Merge branch 'master' of github.com:srvrco/getssl

.editorconfig

@@ -7,3 +7,6 @@ end_of_line = lf
 insert_final_newline = true
 indent_style = space
 indent_size = 2
+
+[Makefile]
+indent_style = tab

.gitattributes

@@ -0,0 +1,11 @@
+# Files not to include in .zip/.tar.gz archives
+#
+.git*           export-ignore
+
+# Handle line endings automatically for files detected as text
+# and leave all files detected as binary untouched.
+* text=auto
+
+# Make all text files lf formatted
+*     text eol=lf
+

.github/workflows/run-tests-staging-duckdns.yml

@@ -0,0 +1,34 @@
+name: Run all tests using DuckDNS
+on:
+  push:
+    paths-ignore:
+      - '.github/workflows/*'
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  workflow_dispatch:
+    branches:
+      - master
+env:
+  DUCKDNS_TOKEN: ${{ secrets.DUCKDNS_TOKEN == '' && '1d616aa9-b8e4-4bb4-b312-3289de82badb' || secrets.DUCKDNS_TOKEN }}
+jobs:
+  test-centos7-duckdns:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Build the docker-compose stack
+        run: docker-compose up -d --build
+      - name: Run test suite on CentOS7 against Staging using DuckDNS
+        run: test/run-test.sh centos7-duckdns
+  test-ubuntu-duckdns:
+    runs-on: ubuntu-latest
+    if: always()
+    needs: test-centos7-duckdns
+    steps:
+      - uses: actions/checkout@v2
+      - name: Build the docker-compose stack
+        run: docker-compose up -d --build
+      - name: Run test suite on Ubuntu against Staging using DuckDNS
+        run: test/run-test.sh ubuntu-duckdns

.github/workflows/run-tests-staging-dynu.yml

@@ -0,0 +1,34 @@
+name: Run all tests using Dynu
+on:
+  push:
+    paths-ignore:
+      - '.github/workflows/*'
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+  workflow_dispatch:
+    branches:
+      - master
+env:
+  DYNU_API_KEY: ${{ secrets.DYNU_API_KEY == '' && '65cXefd35XbYf36546eg5dYcZT6X52Y2' || secrets.DYNU_API_KEY }}
+jobs:
+  test-centos7-dynu:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Build the docker-compose stack
+        run: docker-compose up -d --build
+      - name: Run test suite on CentOS7 against Staging using Dynu
+        run: test/run-test.sh centos7-dynu
+  test-ubuntu-dynu:
+    runs-on: ubuntu-latest
+    if: always()
+    needs: test-centos7-dynu
+    steps:
+      - uses: actions/checkout@v2
+      - name: Build the docker-compose stack
+        run: docker-compose up -d --build
+      - name: Run test suite on Ubuntu against Staging using Dynu
+        run: test/run-test.sh ubuntu-dynu

.github/workflows/shellcheck.yml

@@ -2,16 +2,21 @@ name: shellcheck
 
 on:
   push:
+    paths-ignore:
+      - '.github/workflows/*'
     branches: [ master ]
   pull_request:
     branches: [ master ]
+  workflow_dispatch:
+    branches:
+      - master
 
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v2
       - name: Lint check
-        uses: azohra/shell-linter@v0.2.0
+        uses: azohra/shell-linter@latest
         with:
           path: "getssl"

.github/workflows/stale2.yml

@@ -1,31 +1,16 @@
+name: 'Close stale issues and PRs'
 on:
   schedule:
-    - cron: "0 0 * * *"
-
-name: Run Stale Bot on Issue Comments
+    - cron: '45 2 * * *'
 
 jobs:
-  build:
-    name: stale
+  stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@master
-      - name: stale
-        uses: gatsbyjs/stale@master
+      - uses: actions/stale@v3
         with:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          DRY_RUN: true
-          DAYS_BEFORE_STALE: 60
-          DAYS_BEFORE_CLOSE: 30
-          STALE_ISSUE_LABEL: 'stale'
-          STALE_PR_LABEL: 'stale'
-          OPERATIONS_PER_RUN: 30
-          STALE_ISSUE_MESSAGE: 'This issue will be closed as no updates for 60 days'
-          CLOSE_MESSAGE: 'Closing stale issue after 90 days of inactivity'
-          EXEMPT_ISSUE_LABELS: |
-            bug
-            documentation
-            enhancement
-            feature
-            help wanted
-            rfc
+          stale-issue-message: 'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.'
+          days-before-stale: 60
+          days-before-close: 30
+          any-of-labels: 'needs more information'
+          debug-only: false

.gitignore

@@ -1,2 +1,9 @@
-.history/
-.venv/
+*~
+*#
+*.swp
+*.tmp
+*.bak
+*.tdy
+*.tar.gz
+*.orig
+JSON.sh

.travis.yml

@@ -1,17 +0,0 @@
-language: bash
-
-# Use container-based infrastructure for quicker build start-up
-sudo: false
-
-addons:
-  apt:
-    sources:
-    - debian-sid    # Grab shellcheck from the Debian repo (o_O)
-    packages:
-    - shellcheck
-
-script:
- - bash -c 'shopt -s globstar; shellcheck getssl'
-
-matrix:
-  fast_finish: true

Makefile

@@ -19,10 +19,9 @@ ifneq ($(strip $(DESTDIR)),)
 	mkdir -p $(DESTDIR)
 endif
 
-	install -Dm755 getssl $(DESTDIR)/usr/bin/getssl
-	
-	install -dm755 $(DESTDIR)/usr/share/getssl
-	cp -r *_scripts $(DESTDIR)/usr/share/getssl
+	install -Dvm755 getssl $(DESTDIR)/usr/bin/getssl
+	install -dvm755 $(DESTDIR)/usr/share/getssl
+	for dir in *_scripts; do install -dv $(DESTDIR)/usr/share/getssl/$$dir; install -pv $$dir/* $(DESTDIR)/usr/share/getssl/$$dir/; done
 
 .PHONY: install
 

README.md

@@ -1,9 +1,31 @@
+# getssl <!-- omit in toc -->
+
 ![Run all tests](https://github.com/srvrco/getssl/workflows/Run%20all%20tests/badge.svg) ![shellcheck](https://github.com/srvrco/getssl/workflows/shellcheck/badge.svg)
-# getssl
 
 Obtain SSL certificates from the letsencrypt.org ACME server. Suitable
 for automating the process on remote servers.
 
+## Table of Contents <!-- omit in toc -->
+- [Features](#features)
+- [Installation](#installation)
+- [Overview](#overview)
+- [Getting started](#getting-started)
+- [Detailed guide to getting started with more examples](#detailed-guide-to-getting-started-with-more-examples)
+- [Wildcard certificates](#wildcard-certificates)
+- [Automating updates](#automating-updates)
+- [Structure](#structure)
+- [Server-Types](#server-types)
+- [Revoke a certificate](#revoke-a-certificate)
+- [Elliptic curve keys](#elliptic-curve-keys)
+- [Preferred Chain](#preferred-chain)
+- [Include Root certificate in full chain](#include-root-certificate-in-full-chain)
+- [Issues / problems / help](#issues--problems--help)
+
+## Upgrade broken in v2.43
+
+The automatic upgrade in v2.43 is broken as the url is incorrect.  If you have this version installed you'll need to manually upgrade using:
+```curl --silent --user-agent getssl/manual https://raw.githubusercontent.com/srvrco/getssl/latest/getssl --output getssl```
+
 ## Features
 
 * **Bash** - It runs on virtually all unix machines, including BSD, most
@@ -33,7 +55,7 @@ for automating the process on remote servers.
   debug information is available.
 * **Reload services** - After a new certificate is obtained then the
   relevant services (e.g. apache/nginx/postfix) can be reloaded.
-* **ACME v1 and V2** - Supports both ACME versions 1 and 2
+* **ACME v1 and V2** - Supports both ACME versions 1 and 2 (note ACMEv1 is deprecated and clients will automatically use v2)
 
 ## Installation
 
@@ -41,7 +63,7 @@ Since the script is only one file, you can use the following command for
 a quick installation of GetSSL only:
 
 ```sh
-curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl
+curl --silent https://raw.githubusercontent.com/srvrco/getssl/latest/getssl > getssl ; chmod 700 getssl
 ```
 
 This will copy the getssl Bash script to the current location and change
@@ -71,25 +93,28 @@ desktop computer, or even a virtualbox) and add the checks, and
 certificates to a remote server ( providing you have a ssh with key,
 sftp or ftp access to the remote server).
 
-```getssl
-getssl ver. 2.02
+```getssl -h
+getssl ver. 2.36
 Obtain SSL certificates from the letsencrypt.org ACME server
 
-Usage: getssl [-h|--help] [-d|--debug] [-c|--create] [-f|--force] [-a|--all] [-q|--quiet] [-Q|--mute] [-u|--upgrade] [-k|--keep #] [-U|--nocheck] [-r|--revoke cert key] [-w working_dir] domain
+Usage: getssl [-h|--help] [-d|--debug] [-c|--create] [-f|--force] [-a|--all] [-q|--quiet] [-Q|--mute] [-u|--upgrade] [-X|--experimental tag] [-U|--nocheck] [-r|--revoke cert key] [-w working_dir] [--preferred-chain chain] domain   
 
 Options:
   -a, --all          Check all certificates
-  -d, --debug        Outputs debug information
+  -d, --debug        Output debug information
   -c, --create       Create default config files
   -f, --force        Force renewal of cert (overrides expiry checks)
   -h, --help         Display this help message and exit
+  -i, --install      Install certificates and reload service
   -q, --quiet        Quiet mode (only outputs on error, success of new cert, or getssl was upgraded)
-  -Q, --mute         Like -q, but mutes notification about successful upgrade
+  -Q, --mute         Like -q, but also mute notification about successful upgrade
   -r, --revoke   "cert" "key" [CA_server] Revoke a certificate (the cert and key are required)
-  -u, --upgrade      Upgrade getssl if a more recent version is available
-  -k, --keep     "#" Maximum amount of old getssl versions to keep when upgrading
+  -u, --upgrade      Upgrade getssl if a more recent version is available - can be used with or without domain(s)
+  -X  --experimental tag Allow upgrade to a specified version of getssl
   -U, --nocheck      Do not check if a more recent version is available
+  -v  --version      Display current version of getssl
   -w working_dir "Working directory"
+    --preferred-chain "chain" Use an alternate chain for the certificate
 ```
 
 ## Getting started
@@ -149,9 +174,39 @@ Change the server in your config file to get a fully valid certificate.
 dns. The certificate can be used (and checked with getssl) on alternate
 ports.
 
+## Detailed guide to getting started with more examples
+
+[Guide to getting a certificate for example.com and www.example.com](https://github.com/srvrco/getssl/wiki/Guide-to-getting-a-certificate-for-example.com-and-www.example.com)
+
+## Wildcard certificates
+
+`getssl` supports creating wildcard certificates, i.e. _*.example.com_ which allows a single certificate to be used for any domain under *example.com*, e.g. *www.example.com*, *mail.example.com*.  These must be validated using the dns-01 method.
+
+A *partial* example `getssl.cfg` file is:
+
+```sh
+VALIDATE_VIA_DNS=true
+export CPANEL_USERNAME=''
+export CPANEL_URL='https://www.cpanel.host:2083'
+export CPANEL_APITOKEN='1ABC2DEF3GHI4JKL5MNO6PQR7STU8VWX9YZA'
+DNS_ADD_COMMAND=/home/root/getssl/dns_scripts/dns_add_cpanel
+DNS_DEL_COMMAND=/home/root/getssl/dns_scripts/dns_del_cpanel
+```
+
+Create the wildcard certificate (need to use quotes to prevent globbing):
+
+```sh
+getssl "*.example.domain"
+```
+
+You can renew the certificate using `getssl -a` to renew all configured certificates.
+
+You can also specify additional domains in the `SANS` line, e.g. `SANS="www.test.example.com"`.
+This cannot contain any of the domains which would be covered by the wildcard certificate.
+
 ## Automating updates
 
-I use the following cron
+I use the following **cron** job
 
 ```cron
 23  5 * * * /root/scripts/getssl -u -a -q
@@ -174,12 +229,12 @@ command line).
 Within the **working directory** is a config file `getssl.cfg` which is a
 simple bash file containing variables, an example of which is:
 
-```getssl
+```sh
 # Uncomment and modify any variables you need
 # The staging server is best for testing (hence set as default)
-CA="https://acme-staging.api.letsencrypt.org"
+CA="https://acme-staging-v02.api.letsencrypt.org"
 # This server issues full certificates, however has rate limits
-#CA="https://acme-v01.api.letsencrypt.org"
+#CA="https://acme-v02.api.letsencrypt.org"
 
 AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf"
 
@@ -200,15 +255,15 @@ then, within the **working directory** there will be a folder for each
 certificate (based on its domain name). Within that folder will be a
 config file (again called `getssl.cfg`). An example of which is:
 
-```getssl
+```sh
 # Uncomment and modify any variables you need
 # see https://github.com/srvrco/getssl/wiki/Config-variables for details
 # see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs
 #
 # The staging server is best for testing
-#CA="https://acme-staging.api.letsencrypt.org"
+#CA="https://acme-staging-v02.api.letsencrypt.org"
 # This server issues full certificates, however has rate limits
-#CA="https://acme-v01.api.letsencrypt.org"
+#CA="https://acme-v02.api.letsencrypt.org"
 
 #AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
 
@@ -239,7 +294,9 @@ DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
 #DOMAIN_PEM_LOCATION="" this is the domain_key. domain cert and CA cert
 
 
-# The command needed to reload apache / nginx or whatever you use
+# The command needed to reload apache / nginx or whatever you use.
+# Several (ssh) commands may be given using a bash array:
+# RELOAD_CMD=('ssh:sshuserid@server5:systemctl reload httpd' 'logger getssl for server5 efficient.')
 RELOAD_CMD="service apache2 reload"
 
 # Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
@@ -270,12 +327,12 @@ Multiple locations can be defined for a file by separating the locations with a
 A typical config file for `example.com` and `www.example.com` on the
 same server would be:
 
-```getssl
+```sh
 # uncomment and modify any variables you need
 # The staging server is best for testing
-CA="https://acme-staging.api.letsencrypt.org"
+CA="https://acme-staging-v02.api.letsencrypt.org"
 # This server issues full certificates, however has rate limits
-#CA="https://acme-v01.api.letsencrypt.org"
+#CA="https://acme-v02.api.letsencrypt.org"
 
 # additional domains - this could be multiple domains / subdomains in a comma separated list
 SANS="www.example.com"
@@ -325,7 +382,7 @@ Usage: `getssl -r path/to/cert path/to/key [CA_server]`
 You need to specify both the certificate you want to revoke, and the
 account or private domain key which was used to sign / obtain the
 original certificate. The `CA_server` is an optional parameter and
-defaults to Let's Encrypt ("<https://acme-v01.api.letsencrypt.org>") as
+defaults to Let's Encrypt ("<https://acme-v02.api.letsencrypt.org>") as
 that is currently the only Certificate Authority using the ACME
 protocol.
 
@@ -337,6 +394,34 @@ key (different of course, don't use the same key for both). prime256v1
 secp521r1 (NIST P-521) is included in the code, but not currently
 supported by Let's Encrypt).
 
+## Preferred Chain
+
+If a CA offers multiple chains then it is possible to select which chain
+is used by using the `PREFERRED_CHAIN` variable in `getssl.cfg` or specifying
+ `--preferred-chain` in the call to `getssl`
+
+This uses wildcard matching so requesting "X1" returns the first certificate
+returned by the CA which contains the text "X1",  Note you may need to escape
+any characters which special characters, e.g.
+` PREFERRED_CHAIN="\(STAGING\) Doctored Durian Root CA X3"`
+
+* Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
+* Production options are: "ISRG Root X1" and "ISRG Root X2"
+
+## Include Root certificate in full chain
+
+Some servers, including those that use Java keystores, will not accept a server certificate if it cannot valid the full chain of signers.
+
+Specifically, Nutanix Prism (Element and Central) will not accept the `fullchain.crt` until the root CA's certificate has been appended to it manually.
+
+If your application requires the full chain, i.e. including the
+root certificate of the CA, then this can be included in the `fullchain.crt` file by
+adding the following line to `getssl.cfg`
+
+```sh
+FULL_CHAIN_INCLUDE_ROOT="true"
+```
+
 ## Issues / problems / help
 
 If you have any issues, please log them at <https://github.com/srvrco/getssl/issues>

dns_scripts/00GoDaddy-README.txt

@@ -0,0 +1,63 @@
+Using GoDaddy DNS for LetsEncrypt domain validation.
+
+Quick guide to setting up getssl for domain validation of
+GoDaddy DNS domains.
+
+There are two prerequisites to using getssl with GoDaddy DNS:
+
+1) Obtain an API access key from developer.godaddy.com
+   At first sign-up, you will be required to take a "test" key.
+   This is NOT what you need.  Accept it, then get a "Production"
+   key.  At this writing, there is no charge - but you must have
+   a GoDaddy customer account.
+
+   You must get the API key for the account which owns the domain
+   that you want to get certificates for.  If the domains that you
+   manage are owned by more than one account, get a key for each.
+
+   The access key consists of a "Key" and a "Secret".  You need
+   both.
+
+2) Obtain JSON.sh - https://github.com/dominictarr/JSON.sh
+
+With those in hand, the installation procedure is:
+
+1) Put JSON.sh in the getssl DNS scripts directory 
+   Default: /usr/share/getssl/dns_scripts
+
+2) Open your config file (the global file in ~/.getssl/getssl.cfg
+   or the per-account file in ~/.getssl/example.net/getssl.cfg
+
+3) Set the following options:
+   VALIDATE_VIA_DNS="true"
+   DNS_ADD_COMMAND="/usr/share/getssl/dns_scripts/dns_add_godaddy"
+   DNS_DEL_COMMAND="/usr/share/getssl/dns_scripts/dns_del_godaddy"
+   # The API key for your account/this domain
+   export GODADDY_KEY="..." GODADDY_SECRET="..."
+   # The base domain name(s) in which the challege records are stored
+   # E.g. if www.example.net is in the example.net zone:
+   export GODADDY_BASE="example.com example.net"
+
+ 4) Set any other options that you wish (per the standard
+   directions.)  Use the test CA to make sure that
+   everything is setup correctly.
+
+That's it.  getssl example.net will now validate with DNS.
+
+To trace record additions and removals, run getssl as
+GODADDY_TRACE=Y getssl example.net
+
+There are additional options, which are documented in the
+*godaddy" files and dns_godaddy -h.
+
+Copyright (C) 2017, 2018 Timothe Litt  litt at acm _dot org
+
+This sofware may be freely used providing this notice is included with
+all copies.  The name of the author may not be used to endorse
+any other product or derivative work.  No warranty is provided
+and the user assumes all responsibility for use of this software.
+
+Report any issues to https://github.com/tlhackque/getssl/issues.
+
+Enjoy.
+

dns_scripts/Azure-README.txt

@@ -0,0 +1,26 @@
+Using Azure for LetsEncrypt domain verification
+
+Guide for using Azure for LetsEncrypt domain verification.
+
+Prerequisites:
+- Azure CLI tools installed - see https://docs.microsoft.com/en-us/cli/azure/install-azure-cli
+- Logged in with azure-cli - i.e. azure login
+
+Ensure dns_add_azure and dns_del_azure scripts are called when the DNS is validated by modifying the .getssl.cfg:
+
+VALIDATE_VIA_DNS=true
+DNS_ADD_COMMAND=dns_scripts/dns_add_azure # n.b use valid path
+DNS_DEL_COMMAND=dns_scripts/dns_del_azure
+
+The dns_add_azure and dns_del_azure scripts assume that the following environment variables are added to the configuration file:
+
+- AZURE_RESOURCE_GROUP - the name of the resource group that contains the DNS zone 
+- AZURE_ZONE_ID - a comma-separated list of valid DNS zones. this allows the same certificate to be used across multiple top-level domains
+- AZURE_SUBSCRIPTION_ID - the name or ID of the subscription that AZURE_RESOURCE_GROUP is part of
+
+Each of these variables can be included in the .getssl.cfg, e.g:
+
+export AZURE_RESOURCE_GROUP=my-resource-group
+export AZURE_ZONE_ID=example.com,anotherdomain.com
+export AZURE_SUBSCRIPTION_ID=my-azure-subscriptin 
+

dns_scripts/Cloudflare-README.md

@@ -0,0 +1,52 @@
+## Using Cloudflare DNS for LetsEncrypt domain validation
+
+### Enabling the scripts
+
+Set the following options in `getssl.cfg` (either global or domain-specific):
+
+```
+VALIDATE_VIA_DNS="true"
+DNS_ADD_COMMAND="/usr/share/getssl/dns_scripts/dns_add_cloudflare"
+DNS_DEL_COMMAND="/usr/share/getssl/dns_scripts/dns_del_cloudflare"
+```
+
+### Authentication
+
+There are 2 methods of authenticating with Cloudflare:
+
+1. API Keys - Account level, all-purpose tokens
+2. API Tokens - Scoped and permissioned access to resources
+
+Both are configured from your profile in the [Cloudflare dashboard][1]
+
+[1]: https://dash.cloudflare.com/profile/api-tokens
+
+#### API Keys
+
+The **Zone ID** for the domain will be searched for programmatically.
+
+Set the following options in `getssl.cfg`:
+
+```
+export CF_EMAIL="..." # Cloudflare account email address
+export CF_KEY="..."   # Global API Key
+```
+
+#### API Tokens
+
+Cloudflare provides a template for creating an API Token with access to edit
+zone records.  Tokens must be created with at least '**DNS:Edit** permissions
+for the domain to add/delete records.
+
+The API requires higher privileges to be able to list zones, therefore this
+method also requires the **Zone ID** from the Overview tab in the Cloudflare
+Dashboard.
+
+Set the following options in the domain-specific `getssl.cfg`
+
+```
+export CF_API_TOKEN="..."
+export CF_ZONE_ID="..."
+```
+
+__Note__: API Keys will be used instead if also configured 

dns_scripts/DNS_IONOS.md

@@ -0,0 +1,9 @@
+# Do DNS-01 verification using IONOS DNS API
+
+The getting started guide explains how to obtain API Keys https://developer.hosting.ionos.de/docs/getstarted
+
+All API Documentation can be found here https://developer.hosting.ionos.de/docs/dns
+
+JSON processing in bash is ... hard. So I choose `jq` to do the heavylifting. Other authors choose python so if
+you think I did a bad decision feel free to implement this whith python/perl/ruby...
+

dns_scripts/dns_add_azure

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# Set the TXT DNS record with azure-cli
+fulldomain="${1}"
+token="${2}"
+
+if [[ -z "$AZURE_RESOURCE_GROUP" ]]; then
+  echo "AZURE_RESOURCE_GROUP is not set. Unable to set TXT records."
+  exit 2
+fi
+if [[ -z "$AZURE_ZONE_ID" ]]; then
+  echo "AZURE_ZONE_ID is not set. Unable to set TXT records."
+  exit 2
+fi
+if [[ -z "$AZURE_SUBSCRIPTION_ID" ]]; then 
+  echo "AZURE_SUBSCRIPTION_ID is not set. Unable to set TXT records."
+  exit 2
+fi
+
+# Determine which zone ID to use from AZURE_ZONE_IDs
+# Convert the comma-separated list of AZURE_ZONE_IDs into an array and loop
+IFS=',' read -ra zone_ids <<< "$AZURE_ZONE_ID"
+for item in "${zone_ids[@]}"; do 
+  # If the full domain ends with the current zone ID
+  [[ "$fulldomain" =~ .*"${item}"$ ]] && zone_id="$item"
+done
+
+if [ -z "$zone_id" ]; then 
+  echo "${fulldomain} does not match any of the zone IDs specified by ${AZURE_ZONE_ID[@]}"
+  exit 2
+fi
+
+az account set --subscription "$AZURE_SUBSCRIPTION_ID"
+# Determine the recordset by removing the zone_id from the full domain and prefixing
+# with _acme-challenge.
+recordset="_acme-challenge.${fulldomain/.$zone_id/}"
+# The fulldomain should not be included in the recordset. It is used for subdomains.
+# E.g. domain = *.sub.example.com the recordset is _acme-challenge.sub
+#      domain = example.com the record set is _acme-challenge
+[[ "$recordset" == "_acme-challenge.$fulldomain" ]] && recordset="_acme-challenge"
+az network dns record-set txt add-record -g "$AZURE_RESOURCE_GROUP" -z "$zone_id" -n "$recordset" -v "$token"

dns_scripts/dns_add_challtestsrv

@@ -4,4 +4,4 @@
 fulldomain="${1}"
 token="${2}"
 
-curl -X POST -d "{\"host\":\"_acme-challenge.${fulldomain}.\", \"value\": \"${token}\"}" http://10.30.50.3:8055/set-txt
+curl --silent -X POST -d "{\"host\":\"_acme-challenge.${fulldomain}.\", \"value\": \"${token}\"}" http://10.30.50.3:8055/set-txt

dns_scripts/dns_add_cloudflare

@@ -1,9 +1,11 @@
 #!/usr/bin/env bash
-# need to add your email address and API key to cloudflare below or set as env variables
+# either configure here or export environment variables in getssl.cfg
 email=${CF_EMAIL:-''}
 key=${CF_KEY:-''}
+api_token=${CF_API_TOKEN:-''}
+zone_id=${CF_ZONE_ID:-''}
 
-# This script adds a token to cloudflare DNS for the ACME challenge
+# This script adds a TXT record to cloudflare DNS for the ACME challenge
 # usage dns_add_cloudflare "domain name"  "token"
 # return codes are;
 # 0 - success
@@ -14,7 +16,11 @@ key=${CF_KEY:-''}
 fulldomain="${1}"
 token="${2}"
 API='https://api.cloudflare.com/client/v4/zones'
-curl_params=( -H "X-Auth-Email: $email" -H "X-Auth-Key: $key" -H 'Content-Type: application/json' )
+if [[ -z "$api_token" ]]; then
+  curl_params=( -H "X-Auth-Email: $email" -H "X-Auth-Key: $key" -H 'Content-Type: application/json' )
+else
+  curl_params=( -H "Authorization: Bearer $api_token" -H 'Content-Type: application/json' )
+fi
 
 # check initial parameters
 
@@ -28,84 +34,88 @@ if [[ -z "$token" ]]; then
   exit 1
 fi
 
-if [[ -z "$email" ]]; then
-  echo "CF_EMAIL (email) parameter not set"
-  exit 1
-fi
+if [[ -z "$api_token" ]]; then
+  if [[ -z "$email" ]]; then
+    echo "CF_EMAIL (email) parameter not set"
+    exit 1
+  fi
 
-if [[ -z "$key" ]]; then
-  echo "CF_KEY (key) parameter not set"
-  exit 1
+  if [[ -z "$key" ]]; then
+    echo "CF_KEY (key) parameter not set"
+    exit 1
+  fi
 fi
 
 
-# get a list of all domain names from cloudflare
-# If you have a lot, you may need add "&page=1&per_page=1000" and/or "&status=active"
-resp=$(curl --silent "${curl_params[@]}" -X GET "$API")
-re='"result":\[(([^][]*\[[^][]*])*[^][]*)]' # find result section
-if [[ "${resp// }" =~ $re ]]; then
-  resp="${BASH_REMATCH[1]}"
-fi
-
-# iterate through all sections to obtain a list of domains
-while [[ "$resp" ]]; do
-  re='[^}{]*\{(([^}{]*\{[^}{]*})*[^}{]*)}(.*)'
-  if [[ "$resp" =~ $re ]]; then
-    first="${BASH_REMATCH[1]}"
-    resp="${BASH_REMATCH[3]}"
+if [[ -z "$zone_id" ]]; then
+  # get a list of all domain names from cloudflare
+  # If you have a lot, you may need add "&page=1&per_page=1000" and/or "&status=active"
+  resp=$(curl --silent "${curl_params[@]}" -X GET "$API")
+  re='"result":\[(([^][]*\[[^][]*])*[^][]*)]' # find result section
+  if [[ "${resp// }" =~ $re ]]; then
+    resp="${BASH_REMATCH[1]}"
   fi
-  # remove subsections - leave only domain level
-  while [[ "$first" =~ (.*)[\[\{][^]\{\}[]*[\]\}](.*) ]]; do
-    first="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
-  done
-  re='"name":"([^"]*)"'
-  if [[ "$first" =~ $re ]]; then
-    domains=( "${domains[@]}" "${BASH_REMATCH[1]}" )
-  else
-    echo "Error getting domain name"
-    exit 2
-  fi
-  re='"id":"([^"]*)"'
-  if [[ "$first" =~ $re ]]; then
-    ids=( "${ids[@]}" "${BASH_REMATCH[1]}" )
-  else
-    echo "Error getting domain id"
-    exit 2
-  fi
-done
 
-# split required domain name into an array
-dnarray=(${fulldomain//./ })
-# get number of parts in required domain name
-NumParts=${#dnarray[@]}
-# build a test domain name, starting with the largest, and reduce it
-# until a match is found, set domain = first ( longest) match.
-domain=""
-i=1
-while [ $i -lt "$NumParts" ]; do
-  testdomain="${dnarray[i-1]}"
-  for ((j=i; j<NumParts; j++)); do
-    testdomain+=".${dnarray[j]}"
-  done
-  # loop through domains at cloudflare
-  for k in "${!domains[@]}"; do
-    # if match found, then set domain and domain_id
-    if [[ "$testdomain" == "${domains[k]}" ]]; then
-      domain="$testdomain"
-      domain_id=${ids[k]}
-      i="$NumParts"
+  # iterate through all sections to obtain a list of domains
+  while [[ "$resp" ]]; do
+    re='[^}{]*\{(([^}{]*\{[^}{]*})*[^}{]*)}(.*)'
+    if [[ "$resp" =~ $re ]]; then
+      first="${BASH_REMATCH[1]}"
+      resp="${BASH_REMATCH[3]}"
+    fi
+    # remove subsections - leave only domain level
+    while [[ "$first" =~ (.*)[\[\{][^]\{\}[]*[\]\}](.*) ]]; do
+      first="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+    done
+    re='"name":"([^"]*)"'
+    if [[ "$first" =~ $re ]]; then
+      domains=( "${domains[@]}" "${BASH_REMATCH[1]}" )
+    else
+      echo "Error getting domain name"
+      exit 2
     fi
+    re='"id":"([^"]*)"'
+    if [[ "$first" =~ $re ]]; then
+      ids=( "${ids[@]}" "${BASH_REMATCH[1]}" )
+    else
+      echo "Error getting domain id"
+      exit 2
+    fi
+  done
+
+  # split required domain name into an array
+  dnarray=(${fulldomain//./ })
+  # get number of parts in required domain name
+  NumParts=${#dnarray[@]}
+  # build a test domain name, starting with the largest, and reduce it
+  # until a match is found, set domain = first ( longest) match.
+  domain=""
+  i=1
+  while [ $i -lt "$NumParts" ]; do
+    testdomain="${dnarray[i-1]}"
+    for ((j=i; j<NumParts; j++)); do
+      testdomain+=".${dnarray[j]}"
+    done
+    # loop through domains at cloudflare
+    for k in "${!domains[@]}"; do
+      # if match found, then set domain and zone_id
+      if [[ "$testdomain" == "${domains[k]}" ]]; then
+        domain="$testdomain"
+        zone_id=${ids[k]}
+        i="$NumParts"
+      fi
+    done
+    ((i++))
   done
-  ((i++))
-done
 
-if [[ -z "$domain" ]]; then
-  echo 'domain name not found on your cloudflare account'
-  exit 3
+  if [[ -z "$domain" ]]; then
+    echo 'domain name not found on your cloudflare account'
+    exit 3
+  fi
 fi
 
 txt_record="_acme-challenge.${fulldomain%.$domain}"
-resp=$(curl --silent "${curl_params[@]}" -X POST "$API/$domain_id/dns_records" \
+resp=$(curl --silent "${curl_params[@]}" -X POST "$API/$zone_id/dns_records" \
   --data "{\"type\":\"TXT\",\"name\":\"${txt_record}\",\"content\":\"$token\",\"ttl\":300}")
 
 # if it failed (success:false) then give error message

dns_scripts/dns_add_cpanel

@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+# Need to add your email address and API key to cpanel below or set as env variables
+user=${CPANEL_USERNAME:-''}
+password=${CPANEL_PASSWORD:-''}
+url=${CPANEL_URL:-''} # e.g. https://www.cpanel-host.test:2083
+apitoken=${CPANEL_APITOKEN:-''}
+
+fulldomain="${1}"
+token="${2}"
+
+# Check initial parameters
+if [[ -z "$fulldomain" ]]; then
+    echo "DNS script requires full domain name as first parameter"
+    exit 1
+fi
+if [[ -z "$token" ]]; then
+    echo "DNS script requires challenge token as second parameter"
+    exit 1
+fi
+if [[ -z "$user" ]]; then
+    echo "CPANEL_USERNAME (username) parameter not set"
+    exit 1
+fi
+if [[ -z "$apitoken" ]] && [[ -z "$password" ]]; then
+    echo "Must set either CPANEL_APITOKEN or CPANEL_PASSWORD in dns script, environment variable or getssl.cfg"
+    exit 1
+fi
+if [[ -z "$url" ]]; then
+    echo "CPANEL_URL (url) parameter not set"
+    exit 1
+fi
+
+# Setup
+request_func="${url}/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit"
+if [[ -n $apitoken ]]; then
+  curl_params=( -H "Authorization: cpanel $user:$apitoken" )
+else
+  auth_string=$(echo -ne "$user:$password" | base64 --wrap 0)
+  curl_params=( -H "Authorization: Basic $auth_string" )
+fi
+
+# Check if domain is a CNAME
+res=$(dig CNAME "$fulldomain")
+domain=$(echo "$res"| awk '$4 ~ "CNAME" {print $5}' |sed 's/\.$//g')
+if [[ -n "$domain" ]]; then
+  name=".${fulldomain%.$domain}"
+else
+  domain=$fulldomain
+  name=""
+fi
+
+# Check to see if challenge dns entry already exists (update or delete?)
+request_params="&cpanel_jsonapi_func=fetchzone_records&domain=${domain}&type=TXT&name=_acme-challenge.${fulldomain}."
+resp=$(curl --silent "${curl_params[@]}" "$request_func$request_params")
+if [[ "$resp" = *\"error\":* ]]; then
+  echo -n "cpanel fetchzone records failed: "
+  echo "$resp" | awk -F"error" '{ print $2 }' | awk -F\" '{ print $3 }'
+  exit 1
+fi
+
+# If no existing record, create a new TXT record, otherwise edit the existing record
+if [[ "$resp" == *\"data\":[]* ]]; then
+  request_params="&cpanel_jsonapi_func=add_zone_record&domain=$domain&type=TXT&name=_acme-challenge$name&txtdata=$token"
+else
+  # shellcheck disable=SC2001
+  line=$(echo "$resp" | sed -e 's/.*line":\([0-9]*\),.*/\1/')
+  request_params="&cpanel_jsonapi_func=edit_zone_record&domain=$domain&type=TXT&name=_acme-challenge$name&txtdata=${token}&line=${line}"
+fi
+resp=$(curl --silent "${curl_params[@]}" "$request_func$request_params")
+
+if [[ "$resp" = *\"status\":0* ]]; then
+  echo -n "cpanel edit zone record failed: "
+  echo "$resp" | awk -F"statusmsg" '{ print $2 }' | awk -F\" '{ print $3 }'
+  exit 1
+fi

dns_scripts/dns_add_del_aliyun.sh

@@ -0,0 +1,185 @@
+#!/bin/bash
+#https://blog.aymar.cn
+#https://protocol.aymar.cn
+PROGNAME=${0##*/}
+VERSION="2021年3月22日 16:07:05"
+Ali_API="https://dns.aliyuncs.com/"
+_timestamp=$(date -u  +"%Y-%m-%dT%H%%3A%M%%3A%SZ")
+__debug="0"
+__delete="0"
+
+#Wildcard certificates
+#A partial example getssl.cfg file is:
+#VALIDATE_VIA_DNS=true
+#DNS_ADD_COMMAND=/root/.getssl/dns_add_del_aliyun.sh
+#DNS_DEL_COMMAND=/root/.getssl/dns_add_del_aliyun.sh
+
+# either configure KeyId & KeySecret here or export environment variables in getssl.cfg
+AccessKeyId=${ALI_KeyId:-''}
+AccessKeySecret=${ALI_KeySecret:-''}
+
+usage() { # print out the program usage
+  echo "Usage: $PROGNAME  [-a|--add <Domain Name> <RecordValue>]  [-d|--delete <Full.DomainName.com>] [-s|--search <Full.DomainName.com> ]  [-h|--help]  [-t|--type]  "\
+  "[-q|--quiet] [-c|--check] [-S|--status] [-l|--lock #] [-T|--ttl] [-u|--update] [-w|--weight] [-L|--Line]"
+}
+
+help_message() { # print out the help message
+  cat <<- _EOF_
+	$PROGNAME Version. $VERSION
+	$(usage)
+
+	Options:
+	  -a, --add          Add Domain Record    域名 ip (默认类型TXT）
+	  -d, --delete       Delete Domain Record 域名    (默认类型TXT）
+	  -s, --search       Search Domain Record 域名
+	  -t, --type         Record Type          类型（A、MX、CNAME、TXT、REDIRECT_URL、FORWORD_URL、NS、AAAA、SRV）
+	_EOF_
+}
+
+_arg_check(){
+  [ -z "$1" ] || _arg_count=$1
+  shift
+  [ ${#} -lt $_arg_count ] && help_message && exit 1 || (echo $2 | grep "^-") && help_message && exit 1
+  #If the number of arguments <$_ARG_COUNT print help and exit, and if the second argument begins with “-” print help and exit
+  return 0
+}
+
+#[ ${#} -lt 2 ] && help_message && exit 1     #Same as below
+#[ -z "$2" ] && help_message && exit 1        #Same as below
+_arg_check 2  $@
+
+_debug (){
+  if [ "$__debug" -eq 1 ]; then
+    echo -e "\033[1;31m # debug: $(date "+%m %d %T") | Func: ${FUNCNAME[@]} | Line:${BASH_LINENO[@]} \033[0m"  "\n $@ "  #"Current FUNCNAME ${FUNCNAME}  #$LINENO "  #"$(($RANDOM%10))"
+  fi
+  return 0
+}
+
+_requires() {
+  _cmds=''                                # Check if the commands exists
+  if [[ "$#" -gt 0 ]]; then
+    for i in "$@"; do
+      if eval type type >/dev/null 2>&1; then
+        eval type "$i" >/dev/null 2>&1
+      elif command >/dev/null 2>&1; then
+        command -v "$i" >/dev/null 2>&1
+      else
+        which "$i" >/dev/null 2>&1
+      fi
+      #[ "$?" -eq 0  ] &&   _debug "checking for $i exists = ok" || _cmds=$_cmds"$i: "
+      #shellcheck disable=SC2181
+      if [ "$?" -eq 0  ]; then
+        #_debug "checking for $i exists = ok"
+        continue
+      else
+        _cmds=$_cmds"$i: "
+      fi
+    done
+  else
+    echo  "Usage: _requires [command] "
+    return 1
+  fi
+  [ -n "$_cmds" ] && { echo -e "\033[1;31m $_cmds command not found \033[0m" && return 1 ;} || return 0
+}
+
+_requires openssl
+
+#shellcheck disable=SC2120
+_hex_dump() {  #ascii hex
+  local _str=''
+  [ $# -gt 0 ] &&  _str=$@ || read _str
+  local _str_len=${#_str}
+  local i=1
+  while [ "$i" -le "$_str_len" ]; do
+    local _str_c="$(printf "%s" "$_str" | cut -c "$i")"
+    printf " %02x" "'$_str_c"
+    i=$(($i + 1))
+  done
+  #printf "%s" " 0a"
+}
+
+_urlencode() {
+  local length="${#1}"
+  local i=''
+    for i in $(awk "BEGIN { for ( i=0; i<$length; i++ ) print i }")
+    do
+      #local _strc="$(printf "%s" "$1" | cut -c "$i")" #i=1; i<=$length; i++
+      local _strc="${1:$i:1}"
+      case $_strc in [a-zA-Z0-9.~_-]) printf "%s" "$_strc" ;; *) printf "%%%02X" "'$_strc" ;;
+      esac
+  done
+}
+
+_signature(){
+  signature=''
+  _hexkey=$(printf "%s" "$AccessKeySecret&" | _hex_dump |sed 's/ //g')
+  #signature=$(printf "%s" "GET&%2F&$(_urlencode "$query")" | openssl dgst -sha1 -hmac $(printf "%s" "$AccessKeySecret&" | _hex_dump |sed 's/ //g'| xxd -r -p ) -binary | openssl base64 -e)
+  signature=$(printf "%s" "GET&%2F&$(_urlencode "$query")" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$_hexkey" -binary | openssl base64 -e)
+  signature=$(_urlencode "$signature")
+}
+
+_query() {
+  [ -n "$__type" ] && { [[ "$_Action" = "AddDomainRecord" ]] && _Type="$__type" || { [ "$_Action" = "DescribeDomainRecords" ] && _TypeKeyWord="$__type"; } ; }
+  query=''
+  [ -n $AccessKeyId ]   && query=$query'AccessKeyId='$AccessKeyId
+                           query=$query'&Action='"$1"
+  [ -z $_DomainNames ]  || query=$query'&DomainName='$_DomainNames
+                           query=$query'&Format=json'
+  [ -z $_RR ]           || query=$query'&RR='$_RR
+  [ -z $_RRKeyWord ]    || query=$query'&RRKeyWord='$_RRKeyWord
+  [ -z $_RecordId ]     || query=$query'&RecordId='$_RecordId
+                           query=$query'&SignatureMethod=HMAC-SHA1'
+                           query=$query"&SignatureNonce=$(date +"%s%N")"
+                           query=$query'&SignatureVersion=1.0'
+                           query=$query'&Timestamp='$_timestamp
+  [ -z $_Type ]         || query=$query'&Type='$_Type
+  [ -z $_TypeKeyWord ]  || query=$query'&TypeKeyWord='$_TypeKeyWord
+  [ -z $_Value ]        || query=$query'&Value='$_Value
+  [ -z $_ValueKeyWord ] || query=$query'&ValueKeyWord='$_ValueKeyWord
+                           query=$query'&Version=2015-01-09'
+  #_debug "$query"
+  _signature
+  return 0
+}
+
+_Get_RecordIds(){
+  _Action="DescribeDomainRecords"
+  _query $_Action $_DomainNames
+  url="${Ali_API}?${query}&Signature=${signature}"
+  _debug $url
+  _RecordIds=$(curl -k -s $url | grep -Po  'RecordId[": "]+\K[^"]+') &&  __delete="1"            #RecordId requisite
+  _debug  $_RecordIds
+  return 0
+}
+
+__type='TXT'
+_DomainNames=$(printf "%s" $1| awk -F"." '{if(NF>=2){print $(NF-1)"."$NF}}')  #awk -F\. '{print $(NF-1) FS $NF}')     #requisite
+_RRKeyWord="_acme-challenge"
+
+_Get_RecordIds
+
+_RRKeyWord=''
+_TypeKeyWord=''
+_ValueKeyWord=''
+
+if [ "$__delete" = "1" ];then
+  _Action="DeleteDomainRecord"                                      #Action requisite
+  _DomainNames=''
+  for _RecordId in ${_RecordIds[@]}                                 #Delete multiple txt domain record
+  do
+    _debug "_RecordId" $_RecordId
+    _query  $_Action $_RecordId
+    url="${Ali_API}?${query}&Signature=${signature}"
+    _debug $url
+    curl -k -s $url && ( echo -e "\n\033[1;32m Aliyun DNS record _acme-challenge.$1 has been deleted  \033[0m")
+  done
+else
+  _Action="AddDomainRecord"                                 #requisite
+  _RR=$(printf "_acme-challenge.%s" $1| awk -F'.' '{if(NF>2){gsub("."$(NF-1)"."$NF,"");print}}')            #requisite
+  _Value=$2                                                 #requisite
+  _query  $_Action $_DomainNames
+  url="${Ali_API}?${query}&Signature=${signature}"
+  _debug $url
+  curl -k -s $url  &&   (echo -e "\n\033[1;32m Start Checking aliyun DNS record _acme-challenge.$1 \033[0m")
+  exit 0
+fi

dns_scripts/dns_add_duckdns

@@ -10,8 +10,17 @@ fi
 
 domain="$1"
 txtvalue="$2"
+i=1
+
+response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
+
+while [[ "${response}" == *"502 Bad Gateway"* ]] && [ $i -le 5 ]; do
+    echo "Retrying Bad Gateway response (attempt $i of 5)"
+    sleep 5
+    i=$((i+1))
+    response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
+done
 
-response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=${txtvalue}")
 if [ "$response" != "OK" ]; then
     echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
     echo "Response: $response"

dns_scripts/dns_add_dynu

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+# Need to add your API key below or set as env variable
+apikey=${DYNU_API_KEY:-''}
+
+# This script adds a token to dynu.com DNS for the ACME challenge
+# usage dns_add_dynu "domain name" "token"
+# return codes are;
+# 0 - success
+# 1 - error in input
+# 2 - error within internal processing
+# 3 - error in result ( domain not found in dynu.com etc)
+
+fulldomain="${1}"
+token="${2}"
+
+API='https://api.dynu.com/v2/dns'
+
+# Check initial parameters
+if [[ -z "$fulldomain" ]]; then
+  echo "DNS script requires full domain name as first parameter"
+  exit 1
+fi
+if [[ -z "$token" ]]; then
+  echo "DNS script requires challenge token as second parameter"
+  exit 1
+fi
+
+curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' )
+
+# Get domain id
+# curl -X GET https://api.dynu.com/v2/dns/getroot/ubuntu-getssl.freeddns.org
+resp=$(curl --silent "${curl_params[@]}" -X GET "$API/getroot/${fulldomain}")
+
+# Match domain id
+re="\"id\":([^,]*),\"domainName\":\"${fulldomain}\""
+if [[ "$resp" =~ $re ]]; then
+  domain_id="${BASH_REMATCH[1]}"
+fi
+
+if [[ -z "$domain_id" ]]; then
+  echo 'Domain name not found on your Dynu account'
+  exit 3
+fi
+
+# Check for existing _acme-challenge TXT record
+# curl -X GET "https://api.dynu.com/v2/dns/record/_acme-challenge.ubuntu-getssl.freeddns.org?recordType=TXT"
+resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT")
+re="\"id\":([^,]*)"
+if [[ "$resp" =~ $re ]]; then
+  record_id="${BASH_REMATCH[1]}"
+fi
+
+if [[ -z "$record_id" ]]; then
+  # Add new TXT challenge record
+  resp=$(curl --silent \
+    "${curl_params[@]}" \
+    -X POST "${API}/${domain_id}/record" \
+    --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"state\":\"true\",\"textData\":\"$token\"}")
+else
+  # Update existing record
+  # curl -X POST https://api.dynu.com/v2/dns/9329328/record/7082063 -d "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"state\":\"true\",\"textData\":\"Test2\"}"
+  resp=$(curl --silent \
+    "${curl_params[@]}" \
+    -X POST "${API}/${domain_id}/record/${record_id}" \
+    --data "{\"nodeName\":\"_acme-challenge\",\"recordType\":\"TXT\",\"state\":\"true\",\"textData\":\"$token\"}")
+fi
+
+# If adding record failed (exception:) then print error message
+if [[ "$resp" != *"\"statusCode\":200"* ]]; then
+  echo "Error: DNS challenge not added: unknown error - ${resp}"
+  exit 3
+fi

dns_scripts/dns_add_godaddy

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (2017) Timothe Litt  litt at acm _dot org
+# Copyright (C) 2017, 2018 Timothe Litt  litt at acm _dot org
 
 # Add token to GoDaddy dns using dns_godaddy
 
@@ -36,5 +36,6 @@ fi
 
 export GODADDY_KEY
 export GODADDY_SECRET
+export GODADDY_BASE
 
 $GODADDY_SCRIPT -q add "${fulldomain}" "_acme-challenge.${fulldomain}." "${token}"

dns_scripts/dns_add_ionos

@@ -0,0 +1,54 @@
+#!/usr/bin/bash
+#
+# Called as
+#
+#  eval "${DNS_ADD_COMMAND}" "${lower_d}" "${auth_key}"
+#
+
+# See https://developer.hosting.ionos.de/docs/getstarted how to generate
+# an API Key consisting of prefix and key
+#
+# see DNS API Doc here https://developer.hosting.ionos.de/docs/dns
+#
+
+API_KEY="X-API-Key: <prefix>.<key>"
+API_URL="https://api.hosting.ionos.com/dns/v1"
+
+# TODO: check $1,$2 not empty
+
+DNS_RR=$1
+DNS_SECRET=$2
+
+
+# get zone id:
+curl -s -X GET "$API_URL/zones" -H "accept: application/json" -H "Content-Type: application/json" -H "$API_KEY" \
+       	| jq -r 'map([.name, .id] | join (";")) | .[]' >/tmp/$$.zones
+
+ZONE=$DNS_RR
+
+do=true
+while $do; do
+  ZONE_ID=$(awk -F\; '/^'"$ZONE"';/{print $2}' </tmp/$$.zones)
+  if [  -z "$ZONE_ID" ]; then
+    ZONE=$(echo "$ZONE" | cut -d'.' -f2-)
+    # check that it has at minimum one '.'. This check is incomplete
+    # when dealing with .co.nz etc Zones
+    DOTS=$(echo "$ZONE" | awk -F. '{ print NF -1 }')
+    if [ $DOTS -le 0 ]; then
+      echo "No ZoneID found for $1"
+      echo "Zones found with API"
+      cat /tmp/$$.zones
+      rm -f /tmp/$$.zones
+      exit 1
+    fi
+  else
+    break
+    do=false  # Never reached
+  fi
+done
+
+
+# create record
+curl -X POST "$API_URL/zones/$ZONE_ID/records" -H "accept: application/json" -H "Content-Type: application/json" -H "$API_KEY" -d '[ { "name": "_acme-challenge.'$DNS_RR'", "type": "TXT", "content": "'$DNS_SECRET'", "ttl": 60, "prio": 100, "disabled": false } ]'
+
+rm -f /tmp/$$.zones

dns_scripts/dns_add_nsupdate

@@ -21,8 +21,9 @@ if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
   options="-k ${DNS_NSUPDATE_KEYFILE}"
 fi
 
+cmd=
 if [ -n "${DNS_SERVER}" ]; then
-        cmd+="server ${DNS_SERVER}\n"
+  cmd+="server ${DNS_SERVER}\n"
 fi
 
 cmd+="update add  ${DNS_ZONE:-"_acme-challenge.${fulldomain}."} 300 in TXT \"${token}\"\n"

dns_scripts/dns_add_ovh

@@ -5,9 +5,9 @@ challenge="$2"
 
 # Please, do not forget to ask for your credentials at https://eu.api.ovh.com/createToken/
 # permissions needed are /domain/zone/* in GET,POST,DELETE
-applicationKey="YourAK"
-applicationSecret="YourAS"
-consumerKey="YourCK"
+applicationKey=${OVH_APPLICATION_KEY:-''}
+applicationSecret=${OVH_APPLICATION_SECRET:-''}
+consumerKey=${OVH_CONSUMER_KEY:-''}
 
 topDomain=${domains[2]}
 subDomain=${domains[1]%%.}

dns_scripts/dns_del_azure

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+# Remove the TXT DNS record with azure-cli
+fulldomain="${1}"
+if [[ -z "$AZURE_RESOURCE_GROUP" ]]; then
+  echo "AZURE_RESOURCE_GROUP is not set. Unable to set TXT records."
+  exit 2
+fi
+if [[ -z "$AZURE_ZONE_ID" ]]; then
+  echo "AZURE_ZONE_ID is not set. Unable to set TXT records."
+  exit 2
+fi
+if [[ -z "$AZURE_SUBSCRIPTION_ID" ]]; then 
+  echo "AZURE_SUBSCRIPTION_ID is not set. Unable to set TXT records."
+  exit 2
+fi
+
+# Determine which zone ID to use from AZURE_ZONE_IDs
+# Convert the comma-separated list of AZURE_ZONE_IDs into an array and loop
+IFS=',' read -ra zone_ids <<< "$AZURE_ZONE_ID"
+for item in "${zone_ids[@]}"; do 
+  # If the full domain ends with the current zone ID
+  [[ "$fulldomain" =~ .*"${item}"$ ]] && zone_id="$item"
+done
+
+if [ -z "$zone_id" ]; then 
+  echo "${fulldomain} does not match any of the zone IDs specified by ${AZURE_ZONE_ID[@]}"
+  exit 2
+fi
+
+az account set --subscription "$AZURE_SUBSCRIPTION_ID"
+# Determine the recordset by removing the zone_id from the full domain and prefixing
+# with _acme-challenge.
+recordset="_acme-challenge.${fulldomain/.$zone_id/}"
+# The fulldomain should not be included in the recordset. It is used for subdomains.
+# E.g. domain = *.sub.example.com the recordset is _acme-challenge.sub
+#      domain = example.com the record set is _acme-challenge
+[[ "$recordset" == "_acme-challenge.$fulldomain" ]] && recordset="_acme-challenge"
+az network dns record-set txt delete --yes -g "$AZURE_RESOURCE_GROUP" -z "$zone_id" -n "$recordset"

dns_scripts/dns_del_cloudflare

@@ -1,9 +1,11 @@
 #!/usr/bin/env bash
-# need to add your email address and API key to cloudflare below or set as env variables
+# either configure here or export environment variables in getssl.cfg
 email=${CF_EMAIL:-''}
 key=${CF_KEY:-''}
+api_token=${CF_API_TOKEN:-''}
+zone_id=${CF_ZONE_ID:-''}
 
-# This script removes a token from cloudflare DNS for the ACME challenge
+# This script removes a TXT record from cloudflare DNS for the ACME challenge
 # usage dns_del_cloudflare "domain name"  "token (optional)"
 # if token is not specified, then all tokens are removed.
 # return codes are;
@@ -15,7 +17,11 @@ key=${CF_KEY:-''}
 fulldomain="${1}"
 token="${2}"
 API='https://api.cloudflare.com/client/v4/zones'
-curl_params=( -H "X-Auth-Email: $email" -H "X-Auth-Key: $key" -H 'Content-Type: application/json' )
+if [[ -z "$api_token" ]]; then
+  curl_params=( -H "X-Auth-Email: $email" -H "X-Auth-Key: $key" -H 'Content-Type: application/json' )
+else
+  curl_params=( -H "Authorization: Bearer $api_token" -H 'Content-Type: application/json' )
+fi
 
 # check initial parameters
 
@@ -24,83 +30,87 @@ if [[ -z "$fulldomain" ]]; then
   exit 1
 fi
 
-if [[ -z "$email" ]]; then
-  echo "CF_EMAIL (email) parameter not set"
-  exit 1
-fi
+if [[ -z "$api_token" ]]; then
+  if [[ -z "$email" ]]; then
+    echo "CF_EMAIL (email) parameter not set"
+    exit 1
+  fi
 
-if [[ -z "$key" ]]; then
-  echo "CF_KEY (key) parameter not set"
-  exit 1
+  if [[ -z "$key" ]]; then
+    echo "CF_KEY (key) parameter not set"
+    exit 1
+  fi
 fi
 
 
-# get a list of all domain names from cloudflare
-# If you have a lot, you may need add "&page=1&per_page=1000" and/or "&status=active"
-resp=$(curl --silent "${curl_params[@]}" -X GET "$API")
-re='"result":\[(([^][]*\[[^][]*])*[^][]*)]' # find result section
-if [[ "${resp// }" =~ $re ]]; then
-  resp="${BASH_REMATCH[1]}"
-fi
-
-# iterate through all sections to obtain a list of domains
-while [[ "$resp" ]]; do
-  re='[^}{]*\{(([^}{]*\{[^}{]*})*[^}{]*)}(.*)'
-  if [[ "$resp" =~ $re ]]; then
-    first="${BASH_REMATCH[1]}"
-    resp="${BASH_REMATCH[3]}"
-  fi
-  # remove subsections - leave only domain level
-  while [[ "$first" =~ (.*)[\[\{][^]\{\}[]*[\]\}](.*) ]]; do
-    first="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
-  done
-  re='"name":"([^"]*)"'
-  if [[ "$first" =~ $re ]]; then
-    domains=( "${domains[@]}" "${BASH_REMATCH[1]}" )
-  else
-    echo "Error getting domain name"
-    exit 2
+if [[ -z "$zone_id" ]]; then
+  # get a list of all domain names from cloudflare
+  # If you have a lot, you may need add "&page=1&per_page=1000" and/or "&status=active"
+  resp=$(curl --silent "${curl_params[@]}" -X GET "$API")
+  re='"result":\[(([^][]*\[[^][]*])*[^][]*)]' # find result section
+  if [[ "${resp// }" =~ $re ]]; then
+    resp="${BASH_REMATCH[1]}"
   fi
-  re='"id":"([^"]*)"'
-  if [[ "$first" =~ $re ]]; then
-    ids=( "${ids[@]}" "${BASH_REMATCH[1]}" )
-  else
-    echo "Error getting domain id"
-    exit 2
-  fi
-done
 
-# split required domain name into an array
-dnarray=(${fulldomain//./ })
-# get number of parts in required domain name
-NumParts=${#dnarray[@]}
-# build a test domain name, starting with the largest, and reduce it
-# until a match is found, set domain = first ( longest) match.
-domain=""
-i=1
-while [ $i -lt "$NumParts" ]; do
-  testdomain="${dnarray[i-1]}"
-  for ((j=i; j<NumParts; j++)); do
-    testdomain+=".${dnarray[j]}"
-  done
-  # loop through domains at cloudflare
-  for k in "${!domains[@]}"; do
-    # if match found, then set domain and domain_id
-    if [[ "$testdomain" == "${domains[k]}" ]]; then
-      domain="$testdomain"
-      domain_id=${ids[k]}
-      i="$NumParts"
+  # iterate through all sections to obtain a list of domains
+  while [[ "$resp" ]]; do
+    re='[^}{]*\{(([^}{]*\{[^}{]*})*[^}{]*)}(.*)'
+    if [[ "$resp" =~ $re ]]; then
+      first="${BASH_REMATCH[1]}"
+      resp="${BASH_REMATCH[3]}"
+    fi
+    # remove subsections - leave only domain level
+    while [[ "$first" =~ (.*)[\[\{][^]\{\}[]*[\]\}](.*) ]]; do
+      first="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
+    done
+    re='"name":"([^"]*)"'
+    if [[ "$first" =~ $re ]]; then
+      domains=( "${domains[@]}" "${BASH_REMATCH[1]}" )
+    else
+      echo "Error getting domain name"
+      exit 2
+    fi
+    re='"id":"([^"]*)"'
+    if [[ "$first" =~ $re ]]; then
+      ids=( "${ids[@]}" "${BASH_REMATCH[1]}" )
+    else
+      echo "Error getting domain id"
+      exit 2
     fi
   done
-  ((i++))
-done
 
-if [[ -z "$domain" ]]; then
-  echo 'domain name not found on your cloudflare account'
-  exit 3
+  # split required domain name into an array
+  dnarray=(${fulldomain//./ })
+  # get number of parts in required domain name
+  NumParts=${#dnarray[@]}
+  # build a test domain name, starting with the largest, and reduce it
+  # until a match is found, set domain = first ( longest) match.
+  domain=""
+  i=1
+  while [ $i -lt "$NumParts" ]; do
+    testdomain="${dnarray[i-1]}"
+    for ((j=i; j<NumParts; j++)); do
+      testdomain+=".${dnarray[j]}"
+    done
+    # loop through domains at cloudflare
+    for k in "${!domains[@]}"; do
+      # if match found, then set domain and zone_id
+      if [[ "$testdomain" == "${domains[k]}" ]]; then
+        domain="$testdomain"
+        zone_id=${ids[k]}
+        i="$NumParts"
+      fi
+    done
+    ((i++))
+  done
+
+  if [[ -z "$domain" ]]; then
+    echo 'domain name not found on your cloudflare account'
+    exit 3
+  fi
 fi
 
-curl_request="$API/$domain_id/dns_records?type=TXT&name=_acme-challenge.$fulldomain"
+curl_request="$API/$zone_id/dns_records?type=TXT&name=_acme-challenge.$fulldomain"
 if [[ ! -z "$token" ]]; then # if token specified, then use it
   curl_request+="&content=$token"
 fi
@@ -131,7 +141,7 @@ while [[ "$resp" ]]; do # iterate through records returned
     echo "Error: domain ID not found"
     exit 2
   fi
-  respd=$(curl --silent "${curl_params[@]}" -X DELETE "$API/$domain_id/dns_records/$id")
+  respd=$(curl --silent "${curl_params[@]}" -X DELETE "$API/$zone_id/dns_records/$id")
   if [[ "${respd// }" == *'"success":false'* ]]; then
     re='"message":"([^"]+)"'
     if [[ "$respd" =~ $re ]]; then

dns_scripts/dns_del_cpanel

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+# Need to add your email address and API key to cpanel below or set as env variables
+user=${CPANEL_USERNAME:-''}
+password=${CPANEL_PASSWORD:-''}
+url=${CPANEL_URL:-''} # e.g. https://www.cpanel-host.test:2083
+apitoken=${CPANEL_APITOKEN:-''}
+
+fulldomain="${1}"
+
+# Check initial parameters
+if [[ -z "$fulldomain" ]]; then
+    echo "DNS script requires full domain name as first parameter"
+    exit 1
+fi
+if [[ -z "$user" ]]; then
+    echo "CPANEL_USERNAME (username) parameter not set"
+    exit 1
+fi
+if [[ -z "$apitoken" ]] && [[ -z "$password" ]]; then
+    echo "Must set either CPANEL_APITOKEN or CPANEL_PASSWORD in dns script, environment variable or getssl.cfg"
+    exit 1
+fi
+if [[ -z "$url" ]]; then
+    echo "CPANEL_URL (url) parameter not set"
+    exit 1
+fi
+
+# Setup
+request_func="${url}/json-api/cpanel?cpanel_jsonapi_apiversion=2&cpanel_jsonapi_module=ZoneEdit"
+if [[ -n $apitoken ]]; then
+  curl_params=( -H "Authorization: cpanel $user:$apitoken" )
+else
+  auth_string=$(echo -ne "$user:$password" | base64 --wrap 0)
+  curl_params=( -H "Authorization: Basic $auth_string" )
+fi
+
+# Check if domain is a CNAME
+res=$(dig CNAME "$fulldomain")
+domain=$(echo "$res"| awk '$4 ~ "CNAME" {print $5}' |sed 's/\.$//g')
+if [[ -n "$domain" ]]; then
+  name=".${fulldomain%.$domain}"
+else
+  domain=$fulldomain
+  name=""
+fi
+
+# Find line number of existing record
+request_params="&cpanel_jsonapi_func=fetchzone_records&domain=${domain}&type=TXT&name=_acme-challenge.${fulldomain}."
+resp=$(curl --silent "${curl_params[@]}" "$request_func$request_params")
+if [[ "$resp" = *\"error\":* ]]; then
+  echo -n "cpanel fetchzone records failed: "
+  echo "$resp" | awk -F"error" '{ print $2 }' | awk -F\" '{ print $3 }'
+  exit 1
+fi
+
+# shellcheck disable=SC2001
+line=$(echo "$resp" | sed -e 's/.*line":\([0-9]*\),.*/\1/')
+if [[ "$line" != "" ]]; then
+  # Delete the challenge token
+  request_params="&cpanel_jsonapi_func=remove_zone_record&domain=$domain&type=TXT&name=_acme-challenge$name&line=$line"
+  resp=$(curl --silent "${curl_params[@]}" "$request_func$request_params")
+fi
+
+if [[ "$resp" = *\"status\":0* ]]; then
+  echo -n "cpanel remove zone record failed: "
+  echo "$resp" | awk -F"statusmsg" '{ print $2 }' | awk -F\" '{ print $3 }'
+  exit 1
+fi

dns_scripts/dns_del_duckdns

@@ -3,8 +3,17 @@
 # need to add your Token for duckdns below
 token=${DUCKDNS_TOKEN:-}
 domain="$1"
+i=1
+
+response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true")
+
+while [[ "${response}" == *"502 Bad Gateway"* ]] && [ $i -le 5 ]; do
+    echo "Retrying Bad Gateway response (attempt $i of 5)"
+    sleep 5
+    i=$((i+1))
+    response=$(curl --retry 5 --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true")
+done
 
-response=$(curl --silent "https://www.duckdns.org/update?domains=${domain}&token=${token}&txt=&clear=true")
 if [ "$response" != "OK" ]; then
     echo "Failed to update TXT record for ${domain} at duckdns.org (is the TOKEN valid?)"
     echo "$response"

dns_scripts/dns_del_dynu

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+# Need to add your API key below or set as env variable
+apikey=${DYNU_API_KEY:-''}
+
+# This script deletes the _acme-challenge TXT record from the dynu.com DNS entry for the domain
+# usage dns_del_dynu "domain name"
+# return codes are;
+# 0 - success
+# 1 - error in input
+# 2 - error within internal processing
+# 3 - error in result ( domain not found in dynu.com etc)
+
+# After deleting the TXT record from Dynu.com it takes over 30 minutes to add a new TXT record!
+# This doesn't happen when updating the TXT record, just for delete then add
+# As this is used for testing, changed the delete to a no-op.
+
+exit 0
+
+fulldomain="${1}"
+
+API='https://api.dynu.com/v2/dns'
+
+# Check initial parameters
+if [[ -z "$fulldomain" ]]; then
+  echo "DNS script requires full domain name as first parameter"
+  exit 1
+fi
+if [[ -z "$apikey" ]]; then
+  echo "DNS script requires apikey environment variable to be set"
+  exit 1
+fi
+
+curl_params=( -H "accept: application/json" -H "API-Key: $apikey" -H 'Content-Type: application/json' )
+
+# Get domain id
+# curl -X GET https://api.dynu.com/v2/dns/getroot/ubuntu-getssl.freeddns.org
+resp=$(curl --silent "${curl_params[@]}" -X GET "$API/getroot/${fulldomain}")
+
+# Match domain id
+re="\"id\":([^,]*),\"domainName\":\"${fulldomain}\""
+if [[ "$resp" =~ $re ]]; then
+  domain_id="${BASH_REMATCH[1]}"
+fi
+
+if [[ -z "$domain_id" ]]; then
+  echo 'Domain name not found on your Dynu account'
+  exit 3
+fi
+
+# Check for existing _acme-challenge TXT record
+# curl -X GET "https://api.dynu.com/v2/dns/record/_acme-challenge.ubuntu-getssl.freeddns.org?recordType=TXT"
+resp=$(curl --silent "${curl_params[@]}" -X GET "${API}/record/_acme-challenge.${fulldomain}?recordType=TXT")
+re="\"id\":([^,]*)"
+if [[ "$resp" =~ $re ]]; then
+  record_id="${BASH_REMATCH[1]}"
+fi
+
+if [[ -z "$record_id" ]]; then
+  echo "No _acme-challenge.${fulldomain} TXT record found"
+  exit 0
+fi
+
+resp=$(curl --silent \
+  "${curl_params[@]}" \
+  -X DELETE "${API}/${domain_id}/record/${record_id}")
+
+# If adding record failed (exception:) then print error message
+if [[ "$resp" != *"\"statusCode\":200"* ]]; then
+  echo "Error: DNS challenge not added: unknown error - ${resp}"
+  exit 3
+fi

dns_scripts/dns_del_godaddy

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-# Copyright (2017) Timothe Litt  litt at acm _dot org
+# Copyright (C) 2017,2018 Timothe Litt  litt at acm _dot org
 
 # Remove token from GoDaddy dns using dns_godaddy
 
@@ -24,7 +24,7 @@ token="$2"
 
 [ -z "$GODADDY_SCRIPT" ] && GODADDY_SCRIPT="/usr/share/getssl/dns_scripts/dns_godaddy"
 [[ "$GODADDY_SCRIPT" =~ ^~ ]] && \
-    eval 'GODADDY_SCRIPT=`readlink -nf ' "$GODADDY_SCRIPT" '`'
+    eval 'GODADDY_SCRIPT=`readlink -nf ' $GODADDY_SCRIPT '`'
 
 if ! [ -x "$GODADDY_SCRIPT" ]; then
     echo "$GODADDY_SCRIPT: not found.  Please install, softlink or set GODADDY_SCRIPT to its full path"
@@ -34,5 +34,6 @@ fi
 
 export GODADDY_KEY
 export GODADDY_SECRET
+export GODADDY_BASE
 
 $GODADDY_SCRIPT -q del "${fulldomain}" "_acme-challenge.${fulldomain}." "${token}"

dns_scripts/dns_del_ionos

@@ -0,0 +1,23 @@
+#!/usr/bin/bash
+#
+# Called as
+#
+# eval "${DNS_DEL_COMMAND}" "${lower_d}" "${auth_key}"
+#
+# See https://developer.hosting.ionos.de/docs/getstarted how to generate
+# an API Key consisting of prefix and key
+#
+# see DNS API Doc here https://developer.hosting.ionos.de/docs/dns
+#
+
+API_KEY="X-API-Key: <prefix>.<key>"
+API_URL="https://api.hosting.ionos.com/dns/v1"
+
+# get zone id:
+ZONE_ID=$(curl -s -X GET "$API_URL/zones" -H "accept: application/json" -H "Content-Type: application/json" -H "$API_KEY" | jq -r '.[].id')
+
+RECORD_ID=$(curl -s -X GET "$API_URL/zones/$ZONE_ID?recordName=_acme-challenge.$1&recordType=TXT" -H "$API_KEY" -H "Accept: application/json" | jq -r '.["records"][]["id"]')
+
+# delete record
+curl -X DELETE "$API_URL/zones/$ZONE_ID/records/$RECORD_ID" -H "accept: application/json" -H "Content-Type: application/json" -H "$API_KEY"
+

dns_scripts/dns_del_nsupdate

@@ -21,8 +21,9 @@ if [ -n "${DNS_NSUPDATE_KEYFILE}" ]; then
   options="-k ${DNS_NSUPDATE_KEYFILE}"
 fi
 
+cmd=
 if [ -n "${DNS_SERVER}" ]; then
-        cmd+="server ${DNS_SERVER}\n"
+  cmd+="server ${DNS_SERVER}\n"
 fi
 
 cmd+="update delete  ${DNS_ZONE:-"_acme-challenge.${fulldomain}."} 300 in TXT \"${token}\"\n"

dns_scripts/dns_del_ovh

@@ -5,9 +5,9 @@ domains=($(echo "$1"|sed -e 's/^\(\([a-zA-Z0-9.-]*\?\)\.\)*\([a-zA-Z0-9-]\+\.[a-
 
 # Please, do not forget to ask for your credentials at https://eu.api.ovh.com/createToken/
 # permissions needed are /domain/zone/* in GET,POST,DELETE
-applicationKey="YourAK"
-applicationSecret="YourAS"
-consumerKey="YourCK"
+applicationKey=${OVH_APPLICATION_KEY:-''}
+applicationSecret=${OVH_APPLICATION_SECRET:-''}
+consumerKey=${OVH_CONSUMER_KEY:-''}
 
 topDomain=${domains[2]}
 subDomain=${domains[1]%%.}

dns_scripts/dns_godaddy

@@ -1,8 +1,8 @@
 #!/bin/bash
 
-# Copyright (2017) Timothe Litt  litt at acm _dot org
+# Copyright (C) 2017,2018 Timothe Litt  litt at acm _dot org
 
-VERSION="1.0.1"
+VERSION="1.0.3"
 PROG="`basename $0`"
 
 # This script is used to update TXT records in GoDaddy DNS server
@@ -31,6 +31,7 @@ DEBUG="$GODADDY_DEBUG"
 
 while getopts 'dhj:k:s:t:qv' opt; do
     case $opt in
+        b) GODADDY_BASE="$OPTARG"                      ;;
         d) DEBUG="Y"                                   ;;
         j) JSON="$OPTARG"                              ;;
         k) GODADDY_KEY="$OPTARG"                       ;;
@@ -72,6 +73,9 @@ Arguments:
     For minimal trace output (to override -q), define GODADDY_TRACE="y".
 
 Options
+    -b    Domain name(s) in which challenge records are stored
+          E.g. often, www.example.net is stored in example.net.
+          Default from GODADDY_BASE
     -d    Provide debugging output - all requests and responses
     -h    This help.
     -j:   Location of JSON.sh Default `dirname $0`/JSON.sh, or
@@ -84,6 +88,7 @@ Options
     All output, except for this help text, is to stderr.
 
 Environment variables
+    GODADDY_BASE    Domain name(s) in which challenge records are stored
     GODADDY_JSON    location of the JSOH.sh script
     GODADDY_KEY     default API key
     GODADDY_SCRIPT  location of this script, default location of JSON.sh
@@ -92,7 +97,7 @@ Environment variables
     GODADDY_TFILE   appends protocol trace to file. Overrides -t
 
 BUGS
-    Due to a limitation of the gOdADDY API, deleting the last TXT record
+    Due to a limitation of the GoDaddy API, deleting the last TXT record
     would be too risky for my taste.  So in that case, I replace it with
     _dummy.record_.domain.  TXT "Ihis record is not used".  This record is
     not automatically deleted by this script, though it's perfectly OK to
@@ -207,9 +212,25 @@ if [ "$op" = "add" ]; then
 
     while [[ "$domain" =~ [^.]+\.[^.]+ ]]; do
 
-        url="$API/$domain/records/TXT/$name"
+        reqname="$name"
+        # The API doesn't trim the base domain from the name (it used to)
+        # If specified, remove any listed base.
+        if [ -n "$GODADDY_BASE" ]; then
+            for GDB in $GODADDY_BASE; do
+                gdb="`echo "$GDB" | sed -e's/\\.$//;s/\\./\\\\./g;'`"
+                gdb="^(.+)\\.$gdb\\.?$"
+                if [[ "$name" =~ $gdb ]]; then
+                    reqname="${BASH_REMATCH[1]}"
+                    break;
+                fi
+            done
+        else
+            eval 'reqname="$''{name%'"'.$domain.'}"'"'
+        fi
+
+        url="$API/$domain/records/TXT/$reqname"
 
-        request='{"data":"'$data'","ttl":'$ttl'}'
+        request='[{"data":"'$data'","ttl":'$ttl'}]'
         [ -n "$DEBUG" ] && cat >&2 <<EOF
 Add request to: $url
 --------
@@ -333,7 +354,7 @@ Old TXT RRSET:
 $current
 EOF
 
-# Remove the desired record.  The name must be relative.
+# Remove the desired record.  The name must be relative. Order varies.
 
 eval 'name="$''{name%'"'.$domain.'}"'"'
 
@@ -341,6 +362,10 @@ match="$(printf '"name":"%s","data":"%s","ttl":' "$name" "$data")"
 cmd="$(printf 'echo %s%s%s | grep -v %s%s%s' "'" "$current" "'" "'" "$match" "'")"
 eval 'new="$('"$cmd"')"'
 
+match="$(printf '"data":"%s","name":"%s","ttl":' "$data" "$name")"
+cmd="$(printf 'echo %s%s%s | grep -v %s%s%s' "'" "$current" "'" "'" "$match" "'")"
+eval 'new="$('"$cmd"')"'
+
 if [ "$new" = "$base" ]; then
     [ -n "$VERB" ] && echo "$domain: $name TXT \"$data\" does not exist" >&2
     exit 1 # Intent was to change DNS, so this is an error

dns_scripts/dns_route53.py

@@ -31,7 +31,7 @@ for zone in response['HostedZones']:
     if not zone['Config']['PrivateZone']:
         zone_list[zone['Name']] = zone['Id']
 
-for key in sorted(zone_list.iterkeys(), key=len, reverse=True):
+for key in sorted(zone_list.keys(), key=len, reverse=True):
     if ".{z}".format(z=key) in ".{z}.".format(z=fqdn):
        zone_id = zone_list[key]
 
@@ -70,7 +70,7 @@ if action == 'UPSERT':
         try:
             my_resolver = dns.resolver.Resolver(configure=False)
             my_resolver.nameservers = ['8.8.8.8', '8.8.4.4']
-            results = my_resolver.query(challenge_fqdn, 'TXT')
+            results = my_resolver.resolve(challenge_fqdn, 'TXT')
             data = str(results.response.answer[0][0]).strip('\"')
             if data == challenge:
                 print("found {f} entry".format(f=challenge_fqdn))

docker-compose.yml

@@ -7,6 +7,7 @@ services:
     environment:
       # with Go 1.13.x which defaults TLS 1.3 to on
       GODEBUG: "tls13=1"
+      PEBBLE_ALTERNATE_ROOTS: 2
     ports:
       - 14000:14000  # HTTPS ACME API
       - 15000:15000  # HTTPS Management API

other_scripts/cpanel_cert_upload

@@ -14,12 +14,12 @@ rawurlencode() {
   local pos c o
 
   for (( pos=0 ; pos<strlen ; pos++ )); do
-     c=${string:$pos:1}
-     case "$c" in
-        [-_.~a-zA-Z0-9] ) o="${c}" ;;
-        * )               printf -v o '%%%02x' "'$c"
-     esac
-     encoded+="${o}"
+    c=${string:$pos:1}
+    case "$c" in
+      [-_.~a-zA-Z0-9] ) o="${c}" ;;
+      * )               printf -v o '%%%02x' "'$c"
+    esac
+    encoded+="${o}"
   done
   echo "${encoded}"
 }

test/0-test-curl-error.bats

@@ -0,0 +1,29 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    #export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Run getssl without pebble certificates to check the error message" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    refute_line "getssl: unknown API version"
+    assert_failure
+}

test/1-simple-http01-dig.bats

@@ -0,0 +1,42 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -f /usr/bin/host ]; then
+        mv /usr/bin/host /usr/bin/host.getssl.bak
+    fi
+    if [ -f /usr/bin/nslookup ]; then
+        mv /usr/bin/nslookup /usr/bin/nslookup.getssl.bak
+    fi
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+    if [ -f /usr/bin/host.getssl.bak ]; then
+        mv /usr/bin/host.getssl.bak /usr/bin/host
+    fi
+    if [ -f /usr/bin/nslookup.getssl.bak ]; then
+        mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup
+    fi
+}
+
+
+@test "Create new certificate using HTTP-01 verification (dig)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}

test/1-simple-http01-nslookup.bats

@@ -0,0 +1,42 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -f /usr/bin/dig ]; then
+        mv /usr/bin/dig /usr/bin/dig.getssl.bak
+    fi
+    if [ -f /usr/bin/host ]; then
+        mv /usr/bin/host /usr/bin/host.getssl.bak
+    fi
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+    if [ -f /usr/bin/dig.getssl.bak ]; then
+        mv /usr/bin/dig.getssl.bak /usr/bin/dig
+    fi
+    if [ -f /usr/bin/host.getssl.bak ]; then
+        mv /usr/bin/host.getssl.bak /usr/bin/host
+    fi
+}
+
+
+@test "Create new certificate using HTTP-01 verification (nslookup)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}

test/1-simple-http01-two-acl.bats

@@ -0,0 +1,31 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Check that can install challenge token to multiple locations when using HTTP-01 verification" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01-two-acl.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    assert_output --partial "to /var/www/html/.well-known/acme-challenge"
+    assert_output --partial "to /var/webroot/html/.well-known/acme-challenge"
+    check_output_for_errors
+}

test/1-simple-http01.bats

@@ -6,12 +6,17 @@ load '/getssl/test/test_helper.bash'
 
 
 # This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
 setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
 }
 
 
-@test "Create new certificate using HTTP-01 verification" {
+@test "Create new certificate using HTTP-01 verification (any dns tool)" {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
@@ -20,20 +25,16 @@ setup() {
     init_getssl
     create_certificate
     assert_success
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    check_output_for_errors
 }
 
 
-@test "Force renewal of certificate using HTTP-01" {
+@test "Force renewal of certificate using HTTP-01 (any dns tool)" {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
     assert_success
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    check_output_for_errors
     cleanup_environment
 }

test/10-mixed-case.bats

@@ -0,0 +1,46 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+@test "Check that HTTP-01 verification works if the domain is not lowercase" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    CONFIG_FILE="getssl-http01.cfg"
+    GETSSL_CMD_HOST=$(echo $GETSSL_HOST | tr a-z A-Z)
+
+    setup_environment
+    init_getssl
+    create_certificate
+
+    assert_success
+    check_output_for_errors
+}
+
+@test "Check that DNS-01 verification works if the domain is not lowercase" {
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    GETSSL_CMD_HOST=$(echo $GETSSL_HOST | tr a-z A-Z)
+    setup_environment
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}

test/11-test--install.bats

@@ -0,0 +1,68 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+@test "Check that config files in /etc/getssl works" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+
+    # Fail if not running in docker and /etc/getssl already exists
+    refute [ -d /etc/getssl ]
+
+    # Create /etc/getssl/$DOMAIN
+    mkdir -p /etc/getssl/${GETSSL_CMD_HOST}
+
+    # Copy the config file to /etc/getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "/etc/getssl/${GETSSL_CMD_HOST}/getssl.cfg"
+    cp "${CODE_DIR}/test/test-config/getssl-etc-template.cfg" "/etc/getssl/getssl.cfg"
+
+    # Run getssl
+    run ${CODE_DIR}/getssl -U -d "$GETSSL_CMD_HOST"
+
+    assert_success
+    check_output_for_errors
+    assert_line --partial 'Verification completed, obtaining certificate.'
+    assert_line --partial 'Requesting certificate'
+    refute [ -d '$HOME/.getssl' ]
+}
+
+
+@test "Check that --install doesn't call the ACME server" {
+    # NOTE that this test depends on the previous test!
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    CONFIG_FILE="getssl-http01.cfg"
+
+    # Run getssl
+    run ${CODE_DIR}/getssl -U -d --install "$GETSSL_CMD_HOST"
+
+    assert_success
+    check_output_for_errors
+    refute_line --partial 'Verification completed, obtaining certificate.'
+    refute_line --partial 'Requesting certificate'
+    assert_line --partial 'copying domain certificate to'
+    assert_line --partial 'copying private key to'
+    assert_line --partial 'copying CA certificate to'
+
+    # Cleanup previous test
+    rm -rf /etc/getssl
+}

test/11-test-no-domain-storage.bats

@@ -0,0 +1,27 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+@test "Check that if domain storage isn't set getssl doesn't try to delete /tmp" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01-no-domain-storage.cfg"
+    setup_environment
+    mkdir ${INSTALL_DIR}/.getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/getssl.cfg"
+    run ${CODE_DIR}/getssl -U -d -a
+    assert_success
+    check_output_for_errors
+    assert_line --partial 'Not going to delete TEMP_DIR ///tmp as it appears to be /tmp'
+}

test/12-auto-upgrade-v1.bats

@@ -0,0 +1,85 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+
+@test "Check that auto upgrade to v2 doesn't change pebble url" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-upgrade-test-pebble.cfg"
+    setup_environment
+    mkdir ${INSTALL_DIR}/.getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/getssl.cfg"
+    run ${CODE_DIR}/getssl -U -d --check-config "$GETSSL_CMD_HOST"
+    assert_success
+    assert_line --partial 'Using certificate issuer: https://pebble:14000/dir'
+}
+
+
+@test "Check that auto upgrade to v2 doesn't change v2 staging url" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-upgrade-test-v2-staging.cfg"
+    setup_environment
+    mkdir ${INSTALL_DIR}/.getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/getssl.cfg"
+    run ${CODE_DIR}/getssl -U -d --check-config "$GETSSL_CMD_HOST"
+    assert_success
+    assert_line --partial 'Using certificate issuer: https://acme-staging-v02.api.letsencrypt.org/directory'
+}
+
+
+@test "Check that auto upgrade to v2 doesn't change v2 prod url" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-upgrade-test-v2-prod.cfg"
+    setup_environment
+    mkdir ${INSTALL_DIR}/.getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/getssl.cfg"
+    run ${CODE_DIR}/getssl -U -d --check-config "$GETSSL_CMD_HOST"
+    assert_success
+    assert_line --partial 'Using certificate issuer: https://acme-v02.api.letsencrypt.org/directory'
+}
+
+
+@test "Check that auto upgrade to v2 changes v1 staging to v2 staging url" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-upgrade-test-v1-staging.cfg"
+    setup_environment
+    mkdir ${INSTALL_DIR}/.getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/getssl.cfg"
+    run ${CODE_DIR}/getssl -U -d --check-config "$GETSSL_CMD_HOST"
+    assert_success
+    assert_line --partial 'Using certificate issuer: https://acme-staging-v02.api.letsencrypt.org/directory'
+}
+
+
+@test "Check that auto upgrade to v2 changes v1 prod to v2 prod url" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-upgrade-test-v1-prod.cfg"
+    setup_environment
+    mkdir ${INSTALL_DIR}/.getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/getssl.cfg"
+    run ${CODE_DIR}/getssl -U -d --check-config "$GETSSL_CMD_HOST"
+    assert_success
+    assert_line --partial 'Using certificate issuer: https://acme-v02.api.letsencrypt.org/directory'
+}

test/13-notify-valid.bats

@@ -0,0 +1,50 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Create certificate to check valid exit code" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check no-renewal needed exits with normal exit code" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    run ${CODE_DIR}/getssl -U -d $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check no-renewal needed returns 2 if requested" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    run ${CODE_DIR}/getssl -U -d --notify-valid $GETSSL_HOST
+    assert [ $status == 2 ]
+    check_output_for_errors
+    cleanup_environment
+}

test/14-test-revoke.bats

@@ -0,0 +1,49 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Create certificate to check revoke" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-http01.cfg"
+    fi
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check we can revoke a certificate" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-http01.cfg"
+    fi
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+    KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key
+
+    run ${CODE_DIR}/getssl -U -d --revoke $CERT $KEY $CA
+    assert_success
+    check_output_for_errors
+}

test/15-test-revoke-no-suffix.bats

@@ -0,0 +1,55 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Create certificate to check revoke (no suffix)" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-http01-no-suffix.cfg"
+    fi
+
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    setup_environment
+    init_getssl
+
+    echo 'CA="https://acme-staging-v02.api.letsencrypt.org"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check we can revoke a certificate (no suffix)" {
+    if [ -n "$STAGING" ]; then
+        CONFIG_FILE="getssl-dns01.cfg"
+    else
+        CONFIG_FILE="getssl-http01.cfg"
+    fi
+    echo 'CA="https://acme-staging-v02.api.letsencrypt.org"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+    KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key
+
+    run ${CODE_DIR}/getssl -U -d --revoke $CERT $KEY $CA
+    assert_success
+    check_output_for_errors
+}

test/16-test-bad-acl.bats

@@ -0,0 +1,28 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Test behaviour if ACL= line has a space" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01-bad-acl.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_failure
+}

test/17-test-spaces-in-sans-dns01.bats

@@ -0,0 +1,101 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+
+setup_file() {
+    # Add hosts to DNS (also need to be added as aliases in docker-compose.yml)
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        for prefix in a b c; do
+            curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+        done
+    fi
+}
+
+
+teardown_file() {
+    if [ -z "$STAGING" ]; then
+        for prefix in a b c; do
+            curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a
+        done
+    fi
+}
+
+
+@test "Test behaviour if SANS line is space separated instead of comma separated (dns01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-dns01-spaces-sans.cfg"
+    setup_environment
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Test renewal if SANS line is space separated instead of comma separated (dns01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+}
+
+
+@test "Test behaviour if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN (dns01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-dns01-spaces-sans-and-ignore-dir-domain.cfg"
+    setup_environment
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Test renewal if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN (dns01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+}
+
+
+@test "Test behaviour if SANS line is comma and space separated (dns01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-dns01-spaces-and-commas-sans.cfg"
+    setup_environment
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+}

test/17-test-spaces-in-sans-http01.bats

@@ -0,0 +1,101 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+
+setup_file() {
+    # Add hosts to DNS (also need to be added as aliases in docker-compose.yml)
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        for prefix in a b c; do
+            curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+        done
+    fi
+}
+
+
+teardown_file() {
+    if [ -z "$STAGING" ]; then
+        for prefix in a b c; do
+            curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a
+        done
+    fi
+}
+
+
+@test "Test behaviour if SANS line is space separated instead of comma separated (http01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01-spaces-sans.cfg"
+    setup_environment
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Test renewal if SANS line is space separated instead of comma separated (http01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+}
+
+
+@test "Test behaviour if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN (http01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01-spaces-sans-and-ignore-dir-domain.cfg"
+    setup_environment
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Test renewal if SANS line is space separated and IGNORE_DIRECTORY_DOMAIN (http01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+}
+
+
+@test "Test behaviour if SANS line is comma and space separated (http01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01-spaces-and-commas-sans.cfg"
+    setup_environment
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+}

test/18-retry-dns-add.bats

@@ -0,0 +1,42 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Check retry add dns command if dns isn't updated" {
+    if [ -n "$STAGING" ]; then
+        skip "Running internal tests, skipping external test"
+    fi
+
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+DNS_ADD_COMMAND="/getssl/test/dns_add_fail"
+
+# Speed up the test by reducing the number or retries and the wait between retries.
+DNS_WAIT=2
+DNS_WAIT_COUNT=11
+DNS_EXTRA_WAIT=0
+CHECK_ALL_AUTH_DNS="false"
+CHECK_PUBLIC_DNS_SERVER="false"
+DNS_WAIT_RETRY_ADD="true"
+EOF
+    create_certificate
+    assert_failure
+    assert_line --partial "Retrying adding DNS via command"
+}

test/19-test-add-to-sans.bats

@@ -0,0 +1,177 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+
+setup_file() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    fi
+}
+
+
+teardown_file() {
+    if [ -z "$STAGING" ]; then
+        curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+    fi
+}
+
+
+@test "Create certificate to check can add to SANS" {
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+    fi
+    CONFIG_FILE="getssl-dns01.cfg"
+    setup_environment
+    init_getssl
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check that if the SANS doesn't change, we don't re-create the certificate (single domain)" {
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+    fi
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    # As the SANS list didn't change, a new certificate isn't needed
+    refute_line --partial "does not match domains requested"
+    refute_line --partial "does not have the same domains as the config - re-create-csr"
+    refute_line --partial "certificate installed OK on server"
+    assert_line --partial 'certificate is valid for more than'
+
+    # Check that the SAN list in the certificate matches the expected value
+    SAN_IN_CERT=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
+    SAN_EXPECTED="DNS:${GETSSL_HOST}"
+    if [[ "$SAN_IN_CERT" != "$SAN_EXPECTED" ]]; then
+        echo "# SAN_IN_CERT=$SAN_IN_CERT"
+        echo "# SAN_EXPECTED=$SAN_EXPECTED"
+    fi
+    [ "${SAN_IN_CERT}" = "$SAN_EXPECTED" ]
+}
+
+
+@test "Check certificate is recreated if we add a new domain to SANS" {
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+    fi
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+SANS="a.${GETSSL_HOST}"
+EOF
+
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    # As the SANS list changed, a new certificate is needed
+    assert_line --partial "does not match domains requested"
+    assert_line --partial "does not have the same domains as the config - re-create-csr"
+    assert_line --partial "certificate installed OK on server"
+    refute_line --partial 'certificate is valid for more than'
+
+    # Check that the SAN list in the certificate matches the expected value
+    SAN_IN_CERT=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
+    SAN_EXPECTED="DNS:${GETSSL_HOST}, DNS:a.${GETSSL_HOST}"
+    if [[ "$SAN_IN_CERT" != "$SAN_EXPECTED" ]]; then
+        echo "# SAN_IN_CERT=$SAN_IN_CERT"
+        echo "# SAN_EXPECTED=$SAN_EXPECTED"
+    fi
+    [ "${SAN_IN_CERT}" = "$SAN_EXPECTED" ]
+}
+
+
+@test "Check that if the SANS doesn't change, we don't re-create the certificate (multiple domains)" {
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+    fi
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+SANS="a.${GETSSL_HOST}"
+EOF
+
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    # As the SANS list didn't change, a new certificate isn't needed
+    refute_line --partial "does not match domains requested"
+    refute_line --partial "does not have the same domains as the config - re-create-csr"
+    refute_line --partial "certificate installed OK on server"
+    assert_line --partial 'certificate is valid for more than'
+
+    # Check that the SAN list in the certificate matches the expected value
+    SAN_IN_CERT=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
+    SAN_EXPECTED="DNS:${GETSSL_HOST}, DNS:a.${GETSSL_HOST}"
+    if [[ "$SAN_IN_CERT" != "$SAN_EXPECTED" ]]; then
+        echo "# SAN_IN_CERT=$SAN_IN_CERT"
+        echo "# SAN_EXPECTED=$SAN_EXPECTED"
+    fi
+    [ "${SAN_IN_CERT}" = "$SAN_EXPECTED" ]
+}
+
+
+@test "Check that if the SANS doesn't change, we don't re-create the certificate (reordered domains)" {
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+    fi
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+IGNORE_DIRECTORY_DOMAIN="true"
+SANS="a.${GETSSL_HOST}, ${GETSSL_HOST}"
+EOF
+
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    # As the SANS list didn't change, a new certificate isn't needed
+    refute_line --partial "does not match domains requested"
+    refute_line --partial "does not have the same domains as the config - re-create-csr"
+    refute_line --partial "certificate installed OK on server"
+    assert_line --partial 'certificate is valid for more than'
+
+    # Check that the SAN list in the certificate matches the expected value
+    SAN_IN_CERT=$(openssl x509 -in "$CERT" -noout -text | grep "DNS:" | sed 's/^ *//g')
+    SAN_EXPECTED="DNS:${GETSSL_HOST}, DNS:a.${GETSSL_HOST}"
+    if [[ "$SAN_IN_CERT" != "$SAN_EXPECTED" ]]; then
+        echo "# SAN_IN_CERT=$SAN_IN_CERT"
+        echo "# SAN_EXPECTED=$SAN_EXPECTED"
+    fi
+    [ "${SAN_IN_CERT}" = "$SAN_EXPECTED" ]
+}

test/2-simple-dns01-dig.bats

@@ -5,38 +5,55 @@ load '/bats-assert/load.bash'
 load '/getssl/test/test_helper.bash'
 
 
-# This is run for every test
-setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+setup_file() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+    if [ -f /usr/bin/host ]; then
+        mv /usr/bin/host /usr/bin/host.getssl.bak
+    fi
+    if [ -f /usr/bin/nslookup ]; then
+        mv /usr/bin/nslookup /usr/bin/nslookup.getssl.bak
+    fi
 }
 
 
-@test "Create new certificate using DNS-01 verification (dig)" {
-    if [ -n "$STAGING" ]; then
-        skip "Using staging server, skipping internal test"
+teardown_file() {
+    if [ -f /usr/bin/host.getssl.bak ]; then
+        mv /usr/bin/host.getssl.bak /usr/bin/host
     fi
+    if [ -f /usr/bin/nslookup.getssl.bak ]; then
+        mv /usr/bin/nslookup.getssl.bak /usr/bin/nslookup
+    fi
+}
+
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
 
+
+@test "Create new certificate using DNS-01 verification (dig)" {
     CONFIG_FILE="getssl-dns01.cfg"
+
     setup_environment
     init_getssl
-    create_certificate -d
+    create_certificate
     assert_success
     assert_output --partial "dig"
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'  # don't fail for :error:badNonce
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    check_output_for_errors
 }
 
 
 @test "Force renewal of certificate using DNS-01 (dig)" {
-    if [ -n "$STAGING" ]; then
-        skip "Using staging server, skipping internal test"
-    fi
-    run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
     assert_success
     assert_output --partial "dig"
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'  # don't fail for :error:badNonce
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    check_output_for_errors
     cleanup_environment
 }

test/2-simple-dns01-nslookup.bats

@@ -7,28 +7,37 @@ load '/getssl/test/test_helper.bash'
 
 # This is run for every test
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
-    mv /usr/bin/dig /usr/bin/dig.getssl.bak
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+    if [ -f /usr/bin/dig ]; then
+        mv /usr/bin/dig /usr/bin/dig.getssl.bak
+    fi
+    if [ -f /usr/bin/host ]; then
+        mv /usr/bin/host /usr/bin/host.getssl.bak
+    fi
 }
 
 
 teardown() {
-    mv /usr/bin/dig.getssl.bak /usr/bin/dig
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+    if [ -f /usr/bin/dig.getssl.bak ]; then
+        mv /usr/bin/dig.getssl.bak /usr/bin/dig
+    fi
+    if [ -f /usr/bin/host.getssl.bak ]; then
+        mv /usr/bin/host.getssl.bak /usr/bin/host
+    fi
 }
 
 
 @test "Create new certificate using DNS-01 verification (nslookup)" {
-    if [ -n "$STAGING" ]; then
-        skip "Using staging server, skipping internal test"
-    fi
-
     CONFIG_FILE="getssl-dns01.cfg"
+
     setup_environment
     init_getssl
-    create_certificate -d
+    create_certificate
     assert_success
     assert_output --partial "nslookup"
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'  # don't fail for :error:badNonce
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    check_output_for_errors "debug"
 }

test/20-wildcard-simple.bats

@@ -0,0 +1,69 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Create wildcard certificate" {
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check CHECK_REMOTE works for wildcard certificates" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    run ${CODE_DIR}/getssl -U -d "*.$GETSSL_HOST"
+    assert_success
+    assert_line --partial "certificate is valid for more than"
+    check_output_for_errors
+}
+
+
+@test "Force renewal of wildcard certificate" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    run ${CODE_DIR}/getssl -U -d -f "*.$GETSSL_HOST"
+    assert_success
+    refute_line --partial "certificate is valid for more than"
+    check_output_for_errors
+}
+
+
+@test "Check renewal of near-expiration wildcard certificate" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    echo "RENEW_ALLOW=2000" >> "${INSTALL_DIR}/.getssl/*.${GETSSL_HOST}/getssl.cfg"
+
+    run ${CODE_DIR}/getssl -U -d "*.$GETSSL_HOST"
+    assert_success
+    refute_line --partial "certificate is valid for more than"
+    check_output_for_errors
+    cleanup_environment
+}

test/21-wildcard-dual-rsa.bats

@@ -0,0 +1,79 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Create secp384r1 wildcard certificate" {
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACCOUNT_KEY_TYPE="secp384r1"
+PRIVATE_KEY_ALG="secp384r1"
+EOF
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+    run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+    assert_line --partial "Public Key Algorithm: id-ecPublicKey"
+    cleanup_environment
+}
+
+
+@test "Create dual certificates using DNS-01 verification" {
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+EOF
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        echo 'RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    else
+        echo 'CHECK_REMOTE="false"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    fi
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+    check_certificates
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.ec.crt" ]
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" ]
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt" ]
+
+    run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+    assert_line --partial "Public Key Algorithm: rsaEncryption"
+
+    run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt"
+    assert_line --partial "Public Key Algorithm: id-ecPublicKey"
+
+    cleanup_environment
+}

test/22-wildcard-dual-rsa-ecdsa-copy-2-locations.bats

@@ -0,0 +1,66 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# These are run for every test, not once per file
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Create dual certificates (one wildcard) and copy RSA and ECDSA chain and key to two locations" {
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+    setup_environment
+    init_getssl
+
+    cat <<- 'EOF' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+DOMAIN_KEY_LOCATION="/etc/nginx/pki/private/server.key;/root/a.${GETSSL_HOST}/server.key"
+DOMAIN_CHAIN_LOCATION="/etc/nginx/pki/domain-chain.crt;/root/a.${GETSSL_HOST}/domain-chain.crt" # this is the domain cert and CA cert
+EOF
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        echo 'RELOAD_CMD="cp /getssl/test/test-config/nginx-ubuntu-dual-certs ${NGINX_CONFIG} && /getssl/test/restart-nginx"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    else
+        echo 'CHECK_REMOTE="false"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    fi
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    if [ "$OLD_NGINX" = "false" ]; then
+        assert_line --partial "rsa certificate installed OK on server"
+        assert_line --partial "prime256v1 certificate installed OK on server"
+    fi
+
+    # Check that the RSA chain and key have been copied to both locations
+    assert [ -e "/etc/nginx/pki/domain-chain.crt" ]
+    assert [ -e "/root/a.${GETSSL_HOST}/domain-chain.crt" ]
+    assert [ -e "/etc/nginx/pki/private/server.key" ]
+    assert [ -e "/root/a.${GETSSL_HOST}/server.key" ]
+
+    # Check that the ECDSA chain and key have been copied to both locations
+    assert [ -e "/etc/nginx/pki/domain-chain.ec.crt" ]
+    assert [ -e "/root/a.${GETSSL_HOST}/domain-chain.ec.crt" ]
+    assert [ -e "/etc/nginx/pki/private/server.ec.key" ]
+    assert [ -e "/root/a.${GETSSL_HOST}/server.ec.key" ]
+
+    cleanup_environment
+}

test/23-wildcard-check-globbing.bats

@@ -0,0 +1,51 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Check for globbing for wildcard domains" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+
+    init_getssl
+
+    # Create a directory in /root which looks like a domain so that if glob expansion is performed a certificate for the wrong domain will be created
+    mkdir -p "${INSTALL_DIR}/a.${GETSSL_HOST}"
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Force renewal of wildcard certificate" {
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+    fi
+
+    run ${CODE_DIR}/getssl -U -d -f "*.$GETSSL_HOST"
+    assert_success
+    refute_line --partial "certificate is valid for more than"
+    check_output_for_errors
+}

test/24-wildcard-sans.bats

@@ -0,0 +1,74 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+
+setup_file() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        curl --silent -X POST -d '{"host":"wild-'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    fi
+}
+
+
+teardown_file() {
+    if [ -z "$STAGING" ]; then
+        curl --silent -X POST -d '{"host":"wild-'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+    fi
+}
+
+
+@test "Check can create certificate for wildcard domain as arg and non-wildcard in SANS" {
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    # Staging server generates an error if try to create a certificate for *.domain and a.domain
+    # so create for *.wild-domain and a.domain instead
+    GETSSL_CMD_HOST="*.wild-${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+
+    echo 'SANS="${GETSSL_HOST}"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    if [ -n "$STAGING" ]; then
+        echo 'CHECK_REMOTE="false"' >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+    fi
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+    run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+    # verify certificate is for wildcard domain with non-wildcard domain in the Subject Alternative Name list
+    assert_output --regexp "Subject: CN[ ]?=[ ]?\*.wild-${GETSSL_HOST}"
+    assert_output --partial "DNS:${GETSSL_HOST}"
+}
+
+
+@test "Check can create certificate for non-wildcard domain as arg and wildcard in SANS" {
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    GETSSL_CMD_HOST="${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+
+    echo 'SANS="*.wild-${GETSSL_HOST}"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+    run openssl x509 -noout -text -in "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt"
+    # verify certificate is for non-wildcard domain with wildcard domain in the Subject Alternative Name list
+    assert_output --regexp "Subject: CN[ ]?=[ ]?${GETSSL_HOST}"
+    assert_output --partial "DNS:*.wild-${GETSSL_HOST}"
+}

test/25-wildcard-all.bats

@@ -0,0 +1,47 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Check can create certificate for wildcard domain using --all" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+    # Create .getssl directory and .getssl/*.{host} directory
+    init_getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/*.${GETSSL_HOST}/getssl.cfg"
+
+    # create another domain in the .getssl directory
+    run ${CODE_DIR}/getssl -U -d -c "a.${GETSSL_HOST}"
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/a.${GETSSL_HOST}/getssl.cfg"
+
+    # Create a directory in /root which looks like a domain so that if glob expansion is performed the wildcard certificate won't be created
+    mkdir -p "${INSTALL_DIR}/a.${GETSSL_HOST}"
+
+    run ${CODE_DIR}/getssl -U -d --all
+
+    assert_success
+    assert_line --partial "Certificate saved in /root/.getssl/*.${GETSSL_HOST}/*.${GETSSL_HOST}"
+    assert_line --partial "Certificate saved in /root/.getssl/a.${GETSSL_HOST}/a.${GETSSL_HOST}"
+    check_output_for_errors
+}

test/26-wildcard-revoke.bats

@@ -0,0 +1,46 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Create certificate to check wildcard revoke" {
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check we can revoke a wildcard certificate" {
+    CONFIG_FILE="getssl-dns01.cfg"
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+
+    CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+    KEY=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key
+
+    run ${CODE_DIR}/getssl -U -d --revoke $CERT $KEY $CA
+    assert_line --partial "certificate revoked"
+    assert_success
+    check_output_for_errors
+}

test/27-wildcard-existing-cert.bats

@@ -0,0 +1,50 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Check that new creating a new configuration files uses details from existing certificate" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    else
+        CONFIG_FILE="getssl-dns01.cfg"
+    fi
+
+    # Create and install certificate for wildcard + another domain
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+
+    echo 'SANS="a.${GETSSL_HOST}"' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    # Delete configuration
+    rm -r ${INSTALL_DIR}/.getssl
+
+    # Create configuration
+    run ${CODE_DIR}/getssl -U -d -c "${GETSSL_CMD_HOST}"
+
+    # Assert that the newly created configuration contains the additional domain in SANS
+    # if this fails then error in tests will be "grep failed" - this means SANS did not hold the expected value
+    # eg   SANS="a.centos7.getssl.test"
+    grep -q "SANS=\"a.${GETSSL_HOST}\"" ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg
+    assert_success
+}

test/28-wildcard-error-http01-validation.bats

@@ -0,0 +1,36 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Check that trying to create a wildcard certificate using http-01 validation shows an error message" {
+    if [ -n "$STAGING" ]; then
+        skip "Internal test, no need to test on staging server"
+    else
+        CONFIG_FILE="getssl-http01.cfg"
+    fi
+
+    # Try and create a wildcard certificate using http-01 validation
+    GETSSL_CMD_HOST="*.${GETSSL_HOST}"
+    setup_environment
+    init_getssl
+
+    create_certificate
+    assert_failure
+    assert_line --partial "cannot use http-01 validation for wildcard domains"
+}

test/29-check-mktemp-failure.bats

@@ -0,0 +1,52 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Check that getssl -c fails with an error message if mktemp fails" {
+    if [ -n "$STAGING" ]; then
+        skip "Internal test, no need to test on staging server"
+    else
+        CONFIG_FILE="getssl-http01.cfg"
+    fi
+
+    # set TMPDIR to an invalid directory and check for failure
+    export TMPDIR=/getssl.invalid.directory
+    setup_environment
+    run ${CODE_DIR}/getssl -U -d -c "$GETSSL_CMD_HOST"
+    assert_failure
+    assert_line --partial "mktemp failed"
+}
+
+
+@test "Check that getssl fails with an error message if mktemp fails" {
+    if [ -n "$STAGING" ]; then
+        skip "Internal test, no need to test on staging server"
+    else
+        CONFIG_FILE="getssl-http01.cfg"
+    fi
+
+    setup_environment
+    init_getssl
+
+    # set TMPDIR to an invalid directory and check for failure
+    export TMPDIR=/getssl.invalid.directory
+    create_certificate
+    assert_failure
+    assert_line --partial "mktemp failed"
+}

test/3-dual-rsa-ecdsa.bats

@@ -6,7 +6,12 @@ load '/getssl/test/test_helper.bash'
 
 
 # This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
 setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
 }
 
@@ -15,11 +20,39 @@ setup() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa.cfg"
+    else
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-old-nginx.cfg"
+    fi
+
     setup_environment
     init_getssl
     create_certificate
     assert_success
+    check_output_for_errors
+    check_certificates
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.ec.crt" ]
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" ]
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt" ]
+}
+
+
+@test "Check renewal test works for dual certificates using HTTP-01" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    check_nginx
+    run ${CODE_DIR}/getssl -U -d $GETSSL_HOST
+
+    if [ "$OLD_NGINX" = "false" ]; then
+        assert_line --partial "certificate on server is same as the local cert"
+    else
+        assert_line --partial "certificate is valid for more than 30 days"
+    fi
+    assert_success
 }
 
 
@@ -27,19 +60,33 @@ setup() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    run ${CODE_DIR}/getssl -U -f $GETSSL_HOST
     assert_success
+    check_output_for_errors
 }
 
+
 @test "Create dual certificates using DNS-01 verification" {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa.cfg"
+    else
+        CONFIG_FILE="getssl-dns01-dual-rsa-ecdsa-old-nginx.cfg"
+    fi
+
     setup_environment
     init_getssl
     create_certificate
     assert_success
+    check_output_for_errors
+    check_certificates
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.ec.crt" ]
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" ]
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt" ]
 }
 
 
@@ -47,7 +94,8 @@ setup() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    run ${CODE_DIR}/getssl -U -f $GETSSL_HOST
     assert_success
+    check_output_for_errors
     cleanup_environment
 }

test/30-handle-dig-failure.bats

@@ -0,0 +1,46 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -f /usr/bin/drill ]; then
+        mv /usr/bin/drill /usr/bin/drill.getssl.bak
+    fi
+    if [ -f /usr/bin/dig ]; then
+        chmod -x /usr/bin/dig
+    fi
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+    if [ -f /usr/bin/drill.getssl.bak ]; then
+        mv /usr/bin/drill.getssl.bak /usr/bin/drill
+    fi
+    if [ -f /usr/bin/dig ]; then
+        chmod +x /usr/bin/dig
+    fi
+}
+
+
+@test "Test that if dig exists but errors HAS_DIG is not set" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    if [ ! -f /usr/bin/dig ]; then
+        skip "dig not installed, skipping dig test"
+    fi
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    refute_line --partial "HAS DIG_OR_DRILL=dig"
+    check_output_for_errors
+}

test/31-test-posix-error.bats

@@ -0,0 +1,30 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+
+@test "Test that running in POSIX mode shows an error" {
+    # v2.31 uses read to create an array in the get_auth_dns function which causes a parse error in posix mode
+    # Could be re-written to not use this functionality if it causes for required.
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    run bash --posix "${CODE_DIR}/getssl" -U -d
+    assert_failure
+    assert_line --partial "getssl: Running with POSIX mode enabled is not supported"
+    check_output_for_errors
+}

test/32-test-upgrade.bats

@@ -0,0 +1,192 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+LIMIT_API="https://api.github.com/rate_limit"
+
+# Quota generally shouldn't be an issue - except for tests
+# Rate limits are per-IP address
+check_github_quota() {
+  local need remaining reset limits now
+  need="$1"
+  while true ; do
+    limits="$(curl ${_NOMETER:---silent} --user-agent "$CURL_USERAGENT" -H 'Accept: application/vnd.github.v3+json' "$LIMIT_API" | sed -e's/\("[^:]*": *\("[^""]*",\|[^,]*[,}]\)\)/\r\n\1/g' | sed -ne'/"core":/,/}/p')"
+    errcode=$?
+    if [[ $errcode -eq 60 ]]; then
+      error_exit "curl needs updating, your version does not support SNI (multiple SSL domains on a single IP)"
+    elif [[ $errcode -gt 0 ]]; then
+      error_exit "curl error checking releases: $errcode"
+    fi
+    limits="$(sed -e's/^ *//g' <<<"${limits}")"
+    remaining="$(sed -e'/^"remaining": *[0-9]/!d;s/^"remaining": *\([0-9][0-9]*\).*$/\1/' <<<"${limits}")"
+    reset="$(sed -e'/^"reset": *[0-9]/!d;s/^"reset": *\([0-9][0-9]*\).*$/\1/' <<<"${limits}")"
+    if [[ "$remaining" -ge "$need" ]] ; then return 0 ; fi
+    limit="$(sed -e'/^"limit": *[0-9]/!d;s/^"limit": *\([0-9][0-9]*\).*$/\1/' <<<"${limits}")"
+    if [[ "$limit" -lt "$need" ]] ; then
+      error_exit "GitHub API request $need exceeds limit $limit"
+    fi
+    now="$(date +%s)"
+    while [[ "$now" -lt "$reset" ]] ; do
+      info "sleeping $(( "$reset" - "$now" )) seconds for GitHub quota"
+      sleep "$(( "$reset" - "$now" ))"
+      now="$(date +%s)"
+   done
+  done
+}
+
+
+setup_file() {
+    if [ -f $BATS_RUN_TMPDIR/failed.skip ]; then
+        echo "# Skipping setup due to previous test failure" >&3
+        return 0
+    fi
+    local n
+    # Not every tag reflects a stable release.  Ask GitHub for the releases & identify the last two.
+    # This is sorted by creation date of the release tag, not the publication date.  This matches
+    # GitHub's releases/latest, which is how getssl determines what's available.
+    # This is expensive, so do it only once
+
+    . "${CODE_DIR}/getssl" -U --source
+    check_github_quota 7
+    export RELEASES="$(mktemp 2>/dev/null || mktemp -t getssl.XXXXXX)"
+    if [ -z "$RELEASES" ]; then
+        echo "# mktemp failed" >&3
+        return 1
+    fi
+    if ! curl ${_NOMETER:---silent} --user-agent "$CURL_USERAGENT" \
+        -H 'Accept: application/vnd.github.v3+json' "${RELEASE_API%/latest}" | \
+        jq 'map(select((.draft or .prerelease)|not))|sort_by(.created_at)|reverse' >"$RELEASES" ; then
+        errcode="$?"
+        echo "# Failed to download release information from ${RELEASE_API%/latest} $errcode" >&3
+        return "$errcode"
+    fi
+    n="$(jq '.|length' <$RELEASES)"
+    if [[ "$n" < 2 ]]; then
+        echo "# Fewer than 2 ($n) stable releases detected in ${RELEASE_API%/latest}, can not run upgrade tests" >&3
+        return 0
+    fi
+    CURRENT_TAG="$(jq -r '.[0].tag_name' <"$RELEASES")"
+    export CURRENT_TAG="${CURRENT_TAG:1}"
+    PREVIOUS_TAG="$(jq -r '.[1].tag_name' <"$RELEASES")"
+    export PREVIOUS_TAG="${PREVIOUS_TAG:1}"
+}
+
+teardown_file() {
+    [ -n "$RELEASES" ] && rm -f "$RELEASES"
+    true
+}
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    [ -z "$PREVIOUS_TAG" ] && skip "Skipping upgrade test because no previous release detected"
+
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+
+    # Turn off warning about detached head
+    git config --global advice.detachedHead false
+    if [[ -n "${GITHUB_REPOSITORY}" ]] ; then
+      _REPO="https://github.com/${GITHUB_REPOSITORY}.git"
+    else
+      _REPO="https://github.com/srvrco/getssl.git"
+    fi
+    run git clone "${_REPO}" "$INSTALL_DIR/upgrade-getssl"
+
+
+    cd "$INSTALL_DIR/upgrade-getssl"
+
+    # The version in the file, which we will overwrite
+    FILE_VERSION=$(awk -F'"' '/^VERSION=/{print $2}' "$CODE_DIR/getssl")
+    # If FILE_VERSION > CURRENT_TAG then either we are testing a push to master or the last version wasn't released
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+    [ -d "$INSTALL_DIR/upgrade-getssl" ] && rm -r "$INSTALL_DIR/upgrade-getssl"
+    true
+}
+
+
+@test "Test that we are told that a newer version is available" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    cd "$INSTALL_DIR/upgrade-getssl"
+    git checkout tags/v${PREVIOUS_TAG}
+
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
+
+    # Overwrite checked out getssl-script with copy of new one, but write the previous version into the copy
+    # Note that this way we mock downgrading getssl and are testing the upgrading of the version in development
+    cp "$CODE_DIR/getssl" "$INSTALL_DIR/upgrade-getssl/"
+    sed -i -e "s/VERSION=\"${FILE_VERSION}\"/VERSION=\"${PREVIOUS_TAG}\"/" "$INSTALL_DIR/upgrade-getssl/getssl"
+
+    run "$INSTALL_DIR/upgrade-getssl/getssl" -d --check-config ${GETSSL_CMD_HOST}
+    assert_success
+
+    # Check for current tag or file version otherwise push to master fails on a new version (or if the tag hasn't been updated)
+    assert_line --regexp "A more recent version \(v(${CURRENT_TAG}|${FILE_VERSION})\) than .* of getssl is available, please update"
+    # output can contain "error" in release description
+    check_output_for_errors
+}
+
+
+@test "Test that we can upgrade to the newer version" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    cd "$INSTALL_DIR/upgrade-getssl"
+    git checkout tags/v${CURRENT_TAG}
+
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
+
+    # Overwrite checked out getssl-script with copy of new one, but write the previous version into the copy
+    # Note that this way we mock downgrading getssl and are testing the upgrading of the version in development
+    cp "$CODE_DIR/getssl" "$INSTALL_DIR/upgrade-getssl/"
+    sed -i -e "s/VERSION=\"${FILE_VERSION}\"/VERSION=\"${PREVIOUS_TAG}\"/" "$INSTALL_DIR/upgrade-getssl/getssl"
+
+    run "$INSTALL_DIR/upgrade-getssl/getssl" -d --check-config --upgrade ${GETSSL_CMD_HOST}
+    assert_success
+
+    # Check for current tag or file version otherwise push to master fails on a new version (or if the tag hasn't been updated)
+    assert_line --regexp "Installed v(${CURRENT_TAG}|${FILE_VERSION}), restarting"
+    assert_line --partial "Configuration check successful"
+}
+
+
+@test "Test that we can upgrade to the newer version when invoking as \"bash ./getssl\"" {
+    # Note that `bash getssl` will fail if the CWD isn't in the PATH and an upgrade occurs
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    cd "$INSTALL_DIR/upgrade-getssl"
+    git checkout tags/v${PREVIOUS_TAG}
+
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl.cfg"
+
+    # Overwrite checked out getssl-script with copy of new one, but write the previous version into the copy
+    # Note that this way we mock downgrading getssl and are testing the upgrading of the version in development
+    cp "$CODE_DIR/getssl" "$INSTALL_DIR/upgrade-getssl/"
+    sed -i -e "s/VERSION=\"${FILE_VERSION}\"/VERSION=\"${PREVIOUS_TAG}\"/" "$INSTALL_DIR/upgrade-getssl/getssl"
+
+    run bash ./getssl -d --check-config --upgrade ${GETSSL_CMD_HOST}
+    assert_success
+
+    # Check for current tag or file version otherwise push to master fails on a new version (or if the tag hasn't been updated)
+    assert_line --regexp "Installed v(${CURRENT_TAG}|${FILE_VERSION}), restarting"
+}

test/33-ftp.bats

@@ -0,0 +1,73 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -n "${VSFTPD_CONF}" ]; then
+        cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
+
+        # enable passive and disable active mode
+        # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode
+        cat <<- _FTP >> $VSFTPD_CONF
+pasv_enable=NO
+_FTP
+
+        ${CODE_DIR}/test/restart-ftpd start
+    fi
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+    if [ -n "${VSFTPD_CONF}" ]; then
+        cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
+        ${CODE_DIR}/test/restart-ftpd stop
+    fi
+}
+
+
+@test "Use FTP to create challenge file" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then
+        mkdir -p /var/www/html/.well-known/acme-challenge
+    fi
+
+    # Always change ownership and permissions in case previous tests created the directories as root
+    chgrp -R www-data /var/www/html/.well-known
+    chmod -R g+w /var/www/html/.well-known
+
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+EOF
+
+    if [[ "$GETSSL_OS" = "alpine" ]]; then
+        cat <<- EOF2 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+FTP_OPTIONS="set ftp:passive-mode off"
+EOF2
+    elif [[ "$FTP_PASSIVE_DEFAULT" == "true" ]]; then
+        cat <<- EOF3 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+FTP_OPTIONS="passive"
+EOF3
+    fi
+
+    create_certificate
+    assert_success
+    assert_line --partial "ftp:ftpuser:ftpuser:"
+    if [[ "$GETSSL_OS" != "alpine" ]] && [[ "$FTP_PASSIVE_DEFAULT" == "true" ]]; then
+        assert_line --partial "Passive mode off"
+    fi
+    check_output_for_errors
+}

test/34-ftp-passive.bats

@@ -0,0 +1,73 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    if [ -n "${VSFTPD_CONF}" ]; then
+        cp $VSFTPD_CONF ${VSFTPD_CONF}.getssl
+
+        # enable passive and disable active mode
+        # https://www.pixelstech.net/article/1364817664-FTP-active-mode-and-passive-mode
+        cat <<- _FTP >> $VSFTPD_CONF
+pasv_enable=YES
+pasv_max_port=10100
+pasv_min_port=10090
+connect_from_port_20=NO
+_FTP
+
+        ${CODE_DIR}/test/restart-ftpd start
+    fi
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+    if [ -n "${VSFTPD_CONF}" ]; then
+        cp ${VSFTPD_CONF}.getssl $VSFTPD_CONF
+        ${CODE_DIR}/test/restart-ftpd stop
+    fi
+}
+
+
+@test "Use Passive FTP to create challenge file" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    if [[ ! -d /var/www/html/.well-known/acme-challenge ]]; then
+        mkdir -p /var/www/html/.well-known/acme-challenge
+    fi
+
+    # Always change ownership and permissions in case previous tests created the directories as root
+    chgrp -R www-data /var/www/html/.well-known
+    chmod -R g+w /var/www/html/.well-known
+
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+ACL="ftp:ftpuser:ftpuser:${GETSSL_CMD_HOST}:/var/www/html/.well-known/acme-challenge"
+EOF
+    if [[ "$FTP_PASSIVE_DEFAULT" == "false" ]]; then
+        cat <<- EOF3 >> ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+FTP_OPTIONS="passive"
+EOF3
+    fi
+
+    create_certificate
+    assert_success
+    assert_line --partial "ftp:ftpuser:ftpuser:"
+    if [[ "$FTP_PASSIVE_DEFAULT" == "false" ]]; then
+        assert_line --partial "Passive mode on"
+    else
+        refute_line --partial "Passive mode off"
+    fi
+    check_output_for_errors
+}

test/35-preferred-chain.bats

@@ -0,0 +1,116 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Use PREFERRED_CHAIN to select an alternate root" {
+    if [ -n "$STAGING" ]; then
+        PREFERRED_CHAIN="\(STAGING\) Pretend Pear X1"
+        CHECK_CHAIN="(STAGING) Pretend Pear X1"
+    else
+        PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | awk -F"CN *= *" '{ print $2 }')
+        PREFERRED_CHAIN="${PREFERRED_CHAIN# }" # remove leading whitespace
+        CHECK_CHAIN=$PREFERRED_CHAIN
+    fi
+
+    CONFIG_FILE="getssl-dns01.cfg"
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PREFERRED_CHAIN="${PREFERRED_CHAIN}"
+EOF
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | awk -F"CN=" '{ print $2 }')
+    # verify certificate is issued by preferred chain root
+    if [[ "${CHECK_CHAIN}" != "$issuer" ]]; then
+        echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+        echo "# issuer=$issuer"
+    fi
+
+    [ "${CHECK_CHAIN}" = "$issuer" ]
+}
+
+
+@test "Use PREFERRED_CHAIN to select the default root" {
+    if [ -n "$STAGING" ]; then
+        PREFERRED_CHAIN="\(STAGING\) Doctored Durian Root CA X3"
+        CHECK_CHAIN="(STAGING) Doctored Durian Root CA X3"
+    else
+        PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/0 | openssl x509 -text -noout | grep Issuer: | awk -F"CN *= *" '{ print $2 }')
+        PREFERRED_CHAIN="${PREFERRED_CHAIN# }" # remove leading whitespace
+        CHECK_CHAIN=$PREFERRED_CHAIN
+    fi
+
+    CONFIG_FILE="getssl-dns01.cfg"
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PREFERRED_CHAIN="${PREFERRED_CHAIN}"
+EOF
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | awk -F"CN=" '{ print $2 }')
+    # verify certificate is issued by preferred chain root
+    if [[ "${CHECK_CHAIN}" != "$issuer" ]]; then
+        echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+        echo "# issuer=$issuer"
+    fi
+    [ "${CHECK_CHAIN}" = "$issuer" ]
+}
+
+
+@test "Use PREFERRED_CHAIN to select an alternate root by suffix" {
+    if [ -n "$STAGING" ]; then
+        FULL_PREFERRED_CHAIN="(STAGING) Pretend Pear X1"
+    else
+        FULL_PREFERRED_CHAIN=$(curl --silent https://pebble:15000/roots/2 | openssl x509 -text -noout | grep "Issuer:" | awk -F"CN *= *" '{ print $2 }')
+        FULL_PREFERRED_CHAIN="${FULL_PREFERRED_CHAIN# }" # remove leading whitespace
+    fi
+
+    # Take the last word from FULL_PREFERRED_CHAIN as the chain to use
+    PREFERRED_CHAIN="${FULL_PREFERRED_CHAIN##* }"
+    CONFIG_FILE="getssl-dns01.cfg"
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PREFERRED_CHAIN="${PREFERRED_CHAIN}"
+EOF
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Issuer: | tail -1 | awk -F"CN=" '{ print $2 }')
+    # verify certificate is issued by preferred chain root
+    if [[ "${FULL_PREFERRED_CHAIN}" != "$issuer" ]]; then
+        echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+        echo "# FULL_PREFERRED_CHAIN=$FULL_PREFERRED_CHAIN"
+        echo "# issuer=$issuer"
+    fi
+    [ "${FULL_PREFERRED_CHAIN}" = "$issuer" ]
+}

test/36-full-chain-inc-root.bats

@@ -0,0 +1,99 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    fi
+}
+
+
+@test "Use FULL_CHAIN_INCLUDE_ROOT to include the root certificate in the fullchain" {
+    CONFIG_FILE="getssl-dns01.cfg"
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+FULL_CHAIN_INCLUDE_ROOT="true"
+EOF
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    if [ -n "$STAGING" ]; then
+        PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
+    else
+        # pebble doesn't support CA Issuers so the fullchain.crt will just contain the certificate (code path means it won't contain the intermediate cert in this case)
+        # This is testing that requesting FULL_CHAIN_INCLUDE_ROOT doesn't fail if there is no CA Issuers in the certificate
+        PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
+    fi
+
+    final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
+
+    # verify certificate includes the chain root
+    if [[ "${PREFERRED_CHAIN}" != "$final_issuer" ]]; then
+        echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+        echo "# final_issuer=$final_issuer"
+    fi
+    [ "${PREFERRED_CHAIN}" = "$final_issuer" ]
+}
+
+
+@test "Use FULL_CHAIN_INCLUDE_ROOT with dual certificates" {
+    if [ -n "$STAGING" ]; then
+        PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
+    fi
+
+    CONFIG_FILE="getssl-dns01.cfg"
+    setup_environment
+    init_getssl
+
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+FULL_CHAIN_INCLUDE_ROOT="true"
+DUAL_RSA_ECDSA="true"
+ACCOUNT_KEY_TYPE="prime256v1"
+PRIVATE_KEY_ALG="prime256v1"
+CHECK_REMOTE="false"
+EOF
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+    check_certificates
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/chain.ec.crt" ]
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" ]
+    assert [ -e "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.ec.crt" ]
+
+    if [ -n "$STAGING" ]; then
+        PREFERRED_CHAIN="(STAGING) Doctored Durian Root CA X3"
+    else
+        # pebble doesn't support CA Issuers so the fullchain.crt will just contain the certificate (code path means it won't contain the intermediate cert in this case)
+        # This is testing that requesting FULL_CHAIN_INCLUDE_ROOT doesn't fail if there is no CA Issuers in the certificate
+        PREFERRED_CHAIN=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
+    fi
+
+    # verify both rsa and ecdsa certificates include the chain root
+    final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
+    if [[ "${PREFERRED_CHAIN}" != "$final_issuer" ]]; then
+        echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+        echo "# final_issuer=$final_issuer"
+    fi
+    [ "${PREFERRED_CHAIN}" = "$final_issuer" ]
+    ecdsa_final_issuer=$(openssl crl2pkcs7 -nocrl -certfile "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/fullchain.ec.crt" | openssl pkcs7 -print_certs -text -noout | grep Subject: | tail -1 | awk -F"CN=" '{ print $2 }')
+    if [[ "$PREFERRED_CHAIN" != "$ecdsa_final_issuer" ]]; then
+        echo "# PREFERRED_CHAIN=$PREFERRED_CHAIN"
+        echo "# ecdsa_final_issuer=$ecdsa_final_issuer"
+    fi
+    [ "${PREFERRED_CHAIN}" = "$ecdsa_final_issuer" ]
+}

test/37-idn.bats

@@ -0,0 +1,81 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    GETSSL_CMD_HOST=${GETSSL_IDN_HOST}
+
+    # use the test description to move tools we don't want to test out of the way
+    DNS_TOOL=${BATS_TEST_DESCRIPTION##*:}
+    for tool in dig drill host nslookup
+    do
+        if [[ "$tool" != "$DNS_TOOL" && -f /usr/bin/$tool ]]; then
+            mv /usr/bin/$tool /usr/bin/${tool}.getssl
+        fi
+    done
+}
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+    # use the test description to move tools we didn't want to test back
+    DNS_TOOL=${BATS_TEST_DESCRIPTION##*-}
+    for tool in dig drill host nslookup
+    do
+        if [[ "$tool" != "$DNS_TOOL" && -f /usr/bin/${tool}.getssl ]]; then
+            mv /usr/bin/${tool}.getssl /usr/bin/${tool}
+        fi
+    done
+}
+
+setup_file() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    fi
+}
+
+teardown_file() {
+    if [ -z "$STAGING" ]; then
+        curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+    fi
+}
+
+@test "Check that DNS-01 verification works if the domain is idn:dig" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    setup_environment
+    init_getssl
+    create_certificate
+
+    assert_success
+    assert_output --partial "dig"
+    check_output_for_errors
+}
+
+@test "Check that DNS-01 verification works if the domain is idn:drill" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    if [ ! -f /usr/bin/drill ]; then
+        # Can't find drill package for centos8 / rockylinux8
+        skip "Drill not installed on this system"
+    fi
+
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    setup_environment
+    init_getssl
+    create_certificate
+
+    assert_success
+    assert_output --partial "drill"
+    check_output_for_errors
+}

test/38-idn-http01-check-noidnout.bats

@@ -0,0 +1,49 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    GETSSL_CMD_HOST=$GETSSL_IDN_HOST
+}
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup_file() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    fi
+}
+
+teardown_file() {
+    if [ -z "$STAGING" ]; then
+        curl --silent -X POST -d '{"host":"'$GETSSL_IDN_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+
+    fi
+}
+
+@test "Ensure noidnout in check_config isn't passed to host and nslookup (HTTP-01)" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+SANS="${GETSSL_HOST}"
+USE_SINGLE_ACL="true"
+EOF
+
+    create_certificate --check-config
+
+    assert_success
+    refute_output --partial "DNS lookup using host  +noidnout"
+    refute_output --partial "DNS lookup using nslookup  +noidnout"
+    refute_output --partial "+noidnout $GETSSL_HOST"
+    check_output_for_errors
+}

test/39-private-key-alg-changed.bats

@@ -0,0 +1,88 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+}
+
+teardown_file() {
+    cleanup_environment
+}
+
+@test "Create new certificate to create a private key" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+    # save a coy of the private key
+    cp "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key" "${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key.orig"
+}
+
+@test "Renew certificate (not force) and check nothing happens and key doesn't change" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    ORIG_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key | sha256sum)"
+
+    run ${CODE_DIR}/getssl -U -d $GETSSL_HOST
+    assert_success
+    assert_line --partial "certificate is valid for more than 30 days"
+    check_output_for_errors
+
+    NEW_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key  | sha256sum)"
+
+    assert [ "$NEW_KEY_HASH" == "$ORIG_KEY_HASH" ]
+}
+
+@test "Force renewal and check key hasn't changed" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    ORIG_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key | sha256sum)"
+
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+
+    NEW_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key  | sha256sum)"
+
+    assert [ "$NEW_KEY_HASH" == "$ORIG_KEY_HASH" ]
+}
+
+@test "Change key algorithm, force renewal, and check key has changed" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    ORIG_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key | sha256sum)"
+
+    cat <<- 'EOF' > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+PRIVATE_KEY_ALG="prime256v1"
+EOF
+
+    run ${CODE_DIR}/getssl -U -d $GETSSL_HOST
+    assert_success
+    refute_line --partial "certificate is valid for more than 30 days"
+
+    check_output_for_errors
+
+    NEW_KEY_HASH="$(cat ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.key  | sha256sum)"
+
+    assert [ "$NEW_KEY_HASH" != "$ORIG_KEY_HASH" ]
+}

test/4-more-than-10-hosts.bats

@@ -6,8 +6,34 @@ load '/getssl/test/test_helper.bash'
 
 
 # This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+
 setup() {
-    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+
+setup_file() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        # Add 11 hosts to DNS (also need to be added as aliases in docker-compose.yml)
+        for prefix in a b c d e f g h i j k; do
+            curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+        done
+    fi
+}
+
+
+teardown_file() {
+    # Remove all the dns aliases
+    if [ -n "$STAGING" ]; then
+        for prefix in a b c d e f g h i j k; do
+            curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a
+        done
+    fi
 }
 
 
@@ -18,17 +44,10 @@ setup() {
     CONFIG_FILE="getssl-http01-10-hosts.cfg"
     setup_environment
 
-    # Add 11 hosts to DNS (also need to be added as aliases in docker-compose.yml)
-    for prefix in a b c d e f g h i j k; do
-        curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
-    done
-
     init_getssl
     create_certificate
     assert_success
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
+    check_output_for_errors
 }
 
 
@@ -36,14 +55,8 @@ setup() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
     assert_success
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
-    # Remove all the dns aliases
+    check_output_for_errors
     cleanup_environment
-    for prefix in a b c d e f g h i j k; do
-        curl --silent -X POST -d '{"host":"'$prefix.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a
-    done
 }

test/5-secp384-http01.bats

@@ -6,7 +6,12 @@ load '/getssl/test/test_helper.bash'
 
 
 # This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
 setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
     export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
 }
 
@@ -20,6 +25,7 @@ setup() {
     init_getssl
     create_certificate
     assert_success
+    check_output_for_errors
 }
 
 
@@ -27,8 +33,9 @@ setup() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
     assert_success
+    check_output_for_errors
 }
 
 
@@ -41,6 +48,7 @@ setup() {
     init_getssl
     create_certificate
     assert_success
+    check_output_for_errors
 }
 
 
@@ -48,6 +56,7 @@ setup() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    run ${CODE_DIR}/getssl -f $GETSSL_HOST
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
     assert_success
+    check_output_for_errors
 }

test/6-dual-rsa-ecdsa-copy-2-locations.bats

@@ -7,6 +7,16 @@ load '/getssl/test/test_helper.bash'
 
 # These are run for every test, not once per file
 setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+
+setup_file() {
     if [ -z "$STAGING" ]; then
         export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
         curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
@@ -14,7 +24,7 @@ setup() {
 }
 
 
-teardown() {
+teardown_file() {
     if [ -z "$STAGING" ]; then
         curl --silent -X POST -d '{"host":"'a.$GETSSL_HOST'"}' http://10.30.50.3:8055/clear-a
     fi
@@ -25,13 +35,25 @@ teardown() {
     if [ -n "$STAGING" ]; then
         skip "Using staging server, skipping internal test"
     fi
-    CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations.cfg"
+    else
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations-old-nginx.cfg"
+    fi
+
     setup_environment
     mkdir -p /root/a.${GETSSL_HOST}
 
     init_getssl
     create_certificate
     assert_success
+    check_output_for_errors
+    if [ "$OLD_NGINX" = "false" ]; then
+        assert_line --partial "rsa certificate installed OK on server"
+        assert_line --partial "prime256v1 certificate installed OK on server"
+    fi
 
     # Check that the RSA chain and key have been copied to both locations
     assert [ -e "/etc/nginx/pki/domain-chain.crt" ]
@@ -45,3 +67,25 @@ teardown() {
     assert [ -e "/etc/nginx/pki/private/server.ec.key" ]
     assert [ -e "/root/a.${GETSSL_HOST}/server.ec.key" ]
 }
+
+
+@test "Create dual certificates and copy to two locations but not returned by server" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    check_nginx
+    if [ "$OLD_NGINX" = "false" ]; then
+        CONFIG_FILE="getssl-http01-dual-rsa-ecdsa-2-locations-wrong-nginx.cfg"
+    else
+        skip "Skipping as old nginx servers cannot return both certificates"
+    fi
+
+    setup_environment
+    mkdir -p /root/a.${GETSSL_HOST}
+
+    init_getssl
+    create_certificate
+    assert_failure
+    assert_line --partial "prime256v1 certificate obtained but not installed on server"
+}

test/7-duckdns-dns01.bats

@@ -1,34 +0,0 @@
-#! /usr/bin/env bats
-
-load '/bats-support/load.bash'
-load '/bats-assert/load.bash'
-load '/getssl/test/test_helper.bash'
-
-
-
-@test "Create new certificate using staging server and DuckDNS" {
-    if [ -z "$STAGING" ]; then
-        skip "Running internal tests, skipping external test"
-    fi
-    CONFIG_FILE="getssl-duckdns01.cfg"
-
-    setup_environment
-    init_getssl
-    create_certificate
-    assert_success
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
-}
-
-@test "Force renewal of certificate using staging server and DuckDNS" {
-    if [ -z "$STAGING" ]; then
-        skip "Running internal tests, skipping external test"
-    fi
-    run ${CODE_DIR}/getssl -f $GETSSL_HOST
-    assert_success
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[Ee][Rr][Rr][Oo][Rr]'
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
-    cleanup_environment
-}

test/7-test-renewal.bats

@@ -0,0 +1,107 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+
+setup_file() {
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+        curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    fi
+}
+
+
+teardown_file() {
+    if [ -z "$STAGING" ]; then
+        curl --silent -X POST -d '{"host":"a.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+        curl --silent -X POST -d '{"host":"b.'$GETSSL_HOST'", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/clear-a
+    fi
+}
+
+
+@test "Create certificate to check renewal" {
+    if [ -n "$STAGING" ]; then
+        skip "Not testing renewal on staging server"
+    fi
+    CONFIG_FILE="getssl-dns01.cfg"
+    setup_environment
+    init_getssl
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Check that trying to renew a certificate which doesn't need renewing doesn't do anything" {
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+    fi
+
+    CONFIG_FILE="getssl-dns01.cfg"
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+    ORIGINAL_ENDDATE=$(openssl x509 -in "$CERT" -noout -enddate 2>/dev/null| cut -d= -f 2-)
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    # Check that getssl didn't renew the certificate
+    refute_line --partial "certificate needs renewal"
+    assert_line --partial 'certificate is valid for more than'
+
+    # Check that the end date in the certificate hasn't changed
+    UPDATED_ENDDATE=$(openssl x509 -in "$CERT" -noout -enddate 2>/dev/null| cut -d= -f 2-)
+    if [[ "$ORIGINAL_ENDDATE" != "$UPDATED_ENDDATE" ]]; then
+        echo "# ORIGINAL_ENDDATE=$ORIGINAL_ENDDATE"
+        echo "# UPDATED_ENDDATE =$UPDATED_ENDDATE"
+    fi
+    [[ "$ORIGINAL_ENDDATE" = "$UPDATED_ENDDATE" ]]
+}
+
+
+
+@test "Check that we can renew a certificate which does need renewing" {
+    if [ -n "$STAGING" ]; then
+        skip "Not trying on staging server yet"
+    fi
+
+    CONFIG_FILE="getssl-dns01.cfg"
+    cat <<- EOF > ${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/getssl_test_specific.cfg
+RENEW_ALLOW=2000
+EOF
+
+    . "${CODE_DIR}/test/test-config/${CONFIG_FILE}"
+    CERT=${INSTALL_DIR}/.getssl/${GETSSL_CMD_HOST}/${GETSSL_CMD_HOST}.crt
+    ORIGINAL_ENDDATE=$(openssl x509 -in "$CERT" -noout -enddate 2>/dev/null| cut -d= -f 2-)
+
+    create_certificate
+    assert_success
+    check_output_for_errors
+
+    # Check that getssl didn't renew the certificate
+    refute_line --partial 'certificate is valid for more than'
+
+    # Check that the end date in the certificate hasn't changed
+    UPDATED_ENDDATE=$(openssl x509 -in "$CERT" -noout -enddate 2>/dev/null| cut -d= -f 2-)
+    if [[ "$ORIGINAL_ENDDATE" = "$UPDATED_ENDDATE" ]]; then
+        echo "# ORIGINAL_ENDDATE=$ORIGINAL_ENDDATE"
+        echo "# UPDATED_ENDDATE =$UPDATED_ENDDATE"
+    fi
+    [[ "$ORIGINAL_ENDDATE" != "$UPDATED_ENDDATE" ]]
+}

test/8-duckdns-ecdsa.bats

@@ -1,70 +0,0 @@
-#! /usr/bin/env bats
-
-load '/bats-support/load.bash'
-load '/bats-assert/load.bash'
-load '/getssl/test/test_helper.bash'
-
-
-
-
-@test "Create new certificate using staging server and prime256v1" {
-    if [ -z "$STAGING" ]; then
-        skip "Running internal tests, skipping external test"
-    fi
-    CONFIG_FILE="getssl-duckdns01.cfg"
-
-    setup_environment
-    init_getssl
-    sed -e 's/rsa/prime256v1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
-    run ${CODE_DIR}/getssl -d "$GETSSL_HOST"
-    assert_success
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
-}
-
-
-@test "Force renewal of certificate using staging server and prime256v1" {
-    if [ -z "$STAGING" ]; then
-        skip "Running internal tests, skipping external test"
-    fi
-    run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
-    assert_success
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
-    cleanup_environment
-}
-
-
-@test "Create new certificate using staging server and secp384r1" {
-    if [ -z "$STAGING" ]; then
-        skip "Running internal tests, skipping external test"
-    fi
-    CONFIG_FILE="getssl-duckdns01.cfg"
-
-    setup_environment
-    init_getssl
-    sed -e 's/rsa/secp384r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
-    run ${CODE_DIR}/getssl -d "$GETSSL_HOST"
-    assert_success
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
-}
-
-
-@test "Force renewal of certificate using staging server and secp384r1" {
-    if [ -z "$STAGING" ]; then
-        skip "Running internal tests, skipping external test"
-    fi
-    run ${CODE_DIR}/getssl -d -f $GETSSL_HOST
-    assert_success
-    refute_output --regexp '[Ff][Aa][Ii][Ll][Ee][Dd]'
-    refute_output --regexp '[^:][Ee][Rr][Rr][Oo][Rr][^:]'
-    refute_output --regexp '[Ww][Aa][Rr][Nn][Ii][Nn][Gg]'
-    cleanup_environment
-}
-
-
-# Note letsencrypt doesn't support ECDSA curve P-521 as it's being deprecated

test/8-staging-ecdsa.bats

@@ -0,0 +1,70 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+
+@test "Create new certificate using staging server and prime256v1" {
+    if [ -z "$STAGING" ]; then
+        skip "Running local tests this is a staging server test"
+    fi
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    setup_environment
+    init_getssl
+    sed -e 's/rsa/prime256v1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+    run ${CODE_DIR}/getssl -U -d "$GETSSL_HOST"
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Force renewal of certificate using staging server and prime256v1" {
+    if [ -z "$STAGING" ]; then
+        skip "Running local tests this is a staging server test"
+    fi
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+}
+
+
+@test "Create new certificate using staging server and secp384r1" {
+    if [ -z "$STAGING" ]; then
+        skip "Running local tests this is a staging server test"
+    fi
+    CONFIG_FILE="getssl-dns01.cfg"
+
+    setup_environment
+    init_getssl
+    sed -e 's/rsa/secp384r1/g' < "${CODE_DIR}/test/test-config/${CONFIG_FILE}" > "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+    run ${CODE_DIR}/getssl -U -d "$GETSSL_HOST"
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Force renewal of certificate using staging server and secp384r1" {
+    if [ -z "$STAGING" ]; then
+        skip "Running local tests this is a staging server test"
+    fi
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+}
+
+
+# Note letsencrypt doesn't support ECDSA curve P-521 as it's being deprecated

test/9-multiple-domains-dns01.bats

@@ -0,0 +1,73 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+}
+
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+
+setup_file() {
+    # Add top level domain from SANS to DNS
+    if [ -z "$STAGING" ]; then
+        export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+        curl --silent -X POST -d '{"host":"getssl.test", "addresses":["'$GETSSL_IP'"]}' http://10.30.50.3:8055/add-a
+    fi
+}
+
+
+teardown_file() {
+    if [ -z "$STAGING" ]; then
+        curl --silent -X POST -d '{"host":"getssl.tst"}' http://10.30.50.3:8055/clear-a
+    fi
+}
+
+
+@test "Create certificates for multi-level domains using DNS-01 verification" {
+    # This tests we can create a certificate for <os>.getssl.test and getssl.test (in SANS)
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-dns01-multiple-domains.cfg"
+    setup_environment
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}
+
+
+@test "Force renewal of multi-level domains using DNS-01" {
+    # This tests we can renew a certificate for <os>.getssl.test and getssl.test (in SANS)
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    run ${CODE_DIR}/getssl -U -d -f $GETSSL_HOST
+    assert_success
+    check_output_for_errors
+    cleanup_environment
+}
+
+
+@test "Test IGNORE_DIRECTORY_DOMAIN using DNS-01 verification" {
+    # This tests we can create a certificate for getssl.test and <os>.getssl.test (*both* in SANS)
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+    CONFIG_FILE="getssl-dns01-ignore-directory-domain.cfg"
+    setup_environment
+
+    init_getssl
+    create_certificate
+    assert_success
+    check_output_for_errors
+}

test/9-test--all.bats

@@ -0,0 +1,37 @@
+#! /usr/bin/env bats
+
+load '/bats-support/load.bash'
+load '/bats-assert/load.bash'
+load '/getssl/test/test_helper.bash'
+
+
+# This is run for every test
+teardown() {
+    [ -n "$BATS_TEST_COMPLETED" ] || touch $BATS_RUN_TMPDIR/failed.skip
+}
+
+setup() {
+    [ ! -f $BATS_RUN_TMPDIR/failed.skip ] || skip "skipping tests after first failure"
+    export CURL_CA_BUNDLE=/root/pebble-ca-bundle.crt
+    export PATH=$PATH:/getssl
+}
+
+
+@test "Create new certificate using --all" {
+    if [ -n "$STAGING" ]; then
+        skip "Using staging server, skipping internal test"
+    fi
+
+    # Setup
+    CONFIG_FILE="getssl-http01.cfg"
+    setup_environment
+    init_getssl
+    cp "${CODE_DIR}/test/test-config/${CONFIG_FILE}" "${INSTALL_DIR}/.getssl/${GETSSL_HOST}/getssl.cfg"
+
+    # Run test
+    run ${CODE_DIR}/getssl -U -d --all
+
+    # Check success conditions
+    assert_success
+    check_output_for_errors
+}

test/Dockerfile-alpine

@@ -2,21 +2,32 @@ FROM alpine:latest
 
 # Note this image uses busybox awk instead of gawk
 
-RUN apk --no-cache add supervisor openssl git curl bind-tools wget nginx bash
+RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx bash lftp vsftpd openssh-server jq
 
 WORKDIR /root
 
 # Create nginx directories in standard places
-RUN mkdir /run/nginx
-RUN mkdir /etc/nginx/pki
-RUN mkdir /etc/nginx/pki/private
+RUN mkdir -p /run/nginx
+RUN mkdir -p /etc/nginx/pki/private
+
+# Setup ftp
+ENV VSFTPD_CONF=/etc/vsftpd.conf
+ENV FTP_PASSIVE_DEFAULT=true
+COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf
+RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
+RUN adduser -D ftpuser
+RUN echo 'ftpuser:ftpuser' | chpasswd
+RUN adduser ftpuser www-data
+RUN adduser root www-data
+RUN chown -R ftpuser.www-data /var/www
+RUN chmod g+w -R /var/www
 
 # BATS (Bash Automated Testings)
-RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1
+RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
+RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 # Use supervisord to run nginx in the background
 COPY ./test/test-config/alpine-supervisord.conf /etc/supervisord.conf
-CMD tail -f /dev/null
+CMD [ "tail", "-f", "/dev/null" ]

test/Dockerfile-bash4-0

@@ -0,0 +1,34 @@
+FROM bash:4.0
+
+# https://hub.docker.com/_/bash
+
+RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server jq
+
+WORKDIR /root
+
+# Create nginx directories in standard places
+RUN mkdir -p /run/nginx
+RUN mkdir -p /etc/nginx/pki
+RUN mkdir -p /etc/nginx/pki/private
+
+# Setup ftp
+ENV VSFTPD_CONF=/etc/vsftpd.conf
+ENV FTP_PASSIVE_DEFAULT=true
+COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf
+RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
+RUN adduser -D ftpuser
+RUN echo 'ftpuser:ftpuser' | chpasswd
+RUN adduser ftpuser www-data
+RUN adduser root www-data
+RUN chown -R ftpuser.www-data /var/www
+RUN chmod g+w -R /var/www
+
+# BATS (Bash Automated Testings)
+RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
+RUN /bats-core/install.sh /usr/local
+
+# Use supervisord to run nginx in the background
+COPY ./test/test-config/alpine-supervisord.conf /etc/supervisord.conf
+CMD tail -f /dev/null

test/Dockerfile-bash4-2

@@ -0,0 +1,34 @@
+FROM bash:4.2
+
+# https://hub.docker.com/_/bash
+
+RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server jq
+
+WORKDIR /root
+
+# Create nginx directories in standard places
+RUN mkdir -p /run/nginx
+RUN mkdir -p /etc/nginx/pki
+RUN mkdir -p /etc/nginx/pki/private
+
+# Setup ftp
+ENV VSFTPD_CONF=/etc/vsftpd.conf
+ENV FTP_PASSIVE_DEFAULT=true
+COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf
+RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
+RUN adduser -D ftpuser
+RUN echo 'ftpuser:ftpuser' | chpasswd
+RUN adduser ftpuser www-data
+RUN adduser root www-data
+RUN chown -R ftpuser.www-data /var/www
+RUN chmod g+w -R /var/www
+
+# BATS (Bash Automated Testings)
+RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
+RUN /bats-core/install.sh /usr/local
+
+# Use supervisord to run nginx in the background
+COPY ./test/test-config/alpine-supervisord.conf /etc/supervisord.conf
+CMD tail -f /dev/null

test/Dockerfile-bash5-0

@@ -0,0 +1,34 @@
+FROM bash:5.0
+
+# https://hub.docker.com/_/bash
+
+RUN apk --no-cache add supervisor openssl git curl bind-tools drill wget nginx lftp vsftpd openssh-server jq
+
+WORKDIR /root
+
+# Create nginx directories in standard places
+RUN mkdir -p /run/nginx
+RUN mkdir -p /etc/nginx/pki
+RUN mkdir -p /etc/nginx/pki/private
+
+# Setup ftp
+ENV VSFTPD_CONF=/etc/vsftpd.conf
+ENV FTP_PASSIVE_DEFAULT=true
+COPY ./test/test-config/vsftpd.conf /etc/vsftpd.conf
+RUN echo "seccomp_sandbox=NO" >> /etc/vsftpd.conf
+RUN adduser -D ftpuser
+RUN echo 'ftpuser:ftpuser' | chpasswd
+RUN adduser ftpuser www-data
+RUN adduser root www-data
+RUN chown -R ftpuser.www-data /var/www
+RUN chmod g+w -R /var/www
+
+# BATS (Bash Automated Testings)
+RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
+RUN /bats-core/install.sh /usr/local
+
+# Use supervisord to run nginx in the background
+COPY ./test/test-config/alpine-supervisord.conf /etc/supervisord.conf
+CMD tail -f /dev/null

test/Dockerfile-centos6

@@ -1,24 +1,47 @@
 FROM centos:centos6
 
 # Note this image uses gawk
+# Note if you are running this using WSL2 you need to put the following lines in %userprofile%\.wslconfig
+# [wsl2]
+# kernelCommandLine = vsyscall=emulate
+
+# Centos 6 is EOL and is no longer available from the usual mirrors, so switch to https://vault.centos.org
+RUN sed -i 's/enabled=1/enabled=0/g' /etc/yum/pluginconf.d/fastestmirror.conf && \
+    sed -i 's/^mirrorlist/#mirrorlist/g' /etc/yum.repos.d/*.repo && \
+    sed -i 's;^#baseurl=http://mirror;baseurl=https://vault;g' /etc/yum.repos.d/*.repo
 
 # Update and install required software
-RUN yum -y update
 RUN yum -y install epel-release
-RUN yum -y install git curl dnsutils wget nginx
+RUN yum -y install git curl dnsutils ldns wget nginx jq
+RUN yum -y install ftp vsftpd
+RUN yum -y install openssh-server
+
+# Setup ftp
+ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf
+ENV FTP_PASSIVE_DEFAULT=true
+COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf
+RUN adduser ftpuser
+RUN echo 'ftpuser:ftpuser' | chpasswd
+RUN adduser www-data
+RUN usermod -G www-data ftpuser
+RUN usermod -G www-data root
+RUN mkdir -p /var/www/.well-known/acme-challenge
+RUN chown -R www-data.www-data /var/www
+RUN chmod g+w -R /var/www
 
 WORKDIR /root
-RUN mkdir /etc/nginx/pki
-RUN mkdir /etc/nginx/pki/private
+RUN mkdir -p /etc/nginx/pki/private
 COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
 
 # BATS (Bash Automated Testings)
-RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone https://github.com/bats-core/bats-core.git /bats-core # --branch v1.2.1
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
+# Hack to disable BATS pretty formatter which stopped working on centos6
+ENV CI=yes
 
 EXPOSE 80 443
 
 # Run eternal loop - for testing
-CMD tail -f /dev/null
+CMD [ "tail", "-f", "/dev/null" ]

test/Dockerfile-centos7

@@ -0,0 +1,37 @@
+FROM centos:centos7
+
+# Update and install required software
+RUN yum -y update
+RUN yum -y install epel-release
+RUN yum -y install git curl ldns bind-utils wget which nginx jq
+RUN yum -y install ftp vsftpd
+RUN yum -y install openssh-server
+
+# Set locale
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+WORKDIR /root
+RUN mkdir -p /etc/nginx/pki/private
+COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
+COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
+
+# Setup ftp
+ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf
+ENV FTP_PASSIVE_DEFAULT=true
+COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf
+RUN adduser ftpuser
+RUN echo 'ftpuser:ftpuser' | chpasswd
+RUN adduser www-data
+RUN usermod -G www-data ftpuser
+RUN usermod -G www-data root
+RUN mkdir -p /var/www/.well-known/acme-challenge
+RUN chown -R www-data.www-data /var/www
+RUN chmod g+w -R /var/www
+
+# BATS (Bash Automated Testings)
+RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1
+RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
+RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
+RUN /bats-core/install.sh /usr/local

test/Dockerfile-centos7-duckdns

@@ -5,24 +5,29 @@ FROM centos:centos7
 # Update and install required software
 RUN yum -y update
 RUN yum -y install epel-release
-RUN yum -y install git curl bind-utils wget which nginx
+RUN yum -y install git curl bind-utils ldns wget which nginx jq
+
+# Set locale
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
 
 ENV staging "true"
-ENV DUCKDNS_TOKEN 1d616aa9-b8e4-4bb4-b312-3289de82badb
+ENV dynamic_dns "dynu"
+#ENV DUCKDNS_TOKEN 
 
 WORKDIR /root
-RUN mkdir /etc/nginx/pki
-RUN mkdir /etc/nginx/pki/private
+RUN mkdir -p /etc/nginx/pki/private
 COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
 COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
 
 # BATS (Bash Automated Testings)
-RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1
+RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
+RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 EXPOSE 80 443
 
 # Run eternal loop - for testing
-CMD tail -f /dev/null
+CMD [ "tail", "-f", "/dev/null" ]

test/Dockerfile-centos7-dynu

@@ -0,0 +1,34 @@
+FROM centos:centos7
+
+# Note this image uses gawk
+
+# Update and install required software
+RUN yum -y update
+RUN yum -y install epel-release
+RUN yum -y install git curl bind-utils ldns wget which nginx jq
+
+# Set locale
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+ENV staging "true"
+ENV dynamic_dns "duckdns"
+#ENV DYNU_API_KEY 
+
+WORKDIR /root
+RUN mkdir -p /etc/nginx/pki
+RUN mkdir -p /etc/nginx/pki/private
+COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
+COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
+
+# BATS (Bash Automated Testings)
+RUN git clone https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1
+RUN git clone https://github.com/bats-core/bats-support /bats-support
+RUN git clone https://github.com/bats-core/bats-assert /bats-assert
+RUN /bats-core/install.sh /usr/local
+
+EXPOSE 80 443
+
+# Run eternal loop - for testing
+CMD tail -f /dev/null

test/Dockerfile-centos8

@@ -0,0 +1,40 @@
+FROM centos:centos8
+
+# Note this image does not have drill
+
+# Update and install required software
+RUN yum -y update
+RUN yum -y install glibc-all-langpacks
+RUN yum -y install epel-release
+RUN yum -y install git curl bind-utils wget which nginx jq
+RUN yum -y install ftp vsftpd
+RUN yum -y install openssh-server
+
+# Set locale
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+WORKDIR /root
+RUN mkdir -p /etc/nginx/pki/private
+COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
+COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
+
+# Setup ftp
+ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf
+ENV FTP_PASSIVE_DEFAULT=true
+COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf
+RUN adduser ftpuser
+RUN echo 'ftpuser:ftpuser' | chpasswd
+RUN adduser www-data
+RUN usermod -G www-data ftpuser
+RUN usermod -G www-data root
+RUN mkdir -p /var/www/.well-known/acme-challenge
+RUN chown -R www-data.www-data /var/www
+RUN chmod g+w -R /var/www
+
+# BATS (Bash Automated Testings)
+RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1
+RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
+RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
+RUN /bats-core/install.sh /usr/local

test/Dockerfile-debian

@@ -4,17 +4,36 @@ FROM debian:latest
 
 # Update and install required software
 RUN apt-get update --fix-missing
-RUN apt-get install -y git curl dnsutils wget nginx-light
+RUN apt-get install -y git curl dnsutils ldnsutils wget nginx-light jq
+RUN apt-get install -y ftp vsftpd
+RUN apt-get install -y openssh-server
+RUN apt-get install -y locales # for idn testing
+
+# Set locale
+RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
 
 WORKDIR /root
-RUN mkdir /etc/nginx/pki
-RUN mkdir /etc/nginx/pki/private
+RUN mkdir -p /etc/nginx/pki/private
+
+# Setup ftp
+ENV VSFTPD_CONF=/etc/vsftpd.conf
+ENV FTP_PASSIVE_DEFAULT=false
+COPY test/test-config/vsftpd.conf /etc/vsftpd.conf
+RUN adduser ftpuser
+RUN echo 'ftpuser:ftpuser' | chpasswd
+RUN adduser ftpuser www-data
+RUN adduser root www-data
+RUN chown -R www-data.www-data /var/www
+RUN chmod g+w -R /var/www
 
 # BATS (Bash Automated Testings)
-RUN git clone https://github.com/bats-core/bats-core.git /bats-core
-RUN git clone https://github.com/jasonkarns/bats-support /bats-support
-RUN git clone https://github.com/jasonkarns/bats-assert-1 /bats-assert
+RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1
+RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
+RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
 RUN /bats-core/install.sh /usr/local
 
 # Run eternal loop - for testing
-CMD tail -f /dev/null
+CMD [ "tail", "-f", "/dev/null" ]

test/Dockerfile-rockylinux8

@@ -0,0 +1,38 @@
+FROM rockylinux/rockylinux:8
+
+# Update and install required software
+RUN yum -y update
+RUN yum -y install epel-release
+RUN yum -y install git curl bind-utils wget which nginx jq
+RUN yum -y install ftp vsftpd
+RUN yum -y install openssh-server
+RUN yum -y install glibc-locale-source glibc-langpack-en # for en_US.UTF-8 support
+
+# Set locale
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+WORKDIR /root
+RUN mkdir -p /etc/nginx/pki/private
+COPY ./test/test-config/nginx-ubuntu-no-ssl /etc/nginx/conf.d/default.conf
+COPY ./test/test-config/nginx-centos7.conf /etc/nginx/nginx.conf
+
+# Setup ftp
+ENV VSFTPD_CONF=/etc/vsftpd/vsftpd.conf
+ENV FTP_PASSIVE_DEFAULT=true
+COPY test/test-config/vsftpd.conf /etc/vsftpd/vsftpd.conf
+RUN adduser ftpuser
+RUN echo 'ftpuser:ftpuser' | chpasswd
+RUN adduser www-data
+RUN usermod -G www-data ftpuser
+RUN usermod -G www-data root
+RUN mkdir -p /var/www/.well-known/acme-challenge
+RUN chown -R www-data.www-data /var/www
+RUN chmod g+w -R /var/www
+
+# BATS (Bash Automated Testings)
+RUN git clone --depth 1 https://github.com/bats-core/bats-core.git /bats-core --branch v1.2.1
+RUN git clone --depth 1 https://github.com/bats-core/bats-support /bats-support
+RUN git clone --depth 1 https://github.com/bats-core/bats-assert /bats-assert
+RUN /bats-core/install.sh /usr/local