
Merge remote-tracking branch 'upstream/master'

raidenii 8 years ago
parent
commit
4964e075df
1 changed files with 169 additions and 43 deletions
  1. 169 43
      acme.sh

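--- a/acme.sh
+++ b/acme.sh
@@ -366,6 +366,7 @@ _hasfield() {
   return 1 #not contains
 }
 
+# str index [sep]
 _getfield() {
   _str="$1"
   _findex="$2"
@@ -1152,7 +1153,7 @@ _ss() {
 
   if _exists "ss"; then
     _debug "Using: ss"
-    ss -ntpl | grep ":$_port "
+    ss -ntpl 2>/dev/null | grep ":$_port "
     return 0
   fi
 
@@ -1281,7 +1282,7 @@ createDomainKey() {
 
   _initpath "$domain" "$_cdl"
 
-  if [ ! -f "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]); then
+  if [ ! -f "$CERT_KEY_PATH" ] || ([ "$FORCE" ] && ! [ "$IS_RENEW" ]) || [ "$Le_ForceNewDomainKey" = "1" ]; then
     if _createkey "$_cdl" "$CERT_KEY_PATH"; then
       _savedomainconf Le_Keylength "$_cdl"
       _info "The domain key is here: $(__green $CERT_KEY_PATH)"
@@ -2196,7 +2197,9 @@ _initAPI() {
     export ACME_KEY_CHANGE="https://acme-v01.api.letsencrypt.org/acme/key-change"
     export ACME_NEW_AUTHZ="https://acme-v01.api.letsencrypt.org/acme/new-authz"
     export ACME_NEW_ORDER="https://acme-v01.api.letsencrypt.org/acme/new-cert"
+    export ACME_NEW_ORDER_RES="new-cert"
     export ACME_NEW_ACCOUNT="https://acme-v01.api.letsencrypt.org/acme/new-reg"
+    export ACME_NEW_ACCOUNT_RES="new-reg"
     export ACME_REVOKE_CERT="https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
   fi
 
@@ -2216,16 +2219,22 @@ _initAPI() {
     export ACME_NEW_AUTHZ
 
     ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-cert" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_ORDER_RES="new-cert"
     if [ -z "$ACME_NEW_ORDER" ]; then
       ACME_NEW_ORDER=$(echo "$response" | _egrep_o 'new-order" *: *"[^"]*"' | cut -d '"' -f 3)
+      ACME_NEW_ORDER_RES="new-order"
     fi
     export ACME_NEW_ORDER
+    export ACME_NEW_ORDER_RES
 
     ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-reg" *: *"[^"]*"' | cut -d '"' -f 3)
+    ACME_NEW_ACCOUNT_RES="new-reg"
     if [ -z "$ACME_NEW_ACCOUNT" ]; then
       ACME_NEW_ACCOUNT=$(echo "$response" | _egrep_o 'new-account" *: *"[^"]*"' | cut -d '"' -f 3)
+      ACME_NEW_ACCOUNT_RES="new-account"
     fi
     export ACME_NEW_ACCOUNT
+    export ACME_NEW_ACCOUNT_RES
 
     ACME_REVOKE_CERT=$(echo "$response" | _egrep_o 'revoke-cert" *: *"[^"]*"' | cut -d '"' -f 3)
     export ACME_REVOKE_CERT
@@ -2999,9 +3008,9 @@ _on_issue_err() {
   fi
 
   #trigger the validation to flush the pending authz
+  _debug2 "_chk_vlist" "$_chk_vlist"
   if [ "$_chk_vlist" ]; then
     (
-      _debug2 "_chk_vlist" "$_chk_vlist"
       _debug2 "start to deactivate authz"
       ventries=$(echo "$_chk_vlist" | tr "$dvsep" ' ')
       for ventry in $ventries; do
@@ -3073,14 +3082,13 @@ _regAccount() {
   _initpath
   _reg_length="$1"
 
+  mkdir -p "$CA_DIR"
   if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
-    mkdir -p "$CA_DIR"
     _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
     mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
   fi
 
   if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
-    mkdir -p "$CA_DIR"
     _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
     mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
   fi
@@ -3097,7 +3105,7 @@ _regAccount() {
   fi
   _initAPI
   _updateTos=""
-  _reg_res="new-reg"
+  _reg_res="$ACME_NEW_ACCOUNT_RES"
   while true; do
     _debug AGREEMENT "$AGREEMENT"
 
@@ -3127,7 +3135,7 @@ _regAccount() {
 
       _accUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
       _debug "_accUri" "$_accUri"
-
+      _savecaconf "ACCOUNT_URL" "$_accUri"
       _tos="$(echo "$responseHeaders" | grep "^Link:.*rel=\"terms-of-service\"" | _head_n 1 | _egrep_o "<.*>" | tr -d '<>')"
       _debug "_tos" "$_tos"
       if [ -z "$_tos" ]; then
@@ -3148,11 +3156,14 @@ _regAccount() {
         return 1
       fi
       if [ "$code" = '202' ]; then
-        _info "Update success."
+        _info "Update account tos info success."
 
         CA_KEY_HASH="$(__calcAccountKeyHash)"
         _debug "Calc CA_KEY_HASH" "$CA_KEY_HASH"
         _savecaconf CA_KEY_HASH "$CA_KEY_HASH"
+      elif [ "$code" = '403' ]; then
+        _err "It seems that the account key is already deactivated, please use a new account key."
+        return 1
       else
         _err "Update account error."
         return 1
@@ -3165,6 +3176,68 @@ _regAccount() {
 
 }
 
+#Implement deactivate account
+deactivateaccount() {
+  _initpath
+
+  if [ ! -f "$ACCOUNT_KEY_PATH" ] && [ -f "$_OLD_ACCOUNT_KEY" ]; then
+    _info "mv $_OLD_ACCOUNT_KEY to $ACCOUNT_KEY_PATH"
+    mv "$_OLD_ACCOUNT_KEY" "$ACCOUNT_KEY_PATH"
+  fi
+
+  if [ ! -f "$ACCOUNT_JSON_PATH" ] && [ -f "$_OLD_ACCOUNT_JSON" ]; then
+    _info "mv $_OLD_ACCOUNT_JSON to $ACCOUNT_JSON_PATH"
+    mv "$_OLD_ACCOUNT_JSON" "$ACCOUNT_JSON_PATH"
+  fi
+
+  if [ ! -f "$ACCOUNT_KEY_PATH" ]; then
+    _err "Account key is not found at: $ACCOUNT_KEY_PATH"
+    return 1
+  fi
+
+  _accUri=$(_readcaconf "ACCOUNT_URL")
+  _debug _accUri "$_accUri"
+
+  if [ -z "$_accUri" ]; then
+    _err "The account url is empty, please run '--update-account' first to update the account info first,"
+    _err "Then try again."
+    return 1
+  fi
+
+  if ! _calcjwk "$ACCOUNT_KEY_PATH"; then
+    return 1
+  fi
+  _initAPI
+
+  if _send_signed_request "$_accUri" "{\"resource\": \"reg\", \"status\":\"deactivated\"}" && _contains "$response" '"deactivated"'; then
+    _info "Deactivate account success for $_accUri."
+    _accid=$(echo "$response" | _egrep_o "\"id\" *: *[^,]*," | cut -d : -f 2 | tr -d ' ,')
+  elif [ "$code" = "403" ]; then
+    _info "The account is already deactivated."
+    _accid=$(_getfield "$_accUri" "999" "/")
+  else
+    _err "Deactivate: account failed for $_accUri."
+    return 1
+  fi
+
+  _debug "Account id: $_accid"
+  if [ "$_accid" ]; then
+    _deactivated_account_path="$CA_DIR/deactivated/$_accid"
+    _debug _deactivated_account_path "$_deactivated_account_path"
+    if mkdir -p "$_deactivated_account_path"; then
+      _info "Moving deactivated account info to $_deactivated_account_path/"
+      mv "$CA_CONF" "$_deactivated_account_path/"
+      mv "$ACCOUNT_JSON_PATH" "$_deactivated_account_path/"
+      mv "$ACCOUNT_KEY_PATH" "$_deactivated_account_path/"
+    else
+      _err "Can not create dir: $_deactivated_account_path, try to remove the deactivated account key."
+      rm -f "$CA_CONF"
+      rm -f "$ACCOUNT_JSON_PATH"
+      rm -f "$ACCOUNT_KEY_PATH"
+    fi
+  fi
+}
+
 # domain folder  file
 _findHook() {
   _hookdomain="$1"
@@ -3355,7 +3428,7 @@ issue() {
   else
     _key=$(_readdomainconf Le_Keylength)
     _debug "Read key length:$_key"
-    if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ]; then
+    if [ ! -f "$CERT_KEY_PATH" ] || [ "$_key_length" != "$_key" ] || [ "$Le_ForceNewDomainKey" = "1" ]; then
       if ! createDomainKey "$_main_domain" "$_key_length"; then
         _err "Create domain key error."
         _clearup
@@ -3498,7 +3571,7 @@ issue() {
 
         if [ "$?" != "0" ]; then
           _clearup
-          _on_issue_err "$_post_hook"
+          _on_issue_err "$_post_hook" "$vlist"
           return 1
         fi
         dnsadded='1'
@@ -3510,7 +3583,7 @@ issue() {
       _debug "Dns record not added yet, so, save to $DOMAIN_CONF and exit."
       _err "Please add the TXT records to the domains, and retry again."
       _clearup
-      _on_issue_err "$_post_hook"
+      _on_issue_err "$_post_hook" "$vlist"
       return 1
     fi
 
@@ -3761,7 +3834,7 @@ issue() {
   _info "Verify finished, start to sign."
   der="$(_getfile "${CSR_PATH}" "${BEGIN_CSR}" "${END_CSR}" | tr -d "\r\n" | _url_replace)"
 
-  if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"new-cert\", \"csr\": \"$der\"}" "needbase64"; then
+  if ! _send_signed_request "${ACME_NEW_ORDER}" "{\"resource\": \"$ACME_NEW_ORDER_RES\", \"csr\": \"$der\"}" "needbase64"; then
     _err "Sign failed."
     _on_issue_err "$_post_hook"
     return 1
@@ -3885,6 +3958,12 @@ issue() {
     _cleardomainconf Le_Listen_V4
   fi
 
+  if [ "$Le_ForceNewDomainKey" = "1" ]; then
+    _savedomainconf "Le_ForceNewDomainKey" "$Le_ForceNewDomainKey"
+  else
+    _cleardomainconf Le_ForceNewDomainKey
+  fi
+
   Le_NextRenewTime=$(_math "$Le_CertCreateTime" + "$Le_RenewalDays" \* 24 \* 60 \* 60)
 
   Le_NextRenewTimeStr=$(_time2str "$Le_NextRenewTime")
@@ -4479,26 +4558,51 @@ _deactivate() {
   _d_type="$2"
   _initpath
 
-  _d_i=0
-  _d_max_retry=9
-  while [ "$_d_i" -lt "$_d_max_retry" ]; do
-    _info "Deactivate: $_d_domain"
-    _d_i="$(_math $_d_i + 1)"
+  if ! __get_domain_new_authz "$_d_domain"; then
+    _err "Can not get domain new authz token."
+    return 1
+  fi
 
-    if ! __get_domain_new_authz "$_d_domain"; then
-      _err "Can not get domain new authz token."
-      return 1
-    fi
+  authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
+  _debug "authzUri" "$authzUri"
 
-    authzUri="$(echo "$responseHeaders" | grep "^Location:" | _head_n 1 | cut -d ' ' -f 2 | tr -d "\r\n")"
-    _debug "authzUri" "$authzUri"
+  if [ "$code" ] && [ ! "$code" = '201' ]; then
+    _err "new-authz error: $response"
+    return 1
+  fi
 
-    if [ ! -z "$code" ] && [ ! "$code" = '201' ]; then
-      _err "new-authz error: $response"
+  entries="$(echo "$response" | _egrep_o '{ *"type":"[^"]*", *"status": *"valid", *"uri"[^}]*')"
+  if [ -z "$entries" ]; then
+    _info "No valid entries found."
+    if [ -z "$thumbprint" ]; then
+      thumbprint="$(__calc_account_thumbprint)"
+    fi
+    _debug "Trigger validation."
+    vtype="$VTYPE_HTTP"
+    entry="$(printf "%s\n" "$response" | _egrep_o '[^\{]*"type":"'$vtype'"[^\}]*')"
+    _debug entry "$entry"
+    if [ -z "$entry" ]; then
+      _err "Error, can not get domain token $d"
       return 1
     fi
+    token="$(printf "%s\n" "$entry" | _egrep_o '"token":"[^"]*' | cut -d : -f 2 | tr -d '"')"
+    _debug token "$token"
+
+    uri="$(printf "%s\n" "$entry" | _egrep_o '"uri":"[^"]*' | cut -d : -f 2,3 | tr -d '"')"
+    _debug uri "$uri"
+
+    keyauthorization="$token.$thumbprint"
+    _debug keyauthorization "$keyauthorization"
+    __trigger_validation "$uri" "$keyauthorization"
 
-    entry="$(printf "%s\n" "$response" | _egrep_o '{"type":"[^"]*","status":"valid","uri"[^}]*')"
+  fi
+
+  _d_i=0
+  _d_max_retry=$(echo "$entries" | wc -l)
+  while [ "$_d_i" -lt "$_d_max_retry" ]; do
+    _info "Deactivate: $_d_domain"
+    _d_i="$(_math $_d_i + 1)"
+    entry="$(echo "$entries" | sed -n "${_d_i}p")"
     _debug entry "$entry"
 
     if [ -z "$entry" ]; then
@@ -4520,16 +4624,16 @@ _deactivate() {
 
     _info "Deactivate: $_vtype"
 
-    if ! _send_signed_request "$authzUri" "{\"resource\": \"authz\", \"status\":\"deactivated\"}"; then
+    if _send_signed_request "$authzUri" "{\"resource\": \"authz\", \"status\":\"deactivated\"}" && _contains "$response" '"deactivated"'; then
+      _info "Deactivate: $_vtype success."
+    else
       _err "Can not deactivate $_vtype."
-      return 1
+      break
     fi
 
-    _info "Deactivate: $_vtype success."
-
   done
   _debug "$_d_i"
-  if [ "$_d_i" -lt "$_d_max_retry" ]; then
+  if [ "$_d_i" -eq "$_d_max_retry" ]; then
     _info "Deactivated success!"
   else
     _err "Deactivate failed."
@@ -4589,9 +4693,7 @@ _detect_profile() {
     fi
   fi
 
-  if [ ! -z "$DETECTED_PROFILE" ]; then
-    echo "$DETECTED_PROFILE"
-  fi
+  echo "$DETECTED_PROFILE"
 }
 
 _initconf() {
@@ -4679,6 +4781,8 @@ _installalias() {
   _setopt "$_envfile" "export LE_WORKING_DIR" "=" "\"$LE_WORKING_DIR\""
   if [ "$_c_home" ]; then
     _setopt "$_envfile" "export LE_CONFIG_HOME" "=" "\"$LE_CONFIG_HOME\""
+  else
+    _sed_i "/^export LE_CONFIG_HOME/d" "$_envfile"
   fi
   _setopt "$_envfile" "alias $PROJECT_ENTRY" "=" "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\""
 
@@ -4700,6 +4804,8 @@ _installalias() {
     _setopt "$_cshfile" "setenv LE_WORKING_DIR" " " "\"$LE_WORKING_DIR\""
     if [ "$_c_home" ]; then
       _setopt "$_cshfile" "setenv LE_CONFIG_HOME" " " "\"$LE_CONFIG_HOME\""
+    else
+      _sed_i "/^setenv LE_CONFIG_HOME/d" "$_cshfile"
     fi
     _setopt "$_cshfile" "alias $PROJECT_ENTRY" " " "\"$LE_WORKING_DIR/$PROJECT_ENTRY$_c_entry\""
     _setopt "$_csh_profile" "source \"$_cshfile\""
@@ -4764,20 +4870,24 @@ install() {
 
   _info "Installing to $LE_WORKING_DIR"
 
-  if ! mkdir -p "$LE_WORKING_DIR"; then
-    _err "Can not create working dir: $LE_WORKING_DIR"
-    return 1
+  if [ ! -d "$LE_WORKING_DIR" ]; then
+    if ! mkdir -p "$LE_WORKING_DIR"; then
+      _err "Can not create working dir: $LE_WORKING_DIR"
+      return 1
+    fi
+
+    chmod 700 "$LE_WORKING_DIR"
   fi
 
-  chmod 700 "$LE_WORKING_DIR"
+  if [ ! -d "$LE_CONFIG_HOME" ]; then
+    if ! mkdir -p "$LE_CONFIG_HOME"; then
+      _err "Can not create config dir: $LE_CONFIG_HOME"
+      return 1
+    fi
 
-  if ! mkdir -p "$LE_CONFIG_HOME"; then
-    _err "Can not create config dir: $LE_CONFIG_HOME"
-    return 1
+    chmod 700 "$LE_CONFIG_HOME"
   fi
 
-  chmod 700 "$LE_CONFIG_HOME"
-
   cp "$PROJECT_ENTRY" "$LE_WORKING_DIR/" && chmod +x "$LE_WORKING_DIR/$PROJECT_ENTRY"
 
   if [ "$?" != "0" ]; then
@@ -4935,6 +5045,7 @@ Commands:
   --toPkcs8                Convert to pkcs8 format.
   --update-account         Update account info.
   --register-account       Register account key.
+  --deactivate-account     Deactivate the account.
   --create-account-key     Create an account private key, professional use.
   --create-domain-key      Create an domain private key, professional use.
   --createCSR, -ccsr       Create CSR , professional use.
@@ -4995,6 +5106,7 @@ Parameters:
   --renew-hook                      Command to be run once for each successfully renewed certificate.
   --deploy-hook                     The hook file to deploy cert
   --ocsp-must-staple, --ocsp        Generate ocsp must Staple extension.
+  --always-force-new-domain-key     Generate new domain key when renewal. Otherwise, the domain key is not changed by default.
   --auto-upgrade   [0|1]            Valid for '--upgrade' command, indicating whether to upgrade automatically in future.
   --listen-v4                       Force standalone/tls server to listen at ipv4.
   --listen-v6                       Force standalone/tls server to listen at ipv6.
@@ -5214,6 +5326,9 @@ _process() {
       --registeraccount | --register-account)
         _CMD="registeraccount"
         ;;
+      --deactivate-account)
+        _CMD="deactivateaccount"
+        ;;
       --domain | -d)
         _dvalue="$2"
 
@@ -5475,6 +5590,14 @@ _process() {
       --ocsp-must-staple | --ocsp)
         Le_OCSP_Staple="1"
         ;;
+      --always-force-new-domain-key)
+        if [ -z "$2" ] || _startswith "$2" "-"; then
+          Le_ForceNewDomainKey=1
+        else
+          Le_ForceNewDomainKey="$2"
+          shift
+        fi
+        ;;
       --log | --logfile)
         _log="1"
         _logfile="$2"
@@ -5621,6 +5744,9 @@ _process() {
     updateaccount)
       updateaccount
       ;;
+    deactivateaccount)
+      deactivateaccount
+      ;;
     list)
       list "$_listraw"
       ;;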
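Review bot: In `_deactivate`, a failure on the last (or only) authorization is still reported as "Deactivated success!". `_d_i` is incremented at the top of each iteration, the failure path now uses `break` instead of `return 1`, and the final test became `[ "$_d_i" -eq "$_d_max_retry" ]`, which is true after a break in the final iteration. Because `echo "$entries" | wc -l` yields 1 even when `entries` is empty, the same test presumably also passes when no valid entry was found, though the body of the `[ -z "$entry" ]` branch lies outside the hunks. An operator would then believe the authorization was deactivated while it is still valid, so I would record the failure explicitly: `_d_failed=""` next to `_d_i=0`, `_d_failed=1` before the `break`, and `if [ -z "$_d_failed" ] && [ "$_d_i" -eq "$_d_max_retry" ]; then` for the final test. The start and end of `_deactivate` are not visible in these hunks, so the return value after the final message should be checked as well.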