diff --git a/.github/workflows/stale2.yml b/.github/workflows/stale2.yml
new file mode 100644
index 0000000..ce6f9c1
--- /dev/null
+++ b/.github/workflows/stale2.yml
@@ -0,0 +1,31 @@
+on:
+ schedule:
+ - cron: "0 0 * * *"
+
+name: Run Stale Bot on Issue Comments
+
+jobs:
+ build:
+ name: stale
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - name: stale
+ uses: gatsbyjs/stale@master
+ with:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ DRY_RUN: true
+ DAYS_BEFORE_STALE: 60
+ DAYS_BEFORE_CLOSE: 30
+ STALE_ISSUE_LABEL: 'stale'
+ STALE_PR_LABEL: 'stale'
+ OPERATIONS_PER_RUN: 30
+ STALE_ISSUE_MESSAGE: 'This issue will be closed as no updates for 60 days'
+ CLOSE_MESSAGE: 'Closing stale issue after 90 days of inactivity'
+ EXEMPT_ISSUE_LABELS: |
+ bug
+ documentation
+ enhancement
+ feature
+ help wanted
+ rfc
diff --git a/dns_scripts/dns_add_duckdns b/dns_scripts/dns_add_duckdns
new file mode 100644
index 0000000..ef40efe
--- /dev/null
+++ b/dns_scripts/dns_add_duckdns
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# need to add your Token for duckdns below
+token=${DUCKDNS_TOKEN:-}
+
+if [ -z "$token" ]; then
+ echo "DUCKDNS_TOKEN not set"
+ exit 1
+fi
+
+domain="$1"
+txtvalue="$2"
+
+response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
+if [ "$response" != "OK" ]; then
+ echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
+ echo "Response: $response"
+ exit 1
+fi
diff --git a/dns_scripts/dns_add_nsupdate b/dns_scripts/dns_add_nsupdate
index 13b0fc9..98f5e7f 100755
--- a/dns_scripts/dns_add_nsupdate
+++ b/dns_scripts/dns_add_nsupdate
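Review bot: Both `uses:` references in the new workflow float on a branch (`actions/checkout@master`, `gatsbyjs/stale@master`), so each nightly run executes whatever those repositories' default branch holds at that moment, with `secrets.GITHUB_TOKEN` available to it; pin each to a full commit SHA and record the version in a trailing comment, e.g. `uses: gatsbyjs/stale@<full-commit-sha>  # <release-tag>` (placeholders). The `actions/checkout` step looks unnecessary for a bot that only talks to the issues API — drop it unless the stale action reads the working tree. `DRY_RUN: true` presumably makes the run report-only, so nothing is labelled or closed until it is flipped; a one-line comment above it saying that is intentional would spare the next reader a surprise.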
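Review bot: `$1` and `$2` are spliced straight into the query string on the `response=$(curl ...)` line, so a missing argument or a value containing `&`, `+` or `#` silently changes the request instead of failing; let curl encode the parameters and reject missing arguments before the call. `--silent` without `--show-error`/`--fail` also hides transport and HTTP errors, which then surface only as the misleading "is the TOKEN valid?" message. The token necessarily travels in the request URL (that is the DuckDNS API), but with `--data-urlencode` it at least no longer has to be assembled by hand.
```shell
# … unchanged: token lookup and DUCKDNS_TOKEN check …
domain="$1"
txtvalue="$2"
if [ -z "$domain" ] || [ -z "$txtvalue" ]; then
  echo "usage: $0 <domain> <txt-value>" >&2
  exit 1
fi

# -G sends the --data-urlencode pairs as a properly encoded query string;
# --fail/--show-error make HTTP and transport errors visible instead of
# leaving an empty $response to be reported as a bad token.
response=$(curl --silent --show-error --fail -G \
  --data-urlencode "domains=${domain}" \
  --data-urlencode "token=${token}" \
  --data-urlencode "txt=${txtvalue}" \
  "https://www.duckdns.org/update")
# … unchanged: "OK" comparison and error messages …
```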
@@ -14,26 +14,28 @@ token="$2" if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then - if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'open' "${fulldomain}" ; then - exit $(( $? + 128 )) - fi + if [ -n "${DNS_NSUPDATE_KEY_HOOK}" ] && ! ${DNS_NSUPDATE_KEY_HOOK} 'add' 'open' "${fulldomain}" ; then + exit $(( $? + 128 )) + fi - options="-k ${DNS_NSUPDATE_KEYFILE}" + options="-k ${DNS_NSUPDATE_KEYFILE}" fi -# Note that blank line is a "send" command to nsupdate +if [ -n "${DNS_SERVER}" ]; then + cmd+="server ${DNS_SERVER}\n" +fi -nsupdate "${options}" -v </dev/null ; then # RSA key signed64="$(printf '%s' "${str}" | openssl dgst -"$signalg" -sign "$key" | urlbase64)" elif openssl ec -in "${skey}" -noout 2>/dev/null ; then # Elliptic curve key. - signed=$(printf '%s' "${str}" | openssl dgst -"$signalg" -sign "$key" -hex | awk '{print $2}') - debug "EC signature $signed" - if [[ "${signed:4:4}" == "021f" ]]; then #sha256 which needs padding - R=$(echo -n 00;echo "$signed" | cut -c 9-70) - part2=$(echo "$signed" | cut -c 71-) - elif [[ "${signed:4:4}" == "0220" ]]; then #sha256 - R=$(echo "$signed" | cut -c 9-72) - part2=$(echo "$signed" | cut -c 73-) - elif [[ "${signed:4:4}" == "0221" ]]; then #sha256 which needs trimming - R=$(echo "$signed" | cut -c 11-74) - part2=$(echo "$signed" | cut -c 75-) - elif [[ "${signed:4:4}" == "022f" ]]; then #sha384 which needs padding - info "Padding sha384" - R=$(echo -n 00;echo "$signed" | cut -c 9-102) - part2=$(echo "$signed" | cut -c 103-) - elif [[ "${signed:4:4}" == "0230" ]]; then #sha384 - R=$(echo "$signed" | cut -c 9-104) - part2=$(echo "$signed" | cut -c 105-) - elif [[ "${signed:4:4}" == "0231" ]]; then #sha384 which needs trimming - R=$(echo "$signed" | cut -c 11-106) - part2=$(echo "$signed" | cut -c 107-) - elif [[ "${signed:6:4}" == "0240" ]]; then #sha512 which needs padding - R=$(echo -n 00;echo "$signed" | cut -c 9-138) - part2=$(echo "$signed" | cut -c 141-) - elif [[ "${signed:6:4}" == "0241" ]]; then 
#sha512 which needs padding
- R=$(echo -n 00;echo "$signed" | cut -c 11-140)
- part2=$(echo "$signed" | cut -c 141-)
- elif [[ "${signed:6:4}" == "0242" ]]; then #sha512
- R=$(echo "$signed" | cut -c 11-142)
- part2=$(echo "$signed" | cut -c 143-)
+ # ECDSA signature width
+ # e.g. 521 bits requires 66 bytes to express, a signature consists of 2 integers so 132 bytes
+ # https://crypto.stackexchange.com/questions/12299/ecc-key-size-and-signature-size/
+ if [ "$signalg" = "sha256" ]; then
+ w=64
+ elif [ "$signalg" = "sha384" ]; then
+ w=96
+ elif [ "$signalg" = "sha512" ]; then
+ w=132
 else
- error_exit "error in EC signing couldn't get R from $signed"
+ error_exit "Unknown signing algorithm $signalg"
 fi
+ asn1parse=$(printf '%s' "${str}" | openssl dgst -"$signalg" -sign "$key" | openssl asn1parse -inform DER)
+ #shellcheck disable=SC2086
+ R=$(echo $asn1parse | awk '{ print $13 }' | cut -c2-)
 debug "R $R"
-
- if [[ "${part2:0:4}" == "021f" ]]; then #sha256 with padding
- S=$(echo -n 00;echo "$part2" | cut -c 5-)
- elif [[ "${part2:0:4}" == "0220" ]]; then #sha256
- S=$(echo "$part2" | cut -c 5-68)
- elif [[ "${part2:0:4}" == "0221" ]]; then #sha256
- S=$(echo "$part2" | cut -c 7-70)
- elif [[ "${part2:0:4}" == "022f" ]]; then #sha384 with padding
- S=$(echo -n 00;echo "$part2" | cut -c 5-)
- elif [[ "${part2:0:4}" == "0230" ]]; then #sha384
- S=$(echo "$part2" | cut -c 5-100)
- elif [[ "${part2:0:4}" == "0231" ]]; then #sha384
- S=$(echo "$part2" | cut -c 7-102)
- elif [[ "${part2:0:4}" == "0240" ]]; then #sha512 with padding
- S=$(echo -n 00;echo "$part2" | cut -c 5-)
- elif [[ "${part2:0:4}" == "0241" ]]; then #sha512 with padding
- S=$(echo -n 00;echo "$part2" | cut -c 5-)
- elif [[ "${part2:0:4}" == "0242" ]]; then #sha512
- S=$(echo "$part2" | cut -c 5-)
- else
- error_exit "error in EC signing couldn't get S from $signed"
- fi
-
+ #shellcheck disable=SC2086
+ S=$(echo $asn1parse | awk '{ print $20 }' | cut -c2-)
 debug "S $S"
- signed64=$(printf '%s' 
"${R}${S}" | hex2bin | urlbase64 )
+
+ # pad R and S to the correct length for the signing algorithm
+ signed64=$(printf "%${w}s%${w}s" "${R}" "${S}" | tr ' ' '0' | hex2bin | urlbase64 )
 debug "encoded RS $signed64"
 fi
 }
@@ -1905,6 +1880,8 @@ usage() { # echos out the program usage
 write_domain_template() { # write out a template file for a domain.
 cat > "$1" <<- _EOF_domain_
+ # vim: filetype=sh
+ #
+ # This file is read second (and per domain if running with the -a option)
+ # and overwrites any settings from the first file
+ #
@@ -1973,6 +1950,8 @@ write_domain_template() { # write out a template file for a domain.
 write_getssl_template() { # write out the main template file
 cat > "$1" <<- _EOF_getssl_
+ # vim: filetype=sh
+ #
+ # This file is read first and is common to all domains
+ #
+ # Uncomment and modify any variables you need
@@ -2098,7 +2077,7 @@ get_os
 requires which
 requires openssl
 requires curl
-requires nslookup drill dig host DNS_CHECK_FUNC
+requires dig nslookup drill host DNS_CHECK_FUNC
 requires awk
 requires tr
 requires date
diff --git a/test/1-simple-http01.bats b/test/1-simple-http01.bats
index 4c55304..fd96a8a 100644
--- a/test/1-simple-http01.bats
+++ b/test/1-simple-http01.bats
@@ -12,6 +12,9 @@ setup() {
 @test "Create new certificate using HTTP-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01.cfg"
 setup_environment
 init_getssl
@@ -24,7 +27,9 @@ setup() {
 @test "Force renewal of certificate using HTTP-01" {
- #!FIXME test certificate has been updated
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
diff --git a/test/2-simple-dns01-dig.bats b/test/2-simple-dns01-dig.bats
new file mode 100644
index 0000000..cbac598
--- /dev/null
+++ b/test/2-simple-dns01-dig.bats
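Review bot: The four-line `if [ -n "$STAGING" ]; then skip "Using staging server, skipping internal test"; fi` guard is pasted verbatim into both `@test` bodies here and again in test/3-dual-rsa-ecdsa.bats, test/4-more-than-10-hosts.bats, test/5-secp384-http01.bats and test/6-dual-rsa-ecdsa-copy-2-locations.bats, with its inverse in the duckdns files; a helper in test_helper.bash, `skip_if_staging() { [ -n "$STAGING" ] && skip "Using staging server, skipping internal test"; return 0; }`, keeps the message consistent and makes the next change a single edit (bats' `skip` can be called from a sourced function, as it exits the test itself). The removed `#!FIXME test certificate has been updated` described a gap that still exists: the renewal test only asserts that `getssl -f` succeeded, not that the certificate on disk changed, so a fingerprint comparison before and after the `run` line would make the test meaningful.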
@@ -0,0 +1,42 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Create new certificate using DNS-01 verification (dig)" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
+ CONFIG_FILE="getssl-dns01.cfg"
+ setup_environment
+ init_getssl
+ create_certificate -d
+ assert_success
+ assert_output --partial "dig"
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' # don't fail for :error:badNonce
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+
+@test "Force renewal of certificate using DNS-01 (dig)" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+ run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
+ assert_success
+ assert_output --partial "dig"
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' # don't fail for :error:badNonce
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+ cleanup_environment
+}
diff --git a/test/2-simple-dns01-nslookup.bats b/test/2-simple-dns01-nslookup.bats
new file mode 100644
index 0000000..f92d817
--- /dev/null
+++ b/test/2-simple-dns01-nslookup.bats
@@ -0,0 +1,34 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ mv /usr/bin/dig /usr/bin/dig.getssl.bak
+}
+
+
+teardown() {
+ mv /usr/bin/dig.getssl.bak /usr/bin/dig
+}
+
+
+@test "Create new certificate using DNS-01 verification (nslookup)" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
+
+ CONFIG_FILE="getssl-dns01.cfg"
+ setup_environment
+ init_getssl
+ create_certificate -d
+ assert_success
+ assert_output --partial "nslookup"
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]' # don't fail for :error:badNonce
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
diff --git a/test/3-dual-rsa-ecdsa.bats b/test/3-dual-rsa-ecdsa.bats
index 2dc9257..7820a96 100644
--- a/test/3-dual-rsa-ecdsa.bats
+++ b/test/3-dual-rsa-ecdsa.bats
@@ -12,6 +12,9 @@ setup() {
 @test "Create dual certificates using HTTP-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
 setup_environment
 init_getssl
@@ -21,12 +24,17 @@ setup() {
 @test "Force renewal of dual certificates using HTTP-01" {
- #!FIXME test certificate has been updated
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 }
 @test "Create dual certificates using DNS-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
 setup_environment
 init_getssl
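Review bot: `setup()` renames a system binary with `mv /usr/bin/dig /usr/bin/dig.getssl.bak` and `teardown()` moves it back; on an image where `dig` is not at that path (the new Dockerfile installs `dnsutils`, but that is not checked here) the `mv` fails and bats reports the test as an error rather than exercising the nslookup path, and if the run is interrupted between the two the container is left without `dig`. Wrap both moves in an existence check, `if [ -e /usr/bin/dig ]; then mv /usr/bin/dig /usr/bin/dig.getssl.bak; fi` and `if [ -e /usr/bin/dig.getssl.bak ]; then mv /usr/bin/dig.getssl.bak /usr/bin/dig; fi`, so the skip-only and missing-binary cases stay clean. Unlike 2-simple-dns01-dig.bats, no test in this file calls `cleanup_environment`, so whatever `create_certificate` leaves behind carries into the next file — confirm that is intended or add the call.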
@@ -36,7 +44,9 @@ setup() {
 @test "Force renewal of dual certificates using DNS-01" {
- #!FIXME test certificate has been updated
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 cleanup_environment
diff --git a/test/4-more-than-10-hosts.bats b/test/4-more-than-10-hosts.bats
index ff61d52..5bdfc2a 100644
--- a/test/4-more-than-10-hosts.bats
+++ b/test/4-more-than-10-hosts.bats
@@ -12,6 +12,9 @@ setup() {
 @test "Create certificates for more than 10 hosts using HTTP-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01-10-hosts.cfg"
 setup_environment
@@ -30,7 +33,9 @@ setup() {
 @test "Force renewal of more than 10 certificates using HTTP-01" {
- #!FIXME test certificate has been updated
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
diff --git a/test/5-secp384-http01.bats b/test/5-secp384-http01.bats
index 9010d58..29da2da 100644
--- a/test/5-secp384-http01.bats
+++ b/test/5-secp384-http01.bats
@@ -12,6 +12,9 @@ setup() {
 @test "Create new secp384r1 certificate using HTTP-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01-secp384.cfg"
 setup_environment
 init_getssl
@@ -21,12 +24,18 @@ setup() {
 @test "Force renewal of secp384r1 certificate using HTTP-01" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 }
 @test "Create new secp521r1 certificate using HTTP-01 verification" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01-secp521.cfg"
 setup_environment
 init_getssl
@@ -36,6 +45,9 @@ setup() {
 @test "Force renewal of secp521r1 certificate using HTTP-01" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 }
diff --git a/test/6-dual-rsa-ecdsa-copy-2-locations.bats b/test/6-dual-rsa-ecdsa-copy-2-locations.bats
index 4e64043..aae21bb 100644
--- a/test/6-dual-rsa-ecdsa-copy-2-locations.bats
+++ b/test/6-dual-rsa-ecdsa-copy-2-locations.bats
@@ -7,17 +7,24 @@ load '/getssl/test/test_helper.bash'
 # These are run for every test, not once per file
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
- curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ if [ -z "$STAGING" ]; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+ fi
 }
 teardown() {
- curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
+ if [ -z "$STAGING" ]; then
+ curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
+ fi
 }
 @test "Create dual certificates and copy RSA and ECDSA chain and key to two locations" {
+ if [ -n "$STAGING" ]; then
+ skip "Using staging server, skipping internal test"
+ fi
 CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
 setup_environment
 mkdir -p /root/a.${GETSSL_HOST}
diff --git a/test/2-simple-dns01.bats b/test/7-duckdns-dns01.bats
similarity index 50%
rename from test/2-simple-dns01.bats
rename to test/7-duckdns-dns01.bats
index 9d9f44b..e81b414 100644
--- a/test/2-simple-dns01.bats
+++ b/test/7-duckdns-dns01.bats
@@ -5,14 +5,20 @@ load '/bats-assert/load.bash'
 load '/getssl/test/test_helper.bash'
-# This is run for every test
+# These are run for every test, not once per file
 setup() {
- export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+ if [ -n "$STAGING" ]; then
+ export GETSSL_HOST=getssl.duckdns.org
+ fi
 }
-@test "Create new certificate using DNS-01 verification" {
- CONFIG_FILE="getssl-dns01.cfg"
+@test "Create new certificate using staging server and DuckDNS" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ CONFIG_FILE="getssl-duckdns01.cfg"
+
 setup_environment
 init_getssl
 create_certificate
@@ -22,13 +28,15 @@ setup() {
 refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
 }
-
-@test "Force renewal of certificate using DNS-01" {
- #!FIXME test certificate has been updated
+@test "Force renewal of certificate using staging server and DuckDNS" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
 run ${CODE_DIR}/getssl -f $GETSSL_HOST
 assert_success
 refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
 refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
 refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
 cleanup_environment
+ curl --silent -X POST -d '{"host":"getssl.duckdns.org", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/del-a
 }
diff --git a/test/8-duckdns-ecdsa.bats b/test/8-duckdns-ecdsa.bats
new file mode 100644
index 0000000..0950d96
--- /dev/null
+++ b/test/8-duckdns-ecdsa.bats
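Review bot: The renewal test keeps `refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'`, while the other staging-facing tests added in this commit (2-simple-dns01-dig.bats, 8-duckdns-ecdsa.bats) use `'[^:][Ee][Rr][Rr][Oo][Rr][^:]'` precisely so a `:error:badNonce` retry does not fail the run; against the real staging CA this is the test most likely to fail spuriously, so it should use the guarded pattern too. The new `curl --silent -X POST ... http://10.30.50.3:8055/del-a` line removes an A record from the internal challenge test server although this test only runs with STAGING set, when (going by the `if [ -z "$STAGING" ]` guards in 6-dual-rsa-ecdsa-copy-2-locations.bats) that server is not in play; if nothing adds the record in staging mode the call can go, and if `setup_environment` does, a comment saying so would help the next reader.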
@@ -0,0 +1,78 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# These are run for every test, not once per file
+setup() {
+ if [ -n "$STAGING" ]; then
+ export GETSSL_HOST=getssl.duckdns.org
+ fi
+}
+
+
+@test "Create new certificate using staging server and prime256v1" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ CONFIG_FILE="getssl-duckdns01.cfg"
+ GETSSL_HOST=getssl.duckdns.org
+
+ setup_environment
+ init_getssl
+ sed -e 's/rsa/prime256v1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+ run ${CODE_DIR}/getssl -d "$GETSSL_HOST"
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+
+@test "Force renewal of certificate using staging server and prime256v1" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+ cleanup_environment
+}
+
+
+@test "Create new certificate using staging server and secp384r1" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ CONFIG_FILE="getssl-duckdns01.cfg"
+ GETSSL_HOST=getssl.duckdns.org
+
+ setup_environment
+ init_getssl
+ sed -e 's/rsa/secp384r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+ run ${CODE_DIR}/getssl -d "$GETSSL_HOST"
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+}
+
+
+@test "Force renewal of certificate 
using staging server and secp384r1" {
+ if [ -z "$STAGING" ]; then
+ skip "Running internal tests, skipping external test"
+ fi
+ run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
+ assert_success
+ refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
+ refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
+ refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+ cleanup_environment
+}
+
+
+# Note letsencrypt doesn't support ECDSA curve P-521 as it's being deprecated
diff --git a/test/Dockerfile-ubuntu16 b/test/Dockerfile-ubuntu16
new file mode 100644
index 0000000..958bb6f
--- /dev/null
+++ b/test/Dockerfile-ubuntu16
@@ -0,0 +1,25 @@
+FROM ubuntu:xenial
+# xenial = 16
+
+# Note this image uses mawk
+
+# Update and install required software
+RUN apt-get update --fix-missing
+RUN apt-get install -y git curl dnsutils wget nginx-light
+
+WORKDIR /root
+RUN mkdir /etc/nginx/pki
+RUN mkdir /etc/nginx/pki/private
+COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/sites-enabled/default
+
+# Prevent "Can't load /root/.rnd into RNG" error from openssl
+# RUN touch /root/.rnd
+
+# BATS (Bash Automated Testings)
+RUN git clone https://github.com/bats-core/bats-core.git /bats-core
+RUN git clone https://github.com/jasonkarns/bats-support /bats-support
+RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN /bats-core/install.sh /usr/local
+
+# Run eternal loop - for testing
+CMD tail -f /dev/null
diff --git a/test/debug-test.sh b/test/debug-test.sh
index ab00666..890366b 100644
--- a/test/debug-test.sh
+++ b/test/debug-test.sh
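Review bot: `sed -e 's/rsa/prime256v1/g'` (and the `s/rsa/secp384r1/g` twin further down) rewrites every lowercase `rsa` in getssl-duckdns01.cfg; today that is only `ACCOUNT_KEY_TYPE` and `PRIVATE_KEY_ALG`, but any future comment, path or value containing the substring would be corrupted silently, so anchor the substitution to the keys, `sed -e 's/^ACCOUNT_KEY_TYPE="rsa"/ACCOUNT_KEY_TYPE="prime256v1"/' -e 's/^PRIVATE_KEY_ALG="rsa"/PRIVATE_KEY_ALG="prime256v1"/'`, which also avoids GNU-only sed syntax on the alpine and BSD-style images. `GETSSL_HOST=getssl.duckdns.org` is assigned again inside both "Create" tests after `setup()` has already exported it under the same STAGING condition — one of the two should go. The `sed ... > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"` line re-implements `create_certificate` apart from the substitution; passing the key type through an environment variable the cfg reads would let these tests use the shared helper.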
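Review bot: The three `RUN git clone https://github.com/...` lines fetch the test framework at whatever the default branch is when the image is built, so a rebuild can pick up a different bats-core, bats-support or bats-assert than the suite was written against and the other Dockerfiles presumably pin nothing either; clone a tag or check out a known commit, e.g. `RUN git clone --depth 1 --branch <release-tag> https://github.com/bats-core/bats-core.git /bats-core` (placeholder tag). `RUN apt-get update --fix-missing` and `RUN apt-get install -y ...` in separate layers let a cached update layer pair with a stale package index on later builds; fold them into one `RUN apt-get update && apt-get install -y ...`. The two `RUN mkdir` lines can be a single `RUN mkdir -p /etc/nginx/pki/private`.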
@@ -9,14 +9,20 @@ if [ $# -eq 2 ]; then
 shift
 fi
+#shellcheck disable=SC1091
+source /getssl/test/test_helper.bash
+
 CONFIG_FILE=$1
 if [ ! -e "$CONFIG_FILE" ]; then
 CONFIG_FILE=${CODE_DIR}/test/test-config/${CONFIG_FILE}
 fi
-source /getssl/test/test_helper.bash
 setup_environment 3>&1
-export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+
+# Only add the pebble CA to the cert bundle if using pebble
+if grep -q pebble "${CONFIG_FILE}"; then
+ export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+fi
 "${CODE_DIR}/getssl" -c "$GETSSL_HOST" 3>&1
 cp "${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
diff --git a/test/run-all-tests.cmd b/test/run-all-tests.cmd
index 16c6fd5..e887b6e 100644
--- a/test/run-all-tests.cmd
+++ b/test/run-all-tests.cmd
@@ -1,5 +1,15 @@
+echo %time%
 docker exec -it getssl-alpine bats /getssl/test
+echo %time%
 docker exec -it getssl-centos6 bats /getssl/test
+echo %time%
 docker exec -it getssl-debian bats /getssl/test
+echo %time%
 docker exec -it getssl-ubuntu bats /getssl/test
+echo %time%
 docker exec -it getssl-ubuntu18 bats /getssl/test
+echo %time%
+docker exec -it getssl-ubuntu16 bats /getssl/test
+echo %time%
+docker exec -it getssl-duckdns bats /getssl/test
+echo %time%
diff --git a/test/run-all-tests.sh b/test/run-all-tests.sh
index b526c63..6a0eb8a 100644
--- a/test/run-all-tests.sh
+++ b/test/run-all-tests.sh
@@ -5,3 +5,4 @@ docker exec -it getssl-centos6 bats /getssl/test
 docker exec -it getssl-debian bats /getssl/test
 docker exec -it getssl-ubuntu bats /getssl/test
 docker exec -it getssl-ubuntu18 bats /getssl/test
+docker exec -it getssl-duckdns bats /getssl/test
diff --git a/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg b/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg
index 042ed15..543c201 100644
--- a/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg
+++ b/test/test-config/getssl-dns01-dual-rsa-ecdsa.cfg
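Review bot: After the `CONFIG_FILE=${CODE_DIR}/test/test-config/${CONFIG_FILE}` fallback nothing checks that the file exists, so a mistyped argument now produces a `grep` error from the new `if grep -q pebble "${CONFIG_FILE}"; then` line and the script carries on into `setup_environment` and the final `cp` with a missing config; add `[ -e "$CONFIG_FILE" ] || { echo "config file not found: $CONFIG_FILE" >&2; exit 1; }` right after that `fi`. `grep -q pebble` also matches the word inside a comment, so a cfg that mentions pebble while pointing `CA=` at staging would wrongly get the pebble bundle — `grep -q '^CA=.*pebble' "${CONFIG_FILE}"` ties the decision to the line that matters. The argument handling this depends on sits above the hunk.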
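Review bot: run-all-tests.sh gains only the `getssl-duckdns` container while run-all-tests.cmd in the same commit adds both `getssl-ubuntu16` and `getssl-duckdns`, so the two runners no longer exercise the same image matrix; add `docker exec -it getssl-ubuntu16 bats /getssl/test` here as well, or leave a comment explaining why the Ubuntu 16 image is only run from the Windows script.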
@@ -7,6 +7,7 @@ CA="https://pebble:14000/dir"
 VALIDATE_VIA_DNS=true
 DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
 DUAL_RSA_ECDSA="true"
 ACCOUNT_KEY_TYPE="prime256v1"
diff --git a/test/test-config/getssl-dns01.cfg b/test/test-config/getssl-dns01.cfg
index 98637b0..7e26b98 100644
--- a/test/test-config/getssl-dns01.cfg
+++ b/test/test-config/getssl-dns01.cfg
@@ -7,6 +7,7 @@ CA="https://pebble:14000/dir"
 VALIDATE_VIA_DNS=true
 DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_challtestsrv"
 DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_challtestsrv"
+AUTH_DNS_SERVER=10.30.50.3
 # Additional domains - this could be multiple domains / subdomains in a comma separated list
 SANS=""
diff --git a/test/test-config/getssl-duckdns01.cfg b/test/test-config/getssl-duckdns01.cfg
new file mode 100644
index 0000000..10ac366
--- /dev/null
+++ b/test/test-config/getssl-duckdns01.cfg
@@ -0,0 +1,37 @@
+# Test that the script works with external dns provider and staging server
+#
+CA="https://acme-staging-v02.api.letsencrypt.org/directory"
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND="/getssl/dns_scripts/dns_add_duckdns"
+DNS_DEL_COMMAND="/getssl/dns_scripts/dns_del_duckdns"
+AUTH_DNS_SERVER=1.1.1.1
+CHECK_ALL_AUTH_DNS=false
+DNS_EXTRA_WAIT=30
+
+ACCOUNT_KEY_TYPE="rsa"
+PRIVATE_KEY_ALG="rsa"
+
+# Additional domains - this could be multiple domains / subdomains in a comma separated list
+SANS=""
+
+# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
+ACL=('/var/www/html/.well-known/acme-challenge')
+
+#Set USE_SINGLE_ACL="true" to use a single ACL for all checks
+USE_SINGLE_ACL="false"
+
+# Location for all your certs, these can either be on the server (full path name)
+# or using ssh /sftp as for the ACL
+DOMAIN_CERT_LOCATION="/etc/nginx/pki/server.crt"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key"
+CA_CERT_LOCATION="/etc/nginx/pki/chain.crt"
+DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
+DOMAIN_PEM_LOCATION="" # this is the domain_key, domain cert and CA cert
+
+# The command needed to reload apache / nginx or whatever you use
+RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-ssl ${NGINX_CONFIG} && /getssl/test/restart-nginx"
+
+# Define the server type and confirm correct certificate is installed (using a custom port)
+SERVER_TYPE="https"
+CHECK_REMOTE="true"
diff --git a/test/test_helper.bash b/test/test_helper.bash
index 554d60a..0d106fa 100644
--- a/test/test_helper.bash
+++ b/test/test_helper.bash
@@ -39,5 +39,6 @@ init_getssl() {
 create_certificate() { # Create certificate
 cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
- run ${CODE_DIR}/getssl "$GETSSL_HOST"
+ # shellcheck disable=SC2086
+ run ${CODE_DIR}/getssl $1 "$GETSSL_HOST"
 }
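Review bot: `AUTH_DNS_SERVER=1.1.1.1` names a public recursive resolver, whereas the same key in getssl-dns01.cfg points at the authoritative challenge test server; if getssl queries this host to confirm the TXT record is live before asking the CA, a recursive resolver can hand back a cached negative answer and the check passes late or fails until the TTL runs out — `DNS_EXTRA_WAIT=30` and `CHECK_ALL_AUTH_DNS=false` look like they exist to paper over exactly that. Either state in a comment that "any resolver" is the intent or point it at the DuckDNS nameservers. `RELOAD_CMD` expands `${NGINX_CONFIG}` when the cfg is sourced, so if that variable is not exported by the test harness the `cp` runs with no destination and fails with an unrelated message; `${NGINX_CONFIG:?NGINX_CONFIG must be set}` fails loudly at the right place.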
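Review bot: `run ${CODE_DIR}/getssl $1 "$GETSSL_HOST"` relies on the unquoted `$1` vanishing when `create_certificate` is called with no flag, which is why the `# shellcheck disable=SC2086` is needed; `run "${CODE_DIR}/getssl" "$@" "$GETSSL_HOST"` behaves identically with no argument, forwards any number of flags (`-d -f`), survives a flag containing whitespace, and needs no shellcheck exception. Quoting `${CODE_DIR}` on that line also brings the helper in line with the `"${CODE_DIR}/getssl"` form debug-test.sh already uses.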