cat "${_ckey}" "${_ccert}" "${_cca}" >"${_temppem}"
  _ret="$?"
  # Check that we could create the temporary file
@ -317,86 +265,15 @@ haproxy_deploy() {
    fi
  fi
-  if [ "${Le_Deploy_haproxy_hot_update}" = "yes" ]; then
+  # Reload HAProxy
-    # set the socket name for messages
+  _debug _reload "${_reload}"
-    if [ -n "${_cmdpfx}" ]; then
+  eval "${_reload}"
-      _socketname="master CLI"
+  _ret=$?
-    else
+  if [ "${_ret}" != "0" ]; then
-      _socketname="stats socket"
+    _err "Error code ${_ret} during reload"
-    fi
+    return ${_ret}
    # Update certificate over HAProxy stats socket or master CLI.
    if _exists socat; then
      # look for the certificate on the stats socket, to chose between updating or creating one
      _socat_cert_cmd="echo '${_cmdpfx}show ssl cert' | socat '${_statssock}' - | grep -q '^${_pem}$'"
      _debug _socat_cert_cmd "${_socat_cert_cmd}"
      eval "${_socat_cert_cmd}"
      _ret=$?
      if [ "${_ret}" != "0" ]; then
        _newcert="1"
        _info "Creating new certificate '${_pem}' over HAProxy ${_socketname}."
        # certificate wasn't found, it's a new one. We should check if the crt-list exists and creates/inserts the certificate.
        _socat_crtlist_show_cmd="echo '${_cmdpfx}show ssl crt-list' | socat '${_statssock}' - | grep -q '^${Le_Deploy_haproxy_pem_path}$'"
        _debug _socat_crtlist_show_cmd "${_socat_crtlist_show_cmd}"
        eval "${_socat_crtlist_show_cmd}"
        _ret=$?
        if [ "${_ret}" != "0" ]; then
          _err "Couldn't find '${Le_Deploy_haproxy_pem_path}' in haproxy 'show ssl crt-list'"
          return "${_ret}"
        fi
        # create a new certificate
        _socat_new_cmd="echo '${_cmdpfx}new ssl cert ${_pem}' | socat '${_statssock}' - | grep -q 'New empty'"
        _debug _socat_new_cmd "${_socat_new_cmd}"
        eval "${_socat_new_cmd}"
        _ret=$?
        if [ "${_ret}" != "0" ]; then
          _err "Couldn't create '${_pem}' in haproxy"
          return "${_ret}"
        fi
      else
        _info "Update existing certificate '${_pem}' over HAProxy ${_socketname}."
      fi
      _socat_cert_set_cmd="echo -e '${_cmdpfx}set ssl cert ${_pem} <<\n$(cat "${_pem}")\n' | socat '${_statssock}' - | grep -q 'Transaction created'"
      _debug _socat_cert_set_cmd "${_socat_cert_set_cmd}"
      eval "${_socat_cert_set_cmd}"
      _ret=$?
      if [ "${_ret}" != "0" ]; then
        _err "Can't update '${_pem}' in haproxy"
        return "${_ret}"
      fi
      _socat_cert_commit_cmd="echo '${_cmdpfx}commit ssl cert ${_pem}' | socat '${_statssock}' - | grep -q '^Success!$'"
      _debug _socat_cert_commit_cmd "${_socat_cert_commit_cmd}"
      eval "${_socat_cert_commit_cmd}"
      _ret=$?
      if [ "${_ret}" != "0" ]; then
        _err "Can't commit '${_pem}' in haproxy"
        return ${_ret}
      fi
      if [ "${_newcert}" = "1" ]; then
        # if this is a new certificate, it needs to be inserted into the crt-list`
        _socat_cert_add_cmd="echo '${_cmdpfx}add ssl crt-list ${Le_Deploy_haproxy_pem_path} ${_pem}' | socat '${_statssock}' - | grep -q 'Success!'"
        _debug _socat_cert_add_cmd "${_socat_cert_add_cmd}"
        eval "${_socat_cert_add_cmd}"
        _ret=$?
        if [ "${_ret}" != "0" ]; then
          _err "Can't update '${_pem}' in haproxy"
          return "${_ret}"
        fi
      fi
    else
      _err "'socat' is not available, couldn't update over ${_socketname}"
    fi
  else
-    # Reload HAProxy
+    _info "Reload successful"
    _debug _reload "${_reload}"
    eval "${_reload}"
    _ret=$?
    if [ "${_ret}" != "0" ]; then
      _err "Error code ${_ret} during reload"
      return ${_ret}
    else
      _info "Reload successful"
    fi
  fi
  return 0
--- a/deploy/panos.sh
+++ b/deploy/panos.sh
@ -12,9 +12,6 @@
 #     export PANOS_USER=""    #User *MUST* have Commit and Import Permissions in XML API for Admin Role
 #     export PANOS_PASS=""
 #
 # OPTIONAL
 #    export PANOS_TEMPLATE="" #Template Name of panorama managed devices
 #
 # The script will automatically generate a new API key if
 # no key is found, or if a saved key has expired or is invalid.
@ -81,9 +78,6 @@ deployer() {
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"key\"\r\n\r\n$_panos_key"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cfullchain")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cfullchain")"
      if [ "$_panos_template" ]; then
        content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"\r\n\r\n$_panos_template"
      fi
    fi
    if [ "$type" = 'key' ]; then
      panos_url="${panos_url}?type=import"
@ -93,9 +87,6 @@ deployer() {
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"format\"\r\n\r\npem"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"passphrase\"\r\n\r\n123456"
      content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"file\"; filename=\"$(basename "$_cdomain.key")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")"
      if [ "$_panos_template" ]; then
        content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"target-tpl\"\r\n\r\n$_panos_template"
      fi
    fi
    #Close multipart
    content="$content${nl}--$delim--${nl}${nl}"
@ -182,20 +173,10 @@ panos_deploy() {
    unset _panos_key
  fi
  # PANOS_TEMPLATE
  if [ "$PANOS_TEMPLATE" ]; then
    _debug "Detected ENV variable PANOS_TEMPLATE. Saving to file."
    _savedeployconf PANOS_TEMPLATE "$PANOS_TEMPLATE" 1
  else
    _debug "Attempting to load variable PANOS_TEMPLATE from file."
    _getdeployconf PANOS_TEMPLATE
  fi
  #Store variables
  _panos_host=$PANOS_HOST
  _panos_user=$PANOS_USER
  _panos_pass=$PANOS_PASS
  _panos_template=$PANOS_TEMPLATE
  #Test API Key if found.  If the key is invalid, the variable _panos_key will be unset.
  if [ "$_panos_host" ] && [ "$_panos_key" ]; then
--- a/deploy/proxmoxve.sh
+++ b/deploy/proxmoxve.sh
@ -99,11 +99,11 @@ proxmoxve_deploy() {
    _proxmoxve_api_token_key="$DEPLOY_PROXMOXVE_API_TOKEN_KEY"
    _savedeployconf DEPLOY_PROXMOXVE_API_TOKEN_KEY "$DEPLOY_PROXMOXVE_API_TOKEN_KEY"
  fi
-  _debug2 DEPLOY_PROXMOXVE_API_TOKEN_KEY "$_proxmoxve_api_token_key"
+  _debug2 DEPLOY_PROXMOXVE_API_TOKEN_KEY _proxmoxve_api_token_key
  # PVE API Token header value. Used in "Authorization: PVEAPIToken".
  _proxmoxve_header_api_token="${_proxmoxve_user}@${_proxmoxve_user_realm}!${_proxmoxve_api_token_name}=${_proxmoxve_api_token_key}"
-  _debug2 "Auth Header" "$_proxmoxve_header_api_token"
+  _debug2 "Auth Header" _proxmoxve_header_api_token
  # Ugly. I hate putting heredocs inside functions because heredocs don't
  # account for whitespace correctly but it _does_ work and is several times
@ -124,8 +124,8 @@ HEREDOC
  )
  _debug2 Payload "$_json_payload"
-  _info "Push certificates to server"
+  # Push certificates to server.
-  export HTTPS_INSECURE=1
+  export _HTTPS_INSECURE=1
  export _H1="Authorization: PVEAPIToken=${_proxmoxve_header_api_token}"
  _post "$_json_payload" "$_target_url" "" POST "application/json"
--- a/deploy/routeros.sh
+++ b/deploy/routeros.sh
@ -137,7 +137,7 @@ routeros_deploy() {
    return $_err_code
  fi
-  DEPLOY_SCRIPT_CMD="/system script add name=\"LECertDeploy-$_cdomain\" owner=$ROUTER_OS_USERNAME \
+  DEPLOY_SCRIPT_CMD="/system script add name=\"LE Cert Deploy - $_cdomain\" owner=$ROUTER_OS_USERNAME \
 comment=\"generated by routeros deploy script in acme.sh\" \
 source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
 \n/certificate remove [ find name=$_cdomain.cer_1 ];\
@ -158,11 +158,11 @@ source=\"/certificate remove [ find name=$_cdomain.cer_0 ];\
    return $_err_code
  fi
-  if ! _ssh_remote_cmd "/system script run \"LECertDeploy-$_cdomain\""; then
+  if ! _ssh_remote_cmd "/system script run \"LE Cert Deploy - $_cdomain\""; then
    return $_err_code
  fi
-  if ! _ssh_remote_cmd "/system script remove \"LECertDeploy-$_cdomain\""; then
+  if ! _ssh_remote_cmd "/system script remove \"LE Cert Deploy - $_cdomain\""; then
    return $_err_code
  fi
--- a/deploy/synology_dsm.sh
+++ b/deploy/synology_dsm.sh
@ -8,38 +8,20 @@
 # Updated: 2023-07-03
 # Issues:  https://github.com/acmesh-official/acme.sh/issues/2727
 ################################################################################
-# Usage (shown values are the examples):
+# Usage:
-# 1. Set required environment variables:
+# 1. export SYNO_Username="adminUser"
-# - use automatically created temp admin user to authenticate
+# 2. export SYNO_Password="adminPassword"
-#   export SYNO_USE_TEMP_ADMIN=1
+# Optional exports (shown values are the defaults):
-# - or provide your own admin user credential to authenticate
+# - export SYNO_Certificate="" to replace a specific certificate via description
-#   1. export SYNO_USERNAME="adminUser"
+# - export SYNO_Scheme="http"
-#   2. export SYNO_PASSWORD="adminPassword"
+# - export SYNO_Hostname="localhost"
-# 2. Set optional environment variables
+# - export SYNO_Port="5000"
-# - common optional variables
+# - export SYNO_Device_Name="CertRenewal" - required for skipping 2FA-OTP
-#   - export SYNO_SCHEME="http"         - defaults to "http"
+# - export SYNO_Device_ID=""              - required for skipping 2FA-OTP
-#   - export SYNO_HOSTNAME="localhost"  - defaults to "localhost"
+# 3. acme.sh --deploy --deploy-hook synology_dsm -d example.com
 #   - export SYNO_PORT="5000"           - defaults to "5000"
 #   - export SYNO_CREATE=1 - to allow creating the cert if it doesn't exist
 #   - export SYNO_CERTIFICATE="" - to replace a specific cert by its
 #                                    description
 # - temp admin optional variables
 #   - export SYNO_LOCAL_HOSTNAME=1   - if set to 1, force to treat hostname is
 #                                      targeting current local machine (since
 #                                      this method only locally supported)
 # - exsiting admin 2FA-OTP optional variables
 #   - export SYNO_OTP_CODE="XXXXXX" - if set, script won't require to
 #                                     interactive input the OTP code
 #   - export SYNO_DEVICE_NAME="CertRenewal" - if set, script won't require to
 #                                             interactive input the device name
 #   - export SYNO_DEVICE_ID=""      - (deprecated, auth with OTP code instead)
 #                                     required for omitting 2FA-OTP
 # 3. Run command:
 # acme.sh --deploy --deploy-hook synology_dsm -d example.com
 ################################################################################
 # Dependencies:
-# - curl
+# - jq & curl
 # - synouser & synogroup (When available and SYNO_USE_TEMP_ADMIN is set)
 ################################################################################
 # Return value:
 # 0 means success, otherwise error.
@ -55,85 +37,59 @@ synology_dsm_deploy() {
  _debug _cdomain "$_cdomain"
-  # Get username and password, but don't save until we authenticated successfully
+  # Get username & password, but don't save until we authenticated successfully
-  _migratedeployconf SYNO_Username SYNO_USERNAME
+  _getdeployconf SYNO_Username
-  _migratedeployconf SYNO_Password SYNO_PASSWORD
+  _getdeployconf SYNO_Password
-  _migratedeployconf SYNO_Device_ID SYNO_DEVICE_ID
+  _getdeployconf SYNO_Create
-  _migratedeployconf SYNO_Device_Name SYNO_DEVICE_NAME
+  _getdeployconf SYNO_DID
-  _getdeployconf SYNO_USERNAME
+  _getdeployconf SYNO_TOTP_SECRET
-  _getdeployconf SYNO_PASSWORD
+  _getdeployconf SYNO_Device_Name
-  _getdeployconf SYNO_DEVICE_ID
+  _getdeployconf SYNO_Device_ID
-  _getdeployconf SYNO_DEVICE_NAME
+  if [ -z "${SYNO_Username:-}" ] || [ -z "${SYNO_Password:-}" ]; then
-
+    _err "SYNO_Username & SYNO_Password must be set"
  # Prepare to use temp admin if SYNO_USE_TEMP_ADMIN is set
  _debug2 SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
  _getdeployconf SYNO_USE_TEMP_ADMIN
  _check2cleardeployconfexp SYNO_USE_TEMP_ADMIN
  _debug2 SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
  if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
    if ! _exists synouser || ! _exists synogroup; then
      _err "Tools are missing for creating temp admin user, please set SYNO_USERNAME and SYNO_PASSWORD instead."
      return 1
    fi
    [ -n "$SYNO_USERNAME" ] || _savedeployconf SYNO_USERNAME ""
    [ -n "$SYNO_PASSWORD" ] || _savedeployconf SYNO_PASSWORD ""
    _debug "Setting temp admin user credential..."
    SYNO_USERNAME=sc-acmesh-tmp
    SYNO_PASSWORD=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16)
    # Set 2FA-OTP settings to empty consider they won't be needed.
    SYNO_DEVICE_ID=
    SYNO_DEVICE_NAME=
    SYNO_OTP_CODE=
  else
    _debug2 SYNO_USERNAME "$SYNO_USERNAME"
    _secure_debug2 SYNO_PASSWORD "$SYNO_PASSWORD"
    _debug2 SYNO_DEVICE_NAME "$SYNO_DEVICE_NAME"
    _secure_debug2 SYNO_DEVICE_ID "$SYNO_DEVICE_ID"
  fi
  if [ -z "$SYNO_USERNAME" ] || [ -z "$SYNO_PASSWORD" ]; then
    _err "You must set either SYNO_USE_TEMP_ADMIN, or set both SYNO_USERNAME and SYNO_PASSWORD."
    return 1
  fi
  if [ -n "${SYNO_Device_Name:-}" ] && [ -z "${SYNO_Device_ID:-}" ]; then
    _err "SYNO_Device_Name set, but SYNO_Device_ID is empty"
    return 1
  fi
  _debug2 SYNO_Username "$SYNO_Username"
  _secure_debug2 SYNO_Password "$SYNO_Password"
  _debug2 SYNO_Create "$SYNO_Create"
  _debug2 SYNO_Device_Name "$SYNO_Device_Name"
  _secure_debug2 SYNO_Device_ID "$SYNO_Device_ID"
-  # Optional scheme, hostname and port for Synology DSM
+  # Optional scheme, hostname & port for Synology DSM
-  _migratedeployconf SYNO_Scheme SYNO_SCHEME
+  _getdeployconf SYNO_Scheme
-  _migratedeployconf SYNO_Hostname SYNO_HOSTNAME
+  _getdeployconf SYNO_Hostname
-  _migratedeployconf SYNO_Port SYNO_PORT
+  _getdeployconf SYNO_Port
  _getdeployconf SYNO_SCHEME
  _getdeployconf SYNO_HOSTNAME
  _getdeployconf SYNO_PORT
-  # Default values for scheme, hostname and port
+  # Default values for scheme, hostname & port
-  # Defaulting to localhost and http, because it's localhost…
+  # Defaulting to localhost & http, because it's localhost…
-  [ -n "$SYNO_SCHEME" ] || SYNO_SCHEME="http"
+  [ -n "${SYNO_Scheme}" ] || SYNO_Scheme="http"
-  [ -n "$SYNO_HOSTNAME" ] || SYNO_HOSTNAME="localhost"
+  [ -n "${SYNO_Hostname}" ] || SYNO_Hostname="localhost"
-  [ -n "$SYNO_PORT" ] || SYNO_PORT="5000"
+  [ -n "${SYNO_Port}" ] || SYNO_Port="5000"
-  _savedeployconf SYNO_SCHEME "$SYNO_SCHEME"
+  _savedeployconf SYNO_Scheme "$SYNO_Scheme"
-  _savedeployconf SYNO_HOSTNAME "$SYNO_HOSTNAME"
+  _savedeployconf SYNO_Hostname "$SYNO_Hostname"
-  _savedeployconf SYNO_PORT "$SYNO_PORT"
+  _savedeployconf SYNO_Port "$SYNO_Port"
-  _debug2 SYNO_SCHEME "$SYNO_SCHEME"
+  _debug2 SYNO_Scheme "$SYNO_Scheme"
-  _debug2 SYNO_HOSTNAME "$SYNO_HOSTNAME"
+  _debug2 SYNO_Hostname "$SYNO_Hostname"
-  _debug2 SYNO_PORT "$SYNO_PORT"
+  _debug2 SYNO_Port "$SYNO_Port"
  # Get the certificate description, but don't save it until we verify it's real
-  _migratedeployconf SYNO_Certificate SYNO_CERTIFICATE "base64"
+  _getdeployconf SYNO_Certificate
-  _getdeployconf SYNO_CERTIFICATE
+  _debug SYNO_Certificate "${SYNO_Certificate:-}"
  _check2cleardeployconfexp SYNO_CERTIFICATE
  _debug SYNO_CERTIFICATE "${SYNO_CERTIFICATE:-}"
  # shellcheck disable=SC1003 # We are not trying to escape a single quote
-  if printf "%s" "$SYNO_CERTIFICATE" | grep '\\'; then
+  if printf "%s" "$SYNO_Certificate" | grep '\\'; then
    _err "Do not use a backslash (\) in your certificate description"
    return 1
  fi
-  _debug "Getting API version..."
+  _base_url="$SYNO_Scheme://$SYNO_Hostname:$SYNO_Port"
  _base_url="$SYNO_SCHEME://$SYNO_HOSTNAME:$SYNO_PORT"
  _debug _base_url "$_base_url"
  _debug "Getting API version"
  response=$(_get "$_base_url/webapi/query.cgi?api=SYNO.API.Info&version=1&method=query&query=SYNO.API.Auth")
  api_path=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"path" *: *"\([^"]*\)".*/\1/p')
  api_version=$(echo "$response" | grep "SYNO.API.Auth" | sed -n 's/.*"maxVersion" *: *\([0-9]*\).*/\1/p')
@ -141,160 +97,63 @@ synology_dsm_deploy() {
  _debug3 api_path "$api_path"
  _debug3 api_version "$api_version"
-  # Login, get the session ID and SynoToken from JSON
+  # Login, get the session ID & SynoToken from JSON
-  _info "Logging into $SYNO_HOSTNAME:$SYNO_PORT..."
+  _info "Logging into $SYNO_Hostname:$SYNO_Port"
-  encoded_username="$(printf "%s" "$SYNO_USERNAME" | _url_encode)"
+  encoded_username="$(printf "%s" "$SYNO_Username" | _url_encode)"
-  encoded_password="$(printf "%s" "$SYNO_PASSWORD" | _url_encode)"
+  encoded_password="$(printf "%s" "$SYNO_Password" | _url_encode)"
  # ## START ## - DEPRECATED, for backward compatibility
  _getdeployconf SYNO_TOTP_SECRET
  otp_code=""
  # START - DEPRECATED, only kept for legacy compatibility reasons
  if [ -n "$SYNO_TOTP_SECRET" ]; then
    _info "WARNING: Usage of SYNO_TOTP_SECRET is deprecated!"
    _info "         See synology_dsm.sh script or ACME.sh Wiki page for details:"
    _info "         https://github.com/acmesh-official/acme.sh/wiki/Synology-NAS-Guide"
-    if ! _exists oathtool; then
+    DEPRECATED_otp_code=""
    if _exists oathtool; then
      DEPRECATED_otp_code="$(oathtool --base32 --totp "${SYNO_TOTP_SECRET}" 2>/dev/null)"
    else
      _err "oathtool could not be found, install oathtool to use SYNO_TOTP_SECRET"
      return 1
    fi
    DEPRECATED_otp_code="$(oathtool --base32 --totp "$SYNO_TOTP_SECRET" 2>/dev/null)"
-    if [ -z "$SYNO_DEVICE_ID" ]; then
+    if [ -n "$SYNO_DID" ]; then
-      _getdeployconf SYNO_DID
+      _H1="Cookie: did=$SYNO_DID"
      [ -n "$SYNO_DID" ] || SYNO_DEVICE_ID="$SYNO_DID"
    fi
    if [ -n "$SYNO_DEVICE_ID" ]; then
      _H1="Cookie: did=$SYNO_DEVICE_ID"
      export _H1
      _debug3 H1 "${_H1}"
    fi
-    response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$DEPRECATED_otp_code&device_name=certrenewal&device_id=$SYNO_DEVICE_ID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
+    response=$(_post "method=login&account=$encoded_username&passwd=$encoded_password&api=SYNO.API.Auth&version=$api_version&enable_syno_token=yes&otp_code=$DEPRECATED_otp_code&device_name=certrenewal&device_id=$SYNO_DID" "$_base_url/webapi/auth.cgi?enable_syno_token=yes")
    _debug3 response "$response"
-  # ## END ## - DEPRECATED, for backward compatibility
+  # END - DEPRECATED, only kept for legacy compatibility reasons
-  # If SYNO_DEVICE_ID or SYNO_OTP_CODE is set, we treat current account enabled 2FA-OTP.
+  # Get device ID if still empty first, otherwise log in right away
-  # Notice that if SYNO_USE_TEMP_ADMIN=1, both variables will be unset
+  elif [ -z "${SYNO_Device_ID:-}" ]; then
-  else
+    printf "Enter OTP code for user '%s': " "$SYNO_Username"
-    if [ -n "$SYNO_DEVICE_ID" ] || [ -n "$SYNO_OTP_CODE" ]; then
+    read -r otp_code
-      response='{"error":{"code":403}}'
+    if [ -z "${SYNO_Device_Name:-}" ]; then
    # Assume the current account disabled 2FA-OTP, try to log in right away.
    else
      if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
        _getdeployconf SYNO_LOCAL_HOSTNAME
        _debug SYNO_LOCAL_HOSTNAME "${SYNO_LOCAL_HOSTNAME:-}"
        if [ "$SYNO_LOCAL_HOSTNAME" != "1" ] && [ "$SYNO_LOCAL_HOSTNAME" == "$SYNO_HOSTNAME" ]; then
          if [ "$SYNO_HOSTNAME" != "localhost" ] && [ "$SYNO_HOSTNAME" != "127.0.0.1" ]; then
            _err "SYNO_USE_TEMP_ADMIN=1 Only support locally deployment, if you are sure that hostname $SYNO_HOSTNAME is targeting to your **current local machine**, execute 'export SYNO_LOCAL_HOSTNAME=1' then rerun."
            return 1
          fi
        fi
        _debug "Creating temp admin user in Synology DSM..."
        if synogroup --help | grep -q '\-\-memberadd '; then
          _temp_admin_create "$SYNO_USERNAME" "$SYNO_PASSWORD"
          synogroup --memberadd administrators "$SYNO_USERNAME" >/dev/null
        elif synogroup --help | grep -q '\-\-member '; then
          # For supporting DSM 6.x which only has `--member` parameter.
          cur_admins=$(synogroup --get administrators | awk -F '[][]' '/Group Members/,0{if(NF>1)printf "%s ", $2}')
          if [ -n "$cur_admins" ]; then
            _temp_admin_create "$SYNO_USERNAME" "$SYNO_PASSWORD"
            _secure_debug3 admin_users "$cur_admins$SYNO_USERNAME"
            # shellcheck disable=SC2086
            synogroup --member administrators $cur_admins $SYNO_USERNAME >/dev/null
          else
            _err "Tool synogroup may be broken, please set SYNO_USERNAME and SYNO_PASSWORD instead."
            return 1
          fi
        else
          _err "Unsupported synogroup tool detected, please set SYNO_USERNAME and SYNO_PASSWORD instead."
          return 1
        fi
        # havig a workaround to temporary disable enforce 2FA-OTP
        otp_enforce_option=$(synogetkeyvalue /etc/synoinfo.conf otp_enforce_option)
        if [ -n "$otp_enforce_option" ] && [ "${otp_enforce_option:-"none"}" != "none" ]; then
          synosetkeyvalue /etc/synoinfo.conf otp_enforce_option none
          _info "Temporary disabled enforce 2FA-OTP to complete authentication."
          _info "previous_otp_enforce_option" "$otp_enforce_option"
        else
          otp_enforce_option=""
        fi
      fi
      response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes")
      if [ -n "$SYNO_USE_TEMP_ADMIN" ] && [ -n "$otp_enforce_option" ]; then
        synosetkeyvalue /etc/synoinfo.conf otp_enforce_option "$otp_enforce_option"
        _info "Restored previous enforce 2FA-OTP option."
      fi
      _debug3 response "$response"
    fi
  fi
  error_code=$(echo "$response" | grep '"error":' | grep -o '"code":[0-9]*' | grep -o '[0-9]*')
  _debug2 error_code "$error_code"
  # Account has 2FA-OTP enabled, since error 403 reported.
  # https://global.download.synology.com/download/Document/Software/DeveloperGuide/Firmware/DSM/All/enu/Synology_DiskStation_Administration_CLI_Guide.pdf
  if [ "$error_code" == "403" ]; then
    if [ -z "$SYNO_DEVICE_NAME" ]; then
      printf "Enter device name or leave empty for default (CertRenewal): "
-      read -r SYNO_DEVICE_NAME
+      read -r SYNO_Device_Name
-      [ -n "$SYNO_DEVICE_NAME" ] || SYNO_DEVICE_NAME="CertRenewal"
+      [ -n "${SYNO_Device_Name}" ] || SYNO_Device_Name="CertRenewal"
    fi
-    if [ -n "$SYNO_DEVICE_ID" ]; then
+    response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&otp_code=$otp_code&enable_syno_token=yes&enable_device_token=yes&device_name=$SYNO_Device_Name")
-      # Omit OTP code with SYNO_DEVICE_ID.
+    _secure_debug3 response "$response"
      response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_name=$SYNO_DEVICE_NAME&device_id=$SYNO_DEVICE_ID")
      _secure_debug3 response "$response"
    else
      # Require the OTP code if still unset.
      if [ -z "$SYNO_OTP_CODE" ]; then
        printf "Enter OTP code for user '%s': " "$SYNO_USERNAME"
        read -r SYNO_OTP_CODE
      fi
      _secure_debug SYNO_OTP_CODE "${SYNO_OTP_CODE:-}"
-      if [ -z "$SYNO_OTP_CODE" ]; then
+    id_property='device_id'
-        response='{"error":{"code":404}}'
+    [ "${api_version}" -gt '6' ] || id_property='did'
-      else
+    SYNO_Device_ID=$(echo "$response" | grep "$id_property" | sed -n 's/.*"'$id_property'" *: *"\([^"]*\).*/\1/p')
-        response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&enable_device_token=yes&device_name=$SYNO_DEVICE_NAME&otp_code=$SYNO_OTP_CODE")
+    _secure_debug2 SYNO_Device_ID "$SYNO_Device_ID"
-        _secure_debug3 response "$response"
+  else
-
+    response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=login&format=sid&account=$encoded_username&passwd=$encoded_password&enable_syno_token=yes&device_name=$SYNO_Device_Name&device_id=$SYNO_Device_ID")
-        id_property='device_id'
+    _debug3 response "$response"
        [ "${api_version}" -gt '6' ] || id_property='did'
        SYNO_DEVICE_ID=$(echo "$response" | grep "$id_property" | sed -n 's/.*"'$id_property'" *: *"\([^"]*\).*/\1/p')
        _secure_debug2 SYNO_DEVICE_ID "$SYNO_DEVICE_ID"
      fi
    fi
    error_code=$(echo "$response" | grep '"error":' | grep -o '"code":[0-9]*' | grep -o '[0-9]*')
    _debug2 error_code "$error_code"
  fi
  if [ -n "$error_code" ]; then
    if [ "$error_code" == "403" ] && [ -n "$SYNO_DEVICE_ID" ]; then
      _cleardeployconf SYNO_DEVICE_ID
      _err "Failed to authenticate with SYNO_DEVICE_ID (may expired or invalid), please try again in a new terminal window."
    elif [ "$error_code" == "404" ]; then
      _err "Failed to authenticate with provided 2FA-OTP code, please try again in a new terminal window."
    elif [ "$error_code" == "406" ]; then
      if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
        _err "SYNO_USE_TEMP_ADMIN=1 is not supported if enforce auth with 2FA-OTP is enabled."
      else
        _err "Enforce auth with 2FA-OTP enabled, please configure the user to enable 2FA-OTP to continue."
      fi
    elif [ "$error_code" == "400" ] || [ "$error_code" == "401" ] || [ "$error_code" == "408" ] || [ "$error_code" == "409" ] || [ "$error_code" == "410" ]; then
      _err "Failed to authenticate with a non-existent or disabled account, or the account password is incorrect or has expired."
    else
      _err "Failed to authenticate with error: $error_code."
    fi
    _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
    return 1
  fi
  sid=$(echo "$response" | grep "sid" | sed -n 's/.*"sid" *: *"\([^"]*\).*/\1/p')
  token=$(echo "$response" | grep "synotoken" | sed -n 's/.*"synotoken" *: *"\([^"]*\).*/\1/p')
  _debug "Session ID" "$sid"
  _debug SynoToken "$token"
-  if [ -z "$sid" ] || [ -z "$token" ]; then
+  if [ -z "$SYNO_DID" ] && [ -z "$SYNO_Device_ID" ] || [ -z "$sid" ] || [ -z "$token" ]; then
-    # Still can't get necessary info even got no errors, may Synology have API updated?
+    _err "Unable to authenticate to $_base_url - check your username & password."
-    _err "Unable to authenticate to $_base_url, you may report the full log to the community."
+    _err "If two-factor authentication is enabled for the user, set SYNO_Device_ID."
    _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
    return 1
  fi
@ -302,62 +161,36 @@ synology_dsm_deploy() {
  export _H1
  _debug2 H1 "${_H1}"
-  # Now that we know the username and password are good, save them if not in temp admin mode.
+  # Now that we know the username & password are good, save them
-  if [ -n "$SYNO_USE_TEMP_ADMIN" ]; then
+  _savedeployconf SYNO_Username "$SYNO_Username"
-    _cleardeployconf SYNO_USERNAME
+  _savedeployconf SYNO_Password "$SYNO_Password"
-    _cleardeployconf SYNO_PASSWORD
+  _savedeployconf SYNO_Device_Name "$SYNO_Device_Name"
-    _cleardeployconf SYNO_DEVICE_ID
+  _savedeployconf SYNO_Device_ID "$SYNO_Device_ID"
    _cleardeployconf SYNO_DEVICE_NAME
    _savedeployconf SYNO_USE_TEMP_ADMIN "$SYNO_USE_TEMP_ADMIN"
    _savedeployconf SYNO_LOCAL_HOSTNAME "$SYNO_HOSTNAME"
  else
    _savedeployconf SYNO_USERNAME "$SYNO_USERNAME"
    _savedeployconf SYNO_PASSWORD "$SYNO_PASSWORD"
    _savedeployconf SYNO_DEVICE_ID "$SYNO_DEVICE_ID"
    _savedeployconf SYNO_DEVICE_NAME "$SYNO_DEVICE_NAME"
  fi
-  _info "Getting certificates in Synology DSM..."
+  _info "Getting certificates in Synology DSM"
  response=$(_post "api=SYNO.Core.Certificate.CRT&method=list&version=1&_sid=$sid" "$_base_url/webapi/entry.cgi")
  _debug3 response "$response"
-  escaped_certificate="$(printf "%s" "$SYNO_CERTIFICATE" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')"
+  escaped_certificate="$(printf "%s" "$SYNO_Certificate" | sed 's/\([].*^$[]\)/\\\1/g;s/"/\\\\"/g')"
  _debug escaped_certificate "$escaped_certificate"
  id=$(echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\"id\":\"\([^\"]*\).*/\1/p")
  _debug2 id "$id"
-  error_code=$(echo "$response" | grep '"error":' | grep -o '"code":[0-9]*' | grep -o '[0-9]*')
+  if [ -z "$id" ] && [ -z "${SYNO_Create:-}" ]; then
-  _debug2 error_code "$error_code"
+    _err "Unable to find certificate: $SYNO_Certificate & \$SYNO_Create is not set"
  if [ -n "$error_code" ]; then
    if [ "$error_code" -eq 105 ]; then
      _err "Current user is not administrator and does not have sufficient permission for deploying."
    else
      _err "Failed to fetch certificate info with error: $error_code, please try again or contact Synology to learn more."
    fi
    _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
    return 1
  fi
  _migratedeployconf SYNO_Create SYNO_CREATE
  _getdeployconf SYNO_CREATE
  _debug2 SYNO_CREATE "$SYNO_CREATE"
  if [ -z "$id" ] && [ -z "$SYNO_CREATE" ]; then
    _err "Unable to find certificate: $SYNO_CERTIFICATE and $SYNO_CREATE is not set."
    _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
    return 1
  fi
  # We've verified this certificate description is a thing, so save it
-  _savedeployconf SYNO_CERTIFICATE "$SYNO_CERTIFICATE" "base64"
+  _savedeployconf SYNO_Certificate "$SYNO_Certificate" "base64"
-  _info "Generating form POST request..."
+  _info "Generate form POST request"
  nl="\0015\0012"
  delim="--------------------------$(_utc_date | tr -d -- '-: ')"
  content="--$delim${nl}Content-Disposition: form-data; name=\"key\"; filename=\"$(basename "$_ckey")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ckey")\0012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"cert\"; filename=\"$(basename "$_ccert")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_ccert")\0012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"inter_cert\"; filename=\"$(basename "$_cca")\"${nl}Content-Type: application/octet-stream${nl}${nl}$(cat "$_cca")\0012"
  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"id\"${nl}${nl}$id"
-  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_CERTIFICATE}"
+  content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"desc\"${nl}${nl}${SYNO_Certificate}"
  if echo "$response" | sed -n "s/.*\"desc\":\"$escaped_certificate\",\([^{]*\).*/\1/p" | grep -- 'is_default":true' >/dev/null; then
    _debug2 default "This is the default certificate"
    content="$content${nl}--$delim${nl}Content-Disposition: form-data; name=\"as_default\"${nl}${nl}true"
@ -368,22 +201,21 @@ synology_dsm_deploy() {
  content="$(printf "%b_" "$content")"
  content="${content%_}" # protect trailing \n
-  _info "Upload certificate to the Synology DSM."
+  _info "Upload certificate to the Synology DSM"
  response=$(_post "$content" "$_base_url/webapi/entry.cgi?api=SYNO.Core.Certificate&method=import&version=1&SynoToken=$token&_sid=$sid" "" "POST" "multipart/form-data; boundary=${delim}")
  _debug3 response "$response"
  if ! echo "$response" | grep '"error":' >/dev/null; then
    if echo "$response" | grep '"restart_httpd":true' >/dev/null; then
-      _info "Restart HTTP services succeeded."
+      _info "Restarting HTTP services succeeded"
    else
-      _info "Restart HTTP services failed."
+      _info "Restarting HTTP services failed"
    fi
-    _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
+
    _logout
    return 0
  else
-    _temp_admin_cleanup "$SYNO_USE_TEMP_ADMIN" "$SYNO_USERNAME"
+    _err "Unable to update certificate, error code $response"
    _err "Unable to update certificate, got error response: $response."
    _logout
    return 1
  fi
@ -391,44 +223,7 @@ synology_dsm_deploy() {
 ####################  Private functions below ##################################
 _logout() {
-  # Logout CERT user only to not occupy a permanent session, e.g. in DSM's "Connected Users" widget (based on previous variables)
+  # Logout to not occupy a permanent session, e.g. in DSM's "Connected Users" widget
-  response=$(_get "$_base_url/webapi/$api_path?api=SYNO.API.Auth&version=$api_version&method=logout&_sid=$sid")
+  response=$(_get "$_base_url/webapi/entry.cgi?api=SYNO.API.Auth&version=$api_version&method=logout")
  _debug3 response "$response"
 }
 _temp_admin_create() {
  _username="$1"
  _password="$2"
  synouser --del "$_username" >/dev/null 2>/dev/null
  synouser --add "$_username" "$_password" "" 0 "scruelt@hotmail.com" 0 >/dev/null
 }
 _temp_admin_cleanup() {
  _flag=$1
  _username=$2
  if [ -n "${_flag}" ]; then
    _debug "Cleanuping temp admin info..."
    synouser --del "$_username" >/dev/null
  fi
 }
 #_cleardeployconf   key
 _cleardeployconf() {
  _cleardomainconf "SAVED_$1"
 }
 # key
 _check2cleardeployconfexp() {
  _key="$1"
  _clear_key="CLEAR_$_key"
  # Clear saved settings if explicitly requested
  if [ -n "$(eval echo \$"$_clear_key")" ]; then
    _debug2 "$_key: value cleared from config, exported value will be ignored."
    _cleardeployconf "$_key"
    eval "$_key"=
    export "$_key"=
    eval SAVED_"$_key"=
    export SAVED_"$_key"=
  fi
 }
--- a/dnsapi/dns_1984hosting.sh
+++ b/dnsapi/dns_1984hosting.sh
@ -128,7 +128,7 @@ _1984hosting_login() {
  _debug "Login to 1984Hosting as user $One984HOSTING_Username."
  username=$(printf '%s' "$One984HOSTING_Username" | _url_encode)
  password=$(printf '%s' "$One984HOSTING_Password" | _url_encode)
-  url="https://1984.hosting/api/auth/"
+  url="https://1984.hosting/accounts/checkuserauth/"
  _get "https://1984.hosting/accounts/login/" | grep "csrfmiddlewaretoken"
  csrftoken="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
@ -185,7 +185,7 @@ _check_cookies() {
    return 1
  fi
-  _authget "https://1984.hosting/api/auth/"
+  _authget "https://1984.hosting/accounts/loginstatus/"
  if _contains "$_response" '"ok": true'; then
    _debug "Cached cookies still valid."
    return 0
--- a/dnsapi/dns_aws.sh
+++ b/dnsapi/dns_aws.sh
@ -145,6 +145,7 @@ dns_aws_rm() {
  fi
  _sleep 1
  return 1
 }
 ####################  Private functions below ##################################
@ -156,7 +157,7 @@ _get_root() {
  # iterate over names (a.b.c.d -> b.c.d -> c.d -> d)
  while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f $i-100 | sed 's/\./\\./g')
+    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    _debug "Checking domain: $h"
    if [ -z "$h" ]; then
      _error "invalid domain"
@ -206,40 +207,24 @@ _use_container_role() {
 }
 _use_instance_role() {
-  _instance_role_name_url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
+  _url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
-
+  _debug "_url" "$_url"
-  if _get "$_instance_role_name_url" true 1 | _head_n 1 | grep -Fq 401; then
+  if ! _get "$_url" true 1 | _head_n 1 | grep -Fq 200; then
    _debug "Using IMDSv2"
    _token_url="http://169.254.169.254/latest/api/token"
    export _H1="X-aws-ec2-metadata-token-ttl-seconds: 21600"
    _token="$(_post "" "$_token_url" "" "PUT")"
    _secure_debug3 "_token" "$_token"
    if [ -z "$_token" ]; then
      _debug "Unable to fetch IMDSv2 token from instance metadata"
      return 1
    fi
    export _H1="X-aws-ec2-metadata-token: $_token"
  fi
  if ! _get "$_instance_role_name_url" true 1 | _head_n 1 | grep -Fq 200; then
    _debug "Unable to fetch IAM role from instance metadata"
    return 1
  fi
-
+  _aws_role=$(_get "$_url" "" 1)
-  _instance_role_name=$(_get "$_instance_role_name_url" "" 1)
+  _debug "_aws_role" "$_aws_role"
-  _debug "_instance_role_name" "$_instance_role_name"
+  _use_metadata "$_url$_aws_role"
  _use_metadata "$_instance_role_name_url$_instance_role_name" "$_token"
 }
 _use_metadata() {
  export _H1="X-aws-ec2-metadata-token: $2"
  _aws_creds="$(
    _get "$1" "" 1 |
      _normalizeJson |
      tr '{,}' '\n' |
      while read -r _line; do
-        _key="$(echo "${_line%%:*}" | tr -d '\"')"
+        _key="$(echo "${_line%%:*}" | tr -d '"')"
        _value="${_line#*:}"
        _debug3 "_key" "$_key"
        _secure_debug3 "_value" "$_value"
--- a/dnsapi/dns_do.sh
+++ b/dnsapi/dns_do.sh
@ -0,0 +1,148 @@
 #!/usr/bin/env sh
 # DNS API for Domain-Offensive / Resellerinterface / Domainrobot
 # Report bugs at https://github.com/seidler2547/acme.sh/issues
 # set these environment variables to match your customer ID and password:
 # DO_PID="KD-1234567"
 # DO_PW="cdfkjl3n2"
 DO_URL="https://soap.resellerinterface.de/"
 ########  Public functions #####################
 #Usage: dns_myapi_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_do_add() {
  fulldomain=$1
  txtvalue=$2
  if _dns_do_authenticate; then
    _info "Adding TXT record to ${_domain} as ${fulldomain}"
    _dns_do_soap createRR origin "${_domain}" name "${fulldomain}" type TXT data "${txtvalue}" ttl 300
    if _contains "${response}" '>success<'; then
      return 0
    fi
    _err "Could not create resource record, check logs"
  fi
  return 1
 }
 #fulldomain
 dns_do_rm() {
  fulldomain=$1
  if _dns_do_authenticate; then
    if _dns_do_list_rrs; then
      _dns_do_had_error=0
      for _rrid in ${_rr_list}; do
        _info "Deleting resource record $_rrid for $_domain"
        _dns_do_soap deleteRR origin "${_domain}" rrid "${_rrid}"
        if ! _contains "${response}" '>success<'; then
          _dns_do_had_error=1
          _err "Could not delete resource record for ${_domain}, id ${_rrid}"
        fi
      done
      return $_dns_do_had_error
    fi
  fi
  return 1
 }
 ####################  Private functions below ##################################
 _dns_do_authenticate() {
  _info "Authenticating as ${DO_PID}"
  _dns_do_soap authPartner partner "${DO_PID}" password "${DO_PW}"
  if _contains "${response}" '>success<'; then
    _get_root "$fulldomain"
    _debug "_domain $_domain"
    return 0
  else
    _err "Authentication failed, are DO_PID and DO_PW set correctly?"
  fi
  return 1
 }
 _dns_do_list_rrs() {
  _dns_do_soap getRRList origin "${_domain}"
  if ! _contains "${response}" 'SOAP-ENC:Array'; then
    _err "getRRList origin ${_domain} failed"
    return 1
  fi
  _rr_list="$(echo "${response}" |
    tr -d "\n\r\t" |
    sed -e 's/<item xsi:type="ns2:Map">/\n/g' |
    grep ">$(_regexcape "$fulldomain")</value>" |
    sed -e 's/<\/item>/\n/g' |
    grep '>id</key><value' |
    _egrep_o '>[0-9]{1,16}<' |
    tr -d '><')"
  [ "${_rr_list}" ]
 }
 _dns_do_soap() {
  func="$1"
  shift
  # put the parameters to xml
  body="<tns:${func} xmlns:tns=\"${DO_URL}\">"
  while [ "$1" ]; do
    _k="$1"
    shift
    _v="$1"
    shift
    body="$body<$_k>$_v</$_k>"
  done
  body="$body</tns:${func}>"
  _debug2 "SOAP request ${body}"
  # build SOAP XML
  _xml='<?xml version="1.0" encoding="UTF-8"?>
 <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  <env:Body>'"$body"'</env:Body>
 </env:Envelope>'
  # set SOAP headers
  export _H1="SOAPAction: ${DO_URL}#${func}"
  if ! response="$(_post "${_xml}" "${DO_URL}")"; then
    _err "Error <$1>"
    return 1
  fi
  _debug2 "SOAP response $response"
  # retrieve cookie header
  _H2="$(_egrep_o 'Cookie: [^;]+' <"$HTTP_HEADER" | _head_n 1)"
  export _H2
  return 0
 }
 _get_root() {
  domain=$1
  i=1
  _dns_do_soap getDomainList
  _all_domains="$(echo "${response}" |
    tr -d "\n\r\t " |
    _egrep_o 'domain</key><value[^>]+>[^<]+' |
    sed -e 's/^domain<\/key><value[^>]*>//g')"
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f $i-100)
    if [ -z "$h" ]; then
      return 1
    fi
    if _contains "${_all_domains}" "^$(_regexcape "$h")\$"; then
      _domain="$h"
      return 0
    fi
    i=$(_math $i + 1)
  done
  _debug "$domain not found"
  return 1
 }
 _regexcape() {
  echo "$1" | sed -e 's/\([]\.$*^[]\)/\\\1/g'
 }
--- a/dnsapi/dns_gandi_livedns.sh
+++ b/dnsapi/dns_gandi_livedns.sh
@ -13,7 +13,7 @@
 #
 ########  Public functions #####################
-GANDI_LIVEDNS_API="https://api.gandi.net/v5/livedns"
+GANDI_LIVEDNS_API="https://dns.api.gandi.net/api/v5"
 #Usage: dns_gandi_livedns_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_gandi_livedns_add() {
@ -78,7 +78,7 @@ dns_gandi_livedns_rm() {
  _gandi_livedns_rest PUT \
    "domains/$_domain/records/$_sub_domain/TXT" \
    "{\"rrset_ttl\": 300, \"rrset_values\": $_new_rrset_values}" &&
-    _contains "$response" '{"message":"DNS Record Created"}' &&
+    _contains "$response" '{"message": "DNS Record Created"}' &&
    _info "Removing record $(__green "success")"
 }
@ -134,7 +134,7 @@ _dns_gandi_append_record() {
  _debug new_rrset_values "$_rrset_values"
  _gandi_livedns_rest PUT "domains/$_domain/records/$sub_domain/TXT" \
    "{\"rrset_ttl\": 300, \"rrset_values\": $_rrset_values}" &&
-    _contains "$response" '{"message":"DNS Record Created"}' &&
+    _contains "$response" '{"message": "DNS Record Created"}' &&
    _info "Adding record $(__green "success")"
 }
@ -144,11 +144,11 @@ _dns_gandi_existing_rrset_values() {
  if ! _gandi_livedns_rest GET "domains/$domain/records/$sub_domain"; then
    return 1
  fi
-  if ! _contains "$response" '"rrset_type":"TXT"'; then
+  if ! _contains "$response" '"rrset_type": "TXT"'; then
    _debug "Does not have a _acme-challenge TXT record yet."
    return 1
  fi
-  if _contains "$response" '"rrset_values":\[\]'; then
+  if _contains "$response" '"rrset_values": \[\]'; then
    _debug "Empty rrset_values for TXT record, no previous TXT record."
    return 1
  fi
@ -169,7 +169,7 @@ _gandi_livedns_rest() {
  if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then
    export _H2="Authorization: Bearer $GANDI_LIVEDNS_TOKEN"
  else
-    export _H2="Authorization: Apikey $GANDI_LIVEDNS_KEY"
+    export _H2="X-Api-Key: $GANDI_LIVEDNS_KEY"
  fi
  if [ "$m" = "GET" ]; then
--- a/dnsapi/dns_gcloud.sh
+++ b/dnsapi/dns_gcloud.sh
@ -42,7 +42,7 @@ dns_gcloud_rm() {
  echo "$rrdatas" | grep -F -v -- "\"$txtvalue\"" | _dns_gcloud_add_rrs || return $?
  _dns_gcloud_execute_tr || return $?
-  _info "$fulldomain record removed"
+  _info "$fulldomain record added"
 }
 ####################  Private functions below ##################################
--- a/dnsapi/dns_gcore.sh
+++ b/dnsapi/dns_gcore.sh
@ -4,8 +4,8 @@
 #GCORE_Key='773$7b7adaf2a2b32bfb1b83787b4ff32a67eb178e3ada1af733e47b1411f2461f7f4fa7ed7138e2772a46124377bad7384b3bb8d87748f87b3f23db4b8bbe41b2bb'
 #
-GCORE_Api="https://api.gcore.com/dns/v2"
+GCORE_Api="https://api.gcorelabs.com/dns/v2"
-GCORE_Doc="https://api.gcore.com/docs/dns"
+GCORE_Doc="https://apidocs.gcore.com/dns"
 ########  Public functions #####################
--- a/dnsapi/dns_kappernet.sh
+++ b/dnsapi/dns_kappernet.sh
@ -6,7 +6,8 @@
 #KAPPERNETDNS_Key="yourKAPPERNETapikey"
 #KAPPERNETDNS_Secret="yourKAPPERNETapisecret"
-#KAPPERNETDNS_Api="https://dnspanel.kapper.net/API/1.2?APIKey=$KAPPERNETDNS_Key&APISecret=$KAPPERNETDNS_Secret"
+
 KAPPERNETDNS_Api="https://dnspanel.kapper.net/API/1.2?APIKey=$KAPPERNETDNS_Key&APISecret=$KAPPERNETDNS_Secret"
 ###############################################################################
 # called with
@ -18,9 +19,10 @@ dns_kappernet_add() {
  KAPPERNETDNS_Key="${KAPPERNETDNS_Key:-$(_readaccountconf_mutable KAPPERNETDNS_Key)}"
  KAPPERNETDNS_Secret="${KAPPERNETDNS_Secret:-$(_readaccountconf_mutable KAPPERNETDNS_Secret)}"
  KAPPERNETDNS_Api="https://dnspanel.kapper.net/API/1.2?APIKey=$KAPPERNETDNS_Key&APISecret=$KAPPERNETDNS_Secret"
  if [ -z "$KAPPERNETDNS_Key" ] || [ -z "$KAPPERNETDNS_Secret" ]; then
    KAPPERNETDNS_Key=""
    KAPPERNETDNS_Secret=""
    _err "Please specify your kapper.net api key and secret."
    _err "If you have not received yours - send your mail to"
    _err "support@kapper.net to get  your key and secret."
@ -39,7 +41,7 @@ dns_kappernet_add() {
  _debug _domain "DOMAIN: $_domain"
  _info "Trying to add TXT DNS Record"
-  data="%7B%22name%22%3A%22$fullhostname%22%2C%22type%22%3A%22TXT%22%2C%22content%22%3A%22$txtvalue%22%2C%22ttl%22%3A%22300%22%2C%22prio%22%3A%22%22%7D"
+  data="%7B%22name%22%3A%22$fullhostname%22%2C%22type%22%3A%22TXT%22%2C%22content%22%3A%22$txtvalue%22%2C%22ttl%22%3A%223600%22%2C%22prio%22%3A%22%22%7D"
  if _kappernet_api GET "action=new&subject=$_domain&data=$data"; then
    if _contains "$response" "{\"OK\":true"; then
@ -64,9 +66,10 @@ dns_kappernet_rm() {
  KAPPERNETDNS_Key="${KAPPERNETDNS_Key:-$(_readaccountconf_mutable KAPPERNETDNS_Key)}"
  KAPPERNETDNS_Secret="${KAPPERNETDNS_Secret:-$(_readaccountconf_mutable KAPPERNETDNS_Secret)}"
  KAPPERNETDNS_Api="https://dnspanel.kapper.net/API/1.2?APIKey=$KAPPERNETDNS_Key&APISecret=$KAPPERNETDNS_Secret"
  if [ -z "$KAPPERNETDNS_Key" ] || [ -z "$KAPPERNETDNS_Secret" ]; then
    KAPPERNETDNS_Key=""
    KAPPERNETDNS_Secret=""
    _err "Please specify your kapper.net api key and secret."
    _err "If you have not received yours - send your mail to"
    _err "support@kapper.net to get  your key and secret."
@ -78,7 +81,7 @@ dns_kappernet_rm() {
  _saveaccountconf_mutable KAPPERNETDNS_Secret "$KAPPERNETDNS_Secret"
  _info "Trying to remove the TXT Record: $fullhostname containing $txtvalue"
-  data="%7B%22name%22%3A%22$fullhostname%22%2C%22type%22%3A%22TXT%22%2C%22content%22%3A%22$txtvalue%22%2C%22ttl%22%3A%22300%22%2C%22prio%22%3A%22%22%7D"
+  data="%7B%22name%22%3A%22$fullhostname%22%2C%22type%22%3A%22TXT%22%2C%22content%22%3A%22$txtvalue%22%2C%22ttl%22%3A%223600%22%2C%22prio%22%3A%22%22%7D"
  if _kappernet_api GET "action=del&subject=$fullhostname&data=$data"; then
    if _contains "$response" "{\"OK\":true"; then
      return 0
@ -138,7 +141,7 @@ _kappernet_api() {
  if [ "$method" = "GET" ]; then
    response="$(_get "$url")"
  else
-    _err "Unsupported method or missing Secret/Key"
+    _err "Unsupported method"
    return 1
  fi
--- a/dnsapi/dns_limacity.sh
+++ b/dnsapi/dns_limacity.sh
@ -1,94 +0,0 @@
 #!/usr/bin/env sh
 # Created by Laraveluser
 #
 # Pass credentials before "acme.sh --issue --dns dns_limacity ..."
 # --
 # export LIMACITY_APIKEY="<API-KEY>"
 # --
 #
 # Pleas note: APIKEY must have following roles: dns.admin, domains.reader
 ########  Public functions #####################
 LIMACITY_APIKEY="${LIMACITY_APIKEY:-$(_readaccountconf_mutable LIMACITY_APIKEY)}"
 AUTH=$(printf "%s" "api:$LIMACITY_APIKEY" | _base64 -w 0)
 export _H1="Authorization: Basic $AUTH"
 export _H2="Content-Type: application/json"
 APIBASE=https://www.lima-city.de/usercp
 #Usage: dns_limacity_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_limacity_add() {
  _debug LIMACITY_APIKEY "$LIMACITY_APIKEY"
  if [ "$LIMACITY_APIKEY" = "" ]; then
    _err "No Credentials given"
    return 1
  fi
  # save the dns server and key to the account conf file.
  _saveaccountconf_mutable LIMACITY_APIKEY "${LIMACITY_APIKEY}"
  fulldomain=$1
  txtvalue=$2
  if ! _lima_get_domain_id "$fulldomain"; then return 1; fi
  msg=$(_post "{\"nameserver_record\":{\"name\":\"${fulldomain}\",\"type\":\"TXT\",\"content\":\"${txtvalue}\",\"ttl\":60}}" "${APIBASE}/domains/${LIMACITY_DOMAINID}/records.json" "" "POST")
  _debug "$msg"
  if [ "$(echo "$msg" | _egrep_o "\"status\":\"ok\"")" = "" ]; then
    _err "$msg"
    return 1
  fi
  return 0
 }
 #Usage: dns_limacity_rm   _acme-challenge.www.domain.com
 dns_limacity_rm() {
  fulldomain=$1
  txtvalue=$2
  if ! _lima_get_domain_id "$fulldomain"; then return 1; fi
  for recordId in $(_get "${APIBASE}/domains/${LIMACITY_DOMAINID}/records.json" | _egrep_o "{\"id\":[0-9]*[^}]*,\"name\":\"${fulldomain}\"" | _egrep_o "[0-9]*"); do
    _post "" "${APIBASE}/domains/${LIMACITY_DOMAINID}/records/${recordId}" "" "DELETE"
  done
  return 0
 }
 ####################  Private functions below ##################################
 _lima_get_domain_id() {
  domain="$1"
  _debug "$domain"
  i=2
  p=1
  domains=$(_get "${APIBASE}/domains.json")
  if [ "$(echo "$domains" | _egrep_o "\{.*""domains""")" ]; then
    response="$(echo "$domains" | tr -d "\n" | tr '{' "|" | sed 's/|/&{/g' | tr "|" "\n")"
    while true; do
      h=$(printf "%s" "$domain" | cut -d . -f $i-100)
      _debug h "$h"
      if [ -z "$h" ]; then
        #not valid
        return 1
      fi
      hostedzone="$(echo "$response" | _egrep_o "\{.*""unicode_fqdn""[^,]+""$h"".*\}")"
      if [ "$hostedzone" ]; then
        LIMACITY_DOMAINID=$(printf "%s\n" "$hostedzone" | _egrep_o "\"id\":\s*[0-9]+" | _head_n 1 | cut -d : -f 2 | tr -d \ )
        if [ "$LIMACITY_DOMAINID" ]; then
          _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-$p)
          _domain=$h
          return 0
        fi
        return 1
      fi
      p=$i
      i=$(_math "$i" + 1)
    done
  fi
  return 1
 }
--- a/dnsapi/dns_west_cn.sh
+++ b/dnsapi/dns_west_cn.sh
@ -1,105 +0,0 @@
 #!/usr/bin/env sh
 # West.cn Domain api
 #WEST_Username="username"
 #WEST_Key="sADDsdasdgdsf"
 #Set key at https://www.west.cn/manager/API/APIconfig.asp
 REST_API="https://api.west.cn/API/v2"
 ########  Public functions #####################
 #Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_west_cn_add() {
  fulldomain=$1
  txtvalue=$2
  WEST_Username="${WEST_Username:-$(_readaccountconf_mutable WEST_Username)}"
  WEST_Key="${WEST_Key:-$(_readaccountconf_mutable WEST_Key)}"
  if [ -z "$WEST_Username" ] || [ -z "$WEST_Key" ]; then
    WEST_Username=""
    WEST_Key=""
    _err "You don't specify west api key and username yet."
    _err "Please set you key and try again."
    return 1
  fi
  #save the api key and email to the account conf file.
  _saveaccountconf_mutable WEST_Username "$WEST_Username"
  _saveaccountconf_mutable WEST_Key "$WEST_Key"
  add_record "$fulldomain" "$txtvalue"
 }
 #Usage: rm _acme-challenge.www.domain.com
 dns_west_cn_rm() {
  fulldomain=$1
  txtvalue=$2
  WEST_Username="${WEST_Username:-$(_readaccountconf_mutable WEST_Username)}"
  WEST_Key="${WEST_Key:-$(_readaccountconf_mutable WEST_Key)}"
  if ! _rest POST "domain/dns/" "act=dnsrec.list&username=$WEST_Username&apikey=$WEST_Key&domain=$fulldomain&hostname=$fulldomain&record_type=TXT"; then
    _err "dnsrec.list error."
    return 1
  fi
  if _contains "$response" 'no records'; then
    _info "Don't need to remove."
    return 0
  fi
  record_id=$(echo "$response" | tr "{" "\n" | grep -- "$txtvalue" | grep '^"record_id"' | cut -d : -f 2 | cut -d ',' -f 1)
  _debug record_id "$record_id"
  if [ -z "$record_id" ]; then
    _err "Can not get record id."
    return 1
  fi
  if ! _rest POST "domain/dns/" "act=dnsrec.remove&username=$WEST_Username&apikey=$WEST_Key&domain=$fulldomain&hostname=$fulldomain&record_id=$record_id"; then
    _err "dnsrec.remove error."
    return 1
  fi
  _contains "$response" "success"
 }
 #add the txt record.
 #usage: add fulldomain txtvalue
 add_record() {
  fulldomain=$1
  txtvalue=$2
  _info "Adding record"
  if ! _rest POST "domain/dns/" "act=dnsrec.add&username=$WEST_Username&apikey=$WEST_Key&domain=$fulldomain&hostname=$fulldomain&record_type=TXT&record_value=$txtvalue"; then
    return 1
  fi
  _contains "$response" "success"
 }
 #Usage: method  URI  data
 _rest() {
  m="$1"
  ep="$2"
  data="$3"
  _debug "$ep"
  url="$REST_API/$ep"
  _debug url "$url"
  if [ "$m" = "GET" ]; then
    response="$(_get "$url" | tr -d '\r')"
  else
    _debug2 data "$data"
    response="$(_post "$data" "$url" | tr -d '\r')"
  fi
  if [ "$?" != "0" ]; then
    _err "error $ep"
    return 1
  fi
  _debug2 response "$response"
  return 0
 }
--- a/notify/mattermost.sh
+++ b/notify/mattermost.sh
@ -1,52 +0,0 @@
 #!/usr/bin/env sh
 # Support mattermost bots
 #MATTERMOST_API_URL=""
 #MATTERMOST_CHANNEL_ID=""
 #MATTERMOST_BOT_TOKEN=""
 mattermost_send() {
  _subject="$1"
  _content="$2"
  _statusCode="$3" #0: success, 1: error 2($RENEW_SKIP): skipped
  _debug "_statusCode" "$_statusCode"
  MATTERMOST_API_URL="${MATTERMOST_API_URL:-$(_readaccountconf_mutable MATTERMOST_API_URL)}"
  if [ -z "$MATTERMOST_API_URL" ]; then
    _err "You didn't specify a Mattermost API URL MATTERMOST_API_URL yet."
    return 1
  fi
  _saveaccountconf_mutable MATTERMOST_API_URL "$MATTERMOST_API_URL"
  MATTERMOST_CHANNEL_ID="${MATTERMOST_CHANNEL_ID:-$(_readaccountconf_mutable MATTERMOST_CHANNEL_ID)}"
  if [ -z "$MATTERMOST_CHANNEL_ID" ]; then
    _err "You didn't specify a Mattermost channel id MATTERMOST_CHANNEL_ID yet."
    return 1
  fi
  _saveaccountconf_mutable MATTERMOST_CHANNEL_ID "$MATTERMOST_CHANNEL_ID"
  MATTERMOST_BOT_TOKEN="${MATTERMOST_BOT_TOKEN:-$(_readaccountconf_mutable MATTERMOST_BOT_TOKEN)}"
  if [ -z "$MATTERMOST_BOT_TOKEN" ]; then
    _err "You didn't specify a Mattermost bot API token MATTERMOST_BOT_TOKEN yet."
    return 1
  fi
  _saveaccountconf_mutable MATTERMOST_BOT_TOKEN "$MATTERMOST_BOT_TOKEN"
  _content="$(printf "*%s*\n%s" "$_subject" "$_content" | _json_encode)"
  _data="{\"channel_id\": \"$MATTERMOST_CHANNEL_ID\", "
  _data="$_data\"message\": \"$_content\"}"
  export _H1="Authorization: Bearer $MATTERMOST_BOT_TOKEN"
  response=""
  if _post "$_data" "$MATTERMOST_API_URL" "" "POST" "application/json; charset=utf-8"; then
    MATTERMOST_RESULT_OK=$(echo "$response" | _egrep_o 'create_at')
    if [ "$?" = "0" ] && [ "$MATTERMOST_RESULT_OK" ]; then
      _info "mattermost send success."
      return 0
    fi
  fi
  _err "mattermost send error."
  _err "$response"
  return 1
 }