When FULL_CHAIN_INCLUDE_ROOT is set, DOMAIN_CHAIN_LOCATION was sending just the intermediate and server cert. Copying $FULL_CHAIN instead of $CERT_FILE+$CA_CERT fixes this.

Add manual upgrade instructions for v2.43

Fix upgrade url issue

Add pre and post upgrade sanity checks
Fixes #718

Use `latest` tag instead of `master` in installation instructions

Fix -preferred-chain argument (#712)
Show help if no domain specified (#705)

Show help if no domain specified (#705)

Tests for pr706 and fix276

Add debug statement to investigate failures when running in github actions

Force new certificate if key alg changes (fixes #276)

delete key file when key alg has changed

dns_scripts for Azure CLI

Temporarily revert changes to upgrade using `make`

Reduce test noise

Remove credentials from test repository, support dns tests from forks, improve upgrades, fix cUrl version checks

getssl uses cURL's version to determine what command
options are valid.

The previous shortcuts will fail when curl V8.10 is
released.  (8.9 is greater than 8.10).  V8 is planned
for release, in part to avoid a minor version of 100,
which also would fail.

check_version() will compare full or partial version
strings by component, and is true if $1 is at least $2.

Upgrade test checks for "error" in output.

But release descriptions can have "fix error in ..."

Don't run this check.  Checking that a new version is detected suffices.

Use hard-coded default credentials for srvrco when GitHub secrets are
not installed.

This is a security issue for srvrco, but a fix seems to be difficult.

Use the GitHub release data to decide if an upgrade is available.

Only download the release if a newer stable release is published.

Install the full release - including the DNS scripts (requires "make")

Don't check for upgrades when restarting.

Remove --keep logic - only 1 old version is kept, only if make isn't available.
Old versions are availablel from the repo; if you have local changes, --upgrade doesn't make sense.

Can upgrade (or downgrade) to any tagged release with --experimental vx.yy

Note that GitHub API requests are rate-limited; this shouldn't be an issue
unless getssl is run more than ~60 times/hr.  If the limit is exceeded,
getssl will sleep until the limit is reset.  The limit is per-IP address.

The tests have been modified to only check for updates in the tests that
verify the check for updates logic.  This has the side effect of not
doing MANY pointless checks for updates in the tests...

Document the accounts and repo-specific domain names required to run the dynamic DNS tests.

Also document the GitHub "secrets" that must be stored for CI testing to work.

Avoids having to push, e.g. when adding a tag or updating credentials.

For now, srvrco is excluded.

The domain name will be <repo>-<os>-getssl.<duckdns.org|freedns.org>

Must be added to accounts on these services.

Some versions of nginx create directories, so use -p with mkdir.

Note: To add the secrets to your repository on GitHub

Goto Actions -> Settings -> Secrets

New Repository Secret

Add DUCKDNS_TOKEN
Add DYNU_API_KEY

Prefer API V2 when both offered in a single directory, improve test error reports

Verify that a unified directory, API V2 is selected.

Only run cURL once to determine it's version.

The first fail logic seems scoped to a single test file.

Set the flag globally.
Since the tests run in a container, cleanup is automagic.

Various test tweaks to allow for skipping tests & null strings.

From https://github.com/sstephenson/bats/issues/135 via @timkimber

The test harness will suppress output unless an error occurs.

Upgrade testing was failing in forked repos CI because the
source repo was hard-coded.  Use the CI environment to use
the fork's repo.

This doesn't happen with Let'sEncrypt, but it does with at least
one other CA.  The ACME spec allows it.

Fix copy_file_to_location failures with ssh, missing ftps://

More breadcrumbs.

debug() does this, but the automated tests aren't run with -d.
This also ensures that there is a breadcrumb if error_exit is
called without a preceding debug().

It's really hard to follow the breadcrumbs for debug when there
aren't any.

--insecure is almost always a bad idea.  In this case, it
is required for compatibility with Let's Encrypt.

Replace the less obvious '-k' with '--insecure' in the cURL
command, and document why it is used in the comments,

Prevent fallback to insecure when a secure protocol is requested.