diff --git a/getssl b/getssl
index 773a6fd..a585f06 100755
--- a/getssl
+++ b/getssl
@@ -147,10 +147,12 @@
 # 2016-10-31 fix warning message if cert doesn't exist (1.75)
 # 2016-10-31 remove only specified DNS token #161 (1.76)
 # 2016-11-03 Reduce long lines, and remove echo from update (1.77)
+# 2016-11-05 added TOKEN_USER_ID (to set ownership of token files )
+# 2016-11-05 updated style to work with latest shellcheck (1.78)
 # ----------------------------------------------------------------------------------------
 PROGNAME=${0##*/}
-VERSION="1.77"
+VERSION="1.78"
 # defaults
 CODE_LOCATION="https://raw.githubusercontent.com/srvrco/getssl/master/getssl"
@@ -229,8 +231,7 @@ check_challenge_completion() { # checks with the ACME server if our challenge is
 fi
 # loop "forever" to keep checking for a response from the ACME server.
- # shellcheck disable=SC2078
- while [ "1" ] ; do
+ while true ; do
 debug "checking"
 if ! get_cr "$uri" ; then
 error_exit "$domain:Verify error:$code"
@@ -313,6 +314,7 @@ clean_up() { # Perform pre-exit housekeeping
 # Tidy up DNS entries if things failed part way though.
 shopt -s nullglob
 for dnsfile in $TEMP_DIR/dns_verify/*; do
+ # shellcheck source=/dev/null
 . "$dnsfile"
 debug "attempting to clean up DNS entry for $d"
 eval "$DNS_DEL_COMMAND" "$d" "$auth_key"
@@ -333,11 +335,19 @@ copy_file_to_location() { # copies a file, using scp if required.
 debug "copying from $from to $to"
 if [[ "${to:0:4}" == "ssh:" ]] ; then
 debug "using scp scp -q $from ${to:4}"
- scp -q "$from" "${to:4}" >/dev/null 2>&1
- if [ $? -gt 0 ]; then
+ if ! scp -q "$from" "${to:4}" >/dev/null 2>&1 ; then
 error_exit "problem copying file to the server using scp. scp $from ${to:4}"
 fi
+ debug "userid $TOKEN_USER_ID"
+ if [[ ! -z "$TOKEN_USER_ID" ]]; then
+ servername=$(echo "$to" | awk -F":" '{print $2}')
+ tofile=$(echo "$to" | awk -F":" '{print $3}')
+ debug "servername $servername"
+ debug "file $tofile"
+ # shellcheck disable=SC2029
+ ssh "$servername" "chown $TOKEN_USER_ID $tofile"
+ fi
 elif [[ "${to:0:4}" == "ftp:" ]] ; then
 if [[ "$cert" != "challenge token" ]] ; then
 error_exit "ftp is not a sercure method for copying certificates or keys"
@@ -378,14 +388,15 @@ copy_file_to_location() { # copies a file, using scp if required.
 put $fromfile
 _EOF
 else
- mkdir -p "$(dirname "$to")"
- if [ $? -gt 0 ]; then
+ if ! mkdir -p "$(dirname "$to")" ; then
 error_exit "cannot create ACL directory $(basename "$to")"
 fi
- cp -p "$from" "$to"
- if [ $? -ne 0 ]; then
+ if ! cp -p "$from" "$to" ; then
 error_exit "cannot copy $from to $to"
 fi
+ if [[ ! -z "$TOKEN_USER_ID" ]]; then
+ chown "$TOKEN_USER_ID" "$to"
+ fi
 fi
 debug "copied $from to $to"
 fi
@@ -700,7 +711,8 @@ help_message() { # print out the help message
 }
 hex2bin() { # Remove spaces, add leading zero, escape as hex string and parse with printf
- printf -- "$(cat | os_esed -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g')"
+# printf -- "$(cat | os_esed -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g')"
+ echo -e -n "$(cat | os_esed -e 's/[[:space:]]//g' -e 's/^(.(.{2})*)$/0\1/' -e 's/(.{2})/\\x\1/g')"
 }
 info() { # write out info as long as the quiet flag has not been set.
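Review bot: The new remote ownership step `ssh "$servername" "chown $TOKEN_USER_ID $tofile"` is neither checked nor quoted: the scp two lines above is fatal on failure, but a chown that fails (unknown user, path owned by root) is silently ignored, and `$tofile`/`$TOKEN_USER_ID` are pasted into a command string that the remote shell re-splits, so a path containing spaces or shell metacharacters breaks or runs something else. Suggest `if ! ssh "$servername" "chown $(printf '%q' "$TOKEN_USER_ID") $(printf '%q' "$tofile")"; then` / `error_exit "cannot change owner of ${to:4} to $TOKEN_USER_ID"` / `fi`. Splitting `$to` with `awk -F":"` also truncates a remote path that itself contains a colon, which the `${to#ssh:}` / `${servername%%:*}` parameter expansions would avoid without spawning echo and awk. The ftp branch at the end of this hunk refuses anything where `"$cert" != "challenge token"`, which indicates this function also installs certificates and keys; the chown would presumably want the same guard so private keys are not handed to the token owner. copy_file_to_location starts before this hunk and continues after it.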
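Review bot: The added `chown "$TOKEN_USER_ID" "$to"` after `cp -p` runs for every file this function copies, not just challenge tokens: the ftp branch in the preceding hunk rejects anything where `"$cert" != "challenge token"` precisely because the same function also places certificates and keys, so with TOKEN_USER_ID set a freshly copied private key would be chowned to the token owner (presumably the web-server account) as well. Guard on the file type and check the result the way the `cp -p` above is checked: `if [[ -n "$TOKEN_USER_ID" && "$cert" == "challenge token" ]]; then` / `chown "$TOKEN_USER_ID" "$to" || error_exit "cannot change owner of $to to $TOKEN_USER_ID"` / `fi`. `[[ -n … ]]` is also the clearer form of `[[ ! -z … ]]`, in keeping with the shellcheck clean-up this release is about. copy_file_to_location starts before this hunk.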
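Review bot: The header comment on `hex2bin()` still says "parse with printf" while the body now uses `echo -e -n`, and the old `printf --` line is kept as a commented-out duplicate; delete the dead line and update the comment to `# Remove spaces, add leading zero, escape as \xHH and decode with echo -e`. `echo -e` is bash-builtin behaviour (with `shopt -s xpg_echo`, or under a POSIX sh, the `-e` is printed literally), so if the motivation was to stop feeding decoded data in as printf's format string, `printf '%b' "$(cat | os_esed …)"` gives the same `\xHH` expansion in bash without depending on echo's option handling. If the switch was made for another reason — a printf lacking `\x` support on some platform, say — a one-line why-comment here would spare the next reader re-deriving it.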
@@ -783,8 +795,7 @@ reload_service() { # Runs a command to reload services ( via ssh if needed)
 sleep 2
 else
 debug "running reload command $RELOAD_CMD"
- eval "$RELOAD_CMD"
- if [ $? -gt 0 ]; then
+ if ! eval "$RELOAD_CMD" ; then
 error_exit "error running $RELOAD_CMD"
 fi
 fi
@@ -868,7 +879,7 @@ send_signed_request() { # Sends a request to the ACME server, signed with your p
 response=$($CURL -X POST --data "$body" "$url")
 fi
- responseHeaders=$(sed 's/\r//g' "$CURL_HEADER")
+ responseHeaders=$(cat "$CURL_HEADER")
 debug responseHeaders "$responseHeaders"
 debug response "$response"
 code=$(awk ' $1 ~ "^HTTP" {print $2}' "$CURL_HEADER" | tail -1)
@@ -1187,6 +1198,7 @@ fi
 # read any variables from config in working directory
 if [ -s "$WORKING_DIR/getssl.cfg" ]; then
 debug "reading config from $WORKING_DIR/getssl.cfg"
+ # shellcheck source=/dev/null
 . "$WORKING_DIR/getssl.cfg"
 fi
@@ -1293,6 +1305,7 @@ fi
 # read any variables from config in domain directory
 if [ -s "$DOMAIN_DIR/getssl.cfg" ]; then
 debug "reading config from $DOMAIN_DIR/getssl.cfg"
+ # shellcheck source=/dev/null
 . "$DOMAIN_DIR/getssl.cfg"
 fi
@@ -1541,7 +1554,6 @@ for d in $alldomains; do
 else
 DOMAIN_ACL="${ACL[$dn]}"
 fi
- debug "domain $d has location ${DOMAIN_ACL}"
 # check if we have the information needed to place the challenge
 if [[ $VALIDATE_VIA_DNS == "true" ]]; then
@@ -1554,6 +1566,8 @@ for d in $alldomains; do
 else
 if [ -z "${DOMAIN_ACL}" ]; then
 error_exit "ACL location not specified for domain $d in $DOMAIN_DIR/getssl.cfg"
+ else
+ debug "domain $d has ACL = ${DOMAIN_ACL}"
 fi
 fi
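Review bot: Replacing `sed 's/\r//g' "$CURL_HEADER"` with `cat` leaves the CR of every HTTP header line inside `$responseHeaders`; the only consumer this commit adjusts is the `deactivate_url` extraction (which now appends `tr -d "\r"`), so any other place in the file that pulls a value out of `$responseHeaders` with awk — a Location or Link lookup, if there is one — will now carry a trailing `\r` into the URL it builds, and the stray byte is invisible in the debug output. If moving the stripping to each consumer was not the goal, keep it centralised here: `responseHeaders=$(tr -d '\r' < "$CURL_HEADER")`, which still drops the sed call and makes the later `tr -d` redundant. The `code=` line below reads `$CURL_HEADER` directly and takes `$2`, so it is unaffected either way. send_signed_request starts before this hunk and continues after it.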
@@ -1569,9 +1583,10 @@ for d in $alldomains; do
 if [[ $response_status == "valid" ]]; then
 info "$d is already validated"
 if [[ "$DEACTIVATE_AUTH" == "true" ]]; then
- deactivate_url=$(echo "$responseHeaders" | awk ' $1 ~ "^Location" {print $2}')
- deactivate_url_list="$deactivate_url_list $deactivate_url"
- debug "url added to deactivate list $deactivate_url"
+ deactivate_url="$(echo "$responseHeaders" | awk ' $1 ~ "^Location" {print $2}' | tr -d "\r")"
+ deactivate_url_list+=" $deactivate_url "
+ debug "url added to deactivate list ${deactivate_url}"
+ debug "deactivate list is now $deactivate_url_list"
 fi
 # increment domain-counter
 let dn=dn+1;
@@ -1597,8 +1612,7 @@ for d in $alldomains; do
 debug auth_key "$auth_key"
 debug "adding dns via command: $DNS_ADD_COMMAND $d $auth_key"
- eval "$DNS_ADD_COMMAND" "$d" "$auth_key"
- if [ $? -gt 0 ]; then
+ if ! eval "$DNS_ADD_COMMAND" "$d" "$auth_key" ; then
 error_exit "DNS_ADD_COMMAND failed for domain $d"
 fi
@@ -1694,6 +1708,7 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
 for dnsfile in $TEMP_DIR/dns_verify/*; do
 if [ -e "$dnsfile" ]; then
 debug "loading DNSfile: $dnsfile"
+ # shellcheck source=/dev/null
 . "$dnsfile"
 # check for token at public dns server, waiting for a valid response.
@@ -1739,6 +1754,7 @@ if [[ $VALIDATE_VIA_DNS == "true" ]]; then
 for dnsfile in $TEMP_DIR/dns_verify/*; do
 if [ -e "$dnsfile" ]; then
 debug "loading DNSfile: $dnsfile"
+ # shellcheck source=/dev/null
 . "$dnsfile"
 check_challenge_completion "$uri" "$d" "$keyauthorization"
@@ -1833,7 +1849,7 @@ reload_service
 # deactivate authorizations
 if [[ "$DEACTIVATE_AUTH" == "true" ]]; then
- debug "in deactivate list should be $deactivate_url_list"
+ debug "in deactivate list is $deactivate_url_list"
 for deactivate_url in $deactivate_url_list; do
 debug "deactivating $deactivate_url"
 send_signed_request "$deactivate_url" "{\"resource\": \"authz\", \"status\": \"deactivated\"}"