Context Navigation

← Previous Changeset
Next Changeset →

Changeset 79f7e49

Timestamp:

01/18/22 12:47:03 (3 years ago)

Author:

Edwin Eefting <edwin@datux.nl>

Branches:

Children:

Parents:

Message:

acmeupdate

Location:

Files:

: 7 edited

root/usr/bin/acme.sh (modified) (102 diffs)
root/usr/bin/syn3-acme-issue (modified) (1 diff)
root/usr/bin/syn3-acme-renew (modified) (1 diff)
syn3_acme.SlackBuild.log.gz (modified) (previous)
syn3_acme.build (modified) (1 diff)
syn3_acme.md5 (modified) (1 diff)
syn3_acme.pkg (modified) (previous)

Legend:

: Unmodified
: Added
: Removed

npl/syn3/acme/root/usr/bin/acme.sh

-                      r3daa803
+                      r79f7e49
 #!/usr/bin/env sh
 VER=3.0.1
+VER=2.8.8
 PROJECT_NAME="acme.sh"
 …
 _SUB_FOLDERS="$_SUB_FOLDER_DNSAPI $_SUB_FOLDER_DEPLOY $_SUB_FOLDER_NOTIFY"
+CA_LETSENCRYPT_V1="https://acme-v01.api.letsencrypt.org/directory"
+LETSENCRYPT_CA_V1="https://acme-v01.api.letsencrypt.org/directory"
+LETSENCRYPT_STAGING_CA_V1="https://acme-staging.api.letsencrypt.org/directory"
 CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory"
 …
 _ZERO_EAB_ENDPOINT="http://api.zerossl.com/acme/eab-credentials-email"
+CA_SSLCOM_RSA="https://acme.ssl.com/sslcom-dv-rsa"
+CA_SSLCOM_ECC="https://acme.ssl.com/sslcom-dv-ecc"
+DEFAULT_CA=$CA_ZEROSSL
+DEFAULT_CA=$CA_LETSENCRYPT_V2
 DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST
 CA_NAMES="
-ZeroSSL.com,zerossl
 LetsEncrypt.org,letsencrypt
 LetsEncrypt.org_test,letsencrypt_test,letsencrypttest
 BuyPass.com,buypass
 BuyPass.com_test,buypass_test,buypasstest
+SSL.com,sslcom
+ZeroSSL.com,zerossl
+"
 CA_SERVERS="$CA_ZEROSSL,$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_SSLCOM_RSA"
+CA_SERVERS="$CA_LETSENCRYPT_V2,$CA_LETSENCRYPT_V2_TEST,$CA_BUYPASS,$CA_BUYPASS_TEST,$CA_ZEROSSL"
 DEFAULT_USER_AGENT="$PROJECT_NAME/$VER ($PROJECT)"
 …
 DOH_CLOUDFLARE=1
 DOH_GOOGLE=2
-DOH_ALI=3
-DOH_DP=4
 HIDDEN_VALUE="[hidden](please add '--output-insecure' to see this value)"
 …
 _ZEROSSL_WIKI="https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA"
-_SSLCOM_WIKI="https://github.com/acmesh-official/acme.sh/wiki/SSL.com-CA"
 _SERVER_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Server"
 _PREFERRED_CHAIN_WIKI="https://github.com/acmesh-official/acme.sh/wiki/Preferred-Chain"
-_DNSCHECK_WIKI="https://github.com/acmesh-official/acme.sh/wiki/dnscheck"
 _DNS_MANUAL_ERR="The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead."
 …
 _h2b() {
+  if _exists xxd; then
+    if _contains "$(xxd --help 2>&1)" "assumes -c30"; then
+      if xxd -r -p -c 9999 2>/dev/null; then
+        return
+      fi
+    else
+      if xxd -r -p 2>/dev/null; then
+        return
+      fi
+    fi
+  if _exists xxd && xxd -r -p 2>/dev/null; then
+    return
   fi
 …
   if _isEccKey "$length"; then
     _debug "Using ec name: $eccname"
     if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -noout -genkey 2>/dev/null)"; then
+    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} ecparam -name "$eccname" -genkey 2>/dev/null)"; then
       echo "$_opkey" >"$f"
     else
 …
   else
     _debug "Using RSA: $length"
+    __traditional=""
+    if _contains "$(${ACME_OPENSSL_BIN:-openssl} help genrsa 2>&1)" "-traditional"; then
+      __traditional="-traditional"
+    fi
+    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa $__traditional "$length" 2>/dev/null)"; then
+    if _opkey="$(${ACME_OPENSSL_BIN:-openssl} genrsa "$length" 2>/dev/null)"; then
       echo "$_opkey" >"$f"
     else
 …
   _debug2 csrconf "$csrconf"
   printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\n" >"$csrconf"
+  printf "[ req_distinguished_name ]\n[ req ]\ndistinguished_name = req_distinguished_name\nreq_extensions = v3_req\n[ v3_req ]\n\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment" >"$csrconf"
   if [ "$acmeValidationv1" ]; then
 …
       _ACME_CURL="$_ACME_CURL -L "
     fi
     if [ "$DEBUG" ] && [ "$DEBUG" -ge 2 ]; then
+    if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
       _CURL_DUMP="$(_mktemp)"
       _ACME_CURL="$_ACME_CURL --trace-ascii $_CURL_DUMP "
 …
+}
-_HTTP_MAX_RETRY=8
 # body  url [needbase64] [POST|PUT|DELETE] [ContentType]
 …
   httpmethod="$4"
   _postContentType="$5"
-  _sleep_retry_sec=1
-  _http_retry_times=0
-  _hcode=0
-  while [ "${_http_retry_times}" -le "$_HTTP_MAX_RETRY" ]; do
-    [ "$_http_retry_times" = "$_HTTP_MAX_RETRY" ]
-    _lastHCode="$?"
-    _debug "Retrying post"
-    _post_impl "$body" "$_post_url" "$needbase64" "$httpmethod" "$_postContentType" "$_lastHCode"
-    _hcode="$?"
-    _debug _hcode "$_hcode"
-    if [ "$_hcode" = "0" ]; then
-      break
-    fi
-    _http_retry_times=$(_math $_http_retry_times + 1)
-    _sleep $_sleep_retry_sec
-  done
-  return $_hcode
+}
-# body  url [needbase64] [POST|PUT|DELETE] [ContentType] [displayError]
-_post_impl() {
-  body="$1"
-  _post_url="$2"
-  needbase64="$3"
-  httpmethod="$4"
-  _postContentType="$5"
-  displayError="$6"
   if [ -z "$httpmethod" ]; then
 …
     _ret="$?"
     if [ "$_ret" != "0" ]; then
+      if [ -z "$displayError" ] || [ "$displayError" = "0" ]; then
+        _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret"
+      fi
+      _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $_ret"
       if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
         _err "Here is the curl dump log:"
 …
     fi
     if [ "$_ret" != "0" ]; then
+      if [ -z "$displayError" ] || [ "$displayError" = "0" ]; then
+        _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret"
+      fi
+      _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $_ret"
     fi
     _sed_i "s/^ *//g" "$HTTP_HEADER"
 …
 # url getheader timeout
 _get() {
-  url="$1"
-  onlyheader="$2"
-  t="$3"
-  _sleep_retry_sec=1
-  _http_retry_times=0
-  _hcode=0
-  while [ "${_http_retry_times}" -le "$_HTTP_MAX_RETRY" ]; do
-    [ "$_http_retry_times" = "$_HTTP_MAX_RETRY" ]
-    _lastHCode="$?"
-    _debug "Retrying GET"
-    _get_impl "$url" "$onlyheader" "$t" "$_lastHCode"
-    _hcode="$?"
-    _debug _hcode "$_hcode"
-    if [ "$_hcode" = "0" ]; then
-      break
-    fi
-    _http_retry_times=$(_math $_http_retry_times + 1)
-    _sleep $_sleep_retry_sec
-  done
-  return $_hcode
+}
-# url getheader timeout displayError
-_get_impl() {
   _debug GET
   url="$1"
   onlyheader="$2"
   t="$3"
-  displayError="$4"
   _debug url "$url"
   _debug "timeout=$t"
+  _debug "displayError" "$displayError"
   _inithttp
 …
     ret=$?
     if [ "$ret" != "0" ]; then
+      if [ -z "$displayError" ] || [ "$displayError" = "0" ]; then
+        _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret"
+      fi
+      _err "Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: $ret"
       if [ "$DEBUG" ] && [ "$DEBUG" -ge "2" ]; then
         _err "Here is the curl dump log:"
 …
     fi
     if [ "$ret" != "0" ]; then
+      if [ -z "$displayError" ] || [ "$displayError" = "0" ]; then
+        _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret"
+      fi
+      _err "Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: $ret"
     fi
   else
 …
           _headers="$(cat "$HTTP_HEADER")"
           _debug2 _headers "$_headers"
           _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)"
+          _CACHED_NONCE="$(echo "$_headers" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
         fi
       fi
 …
       continue
     fi
+    if [ "$url" = "$ACME_NEW_ACCOUNT" ]; then
+    if [ "$ACME_VERSION" = "2" ]; then
+      if [ "$url" = "$ACME_NEW_ACCOUNT" ]; then
+        protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+      elif [ "$url" = "$ACME_REVOKE_CERT" ] && [ "$keyfile" != "$ACCOUNT_KEY_PATH" ]; then
+        protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+      else
+        protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}'
+      fi
+    else
       protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+    elif [ "$url" = "$ACME_REVOKE_CERT" ] && [ "$keyfile" != "$ACCOUNT_KEY_PATH" ]; then
+      protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"jwk\": $jwk"'}'
+    else
+      protected="$JWK_HEADERPLACE_PART1$nonce\", \"url\": \"${url}$JWK_HEADERPLACE_PART2, \"kid\": \"${ACCOUNT_URL}\""'}'
+    fi
+    fi
     _debug3 protected "$protected"
 …
     _debug2 response "$response"
     _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2 | cut -d , -f 1)"
+    _CACHED_NONCE="$(echo "$responseHeaders" | grep -i "Replay-Nonce:" | _head_n 1 | tr -d "\r\n " | cut -d ':' -f 2)"
     if ! _startswith "$code" "2"; then
 …
       if _contains "$_body" "JWS has invalid anti-replay nonce" || _contains "$_body" "JWS has an invalid anti-replay nonce"; then
         _info "It seems the CA server is busy now, let's wait and retry. Sleeping $_sleep_retry_sec seconds."
-        _CACHED_NONCE=""
-        _sleep $_sleep_retry_sec
-        continue
-      fi
-      if _contains "$_body" "The Replay Nonce is not recognized"; then
-        _info "The replay Nonce is not valid, let's get a new one, Sleeping $_sleep_retry_sec seconds."
         _CACHED_NONCE=""
         _sleep $_sleep_retry_sec
 …
   fi
   _saved=$(_readdomainconf "SAVED_$_rac_key")
   eval "export $_rac_key=\"\$_saved\""
+  eval "export $_rac_key=\"$_saved\""
+}
 …
 _clearaccountconf() {
   _clear_conf "$ACCOUNT_CONF_PATH" "$1"
+}
-#key
-_clearaccountconf_mutable() {
-  _clearaccountconf "SAVED_$1"
-  #remove later
-  _clearaccountconf "$1"
+}
 …
 echo 'Content-Length\: $_content_len'; \
 echo ''; \
 printf '%s' '$content';" &
+printf -- '$content';" &
   serverproc="$!"
+}
 …
+}
-_clearAPI() {
-  ACME_NEW_ACCOUNT=""
-  ACME_KEY_CHANGE=""
-  ACME_NEW_AUTHZ=""
-  ACME_NEW_ORDER=""
-  ACME_REVOKE_CERT=""
-  ACME_NEW_NONCE=""
-  ACME_AGREEMENT=""
+}
 #server
 _initAPI() {
 …
   _debug "_init api for server: $_api_server"
+  MAX_API_RETRY_TIMES=10
+  _sleep_retry_sec=10
+  _request_retry_times=0
+  while [ -z "$ACME_NEW_ACCOUNT" ] && [ "${_request_retry_times}" -lt "$MAX_API_RETRY_TIMES" ]; do
+    _request_retry_times=$(_math "$_request_retry_times" + 1)
+  if [ -z "$ACME_NEW_ACCOUNT" ]; then
     response=$(_get "$_api_server")
     if [ "$?" != "0" ]; then
       _debug2 "response" "$response"
+      _info "Can not init api for: $_api_server."
+      _info "Sleep $_sleep_retry_sec and retry."
+      _sleep "$_sleep_retry_sec"
+      continue
+      _err "Can not init api."
+      return 1
     fi
     response=$(echo "$response" | _json_decode)
     _debug2 "response" "$response"
+    ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'key-change" *: *"[^"]*"' | cut -d '"' -f 3)
+    if [ -z "$ACME_KEY_CHANGE" ]; then
+      ACME_KEY_CHANGE=$(echo "$response" | _egrep_o 'keyChange" *: *"[^"]*"' | cut -d '"' -f 3)
+    fi
     export ACME_KEY_CHANGE
+    ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'new-authz" *: *"[^"]*"' | cut -d '"' -f 3)
+    if [ -z "$ACME_NEW_AUTHZ" ]; then
+      ACME_NEW_AUTHZ=$(echo "$response" | _egrep_o 'newAuthz" *: *"[^"]*"' | cut -d '"' -f 3)
+    fi
     export ACME_NEW_AUTHZ
+    ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_ORDER_RES="new-cert"
+    if [ -z "$ACME_NEW_ORDER" ]; then
+      ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3)
+      ACME_NEW_ORDER_RES="new-order"
+      if [ -z "$ACME_NEW_ORDER" ]; then
+        ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'newOrder" *: *"[^"]*"' | cut -d '"' -f 3)
+      fi
+    fi
     export ACME_NEW_ORDER
+    ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
+    export ACME_NEW_ORDER_RES
+    ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_ACCOUNT_RES="new-reg"
+    if [ -z "$ACME_NEW_ACCOUNT" ]; then
+      ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3)
+      ACME_NEW_ACCOUNT_RES="new-account"
+      if [ -z "$ACME_NEW_ACCOUNT" ]; then
+        ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'newAccount" *: *"[^"]*"' | cut -d '"' -f 3)
+        if [ "$ACME_NEW_ACCOUNT" ]; then
+          export ACME_VERSION=2
+        fi
+      fi
+    fi
     export ACME_NEW_ACCOUNT
+    ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
+    export ACME_NEW_ACCOUNT_RES
+    ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3)
+    if [ -z "$ACME_REVOKE_CERT" ]; then
+      ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revokeCert" *: *"[^"]*"' | cut -d '"' -f 3)
+    fi
     export ACME_REVOKE_CERT
+    ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'new-nonce" *: *"[^"]*"' | cut -d '"' -f 3)
+    if [ -z "$ACME_NEW_NONCE" ]; then
+      ACME_NEW_NONCE=$(echo "$response" | _egrep_o 'newNonce" *: *"[^"]*"' | cut -d '"' -f 3)
+    fi
     export ACME_NEW_NONCE
+    ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_AGREEMENT=$(echo "$response" | _egrep_o 'terms-of-service" *: *"[^"]*"' | cut -d '"' -f 3)
+    if [ -z "$ACME_AGREEMENT" ]; then
+      ACME_AGREEMENT=$(echo "$response" | _egrep_o 'termsOfService" *: *"[^"]*"' | cut -d '"' -f 3)
+    fi
     export ACME_AGREEMENT
 …
     _debug "ACME_AGREEMENT" "$ACME_AGREEMENT"
     _debug "ACME_NEW_NONCE" "$ACME_NEW_NONCE"
+    if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then
+      return 0
+    fi
+    _info "Sleep $_sleep_retry_sec and retry."
+    _sleep "$_sleep_retry_sec"
+  done
+  if [ "$ACME_NEW_ACCOUNT" ] && [ "$ACME_NEW_ORDER" ]; then
+    return 0
+  fi
+  _err "Can not init api, for $_api_server"
+  return 1
+    _debug "ACME_VERSION" "$ACME_VERSION"
+  fi
+}
 …
   _debug2 "_ACME_SERVER_HOST" "$_ACME_SERVER_HOST"
+  _ACME_SERVER_PATH="$(echo "$ACME_DIRECTORY" | cut -d : -f 2- | tr -s / | cut -d / -f 3-)"
+  _debug2 "_ACME_SERVER_PATH" "$_ACME_SERVER_PATH"
+  CA_DIR="$CA_HOME/$_ACME_SERVER_HOST/$_ACME_SERVER_PATH"
+  CA_DIR="$CA_HOME/$_ACME_SERVER_HOST"
   _DEFAULT_CA_CONF="$CA_DIR/ca.conf"
   if [ -z "$CA_CONF" ]; then
     CA_CONF="$_DEFAULT_CA_CONF"
 …
   _debug3 CA_CONF "$CA_CONF"
+  _OLD_CADIR="$CA_HOME/$_ACME_SERVER_HOST"
+  _OLD_ACCOUNT_KEY="$_OLD_CADIR/account.key"
+  _OLD_ACCOUNT_JSON="$_OLD_CADIR/account.json"
+  _OLD_CA_CONF="$_OLD_CADIR/ca.conf"
+  if [ -f "$CA_CONF" ]; then
+    . "$CA_CONF"
+  fi
+  if [ -z "$ACME_DIR" ]; then
+    ACME_DIR="/home/.acme"
+  fi
+  if [ -z "$APACHE_CONF_BACKUP_DIR" ]; then
+    APACHE_CONF_BACKUP_DIR="$LE_CONFIG_HOME"
+  fi
+  if [ -z "$USER_AGENT" ]; then
+    USER_AGENT="$DEFAULT_USER_AGENT"
+  fi
+  if [ -z "$HTTP_HEADER" ]; then
+    HTTP_HEADER="$LE_CONFIG_HOME/http.header"
+  fi
+  _OLD_ACCOUNT_KEY="$LE_WORKING_DIR/account.key"
+  _OLD_ACCOUNT_JSON="$LE_WORKING_DIR/account.json"
   _DEFAULT_ACCOUNT_KEY_PATH="$CA_DIR/account.key"
 …
   if [ -z "$ACCOUNT_KEY_PATH" ]; then
     ACCOUNT_KEY_PATH="$_DEFAULT_ACCOUNT_KEY_PATH"
-    if [ -f "$_OLD_ACCOUNT_KEY" ] && ! [ -f "$ACCOUNT_KEY_PATH" ]; then
-      mkdir -p "$CA_DIR"
-      mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
-    fi
   fi
   if [ -z "$ACCOUNT_JSON_PATH" ]; then
     ACCOUNT_JSON_PATH="$_DEFAULT_ACCOUNT_JSON_PATH"
-    if [ -f "$_OLD_ACCOUNT_JSON" ] && ! [ -f "$ACCOUNT_JSON_PATH" ]; then
-      mkdir -p "$CA_DIR"
-      mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
-    fi
-  fi
-  if [ -f "$_OLD_CA_CONF" ] && ! [ -f "$CA_CONF" ]; then
-    mkdir -p "$CA_DIR"
-    mv "$_OLD_CA_CONF" "$CA_CONF"
-  fi
-  if [ -f "$CA_CONF" ]; then
-    . "$CA_CONF"
-  fi
-  if [ -z "$ACME_DIR" ]; then
-    ACME_DIR="/home/.acme"
-  fi
-  if [ -z "$APACHE_CONF_BACKUP_DIR" ]; then
-    APACHE_CONF_BACKUP_DIR="$LE_CONFIG_HOME"
-  fi
-  if [ -z "$USER_AGENT" ]; then
-    USER_AGENT="$DEFAULT_USER_AGENT"
-  fi
-  if [ -z "$HTTP_HEADER" ]; then
-    HTTP_HEADER="$LE_CONFIG_HOME/http.header"
   fi
 …
       for included in $(cat "$2" | tr "\t" " " | grep "^ *include *.*;" | sed "s/include //" | tr -d " ;"); do
         _debug "check included $included"
-        if ! _startswith "$included" "/" && _exists dirname; then
-          _relpath="$(dirname "$_c_file")"
-          _debug "_relpath" "$_relpath"
-          included="$_relpath/$included"
-        fi
         if _checkConf "$1" "$included"; then
           return 0
 …
     _info "Run pre hook:'$_chk_pre_hook'"
     if ! (
-      export Le_Domain="$_chk_main_domain"
-      export Le_Alt="$_chk_alt_domains"
       cd "$DOMAIN_PATH" && eval "$_chk_pre_hook"
     ); then
 …
       netprc="$(echo "$_netprc" | grep "$_checkaddr")"
       if [ -z "$netprc" ]; then
         netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS:$_checkport")"
+        netprc="$(echo "$_netprc" | grep "$LOCAL_ANY_ADDRESS")"
       fi
       if [ "$netprc" ]; then
 …
   mkdir -p "$CA_DIR"
+  if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
+    _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
+    mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
+  fi
+  if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
+    _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
+    mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
+  fi
   if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
 …
     _savecaconf "CA_EMAIL" "$_email"
   fi
+  if [ "$ACME_DIRECTORY" = "$CA_ZEROSSL" ]; then
+    if [ -z "$_eab_id" ] || [ -z "$_eab_hmac_key" ]; then
+      _info "No EAB credentials found for ZeroSSL, let's get one"
+      if [ -z "$_email" ]; then
+        _info "$(__green "$PROJECT_NAME is using ZeroSSL as default CA now.")"
+        _info "$(__green "Please update your account with an email address first.")"
+        _info "$(__green "$PROJECT_ENTRY --register-account -m my@example.com")"
+        _info "See: $(__green "$_ZEROSSL_WIKI")"
+        return 1
+      fi
+      _eabresp=$(_post "email=$_email" $_ZERO_EAB_ENDPOINT)
+      if [ "$?" != "0" ]; then
+        _debug2 "$_eabresp"
+        _err "Can not get EAB credentials from ZeroSSL."
+        return 1
+      fi
+      _secure_debug2 _eabresp "$_eabresp"
+      _eab_id="$(echo "$_eabresp" | tr ',}' '\n\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
+      _secure_debug2 _eab_id "$_eab_id"
+      if [ -z "$_eab_id" ]; then
+        _err "Can not resolve _eab_id"
+        return 1
+      fi
+      _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')"
+      _secure_debug2 _eab_hmac_key "$_eab_hmac_key"
+      if [ -z "$_eab_hmac_key" ]; then
+        _err "Can not resolve _eab_hmac_key"
+        return 1
+      fi
+      _savecaconf CA_EAB_KEY_ID "$_eab_id"
+      _savecaconf CA_EAB_HMAC_KEY "$_eab_hmac_key"
+    fi
+  fi
+  if [ "$_eab_id" ] && [ "$_eab_hmac_key" ]; then
+    eab_protected="{\"alg\":\"HS256\",\"kid\":\"$_eab_id\",\"url\":\"${ACME_NEW_ACCOUNT}\"}"
+    _debug3 eab_protected "$eab_protected"
+    eab_protected64=$(printf "%s" "$eab_protected" | _base64 | _url_replace)
+    _debug3 eab_protected64 "$eab_protected64"
+    eab_payload64=$(printf "%s" "$jwk" | _base64 | _url_replace)
+    _debug3 eab_payload64 "$eab_payload64"
+    eab_sign_t="$eab_protected64.$eab_payload64"
+    _debug3 eab_sign_t "$eab_sign_t"
+    key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 multi | _hex_dump | tr -d ' ')"
+    _debug3 key_hex "$key_hex"
+    eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace)
+    _debug3 eab_signature "$eab_signature"
+    externalBinding=",\"externalAccountBinding\":{\"protected\":\"$eab_protected64\", \"payload\":\"$eab_payload64\", \"signature\":\"$eab_signature\"}"
+    _debug3 externalBinding "$externalBinding"
+  fi
+  if [ "$_email" ]; then
+    email_sg="\"contact\": [\"mailto:$_email\"], "
+  fi
+  regjson="{$email_sg\"termsOfServiceAgreed\": true$externalBinding}"
+  if [ "$ACME_VERSION" = "2" ]; then
+    if [ "$ACME_DIRECTORY" = "$CA_ZEROSSL" ]; then
+      if [ -z "$_eab_id" ] || [ -z "$_eab_hmac_key" ]; then
+        _info "No EAB credentials found for ZeroSSL, let's get one"
+        if [ -z "$_email" ]; then
+          _err "Please provide a email address for ZeroSSL account."
+          _err "See ZeroSSL usage: $_ZEROSSL_WIKI"
+          return 1
+        fi
+        _eabresp=$(_post "email=$_email" $_ZERO_EAB_ENDPOINT)
+        if [ "$?" != "0" ]; then
+          _debug2 "$_eabresp"
+          _err "Can not get EAB credentials from ZeroSSL."
+          return 1
+        fi
+        _eab_id="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_kid"' | cut -d : -f 2 | tr -d '"')"
+        if [ -z "$_eab_id" ]; then
+          _err "Can not resolve _eab_id"
+          return 1
+        fi
+        _eab_hmac_key="$(echo "$_eabresp" | tr ',}' '\n' | grep '"eab_hmac_key"' | cut -d : -f 2 | tr -d '"')"
+        if [ -z "$_eab_hmac_key" ]; then
+          _err "Can not resolve _eab_hmac_key"
+          return 1
+        fi
+        _savecaconf CA_EAB_KEY_ID "$_eab_id"
+        _savecaconf CA_EAB_HMAC_KEY "$_eab_hmac_key"
+      fi
+    fi
+    if [ "$_eab_id" ] && [ "$_eab_hmac_key" ]; then
+      eab_protected="{\"alg\":\"HS256\",\"kid\":\"$_eab_id\",\"url\":\"${ACME_NEW_ACCOUNT}\"}"
+      _debug3 eab_protected "$eab_protected"
+      eab_protected64=$(printf "%s" "$eab_protected" | _base64 | _url_replace)
+      _debug3 eab_protected64 "$eab_protected64"
+      eab_payload64=$(printf "%s" "$jwk" | _base64 | _url_replace)
+      _debug3 eab_payload64 "$eab_payload64"
+      eab_sign_t="$eab_protected64.$eab_payload64"
+      _debug3 eab_sign_t "$eab_sign_t"
+      key_hex="$(_durl_replace_base64 "$_eab_hmac_key" | _dbase64 | _hex_dump | tr -d ' ')"
+      _debug3 key_hex "$key_hex"
+      eab_signature=$(printf "%s" "$eab_sign_t" | _hmac sha256 $key_hex | _base64 | _url_replace)
+      _debug3 eab_signature "$eab_signature"
+      externalBinding=",\"externalAccountBinding\":{\"protected\":\"$eab_protected64\", \"payload\":\"$eab_payload64\", \"signature\":\"$eab_signature\"}"
+      _debug3 externalBinding "$externalBinding"
+    fi
+    if [ "$_email" ]; then
+      email_sg="\"contact\": [\"mailto:$_email\"], "
+    fi
+    regjson="{$email_sg\"termsOfServiceAgreed\": true$externalBinding}"
+  else
+    _reg_res="$ACME_NEW_ACCOUNT_RES"
+    regjson='{"resource": "'$_reg_res'", "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
+    if [ "$_email" ]; then
+      regjson='{"resource": "'$_reg_res'", "contact": ["mailto:'$_email'"], "terms-of-service-agreed": true, "agreement": "'$ACME_AGREEMENT'"}'
+    fi
+  fi
   _info "Registering account: $ACME_DIRECTORY"
 …
   _initpath
+  if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
+    _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
+    mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
+  fi
+  if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
+    _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
+    mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
+  fi
   if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
     _err "Account key is not found at: $ACCOUNT_KEY_PATH"
 …
   _email="$(_getAccountEmail)"
+  if [ "$ACCOUNT_EMAIL" ]; then
+    updjson='{"contact": ["mailto:'$_email'"]}'
+  else
+    updjson='{"contact": []}'
+  fi
+  if [ "$ACME_VERSION" = "2" ]; then
+    if [ "$ACCOUNT_EMAIL" ]; then
+      updjson='{"contact": ["mailto:'$_email'"]}'
+    else
+      updjson='{"contact": []}'
+    fi
+  else
+    # ACMEv1: Updates happen the same way a registration is done.
+    # https://tools.ietf.org/html/draft-ietf-acme-acme-01#section-6.3
+    _regAccount
+    return
+  fi
+  # this part handles ACMEv2 account updates.
   _send_signed_request "$_accUri" "$updjson"
 …
   _initpath
+  if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
+    _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
+    mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
+  fi
+  if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
+    _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
+    mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
+  fi
   if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
     _err "Account key is not found at: $ACCOUNT_KEY_PATH"
 …
   _initAPI
+  _djson="{\"status\":\"deactivated\"}"
+  if [ "$ACME_VERSION" = "2" ]; then
+    _djson="{\"status\":\"deactivated\"}"
+  else
+    _djson="{\"resource\": \"reg\", \"status\":\"deactivated\"}"
+  fi
   if _send_signed_request "$_accUri" "$_djson" && _contains "$response" '"deactivated"'; then
     _info "Deactivate account success for $_accUri."
 …
   _t_vtype="$3"
   _debug2 _t_vtype "$_t_vtype"
+  _send_signed_request "$_t_url" "{}"
+  if [ "$ACME_VERSION" = "2" ]; then
+    _send_signed_request "$_t_url" "{}"
+  else
+    _send_signed_request "$_t_url" "{\"resource\": \"challenge\", \"type\": \"$_t_vtype\", \"keyAuthorization\": \"$_t_key_authz\"}"
+  fi
+}
 …
 #checks if cf server is available
 _ns_is_available_cf() {
+  if _get "https://cloudflare-dns.com" "" 1 >/dev/null 2>&1; then
+    return 0
+  else
+    return 1
+  fi
+}
+_ns_is_available_google() {
+  if _get "https://dns.google" "" 1 >/dev/null 2>&1; then
+  if _get "https://cloudflare-dns.com" >/dev/null 2>&1; then
     return 0
   else
 …
   _cf_ld_type="$2"
   _cf_ep="https://dns.google/resolve"
-  _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
-_ns_is_available_ali() {
-  if _get "https://dns.alidns.com" "" 1 >/dev/null 2>&1; then
-    return 0
-  else
-    return 1
-  fi
+}
-#domain, type
-_ns_lookup_ali() {
-  _cf_ld="$1"
-  _cf_ld_type="$2"
-  _cf_ep="https://dns.alidns.com/resolve"
-  _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
-_ns_is_available_dp() {
-  if _get "https://doh.pub" "" 1 >/dev/null 2>&1; then
-    return 0
-  else
-    return 1
-  fi
+}
-#dnspod
-_ns_lookup_dp() {
-  _cf_ld="$1"
-  _cf_ld_type="$2"
-  _cf_ep="https://doh.pub/dns-query"
   _ns_lookup_impl "$_cf_ep" "$_cf_ld" "$_cf_ld_type"
+}
 …
       _debug "Use cloudflare doh server"
       export DOH_USE=$DOH_CLOUDFLARE
     elif _ns_is_available_google; then
+    else
       _debug "Use google doh server"
       export DOH_USE=$DOH_GOOGLE
-    elif _ns_is_available_ali; then
-      _debug "Use aliyun doh server"
-      export DOH_USE=$DOH_ALI
-    elif _ns_is_available_dp; then
-      _debug "Use dns pod doh server"
-      export DOH_USE=$DOH_DP
-    else
-      _err "No doh"
     fi
   fi
 …
   if [ "$DOH_USE" = "$DOH_CLOUDFLARE" ] || [ -z "$DOH_USE" ]; then
     _ns_lookup_cf "$@"
   elif [ "$DOH_USE" = "$DOH_GOOGLE" ]; then
+  else
     _ns_lookup_google "$@"
-  elif [ "$DOH_USE" = "$DOH_ALI" ]; then
-    _ns_lookup_ali "$@"
-  elif [ "$DOH_USE" = "$DOH_DP" ]; then
-    _ns_lookup_dp "$@"
-  else
-    _err "Unknown doh provider: DOH_USE=$DOH_USE"
   fi
 …
     _ns_purge_cf "$_p_txtdomain" "TXT"
   else
     _debug "no purge api for this doh api, just sleep 5 secs"
+    _debug "no purge api for google dns api, just sleep 5 secs"
     _sleep 5
   fi
 …
   while [ "$(_time)" -le "$_end_time" ]; do
-    _info "You can use '--dnssleep' to disable public dns checks."
-    _info "See: $_DNSCHECK_WIKI"
     _left=""
     for entry in $dns_entries; do
 …
 #file
 _get_chain_issuers() {
+_get_cert_issuers() {
   _cfile="$1"
+  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
+    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+  else
+    _cindex=1
+    for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
+      _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
+      _debug2 "_startn" "$_startn"
+      _debug2 "_endn" "$_endn"
+      if [ "$DEBUG" ]; then
+        _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
+      fi
+      sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
+      _cindex=$(_math $_cindex + 1)
+    done
+  fi
+}
+#
+_get_chain_subjects() {
+  _cfile="$1"
+  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -help 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
+    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+  else
+    _cindex=1
+    for _startn in $(grep -n -- "$BEGIN_CERT" "$_cfile" | cut -d : -f 1); do
+      _endn="$(grep -n -- "$END_CERT" "$_cfile" | cut -d : -f 1 | _head_n $_cindex | _tail_n 1)"
+      _debug2 "_startn" "$_startn"
+      _debug2 "_endn" "$_endn"
+      if [ "$DEBUG" ]; then
+        _debug2 "cert$_cindex" "$(sed -n "$_startn,${_endn}p" "$_cfile")"
+      fi
+      sed -n "$_startn,${_endn}p" "$_cfile" | ${ACME_OPENSSL_BIN:-openssl} x509 -text -noout | grep -i 'Subject:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2 | sed "s/ *\(.*\)/\1/"
+      _cindex=$(_math $_cindex + 1)
+    done
+  if _contains "$(${ACME_OPENSSL_BIN:-openssl} help crl2pkcs7 2>&1)" "Usage: crl2pkcs7" || _contains "$(${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 help 2>&1)" "unknown option help"; then
+    ${ACME_OPENSSL_BIN:-openssl} crl2pkcs7 -nocrl -certfile $_cfile | ${ACME_OPENSSL_BIN:-openssl} pkcs7 -print_certs -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
+  else
+    ${ACME_OPENSSL_BIN:-openssl} x509 -in $_cfile -text -noout | grep 'Issuer:' | _egrep_o "CN *=[^,]*" | cut -d = -f 2
   fi
+}
 …
   _cfile="$1"
   _missuer="$2"
   _fissuers="$(_get_chain_issuers $_cfile)"
+  _fissuers="$(_get_cert_issuers $_cfile)"
   _debug2 _fissuers "$_fissuers"
+  _rootissuer="$(echo "$_fissuers" | _lower_case | _tail_n 1)"
+  _debug2 _rootissuer "$_rootissuer"
+  if _contains "$_fissuers" "$_missuer"; then
+    return 0
+  fi
+  _fissuers="$(echo "$_fissuers" | _lower_case)"
   _missuer="$(echo "$_missuer" | _lower_case)"
   _contains "$_rootissuer" "$_missuer"
+  _contains "$_fissuers" "$_missuer"
+}
 …
     _initpath "$_main_domain" "$_key_length"
     mkdir -p "$DOMAIN_PATH"
-  elif ! _hasfield "$_web_roots" "$W_DNS"; then
-    Le_OrderFinalize=""
-    Le_LinkOrder=""
-    Le_LinkCert=""
   fi
 …
   _debug "Using ACME_DIRECTORY: $ACME_DIRECTORY"
+  if ! _initAPI; then
+    return 1
+  fi
+  _initAPI
   if [ -f "$DOMAIN_CONF" ]; then
 …
   dvsep=','
   if [ -z "$vlist" ]; then
+    #make new order request
+    _identifiers="{\"type\":\"dns\",\"value\":\"$(_idn "$_main_domain")\"}"
+    _w_index=1
+    while true; do
+      d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
+      _w_index="$(_math "$_w_index" + 1)"
+      _debug d "$d"
+      if [ -z "$d" ]; then
+        break
+      fi
+      _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$(_idn "$d")\"}"
+    done
+    _debug2 _identifiers "$_identifiers"
+    if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
+      _err "Create new order error."
+      _clearup
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+    Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
+    _debug Le_LinkOrder "$Le_LinkOrder"
+    Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
+    _debug Le_OrderFinalize "$Le_OrderFinalize"
+    if [ -z "$Le_OrderFinalize" ]; then
+      _err "Create new order error. Le_OrderFinalize not found. $response"
+      _clearup
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+    #for dns manual mode
+    _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
+    _authorizations_seg="$(echo "$response" | _json_decode | _egrep_o '"authorizations" *: *\[[^\[]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+    _debug2 _authorizations_seg "$_authorizations_seg"
+    if [ -z "$_authorizations_seg" ]; then
+      _err "_authorizations_seg not found."
+      _clearup
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+    #domain and authz map
+    _authorizations_map=""
+    for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
+      _debug2 "_authz_url" "$_authz_url"
+      if ! _send_signed_request "$_authz_url"; then
+        _err "get to authz error."
+        _err "_authorizations_seg" "$_authorizations_seg"
+        _err "_authz_url" "$_authz_url"
+    if [ "$ACME_VERSION" = "2" ]; then
+      #make new order request
+      _identifiers="{\"type\":\"dns\",\"value\":\"$(_idn "$_main_domain")\"}"
+      _w_index=1
+      while true; do
+        d="$(echo "$_alt_domains," | cut -d , -f "$_w_index")"
+        _w_index="$(_math "$_w_index" + 1)"
+        _debug d "$d"
+        if [ -z "$d" ]; then
+          break
+        fi
+        _identifiers="$_identifiers,{\"type\":\"dns\",\"value\":\"$(_idn "$d")\"}"
+      done
+      _debug2 _identifiers "$_identifiers"
+      if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
+        _err "Create new order error."
         _clearup
         _on_issue_err "$_post_hook"
         return 1
       fi
+      response="$(echo "$response" | _normalizeJson)"
+      _debug2 response "$response"
+      _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
+      if _contains "$response" "\"wildcard\" *: *true"; then
+        _d="*.$_d"
+      fi
+      _debug2 _d "$_d"
+      _authorizations_map="$_d,$response
+      Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n " | cut -d ":" -f 2-)"
+      _debug Le_LinkOrder "$Le_LinkOrder"
+      Le_OrderFinalize="$(echo "$response" | _egrep_o '"finalize" *: *"[^"]*"' | cut -d '"' -f 4)"
+      _debug Le_OrderFinalize "$Le_OrderFinalize"
+      if [ -z "$Le_OrderFinalize" ]; then
+        _err "Create new order error. Le_OrderFinalize not found. $response"
+        _clearup
+        _on_issue_err "$_post_hook"
+        return 1
+      fi
+      #for dns manual mode
+      _savedomainconf "Le_OrderFinalize" "$Le_OrderFinalize"
+      _authorizations_seg="$(echo "$response" | _json_decode | _egrep_o '"authorizations" *: *\[[^\[]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+      _debug2 _authorizations_seg "$_authorizations_seg"
+      if [ -z "$_authorizations_seg" ]; then
+        _err "_authorizations_seg not found."
+        _clearup
+        _on_issue_err "$_post_hook"
+        return 1
+      fi
+      #domain and authz map
+      _authorizations_map=""
+      for _authz_url in $(echo "$_authorizations_seg" | tr ',' ' '); do
+        _debug2 "_authz_url" "$_authz_url"
+        if ! _send_signed_request "$_authz_url"; then
+          _err "get to authz error."
+          _err "_authorizations_seg" "$_authorizations_seg"
+          _err "_authz_url" "$_authz_url"
+          _clearup
+          _on_issue_err "$_post_hook"
+          return 1
+        fi
+        response="$(echo "$response" | _normalizeJson)"
+        _debug2 response "$response"
+        _d="$(echo "$response" | _egrep_o '"value" *: *"[^"]*"' | cut -d : -f 2 | tr -d ' "')"
+        if _contains "$response" "\"wildcard\" *: *true"; then
+          _d="*.$_d"
+        fi
+        _debug2 _d "$_d"
+        _authorizations_map="$_d,$response
 $_authorizations_map"
+    done
+    _debug2 _authorizations_map "$_authorizations_map"
+      done
+      _debug2 _authorizations_map "$_authorizations_map"
+    fi
     _index=0
 …
       fi
+      _idn_d="$(_idn "$d")"
+      _candidates="$(echo "$_authorizations_map" | grep -i "^$_idn_d,")"
+      _debug2 _candidates "$_candidates"
+      if [ "$(echo "$_candidates" | wc -l)" -gt 1 ]; then
+        for _can in $_candidates; do
+          if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then
+            _candidates="$_can"
+            break
+          fi
+        done
+      fi
+      response="$(echo "$_candidates" | sed "s/$_idn_d,//")"
+      _debug2 "response" "$response"
+      if [ -z "$response" ]; then
+        _err "get to authz error."
+        _err "_authorizations_map" "$_authorizations_map"
+        _clearup
+        _on_issue_err "$_post_hook"
+        return 1
+      if [ "$ACME_VERSION" = "2" ]; then
+        _idn_d="$(_idn "$d")"
+        _candidates="$(echo "$_authorizations_map" | grep -i "^$_idn_d,")"
+        _debug2 _candidates "$_candidates"
+        if [ "$(echo "$_candidates" | wc -l)" -gt 1 ]; then
+          for _can in $_candidates; do
+            if _startswith "$(echo "$_can" | tr '.' '|')" "$(echo "$_idn_d" | tr '.' '|'),"; then
+              _candidates="$_can"
+              break
+            fi
+          done
+        fi
+        response="$(echo "$_candidates" | sed "s/$_idn_d,//")"
+        _debug2 "response" "$response"
+        if [ -z "$response" ]; then
+          _err "get to authz error."
+          _err "_authorizations_map" "$_authorizations_map"
+          _clearup
+          _on_issue_err "$_post_hook"
+          return 1
+        fi
+      else
+        if ! __get_domain_new_authz "$d"; then
+          _clearup
+          _on_issue_err "$_post_hook"
+          return 1
+        fi
       fi
 …
           return 1
         fi
+        uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
+        if [ "$ACME_VERSION" = "2" ]; then
+          uri="$(echo "$entry" | _egrep_o '"url":"[^"]*' | cut -d '"' -f 4 | _head_n 1)"
+        else
+          uri="$(echo "$entry" | _egrep_o '"uri":"[^"]*' | cut -d '"' -f 4)"
+        fi
         _debug uri "$uri"
 …
       fi
+      _debug "sleep 2 secs to verify"
+      sleep 2
+      _debug "checking"
+      if [ "$ACME_VERSION" = "2" ]; then
+        _send_signed_request "$uri"
+      else
+        response="$(_get "$uri")"
+      fi
+      if [ "$?" != "0" ]; then
+        _err "$d:Verify error:$response"
+        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
+        _clearup
+        _on_issue_err "$_post_hook" "$vlist"
+        return 1
+      fi
       _debug2 original "$response"
 …
       status=$(echo "$response" | _egrep_o '"status":"[^"]*' | cut -d : -f 2 | tr -d '"')
+      _debug2 status "$status"
+      if _contains "$status" "invalid"; then
+      if [ "$status" = "valid" ]; then
+        _info "$(__green Success)"
+        _stopserver "$serverproc"
+        serverproc=""
+        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
+        break
+      fi
+      if [ "$status" = "invalid" ]; then
         error="$(echo "$response" | _egrep_o '"error":\{[^\}]*')"
         _debug2 error "$error"
 …
       fi
-      if _contains "$status" "valid"; then
-        _info "$(__green Success)"
-        _stopserver "$serverproc"
-        serverproc=""
-        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
-        break
-      fi
       if [ "$status" = "pending" ]; then
         _info "Pending, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
+        _info "Pending"
       elif [ "$status" = "processing" ]; then
         _info "Processing, The CA is processing your order, please just wait. ($waittimes/$MAX_RETRY_TIMES)"
+        _info "Processing"
       else
         _err "$d:Verify error:$response"
 …
         return 1
       fi
+      _debug "sleep 2 secs to verify again"
+      sleep 2
+      _debug "checking"
+      _send_signed_request "$uri"
+      if [ "$?" != "0" ]; then
+        _err "$d:Verify error:$response"
+        _clearupwebbroot "$_currentRoot" "$removelevel" "$token"
+        _clearup
+        _on_issue_err "$_post_hook" "$vlist"
+        return 1
+      fi
     done
 …
   der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
+  _info "Lets finalize the order."
+  _info "Le_OrderFinalize" "$Le_OrderFinalize"
+  if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
+    _err "Sign failed."
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
+  if [ "$code" != "200" ]; then
+    _err "Sign failed, finalize code is not 200."
+    _err "$response"
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
+  if [ -z "$Le_LinkOrder" ]; then
+    Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n \t" | cut -d ":" -f 2-)"
+  fi
+  _savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
+  _link_cert_retry=0
+  _MAX_CERT_RETRY=30
+  while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
+    if _contains "$response" "\"status\":\"valid\""; then
+      _debug "Order status is valid."
+      Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
+      _debug Le_LinkCert "$Le_LinkCert"
+      if [ -z "$Le_LinkCert" ]; then
+        _err "Sign error, can not find Le_LinkCert"
+  if [ "$ACME_VERSION" = "2" ]; then
+    _info "Lets finalize the order."
+    _info "Le_OrderFinalize" "$Le_OrderFinalize"
+    if ! _send_signed_request "${Le_OrderFinalize}" "{\"csr\": \"$der\"}"; then
+      _err "Sign failed."
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+    if [ "$code" != "200" ]; then
+      _err "Sign failed, finalize code is not 200."
+      _err "$response"
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+    if [ -z "$Le_LinkOrder" ]; then
+      Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n 1 | tr -d "\r\n \t" | cut -d ":" -f 2-)"
+    fi
+    _savedomainconf "Le_LinkOrder" "$Le_LinkOrder"
+    _link_cert_retry=0
+    _MAX_CERT_RETRY=30
+    while [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
+      if _contains "$response" "\"status\":\"valid\""; then
+        _debug "Order status is valid."
+        Le_LinkCert="$(echo "$response" | _egrep_o '"certificate" *: *"[^"]*"' | cut -d '"' -f 4)"
+        _debug Le_LinkCert "$Le_LinkCert"
+        if [ -z "$Le_LinkCert" ]; then
+          _err "Sign error, can not find Le_LinkCert"
+          _err "$response"
+          _on_issue_err "$_post_hook"
+          return 1
+        fi
+        break
+      elif _contains "$response" "\"processing\""; then
+        _info "Order status is processing, lets sleep and retry."
+        _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
+        _debug "_retryafter" "$_retryafter"
+        if [ "$_retryafter" ]; then
+          _info "Retry after: $_retryafter"
+          _sleep $_retryafter
+        else
+          _sleep 2
+        fi
+      else
+        _err "Sign error, wrong status"
         _err "$response"
         _on_issue_err "$_post_hook"
         return 1
       fi
+      break
+    elif _contains "$response" "\"processing\""; then
+      _info "Order status is processing, lets sleep and retry."
+      _retryafter=$(echo "$responseHeaders" | grep -i "^Retry-After *:" | cut -d : -f 2 | tr -d ' ' | tr -d '\r')
+      _debug "_retryafter" "$_retryafter"
+      if [ "$_retryafter" ]; then
+        _info "Retry after: $_retryafter"
+        _sleep $_retryafter
+      else
+        _sleep 2
+      fi
+    else
+      _err "Sign error, wrong status"
+      #the order is processing, so we are going to poll order status
+      if [ -z "$Le_LinkOrder" ]; then
+        _err "Sign error, can not get order link location header"
+        _err "responseHeaders" "$responseHeaders"
+        _on_issue_err "$_post_hook"
+        return 1
+      fi
+      _info "Polling order status: $Le_LinkOrder"
+      if ! _send_signed_request "$Le_LinkOrder"; then
+        _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
+        _err "$response"
+        _on_issue_err "$_post_hook"
+        return 1
+      fi
+      _link_cert_retry="$(_math $_link_cert_retry + 1)"
+    done
+    if [ -z "$Le_LinkCert" ]; then
+      _err "Sign failed, can not get Le_LinkCert, retry time limit."
       _err "$response"
       _on_issue_err "$_post_hook"
       return 1
     fi
+    #the order is processing, so we are going to poll order status
+    if [ -z "$Le_LinkOrder" ]; then
+      _err "Sign error, can not get order link location header"
+      _err "responseHeaders" "$responseHeaders"
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+    _info "Polling order status: $Le_LinkOrder"
+    if ! _send_signed_request "$Le_LinkOrder"; then
+      _err "Sign failed, can not post to Le_LinkOrder cert:$Le_LinkOrder."
+    _info "Downloading cert."
+    _info "Le_LinkCert" "$Le_LinkCert"
+    if ! _send_signed_request "$Le_LinkCert"; then
+      _err "Sign failed, can not download cert:$Le_LinkCert."
       _err "$response"
       _on_issue_err "$_post_hook"
       return 1
     fi
+    _link_cert_retry="$(_math $_link_cert_retry + 1)"
+  done
+  if [ -z "$Le_LinkCert" ]; then
+    _err "Sign failed, can not get Le_LinkCert, retry time limit."
+    _err "$response"
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
+  _info "Downloading cert."
+  _info "Le_LinkCert" "$Le_LinkCert"
+  if ! _send_signed_request "$Le_LinkCert"; then
+    _err "Sign failed, can not download cert:$Le_LinkCert."
+    _err "$response"
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
+  echo "$response" >"$CERT_PATH"
+  _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
+  if [ -z "$_preferred_chain" ]; then
+    _preferred_chain=$(_readcaconf DEFAULT_PREFERRED_CHAIN)
+  fi
+  if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
+    if [ "$DEBUG" ]; then
+      _debug "default chain issuers: " "$(_get_chain_issuers "$CERT_FULLCHAIN_PATH")"
+    fi
+    if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
+      rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
+      _debug2 "rels" "$rels"
+      for rel in $rels; do
+        _info "Try rel: $rel"
+        if ! _send_signed_request "$rel"; then
+          _err "Sign failed, can not download cert:$rel"
+          _err "$response"
+          continue
+        fi
+        _relcert="$CERT_PATH.alt"
+        _relfullchain="$CERT_FULLCHAIN_PATH.alt"
+        _relca="$CA_CERT_PATH.alt"
+        echo "$response" >"$_relcert"
+        _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
+        if [ "$DEBUG" ]; then
+          _debug "rel chain issuers: " "$(_get_chain_issuers "$_relfullchain")"
+        fi
+        if _match_issuer "$_relfullchain" "$_preferred_chain"; then
+          _info "Matched issuer in: $rel"
+          cat $_relcert >"$CERT_PATH"
+          cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
+          cat $_relca >"$CA_CERT_PATH"
+          rm -f "$_relcert"
+          rm -f "$_relfullchain"
+          rm -f "$_relca"
+          break
+        fi
+        rm -f "$_relcert"
+        rm -f "$_relfullchain"
+        rm -f "$_relca"
+      done
+    fi
+    echo "$response" >"$CERT_PATH"
+    _split_cert_chain "$CERT_PATH" "$CERT_FULLCHAIN_PATH" "$CA_CERT_PATH"
+    if [ "$_preferred_chain" ] && [ -f "$CERT_FULLCHAIN_PATH" ]; then
+      if ! _match_issuer "$CERT_FULLCHAIN_PATH" "$_preferred_chain"; then
+        rels="$(echo "$responseHeaders" | tr -d ' <>' | grep -i "^link:" | grep -i 'rel="alternate"' | cut -d : -f 2- | cut -d ';' -f 1)"
+        _debug2 "rels" "$rels"
+        for rel in $rels; do
+          _info "Try rel: $rel"
+          if ! _send_signed_request "$rel"; then
+            _err "Sign failed, can not download cert:$rel"
+            _err "$response"
+            continue
+          fi
+          _relcert="$CERT_PATH.alt"
+          _relfullchain="$CERT_FULLCHAIN_PATH.alt"
+          _relca="$CA_CERT_PATH.alt"
+          echo "$response" >"$_relcert"
+          _split_cert_chain "$_relcert" "$_relfullchain" "$_relca"
+          if _match_issuer "$_relfullchain" "$_preferred_chain"; then
+            _info "Matched issuer in: $rel"
+            cat $_relcert >"$CERT_PATH"
+            cat $_relfullchain >"$CERT_FULLCHAIN_PATH"
+            cat $_relca >"$CA_CERT_PATH"
+            break
+          fi
+        done
+      fi
+    fi
+  else
+    if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
+      _err "Sign failed. $response"
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+    _rcert="$response"
+    Le_LinkCert="$(grep -i '^Location.*$' "$HTTP_HEADER" | _tail_n 1 | tr -d "\r\n" | cut -d " " -f 2)"
+    echo "$BEGIN_CERT" >"$CERT_PATH"
+    #if ! _get "$Le_LinkCert" | _base64 "multiline"  >> "$CERT_PATH" ; then
+    #  _debug "Get cert failed. Let's try last response."
+    #  printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >> "$CERT_PATH"
+    #fi
+    if ! printf -- "%s" "$_rcert" | _dbase64 "multiline" | _base64 "multiline" >>"$CERT_PATH"; then
+      _debug "Try cert link."
+      _get "$Le_LinkCert" | _base64 "multiline" >>"$CERT_PATH"
+    fi
+    echo "$END_CERT" >>"$CERT_PATH"
   fi
 …
     cat "$CERT_PATH"
     _info "Your cert is in: $(__green "$CERT_PATH")"
+    _info "Your cert is in $(__green " $CERT_PATH ")"
     if [ -f "$CERT_KEY_PATH" ]; then
       _info "Your cert key is in: $(__green "$CERT_KEY_PATH")"
+      _info "Your cert key is in $(__green " $CERT_KEY_PATH ")"
     fi
 …
   fi
+  [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in: $(__green "$CA_CERT_PATH")"
+  [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green "$CERT_FULLCHAIN_PATH")"
+  if [ "$ACME_VERSION" = "2" ]; then
+    _debug "v2 chain."
+  else
+    cp "$CERT_PATH" "$CERT_FULLCHAIN_PATH"
+    Le_LinkIssuer=$(grep -i '^Link' "$HTTP_HEADER" | _head_n 1 | cut -d " " -f 2 | cut -d ';' -f 1 | tr -d '<>')
+    if [ "$Le_LinkIssuer" ]; then
+      if ! _contains "$Le_LinkIssuer" ":"; then
+        _info "$(__red "Relative issuer link found.")"
+        Le_LinkIssuer="$_ACME_SERVER_HOST$Le_LinkIssuer"
+      fi
+      _debug Le_LinkIssuer "$Le_LinkIssuer"
+      _savedomainconf "Le_LinkIssuer" "$Le_LinkIssuer"
+      _link_issuer_retry=0
+      _MAX_ISSUER_RETRY=5
+      while [ "$_link_issuer_retry" -lt "$_MAX_ISSUER_RETRY" ]; do
+        _debug _link_issuer_retry "$_link_issuer_retry"
+        if [ "$ACME_VERSION" = "2" ]; then
+          if _send_signed_request "$Le_LinkIssuer"; then
+            echo "$response" >"$CA_CERT_PATH"
+            break
+          fi
+        else
+          if _get "$Le_LinkIssuer" >"$CA_CERT_PATH.der"; then
+            echo "$BEGIN_CERT" >"$CA_CERT_PATH"
+            _base64 "multiline" <"$CA_CERT_PATH.der" >>"$CA_CERT_PATH"
+            echo "$END_CERT" >>"$CA_CERT_PATH"
+            if ! _checkcert "$CA_CERT_PATH"; then
+              _err "Can not get the ca cert."
+              break
+            fi
+            cat "$CA_CERT_PATH" >>"$CERT_FULLCHAIN_PATH"
+            rm -f "$CA_CERT_PATH.der"
+            break
+          fi
+        fi
+        _link_issuer_retry=$(_math $_link_issuer_retry + 1)
+        _sleep "$_link_issuer_retry"
+      done
+      if [ "$_link_issuer_retry" = "$_MAX_ISSUER_RETRY" ]; then
+        _err "Max retry for issuer ca cert is reached."
+      fi
+    else
+      _debug "No Le_LinkIssuer header found."
+    fi
+  fi
+  [ -f "$CA_CERT_PATH" ] && _info "The intermediate CA cert is in $(__green " $CA_CERT_PATH ")"
+  [ -f "$CERT_FULLCHAIN_PATH" ] && _info "And the full chain certs is there: $(__green " $CERT_FULLCHAIN_PATH ")"
   Le_CertCreateTime=$(_time)
 …
   . "$DOMAIN_CONF"
   _debug Le_API "$Le_API"
+  if [ -z "$Le_API" ] || [ "$CA_LETSENCRYPT_V1" = "$Le_API" ]; then
+    #if this is from an old version, Le_API is empty,
+    #so, we force to use letsencrypt server
+    Le_API="$CA_LETSENCRYPT_V2"
+  if [ "$Le_API" = "$LETSENCRYPT_CA_V1" ]; then
+    _cleardomainconf Le_API
+    Le_API="$DEFAULT_CA"
+  fi
+  if [ "$Le_API" = "$LETSENCRYPT_STAGING_CA_V1" ]; then
+    _cleardomainconf Le_API
+    Le_API="$DEFAULT_STAGING_CA"
   fi
   if [ "$Le_API" ]; then
-    if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
-      _clearAPI
-    fi
     export ACME_DIRECTORY="$Le_API"
     #reload ca configs
 …
     _debug3 "initpath again."
     _initpath "$Le_Domain" "$_isEcc"
-    _initAPI
   fi
 …
   _local_addr="${11}"
   _challenge_alias="${12}"
-  _preferred_chain="${13}"
   _csrsubj=$(_readSubjectFromCSR "$_csrfile")
 …
   fi
+  if [ -z "$ACME_VERSION" ] && _contains "$_csrsubj,$_csrdomainlist" "*."; then
+    export ACME_VERSION=2
+  fi
   _initpath "$_csrsubj" "$_csrkeylength"
   mkdir -p "$DOMAIN_PATH"
 …
   cp "$_csrfile" "$CSR_PATH"
   issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias" "$_preferred_chain"
+  issue "$_csrW" "$_csrsubj" "$_csrdomainlist" "$_csrkeylength" "$_real_cert" "$_real_key" "$_real_ca" "$_reload_cmd" "$_real_fullchain" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_addr" "$_challenge_alias"
+}
 …
   if [ "$_real_cert" ]; then
     _info "Installing cert to: $_real_cert"
+    _info "Installing cert to:$_real_cert"
     if [ -f "$_real_cert" ] && [ ! "$_ACME_IS_RENEW" ]; then
       cp "$_real_cert" "$_backup_path/cert.bak"
 …
   if [ "$_real_ca" ]; then
     _info "Installing CA to: $_real_ca"
+    _info "Installing CA to:$_real_ca"
     if [ "$_real_ca" = "$_real_cert" ]; then
       echo "" >>"$_real_ca"
 …
   if [ "$_real_key" ]; then
     _info "Installing key to: $_real_key"
+    _info "Installing key to:$_real_key"
     if [ -f "$_real_key" ] && [ ! "$_ACME_IS_RENEW" ]; then
       cp "$_real_key" "$_backup_path/key.bak"
 …
   if [ "$_real_fullchain" ]; then
     _info "Installing full chain to: $_real_fullchain"
+    _info "Installing full chain to:$_real_fullchain"
     if [ -f "$_real_fullchain" ] && [ ! "$_ACME_IS_RENEW" ]; then
       cp "$_real_fullchain" "$_backup_path/fullchain.bak"
 …
   cr="$($_CRONTAB -l | grep "$PROJECT_ENTRY --cron")"
   if [ "$cr" ]; then
     if _exists uname && uname -a | grep SunOS >/dev/null; then
+    if _exists uname && uname -a | grep solaris >/dev/null; then
       $_CRONTAB -l | sed "/$PROJECT_ENTRY --cron/d" | $_CRONTAB --
     else
 …
   fi
-  . "$DOMAIN_CONF"
-  _debug Le_API "$Le_API"
-  if [ "$Le_API" ]; then
-    if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
-      _clearAPI
-    fi
-    export ACME_DIRECTORY="$Le_API"
-    #reload ca configs
-    ACCOUNT_KEY_PATH=""
-    ACCOUNT_JSON_PATH=""
-    CA_CONF=""
-    _debug3 "initpath again."
-    _initpath "$Le_Domain" "$_isEcc"
-    _initAPI
-  fi
   cert="$(_getfile "${CERT_PATH}" "${BEGIN_CERT}" "${END_CERT}" | tr -d "\r\n" | _url_replace)"
 …
   _initAPI
+  data="{\"certificate\": \"$cert\",\"reason\":$_reason}"
+  if [ "$ACME_VERSION" = "2" ]; then
+    data="{\"certificate\": \"$cert\",\"reason\":$_reason}"
+  else
+    data="{\"resource\": \"revoke-cert\", \"certificate\": \"$cert\"}"
+  fi
   uri="${ACME_REVOKE_CERT}"
 …
   _d_domain="$1"
   _d_type="$2"
+  _initpath "$_d_domain" "$_d_type"
+  . "$DOMAIN_CONF"
+  _debug Le_API "$Le_API"
+  if [ "$Le_API" ]; then
+    if [ "$Le_API" != "$ACME_DIRECTORY" ]; then
+      _clearAPI
+    fi
+    export ACME_DIRECTORY="$Le_API"
+    #reload ca configs
+    ACCOUNT_KEY_PATH=""
+    ACCOUNT_JSON_PATH=""
+    CA_CONF=""
+    _debug3 "initpath again."
+    _initpath "$Le_Domain" "$_d_type"
+    _initAPI
+  fi
+  _identifiers="{\"type\":\"dns\",\"value\":\"$_d_domain\"}"
+  if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
+    _err "Can not get domain new order."
+    return 1
+  fi
+  _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+  _debug2 _authorizations_seg "$_authorizations_seg"
+  if [ -z "$_authorizations_seg" ]; then
+    _err "_authorizations_seg not found."
+    _clearup
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
+  authzUri="$_authorizations_seg"
+  _debug2 "authzUri" "$authzUri"
+  if ! _send_signed_request "$authzUri"; then
+    _err "get to authz error."
+    _err "_authorizations_seg" "$_authorizations_seg"
+    _err "authzUri" "$authzUri"
+    _clearup
+    _on_issue_err "$_post_hook"
+    return 1
+  fi
+  response="$(echo "$response" | _normalizeJson)"
+  _debug2 response "$response"
+  _URL_NAME="url"
+  entries="$(echo "$response" | tr '][' '==' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n\n' | grep "\"status\": *\"valid\"")"
+  _initpath
+  if [ "$ACME_VERSION" = "2" ]; then
+    _identifiers="{\"type\":\"dns\",\"value\":\"$_d_domain\"}"
+    if ! _send_signed_request "$ACME_NEW_ORDER" "{\"identifiers\": [$_identifiers]}"; then
+      _err "Can not get domain new order."
+      return 1
+    fi
+    _authorizations_seg="$(echo "$response" | _egrep_o '"authorizations" *: *\[[^\]*\]' | cut -d '[' -f 2 | tr -d ']' | tr -d '"')"
+    _debug2 _authorizations_seg "$_authorizations_seg"
+    if [ -z "$_authorizations_seg" ]; then
+      _err "_authorizations_seg not found."
+      _clearup
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+    authzUri="$_authorizations_seg"
+    _debug2 "authzUri" "$authzUri"
+    if ! _send_signed_request "$authzUri"; then
+      _err "get to authz error."
+      _err "_authorizations_seg" "$_authorizations_seg"
+      _err "authzUri" "$authzUri"
+      _clearup
+      _on_issue_err "$_post_hook"
+      return 1
+    fi
+    response="$(echo "$response" | _normalizeJson)"
+    _debug2 response "$response"
+    _URL_NAME="url"
+  else
+    if ! __get_domain_new_authz "$_d_domain"; then
+      _err "Can not get domain new authz token."
+      return 1
+    fi
+    authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ':' -f 2- | tr -d "\r\n")"
+    _debug "authzUri" "$authzUri"
+    if [ "$code" ] && [ ! "$code" = '201' ]; then
+      _err "new-authz error: $response"
+      return 1
+    fi
+    _URL_NAME="uri"
+  fi
+  entries="$(echo "$response" | tr '][' '==' | _egrep_o "challenges\": *=[^=]*=" | tr '}{' '\n' | grep "\"status\": *\"valid\"")"
   if [ -z "$entries" ]; then
     _info "No valid entries found."
 …
     _info "Deactivate: $_vtype"
+    _djson="{\"status\":\"deactivated\"}"
+    if [ "$ACME_VERSION" = "2" ]; then
+      _djson="{\"status\":\"deactivated\"}"
+    else
+      _djson="{\"resource\": \"authz\", \"status\":\"deactivated\"}"
+    fi
     if _send_signed_request "$authzUri" "$_djson" && _contains "$response" '"deactivated"'; then
 …
+}
 # nocron confighome noprofile accountemail
+# nocron confighome noprofile
 install() {
 …
   _c_home="$2"
   _noprofile="$3"
-  _accountemail="$4"
   if ! _initpath; then
     _err "Install failed."
 …
       done
     fi
-  fi
-  if [ "$_accountemail" ]; then
-    _saveaccountconf "ACCOUNT_EMAIL" "$_accountemail"
   fi
 …
   --set-default-ca         Used with '--server', Set the default CA to use.
                            See: $_SERVER_WIKI
-  --set-default-chain      Set the default preferred chain for a CA.
-                           See: $_PREFERRED_CHAIN_WIKI
 …
   --config-home <directory>         Specifies the home dir to save all the configurations.
   --useragent <string>              Specifies the user agent string. it will be saved for future use too.
   -m, --email <email>               Specifies the account email, only valid for the '--install' and '--update-account' command.
+  -m, --accountemail <email>        Specifies the account email, only valid for the '--install' and '--update-account' command.
   --accountkey <file>               Specifies the account key path, only valid for the '--install' command.
   --days <ndays>                    Specifies the days to renew the cert when using '--issue' command. The default value is $DEFAULT_RENEW days.
 …
   --ca-bundle <file>                Specifies the path to the CA certificate bundle to verify api server's certificate.
   --ca-path <directory>             Specifies directory containing CA certificates in PEM format, used by wget or curl.
   --no-cron                         Only valid for '--install' command, which means: do not install the default cron job.
+  --nocron                          Only valid for '--install' command, which means: do not install the default cron job.
                                     In this case, the certs will not be renewed automatically.
   --no-profile                      Only valid for '--install' command, which means: do not install aliases to user profile.
+  --noprofile                       Only valid for '--install' command, which means: do not install aliases to user profile.
   --no-color                        Do not output color text.
   --force-color                     Force output of color text. Useful for non-interactive use with the aha tool for HTML E-Mails.
 …
+}
+installOnline() {
+# nocron noprofile
+_installOnline() {
   _info "Installing from online archive."
   _branch="$BRANCH"
   if [ -z "$_branch" ]; then
     _branch="master"
   fi
   target="$PROJECT/archive/$_branch.tar.gz"
+  _nocron="$1"
+  _noprofile="$2"
+  if [ ! "$BRANCH" ]; then
+    BRANCH="master"
+  fi
+  target="$PROJECT/archive/$BRANCH.tar.gz"
   _info "Downloading $target"
   localname="$_branch.tar.gz"
+  localname="$BRANCH.tar.gz"
   if ! _get "$target" >$localname; then
     _err "Download error."
 …
     fi
     cd "$PROJECT_NAME-$_branch"
+    cd "$PROJECT_NAME-$BRANCH"
     chmod +x $PROJECT_ENTRY
     if ./$PROJECT_ENTRY --install "$@"; then
+    if ./$PROJECT_ENTRY install "$_nocron" "" "$_noprofile"; then
       _info "Install success!"
       _initpath
 …
     cd ..
     rm -rf "$PROJECT_NAME-$_branch"
+    rm -rf "$PROJECT_NAME-$BRANCH"
     rm -f "$localname"
+  )
 …
   shift
   _hash_url="https://api.github.com/repos/acmesh-official/$PROJECT_NAME/git/refs/$_hash_path"
   _get $_hash_url | tr -d "\r\n" | tr '{},' '\n\n\n' | grep '"sha":' | cut -d '"' -f 4
+  _get $_hash_url | tr -d "\r\n" | tr '{},' '\n' | grep '"sha":' | cut -d '"' -f 4
+}
 …
     export LE_WORKING_DIR
     cd "$LE_WORKING_DIR"
     installOnline "--nocron" "--noprofile"
+    _installOnline "nocron" "noprofile"
   ); then
     _info "Upgrade success!"
 …
+}
 #server  #keylength
+#server
 _selectServer() {
   _server="$1"
-  _skeylength="$2"
   _server_lower="$(echo "$_server" | _lower_case)"
   _sindex=0
 …
         _debug2 "_selectServer match $sname"
         _serverdir="$(_getfield "$CA_SERVERS" $_sindex)"
-        if [ "$_serverdir" = "$CA_SSLCOM_RSA" ] && _isEccKey "$_skeylength"; then
-          _serverdir="$CA_SSLCOM_ECC"
-        fi
         _debug "Selected server: $_serverdir"
         ACME_DIRECTORY="$_serverdir"
 …
   if [ -z "$caurl" ]; then
     caurl="$DEFAULT_CA"
-  fi
-  if [ "$CA_SSLCOM_ECC" = "$caurl" ]; then
-    caurl="$CA_SSLCOM_RSA" #just hack to get the short name
   fi
   caurl_lower="$(echo $caurl | _lower_case)"
 …
   _saveaccountconf "DEFAULT_ACME_SERVER" "$ACME_DIRECTORY"
   _info "Changed default CA to: $(__green "$ACME_DIRECTORY")"
+}
-#preferred-chain
-setdefaultchain() {
-  _initpath
-  _preferred_chain="$1"
-  if [ -z "$_preferred_chain" ]; then
-    _err "Please give a '--preferred-chain value' value."
-    return 1
-  fi
-  mkdir -p "$CA_DIR"
-  _savecaconf "DEFAULT_PREFERRED_CHAIN" "$_preferred_chain"
+}
 …
       _CMD="install"
       ;;
-    --install-online)
-      shift
-      installOnline "$@"
-      return
-      ;;
     --uninstall)
       _CMD="uninstall"
 …
     --set-default-ca)
       _CMD="setdefaultca"
-      ;;
-    --set-default-chain)
-      _CMD="setdefaultchain"
       ;;
     -d | --domain)
 …
         fi
+        if _startswith "$_dvalue" "*."; then
+          _debug "Wildcard domain"
+          export ACME_VERSION=2
+        fi
         if [ -z "$_domain" ]; then
           _domain="$_dvalue"
 …
     --server)
       _server="$2"
+      _selectServer "$_server"
       shift
       ;;
 …
       shift
       ;;
     --keylength | -k)
       _keylength="$2"
 …
       shift
       ;;
     --cert-file | --certpath)
       _cert_file="$2"
 …
       shift
       ;;
     -m | --email | --accountemail)
+    -m | --accountemail)
       _accountemail="$2"
       export ACCOUNT_EMAIL="$_accountemail"
+      ACCOUNT_EMAIL="$_accountemail"
       shift
       ;;
 …
       shift
       ;;
     --no-cron | --nocron)
+    --nocron)
       _nocron="1"
       ;;
     --no-profile | --noprofile)
+    --noprofile)
       _noprofile="1"
       ;;
 …
     shift 1
   done
-  if [ "$_server" ]; then
-    _selectServer "$_server" "${_ecc:-$_keylength}"
-  fi
   if [ "${_CMD}" != "install" ]; then
 …
   _debug "Running cmd: ${_CMD}"
   case "${_CMD}" in
   install) install "$_nocron" "$_confighome" "$_noprofile" "$_accountemail" ;;
+  install) install "$_nocron" "$_confighome" "$_noprofile" ;;
   uninstall) uninstall "$_nocron" ;;
   upgrade) upgrade ;;
 …
     ;;
   signcsr)
     signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias" "$_preferred_chain"
+    signcsr "$_csr" "$_webroot" "$_cert_file" "$_key_file" "$_ca_file" "$_reloadcmd" "$_fullchain_file" "$_pre_hook" "$_post_hook" "$_renew_hook" "$_local_address" "$_challenge_alias"
     ;;
   showcsr)
 …
     setdefaultca
     ;;
-  setdefaultchain)
-    setdefaultchain "$_preferred_chain"
-    ;;
   *)
     if [ "$_CMD" ]; then
 …
+}
+if [ "$INSTALLONLINE" ]; then
+  INSTALLONLINE=""
+  _installOnline
+  exit
+fi
 main() {
   [ -z "$1" ] && showhelp && return

npl/syn3/acme/root/usr/bin/syn3-acme-issue

r3daa803	r79f7e49
15	15
16	16	if [ "$EXIT" == "0" ]; then
17		cat /usr/webint/ssl/server.crt /usr/webint/ssl/server.~~pem~~ > /usr/webint/ssl/certandkey.pem
	17	cat /usr/webint/ssl/server.crt /usr/webint/ssl/server.key > /usr/webint/ssl/certandkey.pem
18	18	syn3-state certbot OK "SSL certificate valid."
19	19	fi

npl/syn3/acme/root/usr/bin/syn3-acme-renew

r3daa803	r79f7e49
15	15
16	16	if [ "$EXIT" == "0" ]; then
17		cat /usr/webint/ssl/server.crt /usr/webint/ssl/server.~~pem~~ > /usr/webint/ssl/certandkey.pem
	17	cat /usr/webint/ssl/server.crt /usr/webint/ssl/server.key > /usr/webint/ssl/certandkey.pem
18	18	syn3-state certbot OK "SSL certificate valid. `cat $STATUS`"
19	19	else

npl/syn3/acme/syn3_acme.build

r3daa803	r79f7e49
1		12
	1	10

npl/syn3/acme/syn3_acme.md5

-                      r3daa803
+                      r79f7e49
 d41d8cd98f00b204e9800998ecf8427e  ./root/etc/webint/SSL_DOMAINS.new
 f48d3c2742cbbdf0fe9b7bf77740c0  ./root/usr/bin/acme.sh
+c2dac1c09a1e0a5a923de7155251  ./root/usr/bin/acme.sh
 a0e5403f61c08e4eda04cd2e61d7938a  ./root/usr/bin/syn3-acme
 a6acd24402cd102ba0fa6698140dc0b2  ./root/usr/bin/syn3-acme-issue
 a90cca626fec2de3d266c94c0e7d321  ./root/usr/bin/syn3-acme-renew
 bf81f0d178c08b77421b11d71fcf347  ./syn3_acme.pkg
+aa594e0d86791b3aa9b7b1a3e88e42  ./root/usr/bin/syn3-acme-issue
+bbc278f45bd8ab36a946d4898dd0f  ./root/usr/bin/syn3-acme-renew
+b5ee1cb78f1410fe47edbf32e780  ./syn3_acme.pkg
 a66f2a0cb707f264b0268ee3d4956d3  ./syn3_acme.SlackBuild
 e469f08288ccd67b04f39cae180  ./syn3_acme.SlackBuild.log.gz
+c17d788610977961a07f821dad6ccc3  ./syn3_acme.SlackBuild.log.gz

Note: See TracChangeset for help on using the changeset viewer.

Download in other formats: