Bot Updating Package Versions

Remove defunct cloudxns plugin

.github/workflows/call_invalid_helper.yml

@@ -0,0 +1,12 @@
+name: Comment on invalid interaction
+on:
+  issues:
+    types:
+      - labeled
+jobs:
+  add-comment-on-invalid:
+    if: github.event.label.name == 'invalid'
+    permissions:
+      issues: write
+    uses: linuxserver/github-workflows/.github/workflows/invalid-interaction-helper.yml@v1
+    secrets: inherit

Dockerfile

@@ -107,7 +107,6 @@ RUN \
     certbot-dns-aliyun \
     certbot-dns-azure \
     certbot-dns-cloudflare \
-    certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-desec \
     certbot-dns-digitalocean \

Dockerfile.aarch64

@@ -107,7 +107,6 @@ RUN \
     certbot-dns-aliyun \
     certbot-dns-azure \
     certbot-dns-cloudflare \
-    certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-desec \
     certbot-dns-digitalocean \

Dockerfile.armhf

@@ -107,7 +107,6 @@ RUN \
     certbot-dns-aliyun \
     certbot-dns-azure \
     certbot-dns-cloudflare \
-    certbot-dns-cloudxns \
     certbot-dns-cpanel \
     certbot-dns-desec \
     certbot-dns-digitalocean \

README.md

@@ -214,7 +214,7 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-e VALIDATION=http` | Certbot validation method to use, options are `http` or `dns` (`dns` method also requires `DNSPLUGIN` variable set). |
 | `-e SUBDOMAINS=www,` | Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only) |
 | `-e CERTPROVIDER=` | Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt. |
-| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cloudxns`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
+| `-e DNSPLUGIN=cloudflare` | Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`. |
 | `-e PROPAGATION=` | Optionally override (in seconds) the default propagation time for the dns plugins. |
 | `-e EMAIL=` | Optional e-mail address used for cert expiration notifications (Required for ZeroSSL). |
 | `-e ONLY_SUBDOMAINS=false` | If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true` |
@@ -335,6 +335,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **03.12.22:** - Remove defunct cloudxns plugin.
 * **22.11.22:** - Pin acme to the same version as certbot.
 * **22.11.22:** - Pin certbot to 1.32.0 until plugin compatibility improves.
 * **05.11.22:** - Update acmedns plugin handling.

package_versions.txt

@@ -211,7 +211,7 @@ py3-toml-0.10.2-r2
 py3-tomli-1.2.2-r0
 py3-urllib3-1.26.7-r0
 py3-webencodings-0.5.1-r4
-python3-3.9.15-r0
+python3-3.9.16-r0
 readline-8.1.1-r0
 s6-ipcserver-2.11.0.0-r0
 scanelf-1.3.3-r0

readme-vars.yml

@@ -51,7 +51,7 @@ opt_param_usage_include_env: true
 opt_param_env_vars:
   - { env_var: "SUBDOMAINS", env_value: "www,", desc: "Subdomains you'd like the cert to cover (comma separated, no spaces) ie. `www,ftp,cloud`. For a wildcard cert, set this *exactly* to `wildcard` (wildcard cert is available via `dns` validation only)" }
   - { env_var: "CERTPROVIDER", env_value: "", desc: "Optionally define the cert provider. Set to `zerossl` for ZeroSSL certs (requires existing [ZeroSSL account](https://app.zerossl.com/signup) and the e-mail address entered in `EMAIL` env var). Otherwise defaults to Let's Encrypt." }
-  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cloudxns`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
+  - { env_var: "DNSPLUGIN", env_value: "cloudflare", desc: "Required if `VALIDATION` is set to `dns`. Options are `acmedns`, `aliyun`, `azure`, `cloudflare`, `cpanel`, `desec`, `digitalocean`, `directadmin`, `dnsimple`, `dnsmadeeasy`, `dnspod`, `do`, `domeneshop`, `duckdns`, `dynu`, `gandi`, `gehirn`, `godaddy`, `google`, `he`, `hetzner`, `infomaniak`, `inwx`, `ionos`, `linode`, `loopia`, `luadns`, `netcup`, `njalla`, `nsone`, `ovh`, `porkbun`, `rfc2136`, `route53`, `sakuracloud`, `standalone`, `transip`, and `vultr`. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under `/config/dns-conf`." }
   - { env_var: "PROPAGATION", env_value: "", desc: "Optionally override (in seconds) the default propagation time for the dns plugins." }
   - { env_var: "EMAIL", env_value: "", desc: "Optional e-mail address used for cert expiration notifications (Required for ZeroSSL)." }
   - { env_var: "ONLY_SUBDOMAINS", env_value: "false", desc: "If you wish to get certs only for certain subdomains, but not the main domain (main domain may be hosted on another machine and cannot be validated), set this to `true`" }
@@ -157,6 +157,7 @@ app_setup_nginx_reverse_proxy_block: ""
 
 # changelog
 changelogs:
+  - { date: "03.12.22:", desc: "Remove defunct cloudxns plugin."}
   - { date: "22.11.22:", desc: "Pin acme to the same version as certbot."}
   - { date: "22.11.22:", desc: "Pin certbot to 1.32.0 until plugin compatibility improves."}
   - { date: "05.11.22:", desc: "Update acmedns plugin handling."}

root/app/le-renew.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 echo "<------------------------------------------------->"
 echo

root/defaults/dns-conf/cloudxns.ini

@@ -1,4 +0,0 @@
-# Instructions: https://github.com/certbot/certbot/blob/master/certbot-dns-cloudxns/certbot_dns_cloudxns/__init__.py#L20
-# Replace with your values
-dns_cloudxns_api_key = 1234567890abcdef1234567890abcdef
-dns_cloudxns_secret_key = 1122334455667788

root/defaults/etc/letsencrypt/renewal-hooks/deploy/10-default

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 cd /config/keys/letsencrypt || exit 1
 openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:

root/defaults/etc/letsencrypt/renewal-hooks/post/10-nginx

@@ -1,13 +1,15 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
+# shellcheck source=/dev/null
 . /config/.donoteditthisfile.conf
 
-if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then
+if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
-	if ps aux | grep 's6-supervise nginx' | grep -v grep >/dev/null; then
+	if pgrep -f "s6-supervise nginx" >/dev/null; then
 		s6-svc -u /run/service/nginx
 	fi
 else
-	if ps aux | grep [n]ginx: >/dev/null; then
+	if pgrep -f "nginx:" >/dev/null; then
 		s6-svc -h /run/service/nginx
 	fi
 fi

root/defaults/etc/letsencrypt/renewal-hooks/pre/10-nginx

@@ -1,9 +1,11 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
+# shellcheck source=/dev/null
 . /config/.donoteditthisfile.conf
 
-if [ ! "$ORIGVALIDATION" = "dns" ] && [ ! "$ORIGVALIDATION" = "duckdns" ]; then
+if [[ ! "${ORIGVALIDATION}" = "dns" ]] && [[ ! "${ORIGVALIDATION}" = "duckdns" ]]; then
-	if ps aux | grep [n]ginx: >/dev/null; then
+	if pgrep -f "nginx:" >/dev/null; then
 		s6-svc -d /run/service/nginx
 	fi
 fi

root/etc/cont-init.d/30-test-run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # Echo init finish for test runs
 if [[ -n "${TEST_RUN}" ]]; then

root/etc/cont-init.d/31-require-url

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # check to make sure that the required variables are set
 if [[ -z "${URL}" ]]; then

root/etc/cont-init.d/40-folders

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # make our folders and links
 mkdir -p \

root/etc/cont-init.d/41-samples

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # samples are removed on init by the nginx base
 

root/etc/cont-init.d/42-fail2ban

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # copy/update the fail2ban config defaults to/in /config
 cp -R /defaults/fail2ban/filter.d /config/fail2ban/

root/etc/cont-init.d/43-crontabs

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # copy crontabs if needed
 if [[ ! -f /config/crontabs/root ]]; then

root/etc/cont-init.d/45-nginx

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # copy default config files if they don't exist
 if [[ ! -f /config/nginx/proxy.conf ]]; then

root/etc/cont-init.d/50-certbot

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # Display variables for troubleshooting
 echo -e "Variables set:\\n\
@@ -18,12 +19,12 @@ STAGING=${STAGING}\\n"
 # Sanitize variables
 SANED_VARS=(DNSPLUGIN EMAIL EXTRA_DOMAINS ONLY_SUBDOMAINS STAGING SUBDOMAINS URL VALIDATION CERTPROVIDER)
 for i in "${SANED_VARS[@]}"; do
-    export echo "$i"="${!i//\"/}"
+    export echo "${i}"="${!i//\"/}"
-    export echo "$i"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
+    export echo "${i}"="$(echo "${!i}" | tr '[:upper:]' '[:lower:]')"
 done
 
 # check to make sure DNSPLUGIN is selected if dns validation is used
-if [[ "$VALIDATION" = "dns" ]] && [[ ! "$DNSPLUGIN" =~ ^(acmedns|aliyun|azure|cloudflare|cloudxns|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
+if [[ "${VALIDATION}" = "dns" ]] && [[ ! "${DNSPLUGIN}" =~ ^(acmedns|aliyun|azure|cloudflare|cpanel|desec|digitalocean|directadmin|dnsimple|dnsmadeeasy|dnspod|do|domeneshop|duckdns|dynu|gandi|gehirn|godaddy|google|he|hetzner|infomaniak|inwx|ionos|linode|loopia|luadns|netcup|njalla|nsone|ovh|porkbun|rfc2136|route53|sakuracloud|standalone|transip|vultr)$ ]]; then
     echo "Please set the DNSPLUGIN variable to a valid plugin name. See docker info for more details."
     sleep infinity
 fi
@@ -46,34 +47,34 @@ cp -nR /defaults/etc/letsencrypt/renewal-hooks/* /config/etc/letsencrypt/renewal
 chown -R abc:abc /config/etc/letsencrypt/renewal-hooks
 
 # create original config file if it doesn't exist, move non-hidden legacy file to hidden
-if [ -f "/config/donoteditthisfile.conf" ]; then
+if [[ -f "/config/donoteditthisfile.conf" ]]; then
     mv /config/donoteditthisfile.conf /config/.donoteditthisfile.conf
 fi
-if [ ! -f "/config/.donoteditthisfile.conf" ]; then
+if [[ ! -f "/config/.donoteditthisfile.conf" ]]; then
-    echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf
+    echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
     echo "Created .donoteditthisfile.conf"
 fi
 
 # load original config settings
-# shellcheck disable=SC1091
+# shellcheck source=/dev/null
 . /config/.donoteditthisfile.conf
 
 # set default validation to http
-if [ -z "$VALIDATION" ]; then
+if [[ -z "${VALIDATION}" ]]; then
     VALIDATION="http"
     echo "VALIDATION parameter not set; setting it to http"
 fi
 
 # set duckdns validation to dns
-if [ "$VALIDATION" = "duckdns" ]; then
+if [[ "${VALIDATION}" = "duckdns" ]]; then
     VALIDATION="dns"
     DNSPLUGIN="duckdns"
-    if [ -n "$DUCKDNSTOKEN" ] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini;then
+    if [[ -n "${DUCKDNSTOKEN}" ]] && ! grep -q "dns_duckdns_token=${DUCKDNSTOKEN}$" /config/dns-conf/duckdns.ini; then
         sed -i "s|^dns_duckdns_token=.*|dns_duckdns_token=${DUCKDNSTOKEN}|g" /config/dns-conf/duckdns.ini
     fi
 fi
-if [ "$VALIDATION" = "dns" ] && [ "$DNSPLUGIN" = "duckdns" ]; then
+if [[ "${VALIDATION}" = "dns" ]] && [[ "${DNSPLUGIN}" = "duckdns" ]]; then
-    if [ "$SUBDOMAINS" = "wildcard" ]; then
+    if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
         echo "the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org"
         export ONLY_SUBDOMAINS=true
     else
@@ -84,16 +85,16 @@ if [ "$VALIDATION" = "dns" ] && [ "$DNSPLUGIN" = "duckdns" ]; then
 fi
 
 # if zerossl is selected or staging is set to true, use the relevant server
-if [ "$CERTPROVIDER" = "zerossl" ] && [ "$STAGING" = "true" ]; then
+if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ "${STAGING}" = "true" ]]; then
     echo "ZeroSSL does not support staging mode, ignoring STAGING variable"
 fi
-if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
+if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
-    echo "ZeroSSL is selected as the cert provider, registering cert with $EMAIL"
+    echo "ZeroSSL is selected as the cert provider, registering cert with ${EMAIL}"
     ACMESERVER="https://acme.zerossl.com/v2/DV90"
-elif [ "$CERTPROVIDER" = "zerossl" ] && [ -z "$EMAIL" ]; then
+elif [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -z "${EMAIL}" ]]; then
     echo "ZeroSSL is selected as the cert provider, but the e-mail address has not been entered. Please visit https://zerossl.com, register a new account and set the account e-mail address in the EMAIL environment variable"
     sleep infinity
-elif [ "$STAGING" = "true" ]; then
+elif [[ "${STAGING}" = "true" ]]; then
     echo "NOTICE: Staging is active"
     echo "Using Let's Encrypt as the cert provider"
     ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
@@ -103,46 +104,46 @@ else
 fi
 
 # figuring out url only vs url & subdomains vs subdomains only
-if [ -n "$SUBDOMAINS" ]; then
+if [[ -n "${SUBDOMAINS}" ]]; then
     echo "SUBDOMAINS entered, processing"
-    if [ "$SUBDOMAINS" = "wildcard" ]; then
+    if [[ "${SUBDOMAINS}" = "wildcard" ]]; then
-        if [ "$ONLY_SUBDOMAINS" = true ]; then
+        if [[ "${ONLY_SUBDOMAINS}" = true ]]; then
             export URL_REAL="-d *.${URL}"
-            echo "Wildcard cert for only the subdomains of $URL will be requested"
+            echo "Wildcard cert for only the subdomains of ${URL} will be requested"
         else
             export URL_REAL="-d *.${URL} -d ${URL}"
-            echo "Wildcard cert for $URL will be requested"
+            echo "Wildcard cert for ${URL} will be requested"
         fi
     else
         echo "SUBDOMAINS entered, processing"
-        for job in $(echo "$SUBDOMAINS" | tr "," " "); do
+        for job in $(echo "${SUBDOMAINS}" | tr "," " "); do
-            export SUBDOMAINS_REAL="$SUBDOMAINS_REAL -d ${job}.${URL}"
+            export SUBDOMAINS_REAL="${SUBDOMAINS_REAL} -d ${job}.${URL}"
         done
-        if [ "$ONLY_SUBDOMAINS" = true ]; then
+        if [[ "${ONLY_SUBDOMAINS}" = true ]]; then
-            URL_REAL="$SUBDOMAINS_REAL"
+            URL_REAL="${SUBDOMAINS_REAL}"
             echo "Only subdomains, no URL in cert"
         else
             URL_REAL="-d ${URL}${SUBDOMAINS_REAL}"
         fi
-        echo "Sub-domains processed are: $SUBDOMAINS_REAL"
+        echo "Sub-domains processed are: ${SUBDOMAINS_REAL}"
     fi
 else
     echo "No subdomains defined"
-    URL_REAL="-d $URL"
+    URL_REAL="-d ${URL}"
 fi
 
 # add extra domains
-if [ -n "$EXTRA_DOMAINS" ]; then
+if [[ -n "${EXTRA_DOMAINS}" ]]; then
     echo "EXTRA_DOMAINS entered, processing"
-    for job in $(echo "$EXTRA_DOMAINS" | tr "," " "); do
+    for job in $(echo "${EXTRA_DOMAINS}" | tr "," " "); do
-        export EXTRA_DOMAINS_REAL="$EXTRA_DOMAINS_REAL -d ${job}"
+        export EXTRA_DOMAINS_REAL="${EXTRA_DOMAINS_REAL} -d ${job}"
     done
-    echo "Extra domains processed are: $EXTRA_DOMAINS_REAL"
+    echo "Extra domains processed are: ${EXTRA_DOMAINS_REAL}"
-    URL_REAL="$URL_REAL $EXTRA_DOMAINS_REAL"
+    URL_REAL="${URL_REAL} ${EXTRA_DOMAINS_REAL}"
 fi
 
 # figuring out whether to use e-mail and which
-if [[ $EMAIL == *@* ]]; then
+if [[ ${EMAIL} == *@* ]]; then
     echo "E-mail address entered: ${EMAIL}"
     EMAILPARAM="-m ${EMAIL} --no-eff-email"
 else
@@ -151,34 +152,34 @@ else
 fi
 
 # setting the validation method to use
-if [ "$VALIDATION" = "dns" ]; then
+if [[ "${VALIDATION}" = "dns" ]]; then
-    if [ "$DNSPLUGIN" = "route53" ]; then
+    if [[ "${DNSPLUGIN}" = "route53" ]]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="--dns-${DNSPLUGIN} ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(azure|gandi)$ ]]; then
+    elif [[ "${DNSPLUGIN}" =~ ^(azure|gandi)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
+        if [[ -n "${PROPAGATION}" ]]; then echo "${DNSPLUGIN} dns plugin does not support setting propagation time"; fi
         PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini"
-    elif [[ "$DNSPLUGIN" =~ ^(duckdns)$ ]]; then
+    elif [[ "${DNSPLUGIN}" =~ ^(duckdns)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini --dns-duckdns-no-txt-restore ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(google)$ ]]; then
+    elif [[ "${DNSPLUGIN}" =~ ^(google)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.json ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(acmedns|aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then
+    elif [[ "${DNSPLUGIN}" =~ ^(acmedns|aliyun|cpanel|desec|dnspod|do|domeneshop|dynu|godaddy|he|hetzner|infomaniak|inwx|ionos|loopia|netcup|njalla|porkbun|transip|vultr)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="-a dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
-    elif [[ "$DNSPLUGIN" =~ ^(standalone)$ ]]; then
+    elif [[ "${DNSPLUGIN}" =~ ^(standalone)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then echo "standalone dns plugin does not support setting propagation time"; fi
+        if [[ -n "${PROPAGATION}" ]]; then echo "standalone dns plugin does not support setting propagation time"; fi
         PREFCHAL="-a dns-${DNSPLUGIN}"
-    elif [[ "$DNSPLUGIN" =~ ^(directadmin)$ ]]; then
+    elif [[ "${DNSPLUGIN}" =~ ^(directadmin)$ ]]; then
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="-a ${DNSPLUGIN} --${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
     else
-        if [ -n "$PROPAGATION" ]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
+        if [[ -n "${PROPAGATION}" ]]; then PROPAGATIONPARAM="--dns-${DNSPLUGIN}-propagation-seconds ${PROPAGATION}"; fi
         PREFCHAL="--dns-${DNSPLUGIN} --dns-${DNSPLUGIN}-credentials /config/dns-conf/${DNSPLUGIN}.ini ${PROPAGATIONPARAM}"
     fi
     echo "${VALIDATION} validation via ${DNSPLUGIN} plugin is selected"
-elif [ "$VALIDATION" = "tls-sni" ]; then
+elif [[ "${VALIDATION}" = "tls-sni" ]]; then
     PREFCHAL="--standalone --preferred-challenges http"
     echo "*****tls-sni validation has been deprecated, attempting http validation instead"
 else
@@ -188,69 +189,69 @@ fi
 
 # setting the symlink for key location
 rm -rf /config/keys/letsencrypt
-if [ "$ONLY_SUBDOMAINS" = "true" ] && [ ! "$SUBDOMAINS" = "wildcard" ]; then
+if [[ "${ONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${SUBDOMAINS}" = "wildcard" ]]; then
-    DOMAIN="$(echo "$SUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${URL}"
+    DOMAIN="$(echo "${SUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${URL}"
-    ln -s ../etc/letsencrypt/live/"$DOMAIN" /config/keys/letsencrypt
+    ln -s ../etc/letsencrypt/live/"${DOMAIN}" /config/keys/letsencrypt
 else
-    ln -s ../etc/letsencrypt/live/"$URL" /config/keys/letsencrypt
+    ln -s ../etc/letsencrypt/live/"${URL}" /config/keys/letsencrypt
 fi
 
 # checking for changes in cert variables, revoking certs if necessary
-if [ ! "$URL" = "$ORIGURL" ] || [ ! "$SUBDOMAINS" = "$ORIGSUBDOMAINS" ] || [ ! "$ONLY_SUBDOMAINS" = "$ORIGONLY_SUBDOMAINS" ] || [ ! "$EXTRA_DOMAINS" = "$ORIGEXTRA_DOMAINS" ] || [ ! "$VALIDATION" = "$ORIGVALIDATION" ] || [ ! "$DNSPLUGIN" = "$ORIGDNSPLUGIN" ] || [ ! "$PROPAGATION" = "$ORIGPROPAGATION" ] || [ ! "$STAGING" = "$ORIGSTAGING" ] || [ ! "$CERTPROVIDER" = "$ORIGCERTPROVIDER" ]; then
+if [[ ! "${URL}" = "${ORIGURL}" ]] || [[ ! "${SUBDOMAINS}" = "${ORIGSUBDOMAINS}" ]] || [[ ! "${ONLY_SUBDOMAINS}" = "${ORIGONLY_SUBDOMAINS}" ]] || [[ ! "${EXTRA_DOMAINS}" = "${ORIGEXTRA_DOMAINS}" ]] || [[ ! "${VALIDATION}" = "${ORIGVALIDATION}" ]] || [[ ! "${DNSPLUGIN}" = "${ORIGDNSPLUGIN}" ]] || [[ ! "${PROPAGATION}" = "${ORIGPROPAGATION}" ]] || [[ ! "${STAGING}" = "${ORIGSTAGING}" ]] || [[ ! "${CERTPROVIDER}" = "${ORIGCERTPROVIDER}" ]]; then
     echo "Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created"
-    if [ "$ORIGONLY_SUBDOMAINS" = "true" ] && [ ! "$ORIGSUBDOMAINS" = "wildcard" ]; then
+    if [[ "${ORIGONLY_SUBDOMAINS}" = "true" ]] && [[ ! "${ORIGSUBDOMAINS}" = "wildcard" ]]; then
-        ORIGDOMAIN="$(echo "$ORIGSUBDOMAINS" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
+        ORIGDOMAIN="$(echo "${ORIGSUBDOMAINS}" | tr ',' ' ' | awk '{print $1}').${ORIGURL}"
     else
-        ORIGDOMAIN="$ORIGURL"
+        ORIGDOMAIN="${ORIGURL}"
     fi
-    if [ "$ORIGCERTPROVIDER" = "zerossl" ] && [ -n "$ORIGEMAIL" ]; then
+    if [[ "${ORIGCERTPROVIDER}" = "zerossl" ]] && [[ -n "${ORIGEMAIL}" ]]; then
-        REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$ORIGEMAIL")
+        REV_EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${ORIGEMAIL}")
-        REV_ZEROSSL_EAB_KID=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
+        REV_ZEROSSL_EAB_KID=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-        REV_ZEROSSL_EAB_HMAC_KEY=$(echo "$REV_EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        REV_ZEROSSL_EAB_HMAC_KEY=$(echo "${REV_EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
-        if [ -z "$REV_ZEROSSL_EAB_KID" ] || [ -z "$REV_ZEROSSL_EAB_HMAC_KEY" ]; then
+        if [[ -z "${REV_ZEROSSL_EAB_KID}" ]] || [[ -z "${REV_ZEROSSL_EAB_HMAC_KEY}" ]]; then
             echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
             sleep infinity
         fi
         REV_ACMESERVER="https://acme.zerossl.com/v2/DV90 --eab-kid ${REV_ZEROSSL_EAB_KID} --eab-hmac-key ${REV_ZEROSSL_EAB_HMAC_KEY}"
-    elif [ "$ORIGSTAGING" = "true" ]; then
+    elif [[ "${ORIGSTAGING}" = "true" ]]; then
         REV_ACMESERVER="https://acme-staging-v02.api.letsencrypt.org/directory"
     else
         REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
     fi
-    if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then
+    if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
+        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER}
     fi
     rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
 fi
 
 # saving new variables
-echo -e "ORIGURL=\"$URL\" ORIGSUBDOMAINS=\"$SUBDOMAINS\" ORIGONLY_SUBDOMAINS=\"$ONLY_SUBDOMAINS\" ORIGEXTRA_DOMAINS=\"$EXTRA_DOMAINS\" ORIGVALIDATION=\"$VALIDATION\" ORIGDNSPLUGIN=\"$DNSPLUGIN\" ORIGPROPAGATION=\"$PROPAGATION\" ORIGSTAGING=\"$STAGING\" ORIGCERTPROVIDER=\"$CERTPROVIDER\" ORIGEMAIL=\"$EMAIL\"" >/config/.donoteditthisfile.conf
+echo -e "ORIGURL=\"${URL}\" ORIGSUBDOMAINS=\"${SUBDOMAINS}\" ORIGONLY_SUBDOMAINS=\"${ONLY_SUBDOMAINS}\" ORIGEXTRA_DOMAINS=\"${EXTRA_DOMAINS}\" ORIGVALIDATION=\"${VALIDATION}\" ORIGDNSPLUGIN=\"${DNSPLUGIN}\" ORIGPROPAGATION=\"${PROPAGATION}\" ORIGSTAGING=\"${STAGING}\" ORIGCERTPROVIDER=\"${CERTPROVIDER}\" ORIGEMAIL=\"${EMAIL}\"" >/config/.donoteditthisfile.conf
 
 # alter extension for error message
-if [ "$DNSPLUGIN" = "google" ]; then
+if [[ "${DNSPLUGIN}" = "google" ]]; then
-    FILENAME="$DNSPLUGIN.json"
+    FILENAME="${DNSPLUGIN}.json"
 else
-    FILENAME="$DNSPLUGIN.ini"
+    FILENAME="${DNSPLUGIN}.ini"
 fi
 
 # Check if the cert is using the old LE root cert, revoke and regen if necessary
-if [ -f "/config/keys/letsencrypt/chain.pem" ] && { [ "${CERTPROVIDER}" == "letsencrypt" ] || [ "${CERTPROVIDER}" == "" ]; } && [ "${STAGING}" != "true" ] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
+if [[ -f "/config/keys/letsencrypt/chain.pem" ]] && { [[ "${CERTPROVIDER}" == "letsencrypt" ]] || [[ "${CERTPROVIDER}" == "" ]]; } && [[ "${STAGING}" != "true" ]] && ! openssl x509 -in /config/keys/letsencrypt/chain.pem -noout -issuer | grep -q "ISRG Root X"; then
     echo "The cert seems to be using the old LE root cert, which is no longer valid. Deleting and revoking."
     REV_ACMESERVER="https://acme-v02.api.letsencrypt.org/directory"
-    if [[ -f /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem ]]; then
+    if [[ -f /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem ]]; then
-        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"$ORIGDOMAIN"/fullchain.pem --server $REV_ACMESERVER
+        certbot revoke --non-interactive --cert-path /config/etc/letsencrypt/live/"${ORIGDOMAIN}"/fullchain.pem --server ${REV_ACMESERVER}
     fi
     rm -rf /config/etc/letsencrypt/{accounts,archive,live,renewal}
 fi
 
 # generating certs if necessary
-if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
+if [[ ! -f "/config/keys/letsencrypt/fullchain.pem" ]]; then
-    if [ "$CERTPROVIDER" = "zerossl" ] && [ -n "$EMAIL" ]; then
+    if [[ "${CERTPROVIDER}" = "zerossl" ]] && [[ -n "${EMAIL}" ]]; then
         echo "Retrieving EAB from ZeroSSL"
-        EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=$EMAIL")
+        EAB_CREDS=$(curl -s https://api.zerossl.com/acme/eab-credentials-email --data "email=${EMAIL}")
-        ZEROSSL_EAB_KID=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
+        ZEROSSL_EAB_KID=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_kid'])")
-        ZEROSSL_EAB_HMAC_KEY=$(echo "$EAB_CREDS" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
+        ZEROSSL_EAB_HMAC_KEY=$(echo "${EAB_CREDS}" | python3 -c "import sys, json; print(json.load(sys.stdin)['eab_hmac_key'])")
-        if [ -z "$ZEROSSL_EAB_KID" ] || [ -z "$ZEROSSL_EAB_HMAC_KEY" ]; then
+        if [[ -z "${ZEROSSL_EAB_KID}" ]] || [[ -z "${ZEROSSL_EAB_HMAC_KEY}" ]]; then
             echo "Unable to retrieve EAB credentials from ZeroSSL. Check the outgoing connections to api.zerossl.com and dns. Sleeping."
             sleep infinity
         fi
@@ -258,9 +259,9 @@ if [ ! -f "/config/keys/letsencrypt/fullchain.pem" ]; then
     fi
     echo "Generating new certificate"
     # shellcheck disable=SC2086
-    certbot certonly --non-interactive --renew-by-default --server $ACMESERVER $ZEROSSL_EAB $PREFCHAL --rsa-key-size 4096 $EMAILPARAM --agree-tos $URL_REAL
+    certbot certonly --non-interactive --renew-by-default --server ${ACMESERVER} ${ZEROSSL_EAB} ${PREFCHAL} --rsa-key-size 4096 ${EMAILPARAM} --agree-tos ${URL_REAL}
-    if [ ! -d /config/keys/letsencrypt ]; then
+    if [[ ! -d /config/keys/letsencrypt ]]; then
-        if [ "$VALIDATION" = "dns" ]; then
+        if [[ "${VALIDATION}" = "dns" ]]; then
             echo "ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/${FILENAME} file."
         else
             echo "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"
@@ -274,7 +275,7 @@ else
 fi
 
 # if certbot generated key exists, remove self-signed cert and replace it with symlink to live cert
-if [ -d /config/keys/letsencrypt ]; then
+if [[ -d /config/keys/letsencrypt ]]; then
     rm -rf /config/keys/cert.crt
     ln -s ./letsencrypt/fullchain.pem /config/keys/cert.crt
     rm -rf /config/keys/cert.key

root/etc/cont-init.d/55-permissions

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # permissions
 chown -R abc:abc \

root/etc/cont-init.d/60-renew

@@ -1,7 +1,8 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 # Check if the cert is expired or expires within a day, if so, renew
-if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then 
+if openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -checkend 86400 >/dev/null; then
     echo "The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am)."
 else
     echo "The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes."

root/etc/cont-init.d/70-outdated

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 if [[ -f /config/nginx/geoip2.conf ]]; then
     echo "/config/nginx/geoip2.conf exists.

root/etc/services.d/fail2ban/run

@@ -1,4 +1,5 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash
 
 exec \
     fail2ban-client -x -f start