{
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");

    my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' )
        || 'disabled';

    # Default to v2 as v1 no longer supported for new certs. At the moment (Oct 2020) v1 still supported for renewing certs.

    my $letsencryptAPI = $configDB->get_prop( 'letsencrypt', 'API' )
        || '2';

    $OUT .= "#!/bin/bash\n";

    if ( $letsencryptStatus eq 'disabled' ) {
        $OUT .= "letsencrypt is disabled";
    }
    else {
        # We should only be here if we are not disabled
        if ( $letsencryptStatus eq 'test' ) {

            # Use staging directory for testing
            # Once you are sure you have the settings right then change

            # If it's v1 then use v1, if v2 or auto then use v2 staging
            if ( $letsencryptAPI eq '1' ) {
                $OUT .= "CA=\"https://acme-staging.api.letsencrypt.org/directory\"\n";
            }
            elsif ( ( $letsencryptAPI eq '2' ) || ( $letsencryptAPI eq 'auto' ) ) {
                $OUT .= "CA=\"https://acme-staging-v02.api.letsencrypt.org/directory\"\n";
            }
        }

        elsif ( $letsencryptStatus ne 'test' ) {

            # Real server - default settings are in the the main dehydrated file
            # Only use this once you are sure things are OK or you will hit a rate limit.

            # If it's v1 then use v1, if v2 then v2, if auto accept the defaults in the main file
            if ( $letsencryptAPI eq '1' ) {
                $OUT .= "CA=\"https://acme-v01.api.letsencrypt.org/directory\"\n";
            }
            elsif ( $letsencryptAPI eq '2' ) {
                $OUT .= "CA=\"https://acme-v02.api.letsencrypt.org/directory\"\n";
            }
        }

        $OUT .= "WELLKNOWN=\"/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge\"\n";

        # Hook Script always enabled
        $OUT .= "HOOK=\"/usr/bin/hook-script.sh\"\n";

        # Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
        #BASEDIR=$SCRIPTDIR

        $OUT .= "BASEDIR=\"/etc/dehydrated\"\n";

        # Location of private account key (default: $BASEDIR/private_key.pem)
        #PRIVATE_KEY="${BASEDIR}/private_key.pem"

        my $letsencryptKeysize = $configDB->get_prop( 'letsencrypt', 'keysize' )
            || '';
        if ( $letsencryptKeysize ne '' ) {

            # Default keysize for private keys (default: 4096)
            $OUT .= "KEYSIZE=\"4096\"\n";
        }

        my $letsencryptEmail = $configDB->get_prop( 'letsencrypt', 'email' ) || '';
        if ( $letsencryptEmail ne '' ) {

            # E-mail to use during the registration (default: <unset>)
            $OUT .= "CONTACT_EMAIL=$letsencryptEmail\n";
        }

        # API version - auto | 1 | 2
        if ( $letsencryptAPI eq '1' ) {
            $OUT .= "API=\"1\"\n";
        }
        elsif ( $letsencryptAPI eq '2' ) {
            $OUT .= "API=\"2\"\n";
        }
        else {
            $OUT .= "API=\"auto\"\n";
        }
    }
}
