do not save aws and backupKey

it is now part of backupConfig
The controller already ensures we don't show the views here
2015-11-09 08:39:01 -08:00 · 2015-11-09 09:56:59 +01:00 · 2015-11-09 09:56:08 +01:00 · 2015-11-09 00:42:25 -08:00 · 2015-11-09 00:20:16 -08:00 · 2015-11-08 23:57:42 -08:00
79 changed files with 4451 additions and 4406 deletions
@@ -14,9 +14,9 @@ var appHealthMonitor = require('./src/apphealthmonitor.js'),
    async = require('async'),
    config = require('./src/config.js'),
    ldap = require('./src/ldap.js'),
+    simpleauth = require('./src/simpleauth.js'),
    oauthproxy = require('./src/oauthproxy.js'),
-    server = require('./src/server.js'),
-    simpleauth = require('./src/simpleauth.js');
+    server = require('./src/server.js');

 console.log();
 console.log('==========================================');
@@ -26,6 +26,7 @@ console.log();
 console.log(' Environment:                    ', config.CLOUDRON ? 'CLOUDRON' : 'TEST');
 console.log(' Version:                        ', config.version());
 console.log(' Admin Origin:                   ', config.adminOrigin());
+console.log(' Appstore token:                 ', config.token());
 console.log(' Appstore API server origin:     ', config.apiServerOrigin());
 console.log(' Appstore Web server origin:     ', config.webServerOrigin());
 console.log();
@@ -36,7 +36,12 @@ function main() {
    var processName = process.argv[2];
    console.log('Started crash notifier for', processName);

-    sendCrashNotification(processName);
+    mailer.initialize(function (error) {
+        if (error) return console.error(error);
+
+        sendCrashNotification(processName);
+    });
 }

 main();
+
@@ -1,16 +0,0 @@
-dbm = dbm || require('db-migrate');
-var type = dbm.dataType;
-
-exports.up = function(db, callback) {
-    db.runSql('ALTER TABLE apps MODIFY manifestJson TEXT', [], function (error) {
-        if (error) console.error(error);
-        callback(error);
-    });
-};
-
-exports.down = function(db, callback) {
-    db.runSql('ALTER TABLE apps MODIFY manifestJson VARCHAR(2048)', [], function (error) {
-        if (error) console.error(error);
-        callback(error);
-    });
-};
@@ -1,19 +0,0 @@
-dbm = dbm || require('db-migrate');
-var type = dbm.dataType;
-var async = require('async');
-
-exports.up = function(db, callback) {
-    async.series([
-        db.runSql.bind(db, 'ALTER TABLE apps MODIFY accessRestrictionJson TEXT'),
-        db.runSql.bind(db, 'ALTER TABLE apps MODIFY lastBackupConfigJson TEXT'),
-        db.runSql.bind(db, 'ALTER TABLE apps MODIFY oldConfigJson TEXT')
-    ], callback);
-};
-
-exports.down = function(db, callback) {
-    async.series([
-        db.runSql.bind(db, 'ALTER TABLE apps MODIFY accessRestrictionJson VARCHAR(2048)'),
-        db.runSql.bind(db, 'ALTER TABLE apps MODIFY lastBackupConfigJson VARCHAR(2048)'),
-        db.runSql.bind(db, 'ALTER TABLE apps MODIFY oldConfigJson VARCHAR(2048)')
-    ], callback);
-};
@@ -45,18 +45,18 @@ CREATE TABLE IF NOT EXISTS apps(
    runState VARCHAR(512),
    health VARCHAR(128),
    containerId VARCHAR(128),
-    manifestJson TEXT,
+    manifestJson VARCHAR(2048),
    httpPort INTEGER,                        // this is the nginx proxy port and not manifest.httpPort
    location VARCHAR(128) NOT NULL UNIQUE,
    dnsRecordId VARCHAR(512),
-    accessRestrictionJson TEXT,
+    accessRestrictionJson VARCHAR(2048),
    oauthProxy BOOLEAN DEFAULT 0,
    createdAt TIMESTAMP(2) NOT NULL DEFAULT CURRENT_TIMESTAMP,

    lastBackupId VARCHAR(128),
-    lastBackupConfigJson TEXT, // used for appstore and non-appstore installs. it's here so it's easy to do REST validation
+    lastBackupConfigJson VARCHAR(2048), // used for appstore and non-appstore installs. it's here so it's easy to do REST validation

-    oldConfigJson TEXT, // used to pass old config for apptask
+    oldConfigJson VARCHAR(2048), // used to pass old config for apptask

    PRIMARY KEY(id));

@@ -10,11 +10,10 @@
    "type": "git"
  },
  "engines": [
-    "node >=4.0.0 <=4.1.1"
+    "node >= 0.12.0"
  ],
  "dependencies": {
    "async": "^1.2.1",
-    "attempt": "^1.0.1",
    "aws-sdk": "^2.1.46",
    "body-parser": "^1.13.1",
    "bytes": "^2.1.0",
@@ -52,19 +51,18 @@
    "passport-http-bearer": "^1.0.1",
    "passport-local": "^1.0.0",
    "passport-oauth2-client-password": "^0.1.2",
-    "password-generator": "^2.0.2",
+    "password-generator": "^1.0.0",
    "proxy-middleware": "^0.13.0",
-    "safetydance": "^0.1.0",
+    "safetydance": "0.0.19",
    "semver": "^4.3.6",
    "serve-favicon": "^2.2.0",
    "split": "^1.0.0",
-    "superagent": "^1.5.0",
-    "supererror": "^0.7.1",
+    "superagent": "~0.21.0",
+    "supererror": "^0.7.0",
    "tail-stream": "https://registry.npmjs.org/tail-stream/-/tail-stream-0.2.1.tgz",
    "underscore": "^1.7.0",
-    "ursa": "^0.9.1",
    "valid-url": "^1.0.9",
-    "validator": "^4.4.0",
+    "validator": "^3.30.0",
    "x509": "^0.2.2"
  },
  "devDependencies": {
@@ -85,9 +83,9 @@
    "istanbul": "*",
    "js2xmlparser": "^1.0.0",
    "mocha": "*",
-    "nock": "^3.4.0",
+    "nock": "^2.6.0",
    "node-sass": "^3.0.0-alpha.0",
-    "redis": "^2.4.2",
+    "redis": "^0.12.1",
    "request": "^2.65.0",
    "sinon": "^1.12.2",
    "yargs": "^3.15.0"
@@ -3,17 +3,17 @@
 # If you change the infra version, be sure to put a warning
 # in the change log

-INFRA_VERSION=21
+INFRA_VERSION=20

 # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 # These constants are used in the installer script as well
-BASE_IMAGE=cloudron/base:0.8.0
-MYSQL_IMAGE=cloudron/mysql:0.8.0
-POSTGRESQL_IMAGE=cloudron/postgresql:0.8.0
-MONGODB_IMAGE=cloudron/mongodb:0.8.0
-REDIS_IMAGE=cloudron/redis:0.8.0 # if you change this, fix src/addons.js as well
-MAIL_IMAGE=cloudron/mail:0.9.0
-GRAPHITE_IMAGE=cloudron/graphite:0.8.0
+BASE_IMAGE=cloudron/base:0.7.0
+MYSQL_IMAGE=cloudron/mysql:0.7.0
+POSTGRESQL_IMAGE=cloudron/postgresql:0.7.0
+MONGODB_IMAGE=cloudron/mongodb:0.7.0
+REDIS_IMAGE=cloudron/redis:0.7.0 # if you change this, fix src/addons.js as well
+MAIL_IMAGE=cloudron/mail:0.8.0
+GRAPHITE_IMAGE=cloudron/graphite:0.7.0

 MYSQL_REPO=cloudron/mysql
 POSTGRESQL_REPO=cloudron/postgresql
@@ -11,7 +11,6 @@ arg_is_custom_domain="false"
 arg_restore_key=""
 arg_restore_url=""
 arg_retire="false"
-arg_tls_config=""
 arg_tls_cert=""
 arg_tls_key=""
 arg_token=""
@@ -19,7 +18,6 @@ arg_version=""
 arg_web_server_origin=""
 arg_backup_config=""
 arg_dns_config=""
-arg_provider=""

 args=$(getopt -o "" -l "data:,retire" -n "$0" -- "$@")
 eval set -- "${args}"
@@ -32,17 +30,12 @@ while true; do
        ;;
    --data)
        # only read mandatory non-empty parameters here
-        read -r arg_api_server_origin arg_web_server_origin arg_fqdn arg_is_custom_domain arg_box_versions_url arg_version <<EOF
-        $(echo "$2" | $json apiServerOrigin webServerOrigin fqdn isCustomDomain boxVersionsUrl version | tr '\n' ' ')
+        read -r arg_api_server_origin arg_web_server_origin arg_fqdn arg_token arg_is_custom_domain arg_box_versions_url arg_version <<EOF
+        $(echo "$2" | $json apiServerOrigin webServerOrigin fqdn token isCustomDomain boxVersionsUrl version | tr '\n' ' ')
 EOF
        # read possibly empty parameters here
        arg_tls_cert=$(echo "$2" | $json tlsCert)
        arg_tls_key=$(echo "$2" | $json tlsKey)
-        arg_token=$(echo "$2" | $json token)
-        arg_provider=$(echo "$2" | $json provider)
-
-        arg_tls_config=$(echo "$2" | $json tlsConfig)
-        [[ "${arg_tls_config}" == "null" ]] && arg_tls_config=""

        arg_restore_url=$(echo "$2" | $json restore.url)
        [[ "${arg_restore_url}" == "null" ]] && arg_restore_url=""
@@ -73,7 +66,5 @@ echo "restore url: ${arg_restore_url}"
 echo "tls cert: ${arg_tls_cert}"
 echo "tls key: ${arg_tls_key}"
 echo "token: ${arg_token}"
-echo "tlsConfig: ${arg_tls_config}"
 echo "version: ${arg_version}"
 echo "web server: ${arg_web_server_origin}"
-echo "provider: ${arg_provider}"
@@ -20,7 +20,7 @@ systemctl daemon-reload
 systemctl enable cloudron.target

 ########## sudoers
-rm -f /etc/sudoers.d/yellowtent
+rm -f /etc/sudoers.d/*
 cp "${container_files}/sudoers" /etc/sudoers.d/yellowtent

 ########## collectd
@@ -1,6 +1,3 @@
-# sudo logging breaks journalctl output with very long urls (systemd bug)
-Defaults !syslog
-
 Defaults!/home/yellowtent/box/src/scripts/createappdir.sh env_keep="HOME BOX_ENV"
 yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/createappdir.sh

@@ -14,6 +14,4 @@ User=yellowtent
 Group=yellowtent
 MemoryLimit=200M
 TimeoutStopSec=5s
-StartLimitInterval=1
-StartLimitBurst=60

@@ -40,7 +40,6 @@ set_progress "10" "Ensuring directories"
 mkdir -p "${DATA_DIR}/box/appicons"
 mkdir -p "${DATA_DIR}/box/certs"
 mkdir -p "${DATA_DIR}/box/mail"
-mkdir -p "${DATA_DIR}/box/acme" # acme keys
 mkdir -p "${DATA_DIR}/graphite"

 mkdir -p "${DATA_DIR}/mysql"
@@ -49,7 +48,6 @@ mkdir -p "${DATA_DIR}/mongodb"
 mkdir -p "${DATA_DIR}/snapshots"
 mkdir -p "${DATA_DIR}/addons"
 mkdir -p "${DATA_DIR}/collectd/collectd.conf.d"
-mkdir -p "${DATA_DIR}/acme" # acme challenges

 # bookkeep the version as part of data
 echo "{ \"version\": \"${arg_version}\", \"boxVersionsUrl\": \"${arg_box_versions_url}\" }" > "${DATA_DIR}/box/version"
@@ -92,41 +90,31 @@ EOF

 set_progress "28" "Setup collectd"
 cp "${script_dir}/start/collectd.conf" "${DATA_DIR}/collectd/collectd.conf"
-## collectd 5.4.1 has some bug where we simply cannot get it to create df-vda1
-#mkdir -p "${DATA_DIR}/graphite/whisper/collectd/localhost/"
-## detect device, let it fail if non exists
-#[[ -b "/dev/vda1" ]] && disk_device="/dev/vda1"
-#[[ -b "/dev/xvda1" ]] && disk_device="/dev/xvda1"
-#vda1_id=$(blkid -s UUID -o value ${disk_device})
-#ln -sfF "df-disk_by-uuid_${vda1_id}" "${DATA_DIR}/graphite/whisper/collectd/localhost/df-vda1"
+# collectd 5.4.1 has some bug where we simply cannot get it to create df-vda1
+mkdir -p "${DATA_DIR}/graphite/whisper/collectd/localhost/"
+vda1_id=$(blkid -s UUID -o value /dev/vda1)
+ln -sfF "df-disk_by-uuid_${vda1_id}" "${DATA_DIR}/graphite/whisper/collectd/localhost/df-vda1"
 service collectd restart

 set_progress "30" "Setup nginx"
+# setup naked domain to use admin by default. app restoration will overwrite this config
 mkdir -p "${DATA_DIR}/nginx/applications"
-cp "${script_dir}/start/nginx/nginx.conf" "${DATA_DIR}/nginx/nginx.conf"
 cp "${script_dir}/start/nginx/mime.types" "${DATA_DIR}/nginx/mime.types"

+# generate the main nginx config file
+${BOX_SRC_DIR}/node_modules/.bin/ejs-cli -f "${script_dir}/start/nginx/nginx.ejs" \
+    -O "{ \"sourceDir\": \"${BOX_SRC_DIR}\" }" > "${DATA_DIR}/nginx/nginx.conf"
+
 # generate these for update code paths as well to overwrite splash
-admin_cert_file="${DATA_DIR}/nginx/cert/host.cert"
-admin_key_file="${DATA_DIR}/nginx/cert/host.key"
-if [[ -f "${DATA_DIR}/box/certs/${admin_fqdn}.cert" && -f "${DATA_DIR}/box/certs/${admin_fqdn}.key" ]]; then
-    admin_cert_file="${DATA_DIR}/box/certs/${admin_fqdn}.cert"
-    admin_key_file="${DATA_DIR}/box/certs/${admin_fqdn}.key"
-fi
 ${BOX_SRC_DIR}/node_modules/.bin/ejs-cli -f "${script_dir}/start/nginx/appconfig.ejs" \
-    -O "{ \"vhost\": \"${admin_fqdn}\", \"adminOrigin\": \"${admin_origin}\", \"endpoint\": \"admin\", \"sourceDir\": \"${BOX_SRC_DIR}\", \"certFilePath\": \"${admin_cert_file}\", \"keyFilePath\": \"${admin_key_file}\" }" > "${DATA_DIR}/nginx/applications/admin.conf"
+    -O "{ \"vhost\": \"${admin_fqdn}\", \"adminOrigin\": \"${admin_origin}\", \"endpoint\": \"admin\", \"sourceDir\": \"${BOX_SRC_DIR}\", \"certFilePath\": \"cert/host.cert\", \"keyFilePath\": \"cert/host.key\" }" > "${DATA_DIR}/nginx/applications/admin.conf"

 mkdir -p "${DATA_DIR}/nginx/cert"
-if [[ -f "${DATA_DIR}/box/certs/host.cert" && -f "${DATA_DIR}/box/certs/host.key" ]]; then
-    cp "${DATA_DIR}/box/certs/host.cert" "${DATA_DIR}/nginx/cert/host.cert"
-    cp "${DATA_DIR}/box/certs/host.key" "${DATA_DIR}/nginx/cert/host.key"
-else
-    echo "${arg_tls_cert}" > "${DATA_DIR}/nginx/cert/host.cert"
-    echo "${arg_tls_key}" > "${DATA_DIR}/nginx/cert/host.key"
-fi
+echo "${arg_tls_cert}" > ${DATA_DIR}/nginx/cert/host.cert
+echo "${arg_tls_key}" > ${DATA_DIR}/nginx/cert/host.key

 set_progress "33" "Changing ownership"
-chown "${USER}:${USER}" -R "${DATA_DIR}/box" "${DATA_DIR}/nginx" "${DATA_DIR}/collectd" "${DATA_DIR}/addons" "${DATA_DIR}/acme"
+chown "${USER}:${USER}" -R "${DATA_DIR}/box" "${DATA_DIR}/nginx" "${DATA_DIR}/collectd" "${DATA_DIR}/addons"
 chown "${USER}:${USER}" "${DATA_DIR}"

 set_progress "40" "Setting up infra"
@@ -146,7 +134,6 @@ cat > "${CONFIG_DIR}/cloudron.conf" <<CONF_END
    "isCustomDomain": ${arg_is_custom_domain},
    "boxVersionsUrl": "${arg_box_versions_url}",
    "adminEmail": "admin@${arg_fqdn}",
-    "provider": "${arg_provider}",
    "database": {
        "hostname": "localhost",
        "username": "root",
@@ -181,14 +168,6 @@ if [[ ! -z "${arg_dns_config}" ]]; then
        -e "REPLACE INTO settings (name, value) VALUES (\"dns_config\", '$arg_dns_config')" box
 fi

-# Add TLS Configuration
-if [[ ! -z "${arg_tls_config}" ]]; then
-    echo "Add TLS Config"
-
-    mysql -u root -p${mysql_root_password} \
-        -e "REPLACE INTO settings (name, value) VALUES (\"tls_config\", '$arg_tls_config')" box
-fi
-
 # Add webadmin oauth client
 # The domain might have changed, therefor we have to update the record
 # !!! This needs to be in sync with the webadmin, specifically login_callback.js
@@ -37,8 +37,7 @@ server {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

-    # only serve up the status page if we get proxy gateway errors
-    error_page 502 503 504 @appstatus;
+    error_page 500 502 503 504 @appstatus;
    location @appstatus {
        return 307 <%= adminOrigin %>/appstatus.html?referrer=https://$host$request_uri;
    }
@@ -38,12 +38,6 @@ http {
            deny all;
        }

-        # acme challenges
-        location /.well-known/acme-challenge/ {
-            default_type text/plain;
-            alias /home/yellowtent/data/acme/;
-        }
-
        location / {
            # redirect everything to HTTPS
            return 301 https://$host$request_uri;
@@ -61,7 +55,7 @@ http {
        error_page 404 = @fallback;
        location @fallback {
            internal;
-            root /home/yellowtent/box/webadmin/dist;
+            root <%= sourceDir %>/webadmin/dist;
            rewrite ^/$ /nakeddomain.html break;
        }

@@ -325,10 +325,10 @@ function setupSimpleAuth(app, options, callback) {
            if (error) return callback(error);

            var env = [
-                'SIMPLE_AUTH_SERVER=172.17.0.1',
+                'SIMPLE_AUTH_SERVER=172.17.42.1',
                'SIMPLE_AUTH_PORT=' + config.get('simpleAuthPort'),
-                'SIMPLE_AUTH_URL=http://172.17.0.1:' + config.get('simpleAuthPort'), // obsolete, remove
-                'SIMPLE_AUTH_ORIGIN=http://172.17.0.1:' + config.get('simpleAuthPort'),
+                'SIMPLE_AUTH_URL=http://172.17.42.1:' + config.get('simpleAuthPort'), // obsolete, remove
+                'SIMPLE_AUTH_ORIGIN=http://172.17.42.1:' + config.get('simpleAuthPort'),
                'SIMPLE_AUTH_CLIENT_ID=' + id
            ];

@@ -359,9 +359,9 @@ function setupLdap(app, options, callback) {
    assert.strictEqual(typeof callback, 'function');

    var env = [
-        'LDAP_SERVER=172.17.0.1',
+        'LDAP_SERVER=172.17.42.1',
        'LDAP_PORT=' + config.get('ldapPort'),
-        'LDAP_URL=ldap://172.17.0.1:' + config.get('ldapPort'),
+        'LDAP_URL=ldap://172.17.42.1:' + config.get('ldapPort'),
        'LDAP_USERS_BASE_DN=ou=users,dc=cloudron',
        'LDAP_GROUPS_BASE_DN=ou=groups,dc=cloudron',
        'LDAP_BIND_DN=cn='+ app.id + ',ou=apps,dc=cloudron',
@@ -391,7 +391,7 @@ function setupSendMail(app, options, callback) {
    var env = [
        'MAIL_SMTP_SERVER=mail',
        'MAIL_SMTP_PORT=2500', // if you change this, change the mail container
-        'MAIL_SMTP_USERNAME=' + (app.location || app.id) + '-app', // use app.id for bare domains
+        'MAIL_SMTP_USERNAME=' + (app.location || app.id), // use app.id for bare domains
        'MAIL_DOMAIN=' + config.fqdn()
    ];

@@ -778,7 +778,7 @@ function setupRedis(app, options, callback) {
        name: 'redis-' + app.id,
        Hostname: 'redis-' + app.location,
        Tty: true,
-        Image: 'cloudron/redis:0.8.0', // if you change this, fix setup/INFRA_VERSION as well
+        Image: 'cloudron/redis:0.7.0', // if you change this, fix setup/INFRA_VERSION as well
        Cmd: null,
        Volumes: {
            '/tmp': {},
@@ -92,10 +92,8 @@ function checkAppHealth(app, callback) {
            .redirects(0)
            .timeout(HEALTHCHECK_INTERVAL)
            .end(function (error, res) {
-            if (error && !error.response) {
-                debugApp(app, 'not alive (network error): %s', error.message);
-                setHealth(app, appdb.HEALTH_UNHEALTHY, callback);
-            } else if (res.statusCode >= 400) { // 2xx and 3xx are ok
+
+            if (error || res.status >= 400) { // 2xx and 3xx are ok
                debugApp(app, 'not alive : %s', error || res.status);
                setHealth(app, appdb.HEALTH_UNHEALTHY, callback);
            } else {
@@ -112,11 +110,7 @@ function processApps(callback) {
        async.each(apps, checkAppHealth, function (error) {
            if (error) console.error(error);

-            var alive = apps
-                .filter(function (a) { return a.installationState === appdb.ISTATE_INSTALLED && a.runState === appdb.RSTATE_RUNNING && a.health === appdb.HEALTH_HEALTHY; })
-                .map(function (a) { return a.location; }).join(', ');
-
-            debug('apps alive: [%s]', alive);
+            debug('apps alive: [%s]', apps.map(function (a) { return a.location; }).join(', '));

            callback(null);
        });
@@ -157,7 +151,7 @@ function processDockerEvents() {
                debug('OOM Context: %s', context);

                // do not send mails for dev apps
-                if (error || app.appStoreId !== '') mailer.sendCrashNotification(program, context); // app can be null if it's an addon crash
+                if (app.appStoreId !== '') mailer.sendCrashNotification(program, context); // app can be null if it's an addon crash
            });
        });

@@ -48,18 +48,17 @@ var addons = require('./addons.js'),
    async = require('async'),
    backups = require('./backups.js'),
    BackupsError = require('./backups.js').BackupsError,
-    certificates = require('./certificates.js'),
    config = require('./config.js'),
    constants = require('./constants.js'),
    DatabaseError = require('./databaseerror.js'),
    debug = require('debug')('box:apps'),
-    docker = require('./docker.js'),
+    docker = require('./docker.js').connection,
    fs = require('fs'),
    manifestFormat = require('cloudron-manifestformat'),
-    once = require('once'),
    path = require('path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
+    settings = require('./settings.js'),
    semver = require('semver'),
    shell = require('./shell.js'),
    spawn = require('child_process').spawn,
@@ -73,8 +72,6 @@ var BACKUP_APP_CMD = path.join(__dirname, 'scripts/backupapp.sh'),
    RESTORE_APP_CMD = path.join(__dirname, 'scripts/restoreapp.sh'),
    BACKUP_SWAP_CMD = path.join(__dirname, 'scripts/backupswap.sh');

-var NOOP_CALLBACK = function (error) { if (error) debug(error); };
-
 function debugApp(app, args) {
    assert(!app || typeof app === 'object');

@@ -176,7 +173,7 @@ function validatePortBindings(portBindings, tcpPorts) {
        if (!Number.isInteger(portBindings[env])) return new Error(portBindings[env] + ' is not an integer');
        if (portBindings[env] <= 0 || portBindings[env] > 65535) return new Error(portBindings[env] + ' is out of range');

-        if (RESERVED_PORTS.indexOf(portBindings[env]) !== -1) return new AppsError(AppsError.PORT_RESERVED, String(portBindings[env]));
+        if (RESERVED_PORTS.indexOf(portBindings[env]) !== -1) return new AppsError(AppsError.PORT_RESERVED, + portBindings[env]);
    }

    // it is OK if there is no 1-1 mapping between values in manifest.tcpPorts and portBindings. missing values implies
@@ -288,16 +285,12 @@ function purchase(appStoreId, callback) {
    // Skip purchase if appStoreId is empty
    if (appStoreId === '') return callback(null);

-    // Skip if we don't have an appstore token
-    if (config.token() === '') return callback(null);
-
    var url = config.apiServerOrigin() + '/api/v1/apps/' + appStoreId + '/purchase';

    superagent.post(url).query({ token: config.token() }).end(function (error, res) {
-        if (error && !error.response) return callback(new AppsError(AppsError.EXTERNAL_ERROR, error));
-        if (res.statusCode === 402) return callback(new AppsError(AppsError.BILLING_REQUIRED));
-        if (res.statusCode === 404) return callback(new AppsError(AppsError.NOT_FOUND));
-        if (res.statusCode !== 201 && res.statusCode !== 200) return callback(new Error(util.format('App purchase failed. %s %j', res.status, res.body)));
+        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+        if (res.status === 402) return callback(new AppsError(AppsError.BILLING_REQUIRED));
+        if (res.status !== 201 && res.status !== 200) return callback(new Error(util.format('App purchase failed. %s %j', res.status, res.body)));

        callback(null);
    });
@@ -343,7 +336,7 @@ function install(appId, appStoreId, manifest, location, portBindings, accessRest
        }
    }

-    error = certificates.validateCertificate(cert, key, config.appFqdn(location));
+    error = settings.validateCertificate(cert, key, config.appFqdn(location));
    if (error) return callback(new AppsError(AppsError.BAD_CERTIFICATE, error.message));

    debug('Will install app with id : ' + appId);
@@ -384,7 +377,7 @@ function configure(appId, location, portBindings, accessRestriction, oauthProxy,
    error = validateAccessRestriction(accessRestriction);
    if (error) return callback(new AppsError(AppsError.BAD_FIELD, error.message));

-    error = certificates.validateCertificate(cert, key, config.appFqdn(location));
+    error = settings.validateCertificate(cert, key, config.appFqdn(location));
    if (error) return callback(new AppsError(AppsError.BAD_CERTIFICATE, error.message));

    appdb.get(appId, function (error, app) {
@@ -500,6 +493,8 @@ function getLogs(appId, lines, follow, callback) {
        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND));
        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

+        if (app.installationState !== appdb.ISTATE_INSTALLED) return callback(new AppsError(AppsError.BAD_STATE, util.format('App is in %s state.', app.installationState)));
+
        var args = [ '--output=json', '--no-pager', '--lines=' + lines ];
        if (follow) args.push('--follow');
        args = args.concat(appLogFilter(app));
@@ -516,7 +511,7 @@ function getLogs(appId, lines, follow, callback) {
                monotonicTimestamp: obj.__MONOTONIC_TIMESTAMP,
                message: obj.MESSAGE,
                source: source || 'main'
-            }) + '\n';
+            });
        });

        transformStream.close = cp.kill.bind(cp, 'SIGKILL'); // closing stream kills the child process
@@ -648,42 +643,31 @@ function exec(appId, options, callback) {
        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(new AppsError(AppsError.NOT_FOUND, 'No such app'));
        if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-       var createOptions = {
+        var container = docker.getContainer(app.containerId);
+
+       var execOptions = {
            AttachStdin: true,
            AttachStdout: true,
            AttachStderr: true,
-            OpenStdin: true,
-            StdinOnce: false,
-            Tty: true
+            Tty: true,
+            Cmd: cmd
        };

-        docker.createSubcontainer(app, app.id + '-exec-' + Date.now(), cmd, createOptions, function (error, container) {
+        container.exec(execOptions, function (error, exec) {
            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
-
-            container.attach({ stream: true, stdin: true, stdout: true, stderr: true }, function (error, stream) {
+            var startOptions = {
+                Detach: false,
+                Tty: true,
+                stdin: true // this is a dockerode option that enabled openStdin in the modem
+            };
+            exec.start(startOptions, function(error, stream) {
                if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

-                docker.startContainer(container.id, function (error) {
-                    if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));
+                if (options.rows && options.columns) {
+                    exec.resize({ h: options.rows, w: options.columns }, function (error) { if (error) debug('Error resizing console', error); });
+                }

-                    if (options.rows && options.columns) {
-                        container.resize({ h: options.rows, w: options.columns }, NOOP_CALLBACK);
-                    }
-
-                    var deleteContainer = once(docker.deleteContainer.bind(null, container.id, NOOP_CALLBACK));
-
-                    container.wait(function (error) {
-                        if (error) debug('Error waiting on container', error);
-
-                        debug('exec: container finished', container.id);
-
-                        deleteContainer();
-                    });
-
-                    stream.close = deleteContainer;
-
-                    callback(null, stream);
-                });
+                return callback(null, stream);
            });
        });
    });
@@ -9,7 +9,7 @@ exports = module.exports = {
    startTask: startTask,

    // exported for testing
-    _reserveHttpPort: reserveHttpPort,
+    _getFreePort: getFreePort,
    _configureNginx: configureNginx,
    _unconfigureNginx: unconfigureNginx,
    _createVolume: createVolume,
@@ -19,6 +19,7 @@ exports = module.exports = {
    _verifyManifest: verifyManifest,
    _registerSubdomain: registerSubdomain,
    _unregisterSubdomain: unregisterSubdomain,
+    _reloadNginx: reloadNginx,
    _waitForDnsPropagation: waitForDnsPropagation
 };

@@ -35,7 +36,6 @@ var addons = require('./addons.js'),
    apps = require('./apps.js'),
    assert = require('assert'),
    async = require('async'),
-    certificates = require('./certificates.js'),
    clientdb = require('./clientdb.js'),
    config = require('./config.js'),
    database = require('./database.js'),
@@ -47,7 +47,6 @@ var addons = require('./addons.js'),
    hat = require('hat'),
    manifestFormat = require('cloudron-manifestformat'),
    net = require('net'),
-    nginx = require('./nginx.js'),
    path = require('path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
@@ -60,66 +59,87 @@ var addons = require('./addons.js'),
    uuid = require('node-uuid'),
    _ = require('underscore');

-var COLLECTD_CONFIG_EJS = fs.readFileSync(__dirname + '/collectd.config.ejs', { encoding: 'utf8' }),
+var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }),
+    COLLECTD_CONFIG_EJS = fs.readFileSync(__dirname + '/collectd.config.ejs', { encoding: 'utf8' }),
+    RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh'),
    RELOAD_COLLECTD_CMD = path.join(__dirname, 'scripts/reloadcollectd.sh'),
    RMAPPDIR_CMD = path.join(__dirname, 'scripts/rmappdir.sh'),
    CREATEAPPDIR_CMD = path.join(__dirname, 'scripts/createappdir.sh');

 function initialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
    database.initialize(callback);
 }

-function debugApp(app) {
-    assert.strictEqual(typeof app, 'object');
+function debugApp(app, args) {
+    assert(!app || typeof app === 'object');

    var prefix = app ? (app.location || '(bare)') : '(no app)';
    debug(prefix + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)));
 }

-function reserveHttpPort(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
+// We expect conflicts to not happen despite closing the port (parallel app installs, app update does not reconfigure nginx etc)
+// https://tools.ietf.org/html/rfc6056#section-3.5 says linux uses random ephemeral port allocation
+function getFreePort(callback) {
    var server = net.createServer();
    server.listen(0, function () {
        var port = server.address().port;
-        updateApp(app, { httpPort: port }, function (error) {
-            if (error) {
-                server.close();
-                return callback(error);
-            }
-
-            server.close(callback);
+        server.close(function () {
+            return callback(null, port);
        });
    });
 }

+function reloadNginx(callback) {
+    shell.sudo('reloadNginx', [ RELOAD_NGINX_CMD ], callback);
+}
+
 function configureNginx(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    var vhost = config.appFqdn(app.location);
-
-    certificates.ensureCertificate(vhost, function (error, certFilePath, keyFilePath) {
+    getFreePort(function (error, freePort) {
        if (error) return callback(error);

-        nginx.configureApp(app, certFilePath, keyFilePath, callback);
+        var sourceDir = path.resolve(__dirname, '..');
+        var endpoint = app.oauthProxy ? 'oauthproxy' : 'app';
+        var vhost = config.appFqdn(app.location);
+        var certFilePath = safe.fs.statSync(path.join(paths.APP_CERTS_DIR, vhost + '.cert')) ? path.join(paths.APP_CERTS_DIR, vhost + '.cert') : 'cert/host.cert';
+        var keyFilePath = safe.fs.statSync(path.join(paths.APP_CERTS_DIR, vhost + '.key')) ? path.join(paths.APP_CERTS_DIR, vhost + '.key') : 'cert/host.key';
+
+        var data = {
+            sourceDir: sourceDir,
+            adminOrigin: config.adminOrigin(),
+            vhost: vhost,
+            port: freePort,
+            endpoint: endpoint,
+            certFilePath: certFilePath,
+            keyFilePath: keyFilePath
+        };
+        var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
+
+        var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
+        debugApp(app, 'writing config to %s', nginxConfigFilename);
+
+        if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
+            debugApp(app, 'Error creating nginx config : %s', safe.error.message);
+            return callback(safe.error);
+        }
+
+        async.series([
+            exports._reloadNginx,
+            updateApp.bind(null, app, { httpPort: freePort })
+        ], callback);
    });
 }

 function unconfigureNginx(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
+    var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
+    if (!safe.fs.unlinkSync(nginxConfigFilename)) {
+        debugApp(app, 'Error removing nginx configuration : %s', safe.error.message);
+        return callback(null);
+    }

-    // TODO: maybe revoke the cert
-    nginx.unconfigureApp(app, callback);
+    exports._reloadNginx(callback);
 }

 function createContainer(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
    assert(!app.containerId); // otherwise, it will trigger volumeFrom

    debugApp(app, 'creating container');
@@ -132,9 +152,6 @@ function createContainer(app, callback) {
 }

 function deleteContainers(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    debugApp(app, 'deleting containers');

    docker.deleteContainers(app.id, function (error) {
@@ -145,16 +162,10 @@ function deleteContainers(app, callback) {
 }

 function createVolume(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    shell.sudo('createVolume', [ CREATEAPPDIR_CMD, app.id ], callback);
 }

 function deleteVolume(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    shell.sudo('deleteVolume', [ RMAPPDIR_CMD, app.id ], callback);
 }

@@ -187,9 +198,6 @@ function removeOAuthProxyCredentials(app, callback) {
 }

 function addCollectdProfile(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    var collectdConf = ejs.render(COLLECTD_CONFIG_EJS, { appId: app.id, containerId: app.containerId });
    fs.writeFile(path.join(paths.COLLECTD_APPCONFIG_DIR, app.id + '.conf'), collectdConf, function (error) {
        if (error) return callback(error);
@@ -198,9 +206,6 @@ function addCollectdProfile(app, callback) {
 }

 function removeCollectdProfile(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    fs.unlink(path.join(paths.COLLECTD_APPCONFIG_DIR, app.id + '.conf'), function (error) {
        if (error && error.code !== 'ENOENT') debugApp(app, 'Error removing collectd profile', error);
        shell.sudo('removeCollectdProfile', [ RELOAD_COLLECTD_CMD ], callback);
@@ -208,9 +213,6 @@ function removeCollectdProfile(app, callback) {
 }

 function verifyManifest(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    debugApp(app, 'Verifying manifest');

    var manifest = app.manifest;
@@ -224,9 +226,6 @@ function verifyManifest(app, callback) {
 }

 function downloadIcon(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    debugApp(app, 'Downloading icon of %s@%s', app.appStoreId, app.manifest.version);

    var iconUrl = config.apiServerOrigin() + '/api/v1/apps/' + app.appStoreId + '/versions/' + app.manifest.version + '/icon';
@@ -235,8 +234,8 @@ function downloadIcon(app, callback) {
        .get(iconUrl)
        .buffer(true)
        .end(function (error, res) {
-            if (error && !error.response) return callback(new Error('Network error downloading icon:' + error.message));
-            if (res.statusCode !== 200) return callback(null); // ignore error. this can also happen for apps installed with cloudron-cli
+            if (error) return callback(new Error('Error downloading icon:' + error.message));
+            if (res.status !== 200) return callback(null); // ignore error. this can also happen for apps installed with cloudron-cli

            if (!safe.fs.writeFileSync(path.join(paths.APPICONS_DIR, app.id + '.png'), res.body)) return callback(new Error('Error saving icon:' + safe.error.message));

@@ -245,64 +244,46 @@ function downloadIcon(app, callback) {
 }

 function registerSubdomain(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
+    // even though the bare domain is already registered in the appstore, we still
+    // need to register it so that we have a dnsRecordId to wait for it to complete
+    async.retry({ times: 200, interval: 5000 }, function (retryCallback) {
+        debugApp(app, 'Registering subdomain location [%s]', app.location);

-    sysinfo.getIp(function (error, ip) {
-        if (error) return callback(error);
+        subdomains.add(app.location, 'A', [ sysinfo.getIp() ], function (error, changeId) {
+            if (error && (error.reason === SubdomainError.STILL_BUSY || error.reason === SubdomainError.EXTERNAL_ERROR)) return retryCallback(error); // try again

-        // even though the bare domain is already registered in the appstore, we still
-        // need to register it so that we have a dnsRecordId to wait for it to complete
-        async.retry({ times: 200, interval: 5000 }, function (retryCallback) {
-            debugApp(app, 'Registering subdomain location [%s]', app.location);
-
-            subdomains.add(app.location, 'A', [ ip ], function (error, changeId) {
-                if (error && (error.reason === SubdomainError.STILL_BUSY || error.reason === SubdomainError.EXTERNAL_ERROR)) return retryCallback(error); // try again
-
-                retryCallback(null, error || changeId);
-            });
-        }, function (error, result) {
-            if (error || result instanceof Error) return callback(error || result);
-
-            updateApp(app, { dnsRecordId: result }, callback);
+            retryCallback(null, error || changeId);
        });
+    }, function (error, result) {
+        if (error || result instanceof Error) return callback(error || result);
+
+        updateApp(app, { dnsRecordId: result }, callback);
    });
 }

 function unregisterSubdomain(app, location, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof location, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
    // do not unregister bare domain because we show a error/cloudron info page there
    if (location === '') {
        debugApp(app, 'Skip unregister of empty subdomain');
        return callback(null);
    }

-    sysinfo.getIp(function (error, ip) {
-        if (error) return callback(error);
+    async.retry({ times: 30, interval: 5000 }, function (retryCallback) {
+        debugApp(app, 'Unregistering subdomain: %s', location);

-        async.retry({ times: 30, interval: 5000 }, function (retryCallback) {
-            debugApp(app, 'Unregistering subdomain: %s', location);
+        subdomains.remove(location, 'A', [ sysinfo.getIp() ], function (error) {
+            if (error && (error.reason === SubdomainError.STILL_BUSY || error.reason === SubdomainError.EXTERNAL_ERROR)) return retryCallback(error); // try again

-            subdomains.remove(location, 'A', [ ip ], function (error) {
-                if (error && (error.reason === SubdomainError.STILL_BUSY || error.reason === SubdomainError.EXTERNAL_ERROR)) return retryCallback(error); // try again
-
-                retryCallback(null, error);
-            });
-        }, function (error, result) {
-            if (error || result instanceof Error) return callback(error || result);
-
-            updateApp(app, { dnsRecordId: null }, callback);
+            retryCallback(null, error);
        });
+    }, function (error, result) {
+        if (error || result instanceof Error) return callback(error || result);
+
+        updateApp(app, { dnsRecordId: null }, callback);
    });
 }

 function removeIcon(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    fs.unlink(path.join(paths.APPICONS_DIR, app.id + '.png'), function (error) {
        if (error && error.code !== 'ENOENT') debugApp(app, 'cannot remove icon : %s', error);
        callback(null);
@@ -310,9 +291,6 @@ function removeIcon(app, callback) {
 }

 function waitForDnsPropagation(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    if (!config.CLOUDRON) {
        debugApp(app, 'Skipping dns propagation check for development');
        return callback(null);
@@ -336,10 +314,6 @@ function waitForDnsPropagation(app, callback) {

 // updates the app object and the database
 function updateApp(app, values, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof values, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    debugApp(app, 'updating app with values: %j', values);

    appdb.update(app.id, values, function (error) {
@@ -364,15 +338,11 @@ function updateApp(app, values, callback) {
 //   - setup the container (requires image, volumes, addons)
 //   - setup collectd (requires container id)
 function install(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    async.series([
        verifyManifest.bind(null, app),

        // teardown for re-installs
        updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
-        unconfigureNginx.bind(null, app),
        removeCollectdProfile.bind(null, app),
        stopApp.bind(null, app),
        deleteContainers.bind(null, app),
@@ -381,8 +351,10 @@ function install(app, callback) {
        unregisterSubdomain.bind(null, app, app.location),
        removeOAuthProxyCredentials.bind(null, app),
        // removeIcon.bind(null, app), // do not remove icon for non-appstore installs
+        unconfigureNginx.bind(null, app),

-        reserveHttpPort.bind(null, app),
+        updateApp.bind(null, app, { installationProgress: '15, Configure nginx' }),
+        configureNginx.bind(null, app),

        updateApp.bind(null, app, { installationProgress: '20, Downloading icon' }),
        downloadIcon.bind(null, app),
@@ -413,9 +385,6 @@ function install(app, callback) {
        updateApp.bind(null, app, { installationProgress: '90, Waiting for DNS propagation' }),
        exports._waitForDnsPropagation.bind(null, app),

-        updateApp.bind(null, app, { installationProgress: '95, Configure nginx' }),
-        configureNginx.bind(null, app),
-
        // done!
        function (callback) {
            debugApp(app, 'installed');
@@ -431,9 +400,6 @@ function install(app, callback) {
 }

 function backup(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    async.series([
        updateApp.bind(null, app, { installationProgress: '10, Backing up' }),
        apps.backupApp.bind(null, app, app.manifest.addons),
@@ -454,9 +420,6 @@ function backup(app, callback) {

 // restore is also called for upgrades and infra updates. note that in those cases it is possible there is no backup
 function restore(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    // we don't have a backup, same as re-install. this allows us to install from install failures (update failures always
    // have a backupId)
    if (!app.lastBackupId) {
@@ -466,7 +429,6 @@ function restore(app, callback) {

    async.series([
        updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
-        unconfigureNginx.bind(null, app),
        removeCollectdProfile.bind(null, app),
        stopApp.bind(null, app),
        deleteContainers.bind(null, app),
@@ -480,8 +442,10 @@ function restore(app, callback) {
        },
        removeOAuthProxyCredentials.bind(null, app),
        removeIcon.bind(null, app),
+        unconfigureNginx.bind(null, app),

-        reserveHttpPort.bind(null, app),
+        updateApp.bind(null, app, { installationProgress: '30, Configuring Nginx' }),
+        configureNginx.bind(null, app),

        updateApp.bind(null, app, { installationProgress: '40, Downloading icon' }),
        downloadIcon.bind(null, app),
@@ -512,9 +476,6 @@ function restore(app, callback) {
        updateApp.bind(null, app, { installationProgress: '90, Waiting for DNS propagation' }),
        exports._waitForDnsPropagation.bind(null, app),

-        updateApp.bind(null, app, { installationProgress: '95, Configuring Nginx' }),
-        configureNginx.bind(null, app),
-
        // done!
        function (callback) {
            debugApp(app, 'restored');
@@ -532,12 +493,8 @@ function restore(app, callback) {

 // note that configure is called after an infra update as well
 function configure(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    async.series([
        updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
-        unconfigureNginx.bind(null, app),
        removeCollectdProfile.bind(null, app),
        stopApp.bind(null, app),
        deleteContainers.bind(null, app),
@@ -547,8 +504,10 @@ function configure(app, callback) {
            unregisterSubdomain(app, app.oldConfig.location, next);
        },
        removeOAuthProxyCredentials.bind(null, app),
+        unconfigureNginx.bind(null, app),

-        reserveHttpPort.bind(null, app),
+        updateApp.bind(null, app, { installationProgress: '25, Configuring Nginx' }),
+        configureNginx.bind(null, app),

        updateApp.bind(null, app, { installationProgress: '30, Create OAuth proxy credentials' }),
        allocateOAuthProxyCredentials.bind(null, app),
@@ -571,9 +530,6 @@ function configure(app, callback) {
        updateApp.bind(null, app, { installationProgress: '80, Waiting for DNS propagation' }),
        exports._waitForDnsPropagation.bind(null, app),

-        updateApp.bind(null, app, { installationProgress: '90, Configuring Nginx' }),
-        configureNginx.bind(null, app),
-
        // done!
        function (callback) {
            debugApp(app, 'configured');
@@ -590,9 +546,6 @@ function configure(app, callback) {

 // nginx configuration is skipped because app.httpPort is expected to be available
 function update(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    debugApp(app, 'Updating to %s', safe.query(app, 'manifest.version'));

    // app does not want these addons anymore
@@ -657,9 +610,6 @@ function update(app, callback) {
 }

 function uninstall(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    debugApp(app, 'uninstalling');

    async.series([
@@ -699,9 +649,6 @@ function uninstall(app, callback) {
 }

 function runApp(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    docker.startContainer(app.containerId, function (error) {
        if (error) return callback(error);

@@ -710,20 +657,14 @@ function runApp(app, callback) {
 }

 function stopApp(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    docker.stopContainers(app.id, function (error) {
        if (error) return callback(error);

-        updateApp(app, { runState: appdb.RSTATE_STOPPED, health: null }, callback);
+        updateApp(app, { runState: appdb.RSTATE_STOPPED }, callback);
    });
 }

 function handleRunCommand(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
    if (app.runState === appdb.RSTATE_PENDING_STOP) {
        return stopApp(app, callback);
    }
@@ -739,9 +680,6 @@ function handleRunCommand(app, callback) {
 }

 function startTask(appId, callback) {
-    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
    // determine what to do
    appdb.get(appId, function (error, app) {
        if (error) return callback(error);
@@ -785,3 +723,4 @@ if (require.main === module) {
        });
    });
 }
+
@@ -62,7 +62,7 @@ function getAllPaged(page, perPage, callback) {
        api(backupConfig.provider).getAllPaged(backupConfig, page, perPage, function (error, backups) {
            if (error) return callback(new BackupsError(BackupsError.EXTERNAL_ERROR, error));

-            return callback(null, backups); // [ { creationTime, restoreKey } ] sorted by time (latest first
+            return callback(null, backups); // [ { creationTime, boxVersion, restoreKey, dependsOn: [ ] } ] sorted by time (latest first
        });
    });
 }
@@ -1,425 +0,0 @@
-/* jslint node:true */
-
-'use strict';
-
-var assert = require('assert'),
-    async = require('async'),
-    crypto = require('crypto'),
-    debug = require('debug')('box:cert/acme'),
-    fs = require('fs'),
-    path = require('path'),
-    paths = require('../paths.js'),
-    safe = require('safetydance'),
-    superagent = require('superagent'),
-    ursa = require('ursa'),
-    util = require('util'),
-    _ = require('underscore');
-
-var CA_PROD = 'https://acme-v01.api.letsencrypt.org',
-    CA_STAGING = 'https://acme-staging.api.letsencrypt.org',
-    LE_AGREEMENT = 'https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf';
-
-exports = module.exports = {
-    getCertificate: getCertificate
-};
-
-function AcmeError(reason, errorOrMessage) {
-    assert.strictEqual(typeof reason, 'string');
-    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
-
-    Error.call(this);
-    Error.captureStackTrace(this, this.constructor);
-
-    this.name = this.constructor.name;
-    this.reason = reason;
-    if (typeof errorOrMessage === 'undefined') {
-        this.message = reason;
-    } else if (typeof errorOrMessage === 'string') {
-        this.message = errorOrMessage;
-    } else {
-        this.message = 'Internal error';
-        this.nestedError = errorOrMessage;
-    }
-}
-util.inherits(AcmeError, Error);
-AcmeError.INTERNAL_ERROR = 'Internal Error';
-AcmeError.EXTERNAL_ERROR = 'External Error';
-AcmeError.ALREADY_EXISTS = 'Already Exists';
-AcmeError.NOT_COMPLETED = 'Not Completed';
-AcmeError.FORBIDDEN = 'Forbidden';
-
-// http://jose.readthedocs.org/en/latest/
-// https://www.ietf.org/proceedings/92/slides/slides-92-acme-1.pdf
-// https://community.letsencrypt.org/t/list-of-client-implementations/2103
-
-function Acme(options) {
-    assert.strictEqual(typeof options, 'object');
-
-    this.caOrigin = options.prod ? CA_PROD : CA_STAGING;
-    this.accountKeyPem = null; // Buffer
-
-    this.chainPem = options.prod ? safe.fs.readFileSync(__dirname + '/lets-encrypt-x1-cross-signed.pem.txt') : new Buffer('');
-}
-
-Acme.prototype.getNonce = function (callback) {
-    superagent.get(this.caOrigin + '/directory', function (error, response) {
-        if (error) return callback(error);
-        if (response.statusCode !== 200) return callback(new Error('Invalid response code when fetching nonce : ' + response.statusCode));
-
-        return callback(null, response.headers['Replay-Nonce'.toLowerCase()]);
-    });
-};
-
-// urlsafe base64 encoding (jose)
-function urlBase64Encode(string) {
-    return string.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
-}
-
-function b64(str) {
-    var buf = util.isBuffer(str) ? str : new Buffer(str);
-   return urlBase64Encode(buf.toString('base64'));
-}
-
-Acme.prototype.sendSignedRequest = function (url, payload, callback) {
-    assert.strictEqual(typeof url, 'string');
-    assert.strictEqual(typeof payload, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    assert(util.isBuffer(this.accountKeyPem));
-    var privateKey = ursa.createPrivateKey(this.accountKeyPem);
-
-    var header = {
-        alg: 'RS256',
-        jwk: {
-            e: b64(privateKey.getExponent()),
-            kty: 'RSA',
-            n: b64(privateKey.getModulus())
-        }
-    };
- 
-    var payload64 = b64(payload);
-
-    this.getNonce(function (error, nonce) {
-        if (error) return callback(error);
-
-        debug('sendSignedRequest: using nonce %s for url %s', nonce, url);
-
-        var protected64 = b64(JSON.stringify(_.extend({ }, header, { nonce: nonce })));
-
-        var signer = ursa.createSigner('sha256');
-        signer.update(protected64 + '.' + payload64, 'utf8');
-        var signature64 = urlBase64Encode(signer.sign(privateKey, 'base64'));
-
-        var data = {
-            header: header,
-            protected: protected64,
-            payload: payload64,
-            signature: signature64
-        };
-
-        superagent.post(url).set('Content-Type', 'application/x-www-form-urlencoded').send(JSON.stringify(data)).end(function (error, res) {
-            if (error && !error.response) return callback(error); // network errors
-
-            callback(null, res);
-        });
-    });
-};
-
-Acme.prototype.registerUser = function (email, callback) {
-    assert.strictEqual(typeof email, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var payload = {
-        resource: 'new-reg',
-        contact: [ 'mailto:' + email ],
-        agreement: LE_AGREEMENT
-    };
-
-    debug('registerUser: %s', email);
-
-    this.sendSignedRequest(this.caOrigin + '/acme/new-reg', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering user: ' + error.message));
-        if (result.statusCode === 409) return callback(new AcmeError(AcmeError.ALREADY_EXISTS, result.body.detail));
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
-
-        debug('registerUser: registered user %s', email);
-
-        callback();
-    });
-};
-
-Acme.prototype.registerDomain = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var payload = {
-        resource: 'new-authz',
-        identifier: {
-            type: 'dns',
-            value: domain
-        }
-    };
-
-    debug('registerDomain: %s', domain);
-
-    this.sendSignedRequest(this.caOrigin + '/acme/new-authz', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when registering domain: ' + error.message));
-        if (result.statusCode === 403) return callback(new AcmeError(AcmeError.FORBIDDEN, result.body.detail));
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to register user. Expecting 201, got %s %s', result.statusCode, result.text)));
-
-        debug('registerDomain: registered %s', domain);
-
-        callback(null, result.body);
-    });
-};
-
-Acme.prototype.prepareHttpChallenge = function (challenge, callback) {
-    assert.strictEqual(typeof challenge, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('prepareHttpChallenge: preparing for challenge %j', challenge);
-
-    var token = challenge.token;
-
-    assert(util.isBuffer(this.accountKeyPem));
-    var privateKey = ursa.createPrivateKey(this.accountKeyPem);
-
-    var jwk = {
-        e: b64(privateKey.getExponent()),
-        kty: 'RSA',
-        n: b64(privateKey.getModulus())
-    };
-
-    var shasum = crypto.createHash('sha256');
-    shasum.update(JSON.stringify(jwk));
-    var thumbprint = urlBase64Encode(shasum.digest('base64'));
-    var keyAuthorization = token + '.' + thumbprint;
-
-    debug('prepareHttpChallenge: writing %s to %s', keyAuthorization, path.join(paths.ACME_CHALLENGES_DIR, token));
-
-    fs.writeFile(path.join(paths.ACME_CHALLENGES_DIR, token), token + '.' + thumbprint, function (error) {
-        if (error) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, error));
-
-        callback();
-    });
-};
-
-Acme.prototype.notifyChallengeReady = function (challenge, callback) {
-    assert.strictEqual(typeof challenge, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('notifyChallengeReady: %s was met', challenge.uri);
-
-    var keyAuthorization = fs.readFileSync(path.join(paths.ACME_CHALLENGES_DIR, challenge.token), 'utf8');
-
-    var payload = {
-        resource: 'challenge',
-        keyAuthorization: keyAuthorization
-    };
-
-    this.sendSignedRequest(challenge.uri, JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when notifying challenge: ' + error.message));
-        if (result.statusCode !== 202) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to notify challenge. Expecting 202, got %s %s', result.statusCode, result.text)));
-
-        callback();
-    });
-};
-
-Acme.prototype.waitForChallenge = function (challenge, callback) {
-    assert.strictEqual(typeof challenge, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    debug('waitingForChallenge: %j', challenge);
-
-    async.retry({ times: 10, interval: 5000 }, function (retryCallback) {
-        debug('waitingForChallenge: getting status');
-
-        superagent.get(challenge.uri).end(function (error, result) {
-            if (error && !error.response) {
-                debug('waitForChallenge: network error getting uri %s', challenge.uri);
-                return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, error.message)); // network error
-            }
-            if (result.statusCode !== 202) {
-                debug('waitForChallenge: invalid response code getting uri %s', result.statusCode);
-                return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Bad response code:' + result.statusCode));
-            }
-
-            debug('waitForChallenge: status is "%s"', result.body.status);
-
-            if (result.body.status === 'pending') return retryCallback(new AcmeError(AcmeError.NOT_COMPLETED));
-            else if (result.body.status === 'valid') return retryCallback();
-            else return retryCallback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Unexpected status: ' + result.body.status));
-        });
-    }, function retryFinished(error) {
-        // async.retry will pass 'undefined' as second arg making it unusable with async.waterfall()
-        callback(error);
-    });
-};
-
-// https://community.letsencrypt.org/t/public-beta-rate-limits/4772 for rate limits
-Acme.prototype.signCertificate = function (domain, csrDer, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert(util.isBuffer(csrDer));
-    assert.strictEqual(typeof callback, 'function');
-
-    var outdir = paths.APP_CERTS_DIR;
-
-    var payload = {
-        resource: 'new-cert',
-        csr: b64(csrDer)
-    };
-
-    debug('signCertificate: sending new-cert request');
-
-    this.sendSignedRequest(this.caOrigin + '/acme/new-cert', JSON.stringify(payload), function (error, result) {
-        if (error) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when signing certificate: ' + error.message));
-        // 429 means we reached the cert limit for this domain
-        if (result.statusCode !== 201) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to sign certificate. Expecting 201, got %s %s', result.statusCode, result.text)));
-
-        var certUrl = result.headers.location;
-
-        if (!certUrl) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Missing location in downloadCertificate'));
-
-        safe.fs.writeFileSync(path.join(outdir, domain + '.url'), certUrl, 'utf8'); // for renewal
-
-        return callback(null, result.headers.location);
-    });
-};
-
-Acme.prototype.createKeyAndCsr = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var outdir = paths.APP_CERTS_DIR;
-    var execSync = safe.child_process.execSync;
-
-    var privateKeyFile = path.join(outdir, domain + '.key');
-    var key = execSync('openssl genrsa 4096');
-    if (!key) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-    if (!safe.fs.writeFileSync(privateKeyFile, key)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-    debug('createKeyAndCsr: key file saved at %s', privateKeyFile);
-
-    var csrDer = execSync(util.format('openssl req -new -key %s -outform DER -subj /CN=%s', privateKeyFile, domain));
-    if (!csrDer) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-    var csrFile = path.join(outdir, domain + '.csr');
-    if (!safe.fs.writeFileSync(csrFile, csrFile)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-    debug('createKeyAndCsr: csr file (DER) saved at %s', csrFile);
-
-    callback(null, csrDer);
-};
-
-Acme.prototype.downloadCertificate = function (domain, certUrl, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof certUrl, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var outdir = paths.APP_CERTS_DIR;
-    var that = this;
-
-    superagent.get(certUrl).buffer().parse(function (res, done) {
-        var data = [ ];
-        res.on('data', function(chunk) { data.push(chunk); });
-        res.on('end', function () { res.text = Buffer.concat(data); done(); });
-    }).end(function (error, result) {
-        if (error && !error.response) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'Network error when downloading certificate'));
-        if (result.statusCode === 202) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, 'Retry not implemented yet'));
-        if (result.statusCode !== 200) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, util.format('Failed to get cert. Expecting 200, got %s %s', result.statusCode, result.text)));
-
-        var certificateDer = result.text;
-        var execSync = safe.child_process.execSync;
-
-        safe.fs.writeFileSync(path.join(outdir, domain + '.der'), certificateDer);
-        debug('downloadCertificate: cert der file saved');
-
-        var certificatePem = execSync('openssl x509 -inform DER -outform PEM', { input: certificateDer }); // this is really just base64 encoding with header
-        if (!certificatePem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        var certificateFile = path.join(outdir, domain + '.cert');
-        var fullChainPem = Buffer.concat([certificatePem, that.chainPem]);
-        if (!safe.fs.writeFileSync(certificateFile, fullChainPem)) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        debug('downloadCertificate: cert file saved at %s', certificateFile);
-
-        callback();
-    });
-};
-
-Acme.prototype.acmeFlow = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    // registering user with an email requires A or MX record (https://github.com/letsencrypt/boulder/issues/1197)
-    // we cannot use admin@fqdn because the user might not have set it up.
-    // we cannot use owner email because we don't have it yet (the admin cert is fetched before activation)
-    // one option is to update the owner email when a second cert is requested (https://github.com/ietf-wg-acme/acme/issues/30)
-    var email = 'admin@cloudron.io';
-
-    if (!fs.existsSync(paths.ACME_ACCOUNT_KEY_FILE)) {
-        debug('getCertificate: generating acme account key on first run');
-        this.accountKeyPem = safe.child_process.execSync('openssl genrsa 4096');
-        if (!this.accountKeyPem) return callback(new AcmeError(AcmeError.INTERNAL_ERROR, safe.error));
-
-        safe.fs.writeFileSync(paths.ACME_ACCOUNT_KEY_FILE, this.accountKeyPem);
-    } else {
-        debug('getCertificate: using existing acme account key');
-        this.accountKeyPem = fs.readFileSync(paths.ACME_ACCOUNT_KEY_FILE);
-    }
-
-    var that = this;
-    that.registerUser(email, function (error) {
-        if (error && error.reason !== AcmeError.ALREADY_EXISTS) return callback(error);
-
-        that.registerDomain(domain, function (error, result) {
-            if (error) return callback(error);
-
-            debug('acmeFlow: challenges: %j', result);
-
-            var httpChallenges = result.challenges.filter(function(x) { return x.type === 'http-01'; });
-            if (httpChallenges.length === 0) return callback(new AcmeError(AcmeError.EXTERNAL_ERROR, 'no http challenges'));
-            var challenge = httpChallenges[0];
-
-            async.waterfall([
-                that.prepareHttpChallenge.bind(that, challenge),
-                that.notifyChallengeReady.bind(that, challenge),
-                that.waitForChallenge.bind(that, challenge),
-                that.createKeyAndCsr.bind(that, domain),
-                that.signCertificate.bind(that, domain),
-                that.downloadCertificate.bind(that, domain)
-            ], callback);
-        });
-    });
-};
-
-Acme.prototype.getCertificate = function (domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var outdir = paths.APP_CERTS_DIR;
-    var certUrl = safe.fs.readFileSync(path.join(outdir, domain + '.url'), 'utf8');
-    var certificateGetter;
-
-    if (certUrl) {
-        debug('getCertificate: renewing existing cert for %s from %s', domain, certUrl);
-        certificateGetter = this.downloadCertificate.bind(this, domain, certUrl);
-    } else {
-        debug('getCertificate: start acme flow for %s from %s', domain, this.caOrigin);
-        certificateGetter = this.acmeFlow.bind(this, domain);
-    }
-
-    certificateGetter(function (error) {
-        if (error) return callback(error);
-
-        callback(null, path.join(outdir, domain + '.cert'), path.join(outdir, domain + '.key'));
-    });
-};
-
-function getCertificate(domain, options, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof options, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    var acme = new Acme(options || { });
-    acme.getCertificate(domain, callback);
-}
@@ -1,18 +0,0 @@
-'use strict';
-
-exports = module.exports = {
-    getCertificate: getCertificate
-};
-
-var assert = require('assert'),
-	debug = require('debug')('box:cert/caas.js');
-
-function getCertificate(domain, options, callback) {
-	assert.strictEqual(typeof domain, 'string');
-	assert.strictEqual(typeof options, 'object');
-	assert.strictEqual(typeof callback, 'function');
-
-    debug('getCertificate: using fallback certificate', domain);
-
-    return callback(null, 'cert/host.cert', 'cert/host.key');
-}
@@ -1,27 +0,0 @@
-----BEGIN CERTIFICATE-----
-MIIEqDCCA5CgAwIBAgIRAJgT9HUT5XULQ+dDHpceRL0wDQYJKoZIhvcNAQELBQAw
-PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
-Ew5EU1QgUm9vdCBDQSBYMzAeFw0xNTEwMTkyMjMzMzZaFw0yMDEwMTkyMjMzMzZa
-MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
-ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMTCCASIwDQYJKoZIhvcNAQEBBQAD
-ggEPADCCAQoCggEBAJzTDPBa5S5Ht3JdN4OzaGMw6tc1Jhkl4b2+NfFwki+3uEtB
-BaupnjUIWOyxKsRohwuj43Xk5vOnYnG6eYFgH9eRmp/z0HhncchpDpWRz/7mmelg
-PEjMfspNdxIknUcbWuu57B43ABycrHunBerOSuu9QeU2mLnL/W08lmjfIypCkAyG
-dGfIf6WauFJhFBM/ZemCh8vb+g5W9oaJ84U/l4avsNwa72sNlRZ9xCugZbKZBDZ1
-gGusSvMbkEl4L6KWTyogJSkExnTA0DHNjzE4lRa6qDO4Q/GxH8Mwf6J5MRM9LTb4
-4/zyM2q5OTHFr8SNDR1kFjOq+oQpttQLwNh9w5MCAwEAAaOCAZIwggGOMBIGA1Ud
-EwEB/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgGGMH8GCCsGAQUFBwEBBHMwcTAy
-BggrBgEFBQcwAYYmaHR0cDovL2lzcmcudHJ1c3RpZC5vY3NwLmlkZW50cnVzdC5j
-b20wOwYIKwYBBQUHMAKGL2h0dHA6Ly9hcHBzLmlkZW50cnVzdC5jb20vcm9vdHMv
-ZHN0cm9vdGNheDMucDdjMB8GA1UdIwQYMBaAFMSnsaR7LHH62+FLkHX/xBVghYkQ
-MFQGA1UdIARNMEswCAYGZ4EMAQIBMD8GCysGAQQBgt8TAQEBMDAwLgYIKwYBBQUH
-AgEWImh0dHA6Ly9jcHMucm9vdC14MS5sZXRzZW5jcnlwdC5vcmcwPAYDVR0fBDUw
-MzAxoC+gLYYraHR0cDovL2NybC5pZGVudHJ1c3QuY29tL0RTVFJPT1RDQVgzQ1JM
-LmNybDATBgNVHR4EDDAKoQgwBoIELm1pbDAdBgNVHQ4EFgQUqEpqYwR93brm0Tm3
-pkVl7/Oo7KEwDQYJKoZIhvcNAQELBQADggEBANHIIkus7+MJiZZQsY14cCoBG1hd
-v0J20/FyWo5ppnfjL78S2k4s2GLRJ7iD9ZDKErndvbNFGcsW+9kKK/TnY21hp4Dd
-ITv8S9ZYQ7oaoqs7HwhEMY9sibED4aXw09xrJZTC9zK1uIfW6t5dHQjuOWv+HHoW
-ZnupyxpsEUlEaFb+/SCI4KCSBdAsYxAcsHYI5xxEI4LutHp6s3OT2FuO90WfdsIk
-6q78OMSdn875bNjdBYAqxUp2/LEIHfDBkLoQz0hFJmwAbYahqKaLn73PAAm1X2kj
-f1w8DdnkabOLGeOVcj9LQ+s67vBykx4anTjURkbqZslUEUsn2k5xeua2zUk=
-----END CERTIFICATE-----
@@ -1,250 +0,0 @@
-/* jslint node:true */
-
-'use strict';
-
-var acme = require('./cert/acme.js'),
-    assert = require('assert'),
-    async = require('async'),
-    caas = require('./cert/caas.js'),
-    cloudron = require('./cloudron.js'),
-    config = require('./config.js'),
-    constants = require('./constants.js'),
-    debug = require('debug')('box:src/certificates'),
-    fs = require('fs'),
-    nginx = require('./nginx.js'),
-    path = require('path'),
-    paths = require('./paths.js'),
-    safe = require('safetydance'),
-    settings = require('./settings.js'),
-    sysinfo = require('./sysinfo.js'),
-    util = require('util'),
-    waitForDns = require('./waitfordns.js'),
-    x509 = require('x509');
-
-exports = module.exports = {
-    installAdminCertificate: installAdminCertificate,
-    autoRenew: autoRenew,
-    setFallbackCertificate: setFallbackCertificate,
-    setAdminCertificate: setAdminCertificate,
-    CertificatesError: CertificatesError,
-    validateCertificate: validateCertificate,
-    ensureCertificate: ensureCertificate
-};
-
-var NOOP_CALLBACK = function (error) { if (error) debug(error); };
-
-function CertificatesError(reason, errorOrMessage) {
-    assert.strictEqual(typeof reason, 'string');
-    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
-
-    Error.call(this);
-    Error.captureStackTrace(this, this.constructor);
-
-    this.name = this.constructor.name;
-    this.reason = reason;
-    if (typeof errorOrMessage === 'undefined') {
-        this.message = reason;
-    } else if (typeof errorOrMessage === 'string') {
-        this.message = errorOrMessage;
-    } else {
-        this.message = 'Internal error';
-        this.nestedError = errorOrMessage;
-    }
-}
-util.inherits(CertificatesError, Error);
-CertificatesError.INTERNAL_ERROR = 'Internal Error';
-CertificatesError.INVALID_CERT = 'Invalid certificate';
-
-function getApi(callback) {
-    settings.getTlsConfig(function (error, tlsConfig) {
-        if (error) return callback(error);
-
-        var api = tlsConfig.provider === 'caas' ? caas : acme;
-
-        var options = { };
-        options.prod = tlsConfig.provider.match(/.*-prod/) !== null;
-
-        callback(null, api, options);
-    });
-}
-
-function installAdminCertificate(callback) {
-    if (cloudron.isConfiguredSync()) return callback();
-
-    settings.getTlsConfig(function (error, tlsConfig) {
-        if (error) return callback(error);
-
-        if (tlsConfig.provider === 'caas') return callback();
-
-        sysinfo.getIp(function (error, ip) {
-            if (error) return callback(error);
-
-            waitForDns(config.adminFqdn(), ip, config.fqdn(), function (error) {
-                if (error) return callback(error); // this cannot happen because we retry forever
-
-                ensureCertificate(config.adminFqdn(), function (error, certFilePath, keyFilePath) {
-                    if (error) { // currently, this can never happen
-                        debug('Error obtaining certificate. Proceed anyway', error);
-                        return callback();
-                    }
-
-                    nginx.configureAdmin(certFilePath, keyFilePath, callback);
-                });
-            });
-        });
-    });
-}
-
-function needsRenewalSync(certFilePath) {
-    var result = safe.child_process.execSync('openssl x509 -checkend %s -in %s', 60 * 60 * 24 * 5, certFilePath);
-
-    return result === null; // command errored
-}
-
-function autoRenew(callback) {
-    debug('autoRenew: Checking certificates for renewal');
-    callback = callback || NOOP_CALLBACK;
-
-    var filenames = safe.fs.readdirSync(paths.APP_CERTS_DIR);
-    if (!filenames) {
-        debug('autoRenew: Error getting filenames: %s', safe.error.message);
-        return;
-    }
-
-    var certs = filenames.filter(function (f) {
-        return f.match(/\.cert$/) !== null && needsRenewalSync(path.join(paths.APP_CERTS_DIR, f));
-    });
-
-    debug('autoRenew: %j needs to be renewed', certs);
-
-    getApi(function (error, api, apiOptions) {
-        if (error) return callback(error);
-
-        async.eachSeries(certs, function iterator(cert, iteratorCallback) {
-            var domain = cert.match(/^(.*)\.cert$/)[1];
-            if (domain === 'host') return iteratorCallback(); // cannot renew fallback cert
-
-            debug('autoRenew: renewing cert for %s with options %j', domain, apiOptions);
-
-            api.getCertificate(domain, apiOptions, function (error) {
-                if (error) debug('autoRenew: could not renew cert for %s', domain, error);
-
-                iteratorCallback(); // move on to next cert
-            });
-        });
-    });
-}
-
-// note: https://tools.ietf.org/html/rfc4346#section-7.4.2 (certificate_list) requires that the
-// servers certificate appears first (and not the intermediate cert)
-function validateCertificate(cert, key, fqdn) {
-    assert(cert === null || typeof cert === 'string');
-    assert(key === null || typeof key === 'string');
-    assert.strictEqual(typeof fqdn, 'string');
-
-    if (cert === null && key === null) return null;
-    if (!cert && key) return new Error('missing cert');
-    if (cert && !key) return new Error('missing key');
-
-    var content;
-    try {
-        content = x509.parseCert(cert);
-    } catch (e) {
-        return new Error('invalid cert: ' + e.message);
-    }
-
-    // check expiration
-    if (content.notAfter < new Date()) return new Error('cert expired');
-
-    function matchesDomain(domain) {
-        if (domain === fqdn) return true;
-        if (domain.indexOf('*') === 0 && domain.slice(2) === fqdn.slice(fqdn.indexOf('.') + 1)) return true;
-
-        return false;
-    }
-
-    // check domain
-    var domains = content.altNames.concat(content.subject.commonName);
-    if (!domains.some(matchesDomain)) return new Error(util.format('cert is not valid for this domain. Expecting %s in %j', fqdn, domains));
-
-    // http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
-    var certModulus = safe.child_process.execSync('openssl x509 -noout -modulus', { encoding: 'utf8', input: cert });
-    var keyModulus = safe.child_process.execSync('openssl rsa -noout -modulus', { encoding: 'utf8', input: key });
-    if (certModulus !== keyModulus) return new Error('key does not match the cert');
-
-    return null;
-}
-
-function setFallbackCertificate(cert, key, callback) {
-    assert.strictEqual(typeof cert, 'string');
-    assert.strictEqual(typeof key, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var error = validateCertificate(cert, key, '*.' + config.fqdn());
-    if (error) return callback(new CertificatesError(CertificatesError.INVALID_CERT, error.message));
-
-    // backup the cert
-    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, 'host.cert'), cert)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-    if (!safe.fs.writeFileSync(path.join(paths.APP_CERTS_DIR, 'host.key'), key)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-
-    // copy over fallback cert
-    if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, 'host.cert'), cert)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-    if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, 'host.key'), key)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-
-    nginx.reload(function (error) {
-        if (error) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, error));
-
-        return callback(null);
-    });
-}
-
-function setAdminCertificate(cert, key, callback) {
-    assert.strictEqual(typeof cert, 'string');
-    assert.strictEqual(typeof key, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var vhost = config.appFqdn(constants.ADMIN_LOCATION);
-    var certFilePath = path.join(paths.APP_CERTS_DIR, vhost + '.cert');
-    var keyFilePath = path.join(paths.APP_CERTS_DIR, vhost + '.key');
-
-    var error = validateCertificate(cert, key, vhost);
-    if (error) return callback(new CertificatesError(CertificatesError.INVALID_CERT, error.message));
-
-    // backup the cert
-    if (!safe.fs.writeFileSync(certFilePath, cert)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-    if (!safe.fs.writeFileSync(keyFilePath, key)) return callback(new CertificatesError(CertificatesError.INTERNAL_ERROR, safe.error.message));
-
-    nginx.configureAdmin(certFilePath, keyFilePath, callback);
-}
-
-function ensureCertificate(domain, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    // check if user uploaded a specific cert. ideally, we should not mix user certs and automatic certs as we do here...
-    var userCertFilePath = path.join(paths.APP_CERTS_DIR, domain + '.cert');
-    var userKeyFilePath = path.join(paths.APP_CERTS_DIR, domain + '.key');
-
-    if (fs.existsSync(userCertFilePath) && fs.existsSync(userKeyFilePath)) {
-        debug('ensureCertificate: %s. certificate already exists at %s', domain, userKeyFilePath);
-
-        if (!needsRenewalSync(userCertFilePath)) return callback(null, userCertFilePath, userKeyFilePath);
-
-        debug('ensureCertificate: %s cert require renewal', domain);
-    }
-
-    getApi(function (error, api, apiOptions) {
-        if (error) return callback(error);
-
-        debug('ensureCertificate: getting certificate for %s with options %j', domain, apiOptions);
-
-        api.getCertificate(domain, apiOptions, function (error, certFilePath, keyFilePath) {
-            if (error) {
-                debug('ensureCertificate: could not get certificate. using fallback certs', error);
-                return callback(null, 'cert/host.cert', 'cert/host.key'); // use fallback certs
-            }
-
-            callback(null, certFilePath, keyFilePath);
-        });
-    });
-}
@@ -33,12 +33,12 @@ var apps = require('./apps.js'),
    async = require('async'),
    backups = require('./backups.js'),
    BackupsError = require('./backups.js').BackupsError,
+    bytes = require('bytes'),
    clientdb = require('./clientdb.js'),
    config = require('./config.js'),
    debug = require('debug')('box:cloudron'),
    fs = require('fs'),
    locker = require('./locker.js'),
-    os = require('os'),
    path = require('path'),
    paths = require('./paths.js'),
    progress = require('./progress.js'),
@@ -178,8 +178,8 @@ function setTimeZone(ip, callback) {
    debug('setTimeZone ip:%s', ip);

    superagent.get('http://www.telize.com/geoip/' + ip).end(function (error, result) {
-        if ((error && !error.response) || result.statusCode !== 200) {
-            debug('Failed to get geo location: %s', error.message);
+        if (error || result.statusCode !== 200) {
+            debug('Failed to get geo location', error);
            return callback(null);
        }

@@ -243,8 +243,6 @@ function getStatus(callback) {
            callback(null, {
                activated: count !== 0,
                version: config.version(),
-                boxVersionsUrl: config.get('boxVersionsUrl'),
-                apiServerOrigin: config.apiServerOrigin(), // used by CaaS tool
                cloudronName: cloudronName
            });
        });
@@ -256,21 +254,12 @@ function getCloudronDetails(callback) {

    if (gCloudronDetails) return callback(null, gCloudronDetails);

-    if (!config.token()) {
-        gCloudronDetails = {
-            region: null,
-            size: null
-        };
-
-        return callback(null, gCloudronDetails);
-    }
-
    superagent
        .get(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn())
        .query({ token: config.token() })
        .end(function (error, result) {
-            if (error && !error.response) return callback(error);
-            if (result.statusCode !== 200) return callback(new CloudronError(CloudronError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+            if (error) return callback(error);
+            if (result.status !== 200) return callback(new CloudronError(CloudronError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));

            gCloudronDetails = result.body.box;

@@ -283,7 +272,7 @@ function getConfig(callback) {

    getCloudronDetails(function (error, result) {
        if (error) {
-            debug('Failed to fetch cloudron details.', error);
+            console.error('Failed to fetch cloudron details.', error);

            // set fallback values to avoid dependency on appstore
            result = {
@@ -292,32 +281,31 @@ function getConfig(callback) {
            };
        }

+        // We rely at the moment on the size being specified in 512mb,1gb,...
+        // TODO provide that number from the appstore
+        var memory = bytes(result.size) || 0;
+
        settings.getCloudronName(function (error, cloudronName) {
            if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));

            settings.getDeveloperMode(function (error, developerMode) {
                if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));

-                sysinfo.getIp(function (error, ip) {
-                    if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
-
-                    callback(null, {
-                        apiServerOrigin: config.apiServerOrigin(),
-                        webServerOrigin: config.webServerOrigin(),
-                        isDev: config.isDev(),
-                        fqdn: config.fqdn(),
-                        ip: ip,
-                        version: config.version(),
-                        update: updateChecker.getUpdateInfo(),
-                        progress: progress.get(),
-                        isCustomDomain: config.isCustomDomain(),
-                        developerMode: developerMode,
-                        region: result.region,
-                        size: result.size,
-                        memory: os.totalmem(),
-                        provider: config.provider(),
-                        cloudronName: cloudronName
-                    });
+                callback(null, {
+                    apiServerOrigin: config.apiServerOrigin(),
+                    webServerOrigin: config.webServerOrigin(),
+                    isDev: config.isDev(),
+                    fqdn: config.fqdn(),
+                    ip: sysinfo.getIp(),
+                    version: config.version(),
+                    update: updateChecker.getUpdateInfo(),
+                    progress: progress.get(),
+                    isCustomDomain: config.isCustomDomain(),
+                    developerMode: developerMode,
+                    region: result.region,
+                    size: result.size,
+                    memory: memory,
+                    cloudronName: cloudronName
                });
            });
        });
@@ -325,11 +313,10 @@ function getConfig(callback) {
 }

 function sendHeartbeat() {
-    if (!config.token()) return;
-
    var url = config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/heartbeat';
+
    superagent.post(url).query({ token: config.token(), version: config.version() }).timeout(10000).end(function (error, result) {
-        if (error && !error.response) debug('Network error sending heartbeat.', error);
+        if (error) debug('Error sending heartbeat.', error);
        else if (result.statusCode !== 200) debug('Server responded to heartbeat with %s %s', result.statusCode, result.text);
        else debug('Heartbeat sent to %s', url);
    });
@@ -396,53 +383,48 @@ function addDnsRecords() {
    var dkimKey = readDkimPublicKeySync();
    if (!dkimKey) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, new Error('internal error failed to read dkim public key')));

-    sysinfo.getIp(function (error, ip) {
-        if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
+    var nakedDomainRecord = { subdomain: '', type: 'A', values: [ sysinfo.getIp() ] };
+    var webadminRecord = { subdomain: 'my', type: 'A', values: [ sysinfo.getIp() ] };
+    // t=s limits the domainkey to this domain and not it's subdomains
+    var dkimRecord = { subdomain: DKIM_SELECTOR + '._domainkey', type: 'TXT', values: [ '"v=DKIM1; t=s; p=' + dkimKey + '"' ] };
+    // DMARC requires special setup if report email id is in different domain
+    var dmarcRecord = { subdomain: '_dmarc', type: 'TXT', values: [ '"v=DMARC1; p=none; pct=100; rua=mailto:' + DMARC_REPORT_EMAIL + '; ruf=' + DMARC_REPORT_EMAIL + '"' ] };

-        var nakedDomainRecord = { subdomain: '', type: 'A', values: [ ip ] };
-        var webadminRecord = { subdomain: 'my', type: 'A', values: [ ip ] };
-        // t=s limits the domainkey to this domain and not it's subdomains
-        var dkimRecord = { subdomain: DKIM_SELECTOR + '._domainkey', type: 'TXT', values: [ '"v=DKIM1; t=s; p=' + dkimKey + '"' ] };
-        // DMARC requires special setup if report email id is in different domain
-        var dmarcRecord = { subdomain: '_dmarc', type: 'TXT', values: [ '"v=DMARC1; p=none; pct=100; rua=mailto:' + DMARC_REPORT_EMAIL + '; ruf=' + DMARC_REPORT_EMAIL + '"' ] };
+    var records = [ ];
+    if (config.isCustomDomain()) {
+        records.push(webadminRecord);
+        records.push(dkimRecord);
+    } else {
+        records.push(nakedDomainRecord);
+        records.push(webadminRecord);
+        records.push(dkimRecord);
+        records.push(dmarcRecord);
+    }

-        var records = [ ];
-        if (config.isCustomDomain()) {
-            records.push(webadminRecord);
-            records.push(dkimRecord);
-        } else {
-            records.push(nakedDomainRecord);
-            records.push(webadminRecord);
-            records.push(dkimRecord);
-            records.push(dmarcRecord);
-        }
+    debug('addDnsRecords: %j', records);

-        debug('addDnsRecords: %j', records);
+    async.retry({ times: 10, interval: 20000 }, function (retryCallback) {
+        txtRecordsWithSpf(function (error, txtRecords) {
+            if (error) return retryCallback(error);

-        async.retry({ times: 10, interval: 20000 }, function (retryCallback) {
-            txtRecordsWithSpf(function (error, txtRecords) {
-                if (error) return retryCallback(error);
+            if (txtRecords) records.push({ subdomain: '', type: 'TXT', values: txtRecords });

-                if (txtRecords) records.push({ subdomain: '', type: 'TXT', values: txtRecords });
+            debug('addDnsRecords: will update %j', records);

-                debug('addDnsRecords: will update %j', records);
+            async.eachSeries(records, function (record, iteratorCallback) {
+                subdomains.update(record.subdomain, record.type, record.values, iteratorCallback);
+            }, function (error) {
+                if (error) debug('addDnsRecords: failed to update : %s. will retry', error);

-                async.mapSeries(records, function (record, iteratorCallback) {
-                    subdomains.update(record.subdomain, record.type, record.values, iteratorCallback);
-                }, function (error, changeIds) {
-                    if (error) debug('addDnsRecords: failed to update : %s. will retry', error);
-                    else debug('addDnsRecords: records %j added with changeIds %j', records, changeIds);
-
-                    retryCallback(error);
-                });
+                retryCallback(error);
            });
-        }, function (error) {
-            gUpdatingDns = false;
-
-            debug('addDnsRecords: done updating records with error:', error);
-
-            callback(error);
        });
+    }, function (error) {
+        gUpdatingDns = false;
+
+        debug('addDnsRecords: done updating records with error:', error);
+
+        callback(error);
    });
 }

@@ -481,10 +463,10 @@ function migrate(size, region, callback) {
          .query({ token: config.token() })
          .send({ size: size, region: region, restoreKey: restoreKey })
          .end(function (error, result) {
-            if (error && !error.response) return unlock(error);
-            if (result.statusCode === 409) return unlock(new CloudronError(CloudronError.BAD_STATE));
-            if (result.statusCode === 404) return unlock(new CloudronError(CloudronError.NOT_FOUND));
-            if (result.statusCode !== 202) return unlock(new CloudronError(CloudronError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
+            if (error) return unlock(error);
+            if (result.status === 409) return unlock(new CloudronError(CloudronError.BAD_STATE));
+            if (result.status === 404) return unlock(new CloudronError(CloudronError.NOT_FOUND));
+            if (result.status !== 202) return unlock(new CloudronError(CloudronError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));

            return unlock(null);
        });
@@ -507,7 +489,7 @@ function update(boxUpdateInfo, callback) {
        debug('Starting upgrade');
        doUpgrade(boxUpdateInfo, function (error) {
            if (error) {
-                console.error('Upgrade failed with error:', error);
+                debug('Upgrade failed with error: %s', error);
                locker.unlock(locker.OP_BOX_UPDATE);
            }
        });
@@ -515,7 +497,7 @@ function update(boxUpdateInfo, callback) {
        debug('Starting update');
        doUpdate(boxUpdateInfo, function (error) {
            if (error) {
-                console.error('Update failed with error:', error);
+                debug('Update failed with error: %s', error);
                locker.unlock(locker.OP_BOX_UPDATE);
            }
        });
@@ -541,8 +523,8 @@ function doUpgrade(boxUpdateInfo, callback) {
          .query({ token: config.token() })
          .send({ version: boxUpdateInfo.version })
          .end(function (error, result) {
-            if (error && !error.response) return upgradeError(new Error('Network error making upgrade request: ' + error));
-            if (result.statusCode !== 202) return upgradeError(new Error(util.format('Server not ready to upgrade. statusCode: %s body: %j', result.status, result.body)));
+            if (error) return upgradeError(new Error('Error making upgrade request: ' + error));
+            if (result.status !== 202) return upgradeError(new Error(util.format('Server not ready to upgrade. statusCode: %s body: %j', result.status, result.body)));

            progress.set(progress.UPDATE, 10, 'Updating base system');

@@ -570,8 +552,8 @@ function doUpdate(boxUpdateInfo, callback) {
        superagent.get(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/sourcetarballurl')
          .query({ token: config.token(), boxVersion: boxUpdateInfo.version })
          .end(function (error, result) {
-            if (error && !error.response) return updateError(new Error('Network error fetching sourceTarballUrl: ' + error));
-            if (result.statusCode !== 200) return updateError(new Error('Error fetching sourceTarballUrl status: ' + result.statusCode));
+            if (error) return updateError(new Error('Error fetching sourceTarballUrl: ' + error));
+            if (result.status !== 200) return updateError(new Error('Error fetching sourceTarballUrl status: ' + result.status));
            if (!safe.query(result, 'body.url')) return updateError(new Error('Error fetching sourceTarballUrl response: ' + JSON.stringify(result.body)));

            // NOTE: the args here are tied to the installer revision, box code and appstore provisioning logic
@@ -588,16 +570,6 @@ function doUpdate(boxUpdateInfo, callback) {
                    tlsKey: fs.readFileSync(path.join(paths.NGINX_CERT_DIR, 'host.key'), 'utf8'),
                    isCustomDomain: config.isCustomDomain(),

-                    appstore: {
-                        token: config.token(),
-                        apiServerOrigin: config.apiServerOrigin()
-                    },
-                    caas: {
-                        token: config.token(),
-                        apiServerOrigin: config.apiServerOrigin(),
-                        webServerOrigin: config.webServerOrigin()
-                    },
-
                    version: boxUpdateInfo.version,
                    boxVersionsUrl: config.get('boxVersionsUrl')
                }
@@ -606,8 +578,8 @@ function doUpdate(boxUpdateInfo, callback) {
            debug('updating box %j', args);

            superagent.post(INSTALLER_UPDATE_URL).send(args).end(function (error, result) {
-                if (error && !error.response) return updateError(error);
-                if (result.statusCode !== 202) return updateError(new Error('Error initiating update: ' + JSON.stringify(result.body)));
+                if (error) return updateError(error);
+                if (result.status !== 202) return updateError(new Error('Error initiating update: ' + JSON.stringify(result.body)));

                progress.set(progress.UPDATE, 10, 'Updating cloudron software');

@@ -710,13 +682,13 @@ function backupBoxAndApps(callback) {
            ++processed;

            apps.backupApp(app, app.manifest.addons, function (error, backupId) {
+                progress.set(progress.BACKUP, step * processed, 'Backed up app at ' + app.location);
+
                if (error && error.reason !== AppsError.BAD_STATE) {
                    debugApp(app, 'Unable to backup', error);
                    return iteratorCallback(error);
                }

-                progress.set(progress.BACKUP, step * processed, 'Backed up app at ' + app.location);
-
                iteratorCallback(null, backupId || null); // clear backupId if is in BAD_STATE and never backed up
            });
        }, function appsBackedUp(error, backupIds) {
@@ -1,6 +1,6 @@
 LoadPlugin "table"
 <Plugin table>
-  <Table "/sys/fs/cgroup/memory/system.slice/docker.service/docker/<%= containerId %>/memory.stat">
+  <Table "/sys/fs/cgroup/memory/system.slice/docker-<%= containerId %>.scope/memory.stat">
    Instance "<%= appId %>-memory"
    Separator " \\n"
    <Result>
@@ -10,7 +10,7 @@ LoadPlugin "table"
    </Result>
  </Table>

-  <Table "/sys/fs/cgroup/memory/system.slice/docker.service/docker/<%= containerId %>/memory.max_usage_in_bytes">
+  <Table "/sys/fs/cgroup/memory/system.slice/docker-<%= containerId %>.scope/memory.max_usage_in_bytes">
    Instance "<%= appId %>-memory"
    Separator "\\n"
    <Result>
@@ -20,7 +20,7 @@ LoadPlugin "table"
    </Result>
  </Table>

-  <Table "/sys/fs/cgroup/cpuacct/system.slice/docker/<%= containerId %>/cpuacct.stat">
+  <Table "/sys/fs/cgroup/cpuacct/system.slice/docker-<%= containerId %>.scope/cpuacct.stat">
    Instance "<%= appId %>-cpu"
    Separator " \\n"
    <Result>
@@ -17,7 +17,6 @@ exports = module.exports = {
    TEST: process.env.BOX_ENV === 'test',

    // convenience getters
-    provider: provider,
    apiServerOrigin: apiServerOrigin,
    webServerOrigin: webServerOrigin,
    fqdn: fqdn,
@@ -29,7 +28,6 @@ exports = module.exports = {
    // these values are derived
    adminOrigin: adminOrigin,
    internalAdminOrigin: internalAdminOrigin,
-    adminFqdn: adminFqdn,
    appFqdn: appFqdn,
    zoneName: zoneName,

@@ -83,7 +81,6 @@ function initConfig() {
    data.ldapPort = 3002;
    data.oauthProxyPort = 3003;
    data.simpleAuthPort = 3004;
-    data.provider = 'caas';

    if (exports.CLOUDRON) {
        data.port = 3000;
@@ -158,10 +155,6 @@ function appFqdn(location) {
    return isCustomDomain() ? location + '.' + fqdn() : location + '-' + fqdn();
 }

-function adminFqdn() {
-    return appFqdn(constants.ADMIN_LOCATION);
-}
-
 function adminOrigin() {
    return 'https://' + appFqdn(constants.ADMIN_LOCATION);
 }
@@ -196,7 +189,3 @@ function database() {
 function isDev() {
    return /dev/i.test(get('boxVersionsUrl'));
 }
-
-function provider() {
-    return get('provider');
-}
@@ -7,7 +7,6 @@ exports = module.exports = {

 var apps = require('./apps.js'),
    assert = require('assert'),
-    certificates = require('./certificates.js'),
    cloudron = require('./cloudron.js'),
    config = require('./config.js'),
    CronJob = require('cron').CronJob,
@@ -24,8 +23,7 @@ var gAutoupdaterJob = null,
    gBackupJob = null,
    gCleanupTokensJob = null,
    gDockerVolumeCleanerJob = null,
-    gSchedulerSyncJob = null,
-    gCertificateRenewJob = null;
+    gSchedulerSyncJob = null;

 var NOOP_CALLBACK = function (error) { if (error) console.error(error); };

@@ -109,14 +107,6 @@ function recreateJobs(unusedTimeZone, callback) {
            timeZone: allSettings[settings.TIME_ZONE_KEY]
        });

-        if (gCertificateRenewJob) gCertificateRenewJob.stop();
-        gCertificateRenewJob = new CronJob({
-            cronTime: '00 00 */12 * * *', // every 12 hours
-            onTick: certificates.autoRenew,
-            start: true,
-            timeZone: allSettings[settings.TIME_ZONE_KEY]
-        });
-
        settings.events.removeListener(settings.AUTOUPDATE_PATTERN_KEY, autoupdatePatternChanged);
        settings.events.on(settings.AUTOUPDATE_PATTERN_KEY, autoupdatePatternChanged);
        autoupdatePatternChanged(allSettings[settings.AUTOUPDATE_PATTERN_KEY]);
@@ -189,8 +179,5 @@ function uninitialize(callback) {
    if (gSchedulerSyncJob) gSchedulerSyncJob.stop();
    gSchedulerSyncJob = null;

-    if (gCertificateRenewJob) gCertificateRenewJob.stop();
-    gCertificateRenewJob = null;
-
    callback();
 }
@@ -126,8 +126,6 @@ function clear(callback) {
 function beginTransaction(callback) {
    assert.strictEqual(typeof callback, 'function');

-    if (gConnectionPool === null) return callback(new Error('No database connection pool.'));
-
    gConnectionPool.getConnection(function (error, connection) {
        if (error) return callback(error);

@@ -13,7 +13,6 @@ exports = module.exports = {

 var assert = require('assert'),
    config = require('./config.js'),
-    debug = require('debug')('box:developer'),
    tokendb = require('./tokendb.js'),
    settings = require('./settings.js'),
    superagent = require('superagent'),
@@ -39,7 +38,6 @@ function DeveloperError(reason, errorOrMessage) {
 }
 util.inherits(DeveloperError, Error);
 DeveloperError.INTERNAL_ERROR = 'Internal Error';
-DeveloperError.EXTERNAL_ERROR = 'External Error';

 function enabled(callback) {
    assert.strictEqual(typeof callback, 'function');
@@ -79,12 +77,8 @@ function getNonApprovedApps(callback) {

    var url = config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/apps';
    superagent.get(url).query({ token: config.token(), boxVersion: config.version() }).end(function (error, result) {
-        if (error && !error.response) return callback(new DeveloperError(DeveloperError.EXTERNAL_ERROR, error));
-        if (result.statusCode === 401) {
-            debug('Failed to list apps in development. Appstore token invalid or missing. Returning empty list.', result.body);
-            return callback(null, []);
-        }
-        if (result.statusCode !== 200) return callback(new DeveloperError(DeveloperError.EXTERNAL_ERROR, util.format('App listing failed. %s %j', result.status, result.body)));
+        if (error) return callback(new DeveloperError(DeveloperError.INTERNAL_ERROR, error));
+        if (result.status !== 200) return callback(new DeveloperError(DeveloperError.INTERNAL_ERROR, util.format('App listing failed. %s %j', result.status, result.body)));

        callback(null, result.body.apps || []);
    });
@@ -40,9 +40,9 @@ function add(dnsConfig, zoneName, subdomain, type, values, callback) {
        .query({ token: dnsConfig.token })
        .send(data)
        .end(function (error, result) {
-            if (error && !error.response) return callback(error);
-            if (result.statusCode === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
-            if (result.statusCode !== 201) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
+            if (error) return callback(error);
+            if (result.status === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
+            if (result.status !== 201) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));

            return callback(null, result.body.changeId);
        });
@@ -63,8 +63,8 @@ function get(dnsConfig, zoneName, subdomain, type, callback) {
        .get(config.apiServerOrigin() + '/api/v1/domains/' + fqdn)
        .query({ token: dnsConfig.token, type: type })
        .end(function (error, result) {
-            if (error && !error.response) return callback(error);
-            if (result.statusCode !== 200) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
+            if (error) return callback(error);
+            if (result.status !== 200) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));

            return callback(null, result.body.values);
        });
@@ -107,10 +107,10 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {
        .query({ token: dnsConfig.token })
        .send(data)
        .end(function (error, result) {
-            if (error && !error.response) return callback(error);
-            if (result.statusCode === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
-            if (result.statusCode === 404) return callback(new SubdomainError(SubdomainError.NOT_FOUND));
-            if (result.statusCode !== 204) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
+            if (error) return callback(error);
+            if (result.status === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
+            if (result.status === 404) return callback(new SubdomainError(SubdomainError.NOT_FOUND));
+            if (result.status !== 204) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));

            return callback(null);
        });
@@ -127,8 +127,8 @@ function getChangeStatus(dnsConfig, changeId, callback) {
        .get(config.apiServerOrigin() + '/api/v1/domains/' + config.fqdn() + '/status/' + changeId)
        .query({ token: dnsConfig.token })
        .end(function (error, result) {
-            if (error && !error.response) return callback(error);
-            if (result.statusCode !== 200) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.statusCode, result.body)));
+            if (error) return callback(error);
+            if (result.status !== 200) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));

            return callback(null, result.body.status);
        });
@@ -176,19 +176,19 @@ function del(dnsConfig, zoneName, subdomain, type, values, callback) {
        var route53 = new AWS.Route53(getDnsCredentials(dnsConfig));
        route53.changeResourceRecordSets(params, function(error, result) {
            if (error && error.message && error.message.indexOf('it was not found') !== -1) {
-                debug('del: resource record set not found.', error);
+                debug('delSubdomain: resource record set not found.', error);
                return callback(new SubdomainError(SubdomainError.NOT_FOUND, new Error(error)));
            } else if (error && error.code === 'NoSuchHostedZone') {
-                debug('del: hosted zone not found.', error);
+                debug('delSubdomain: hosted zone not found.', error);
                return callback(new SubdomainError(SubdomainError.NOT_FOUND, new Error(error)));
            } else if (error && error.code === 'PriorRequestNotComplete') {
-                debug('del: resource is still busy', error);
+                debug('delSubdomain: resource is still busy', error);
                return callback(new SubdomainError(SubdomainError.STILL_BUSY, new Error(error)));
            } else if (error && error.code === 'InvalidChangeBatch') {
-                debug('del: invalid change batch. No such record to be deleted.');
+                debug('delSubdomain: invalid change batch. No such record to be deleted.');
                return callback(new SubdomainError(SubdomainError.NOT_FOUND, new Error(error)));
            } else if (error) {
-                debug('del: error', error);
+                debug('delSubdomain: error', error);
                return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, new Error(error)));
            }

@@ -8,8 +8,7 @@ var addons = require('./addons.js'),
    Docker = require('dockerode'),
    safe = require('safetydance'),
    semver = require('semver'),
-    util = require('util'),
-    _ = require('underscore');
+    util = require('util');

 exports = module.exports = {
    connection: connectionInstance(),
@@ -17,10 +16,8 @@ exports = module.exports = {
    createContainer: createContainer,
    startContainer: startContainer,
    stopContainer: stopContainer,
-    stopContainerByName: stopContainer,
    stopContainers: stopContainers,
    deleteContainer: deleteContainer,
-    deleteContainerByName: deleteContainer,
    deleteImage: deleteImage,
    deleteContainers: deleteContainers,
    createSubcontainer: createSubcontainer
@@ -54,7 +51,7 @@ function targetBoxVersion(manifest) {

    if ('minBoxVersion' in manifest) return manifest.minBoxVersion;

-    return '99999.99999.99999'; // compatible with the latest version
+    return '0.0.1';
 }

 function pullImage(manifest, callback) {
@@ -67,17 +64,18 @@ function pullImage(manifest, callback) {
        // is emitted as a chunk
        stream.on('data', function (chunk) {
            var data = safe.JSON.parse(chunk) || { };
-            debug('pullImage %s: %j', manifest.id, data);
+            debug('pullImage data: %j', data);

            // The information here is useless because this is per layer as opposed to per image
            if (data.status) {
+                // debugApp(app, 'progress: %s', data.status); // progressDetail { current, total }
            } else if (data.error) {
-                debug('pullImage error %s: %s', manifest.id, data.errorDetail.message);
+                debug('pullImage error detail: %s', data.errorDetail.message);
            }
        });

        stream.on('end', function () {
-            debug('downloaded image %s of %s successfully', manifest.dockerImage, manifest.id);
+            debug('downloaded image %s successfully', manifest.dockerImage);

            var image = docker.getImage(manifest.dockerImage);

@@ -86,14 +84,14 @@ function pullImage(manifest, callback) {
                if (!data || !data.Config) return callback(new Error('Missing Config in image:' + JSON.stringify(data, null, 4)));
                if (!data.Config.Entrypoint && !data.Config.Cmd) return callback(new Error('Only images with entry point are allowed'));

-                debug('This image of %s exposes ports: %j', manifest.id, data.Config.ExposedPorts);
+                debug('This image exposes ports: %j', data.Config.ExposedPorts);

                callback(null);
            });
        });

        stream.on('error', function (error) {
-            debug('error pulling image %s of %s: %j', manifest.dockerImage, manifest.id, error);
+            debug('error pulling image %s : %j', manifest.dockerImage, error);

            callback(error);
        });
@@ -104,12 +102,12 @@ function downloadImage(manifest, callback) {
    assert.strictEqual(typeof manifest, 'object');
    assert.strictEqual(typeof callback, 'function');

-    debug('downloadImage %s %s', manifest.id, manifest.dockerImage);
+    debug('downloadImage %s', manifest.dockerImage);

    var attempt = 1;

-    async.retry({ times: 10, interval: 15000 }, function (retryCallback) {
-        debug('Downloading image %s %s. attempt: %s', manifest.id, manifest.dockerImage, attempt++);
+    async.retry({ times: 5, interval: 15000 }, function (retryCallback) {
+        debug('Downloading image. attempt: %s', attempt++);

        pullImage(manifest, function (error) {
            if (error) console.error(error);
@@ -119,11 +117,10 @@ function downloadImage(manifest, callback) {
    }, callback);
 }

-function createSubcontainer(app, name, cmd, options, callback) {
+function createSubcontainer(app, name, cmd, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof name, 'string');
    assert(!cmd || util.isArray(cmd));
-    assert.strictEqual(typeof options, 'object');
    assert.strictEqual(typeof callback, 'function');

    var docker = exports.connection,
@@ -156,9 +153,6 @@ function createSubcontainer(app, name, cmd, options, callback) {
    }

    var memoryLimit = manifest.memoryLimit || 1024 * 1024 * 200; // 200mb by default
-    // for subcontainers, this should ideally be false. but docker does not allow network sharing if the app container is not running
-    // this means cloudron exec does not work
-    var isolatedNetworkNs = true;

    addons.getEnvironment(app, function (error, addonEnv) {
        if (error) return callback(new Error('Error getting addon environment : ' + error));
@@ -166,8 +160,7 @@ function createSubcontainer(app, name, cmd, options, callback) {
        var containerOptions = {
            name: name, // used for filtering logs
            // do _not_ set hostname to app fqdn. doing so sets up the dns name to look up the internal docker ip. this makes curl from within container fail
-            // for subcontainers, this should not be set because we already share the network namespace with app container
-            Hostname: isolatedNetworkNs ? (semver.gte(targetBoxVersion(app.manifest), '0.0.77') ? app.location : config.appFqdn(app.location)) : null,
+            Hostname: semver.gte(targetBoxVersion(app.manifest), '0.0.77') ? app.location : config.appFqdn(app.location),
            Tty: isAppContainer,
            Image: app.manifest.dockerImage,
            Cmd: cmd,
@@ -189,30 +182,28 @@ function createSubcontainer(app, name, cmd, options, callback) {
                PortBindings: isAppContainer ? dockerPortBindings : { },
                PublishAllPorts: false,
                ReadonlyRootfs: semver.gte(targetBoxVersion(app.manifest), '0.0.66'), // see also Volumes in startContainer
+                Links: addons.getLinksSync(app, app.manifest.addons),
                RestartPolicy: {
                    "Name": isAppContainer ? "always" : "no",
                    "MaximumRetryCount": 0
                },
                CpuShares: 512, // relative to 1024 for system processes
                VolumesFrom: isAppContainer ? null : [ app.containerId + ":rw" ],
-                NetworkMode: isolatedNetworkNs ? 'default' : ('container:' + app.containerId), // share network namespace with parent
-                Links: isolatedNetworkNs ? addons.getLinksSync(app, app.manifest.addons) : null, // links is redundant with --net=container
                SecurityOpt: config.CLOUDRON ? [ "apparmor:docker-cloudron-app" ] : null // profile available only on cloudron
            }
        };
-        containerOptions = _.extend(containerOptions, options);

        // older versions wanted a writable /var/log
        if (semver.lte(targetBoxVersion(app.manifest), '0.0.71')) containerOptions.Volumes['/var/log'] = {};

-        debugApp(app, 'Creating container for %s with options %j', app.manifest.dockerImage, containerOptions);
+        debugApp(app, 'Creating container for %s', app.manifest.dockerImage);

        docker.createContainer(containerOptions, callback);
    });
 }

 function createContainer(app, callback) {
-    createSubcontainer(app, app.id /* name */, null /* cmd */, { } /* options */, callback);
+    createSubcontainer(app, app.id /* name */, null /* cmd */, callback);
 }

 function startContainer(containerId, callback) {
@@ -5,7 +5,8 @@ Dear Admin,
 The application titled '<%= title %>' that you installed at <%= appFqdn %>
 is not responding.

-This is most likely a problem in the application.
+This is most likely a problem in the application. Please report this issue to
+support@cloudron.io (by forwarding this email).

 You are receiving this email because you are an Admin of the Cloudron at <%= fqdn %>.

@@ -133,15 +133,6 @@ function checkDns() {
 function processQueue() {
    assert(gDnsReady);

-    sendMails(gMailQueue);
-    gMailQueue = [ ];
-}
-
-// note : this function should NOT access the database. it is called by the crashnotifier
-// which does not initialize mailer or the databse
-function sendMails(queue) {
-    assert(util.isArray(queue));
-
    docker.getContainer('mail').inspect(function (error, data) {
        if (error) return console.error(error);

@@ -153,9 +144,12 @@ function sendMails(queue) {
            port: 2500 // this value comes from mail container
        }));

-        debug('Processing mail queue of size %d (through %s:2500)', queue.length, mailServerIp);
+        var mailQueueCopy = gMailQueue;
+        gMailQueue = [ ];

-        async.mapSeries(queue, function iterator(mailOptions, callback) {
+        debug('Processing mail queue of size %d (through %s:2500)', mailQueueCopy.length, mailServerIp);
+
+        async.mapSeries(mailQueueCopy, function iterator(mailOptions, callback) {
            transport.sendMail(mailOptions, function (error) {
                if (error) return console.error(error); // TODO: requeue?
                debug('Email sent to ' + mailOptions.to);
@@ -284,7 +278,7 @@ function appDied(app) {

        var mailOptions = {
            from: config.get('adminEmail'),
-            to: adminEmails.concat('support@cloudron.io').join(', '),
+            to: adminEmails.join(', '),
            subject: util.format('App %s is down', app.location),
            text: render('app_down.ejs', { fqdn: config.fqdn(), title: app.manifest.title, appFqdn: config.appFqdn(app.location), format: 'text' })
        };
@@ -329,8 +323,6 @@ function appUpdateAvailable(app, updateInfo) {
    });
 }

-// this function bypasses the queue intentionally. it is also expected to work without the mailer module initialized
-// crashnotifier should be able to send mail when there is no db
 function sendCrashNotification(program, context) {
    assert.strictEqual(typeof program, 'string');
    assert.strictEqual(typeof context, 'string');
@@ -342,7 +334,7 @@ function sendCrashNotification(program, context) {
        text: render('crash_notification.ejs', { fqdn: config.fqdn(), program: program, context: context, format: 'text' })
    };

-    sendMails([ mailOptions ]);
+    enqueue(mailOptions);
 }

 function sendFeedback(user, type, subject, description) {
@@ -1,93 +0,0 @@
-/* jslint node:true */
-
-'use strict';
-
-var assert = require('assert'),
-    config = require('./config.js'),
-    debug = require('debug')('box:src/nginx'),
-    ejs = require('ejs'),
-    fs = require('fs'),
-    path = require('path'),
-    paths = require('./paths.js'),
-    safe = require('safetydance'),
-    shell = require('./shell.js');
-
-exports = module.exports = {
-    configureAdmin: configureAdmin,
-    configureApp: configureApp,
-    unconfigureApp: unconfigureApp,
-    reload: reload
-};
-
-var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }),
-    RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh');
-
-function configureAdmin(certFilePath, keyFilePath, callback) {
-    assert.strictEqual(typeof certFilePath, 'string');
-    assert.strictEqual(typeof keyFilePath, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var data = {
-        sourceDir: path.resolve(__dirname, '..'),
-        adminOrigin: config.adminOrigin(),
-        vhost: config.adminFqdn(),
-        endpoint: 'admin',
-        certFilePath: certFilePath,
-        keyFilePath: keyFilePath
-    };
-    var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
-    var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, 'admin.conf');
-
-    if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) return callback(safe.error);
-
-    reload(callback);
-}
-
-function configureApp(app, certFilePath, keyFilePath, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof certFilePath, 'string');
-    assert.strictEqual(typeof keyFilePath, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    var sourceDir = path.resolve(__dirname, '..');
-    var endpoint = app.oauthProxy ? 'oauthproxy' : 'app';
-    var vhost = config.appFqdn(app.location);
-
-    var data = {
-        sourceDir: sourceDir,
-        adminOrigin: config.adminOrigin(),
-        vhost: vhost,
-        port: app.httpPort,
-        endpoint: endpoint,
-        certFilePath: certFilePath,
-        keyFilePath: keyFilePath
-    };
-    var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
-
-    var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
-    debug('writing config for "%s" to %s', app.location, nginxConfigFilename);
-
-    if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) {
-        debug('Error creating nginx config for "%s" : %s', app.location, safe.error.message);
-        return callback(safe.error);
-    }
-
-    reload(callback);
-}
-
-function unconfigureApp(app, callback) {
-    assert.strictEqual(typeof app, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
-    if (!safe.fs.unlinkSync(nginxConfigFilename)) {
-        debug('Error removing nginx configuration of "%s": %s', app.location, safe.error.message);
-        return callback(null);
-    }
-
-    reload(callback);
-}
-
-function reload(callback) {
-    shell.sudo('reload', [ RELOAD_NGINX_CMD ], callback);
-}
@@ -35,9 +35,9 @@ args.forEach(function (arg) {
 });

 if (code && redirectURI) {
-    window.location.href = redirectURI + (redirectURI.indexOf('?') !== -1 ? '&' : '?') + 'code=' + code + (state ? '&state=' + state : '');
+    window.location.href = redirectURI + '?code=' + code + (state ? '&state=' + state : '');
 } else if (redirectURI && accessToken) {
-    window.location.href = redirectURI + (redirectURI.indexOf('?') !== -1 ? '&' : '?') + 'token=' + accessToken + (state ? '&state=' + state : '');
+    window.location.href = redirectURI + '?token=' + accessToken + (state ? '&state=' + state : '');
 } else {
    window.location.href = '/api/v1/session/login';
 }
@@ -92,7 +92,7 @@ function authenticate(req, res, next) {
            .post(config.internalAdminOrigin() + '/api/v1/oauth/token')
            .query(query).send(data)
            .end(function (error, result) {
-            if (error && !error.response) {
+            if (error) {
                console.error(error);
                return res.send(500, 'Unable to contact the oauth server.');
            }
@@ -12,6 +12,7 @@ exports = module.exports = {
    NGINX_CERT_DIR: path.join(config.baseDir(), 'data/nginx/cert'),

    ADDON_CONFIG_DIR: path.join(config.baseDir(), 'data/addons'),
+    SCHEDULER_FILE: path.join(config.baseDir(), 'data/addons/scheduler.json'),

    DNS_IN_SYNC_FILE: path.join(config.baseDir(), 'data/dns_in_sync'),

@@ -27,8 +28,5 @@ exports = module.exports = {
    CLOUDRON_AVATAR_FILE: path.join(config.baseDir(), 'data/box/avatar.png'),
    CLOUDRON_DEFAULT_AVATAR_FILE: path.join(__dirname + '/../assets/avatar.png'),

-    UPDATE_CHECKER_FILE: path.join(config.baseDir(), 'data/box/updatechecker.json'),
-
-    ACME_CHALLENGES_DIR: path.join(config.baseDir(), 'data/acme'),
-    ACME_ACCOUNT_KEY_FILE: path.join(config.baseDir(), 'data/box/acme/acme.key')
+    UPDATE_CHECKER_FILE: path.join(config.baseDir(), 'data/box/updatechecker.json')
 };
@@ -133,7 +133,6 @@ function installApp(req, res, next) {
        if (error && error.reason === AppsError.PORT_CONFLICT) return next(new HttpError(409, 'Port ' + error.message + ' is already in use.'));
        if (error && error.reason === AppsError.BAD_FIELD) return next(new HttpError(400, error.message));
        if (error && error.reason === AppsError.BILLING_REQUIRED) return next(new HttpError(402, 'Billing required'));
-        if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
        if (error && error.reason === AppsError.BAD_CERTIFICATE) return next(new HttpError(400, error.message));
        if (error && error.reason === AppsError.USER_REQUIRED) return next(new HttpError(400, 'accessRestriction must specify one user'));
        if (error) return next(new HttpError(500, error));
@@ -369,8 +368,6 @@ function exec(req, res, next) {

        duplexStream.pipe(res.socket);
        res.socket.pipe(duplexStream);
-
-        res.on('close', duplexStream.close);
    });
 }

@@ -57,15 +57,12 @@ function activate(req, res, next) {
        if (error && error.reason === CloudronError.BAD_EMAIL) return next(new HttpError(400, 'Bad email'));
        if (error) return next(new HttpError(500, error));

-        // only in caas case do we have to notify the api server about activation
-        if (config.provider() !== 'caas') return next(new HttpSuccess(201, info));
-
        // Now let the api server know we got activated
-        superagent.post(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/setup/done').query({ setupToken: req.query.setupToken }).end(function (error, result) {
-            if (error && !error.response) return next(new HttpError(500, error));
+        superagent.post(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/setup/done').query({ setupToken:req.query.setupToken }).end(function (error, result) {
+            if (error) return next(new HttpError(500, error));
            if (result.statusCode === 403) return next(new HttpError(403, 'Invalid token'));
            if (result.statusCode === 409) return next(new HttpError(409, 'Already setup'));
-            if (result.statusCode !== 201) return next(new HttpError(500, result.text || 'Internal error'));
+            if (result.statusCode !== 201) return next(new HttpError(500, result.text ? result.text.message : 'Internal error'));

            next(new HttpSuccess(201, info));
        });
@@ -75,16 +72,13 @@ function activate(req, res, next) {
 function setupTokenAuth(req, res, next) {
    assert.strictEqual(typeof req.query, 'object');

-    // skip setupToken auth for non caas case
-    if (config.provider() !== 'caas') return next();
-
    if (typeof req.query.setupToken !== 'string') return next(new HttpError(400, 'no setupToken provided'));

    superagent.get(config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/setup/verify').query({ setupToken:req.query.setupToken }).end(function (error, result) {
-        if (error && !error.response) return next(new HttpError(500, error));
+        if (error) return next(new HttpError(500, error));
        if (result.statusCode === 403) return next(new HttpError(403, 'Invalid token'));
        if (result.statusCode === 409) return next(new HttpError(409, 'Already setup'));
-        if (result.statusCode !== 200) return next(new HttpError(500, result.text || 'Internal error'));
+        if (result.statusCode !== 200) return next(new HttpError(500, result.text ? result.text.message : 'Internal error'));

        next();
    });
@@ -359,7 +359,7 @@ var authorization = [
            var redirectPath = url.parse(redirectURI).path;
            var redirectOrigin = client.redirectURI;

-            callback(null, client, '/api/v1/session/callback?redirectURI=' + encodeURIComponent(url.resolve(redirectOrigin, redirectPath)));
+            callback(null, client, '/api/v1/session/callback?redirectURI=' + url.resolve(redirectOrigin, redirectPath));
        });
    }),
    function (req, res, next) {
@@ -15,16 +15,11 @@ exports = module.exports = {
    getDnsConfig: getDnsConfig,
    setDnsConfig: setDnsConfig,

-    getBackupConfig: getBackupConfig,
-    setBackupConfig: setBackupConfig,
-
    setCertificate: setCertificate,
    setAdminCertificate: setAdminCertificate
 };

 var assert = require('assert'),
-    certificates = require('../certificates.js'),
-    CertificatesError = require('../certificates.js').CertificatesError,
    HttpError = require('connect-lastmile').HttpError,
    HttpSuccess = require('connect-lastmile').HttpSuccess,
    safe = require('safetydance'),
@@ -116,27 +111,6 @@ function setDnsConfig(req, res, next) {
    });
 }

-function getBackupConfig(req, res, next) {
-    settings.getBackupConfig(function (error, config) {
-        if (error) return next(new HttpError(500, error));
-
-        next(new HttpSuccess(200, config));
-    });
-}
-
-function setBackupConfig(req, res, next) {
-    assert.strictEqual(typeof req.body, 'object');
-
-    if (typeof req.body.provider !== 'string') return next(new HttpError(400, 'provider is required'));
-
-    settings.setBackupConfig(req.body, function (error) {
-        if (error && error.reason === SettingsError.BAD_FIELD) return next(new HttpError(400, error.message));
-        if (error) return next(new HttpError(500, error));
-
-        next(new HttpSuccess(200));
-    });
-}
-
 // default fallback cert
 function setCertificate(req, res, next) {
    assert.strictEqual(typeof req.body, 'object');
@@ -144,8 +118,8 @@ function setCertificate(req, res, next) {
    if (!req.body.cert || typeof req.body.cert !== 'string') return next(new HttpError(400, 'cert must be a string'));
    if (!req.body.key || typeof req.body.key !== 'string') return next(new HttpError(400, 'key must be a string'));

-    certificates.setFallbackCertificate(req.body.cert, req.body.key, function (error) {
-        if (error && error.reason === CertificatesError.INVALID_CERT) return next(new HttpError(400, error.message));
+    settings.setCertificate(req.body.cert, req.body.key, function (error) {
+        if (error && error.reason === SettingsError.INVALID_CERT) return next(new HttpError(400, error.message));
        if (error) return next(new HttpError(500, error));

        next(new HttpSuccess(202, {}));
@@ -159,8 +133,8 @@ function setAdminCertificate(req, res, next) {
    if (!req.body.cert || typeof req.body.cert !== 'string') return next(new HttpError(400, 'cert must be a string'));
    if (!req.body.key || typeof req.body.key !== 'string') return next(new HttpError(400, 'key must be a string'));

-    certificates.setAdminCertificate(req.body.cert, req.body.key, function (error) {
-        if (error && error.reason === CertificatesError.INVALID_CERT) return next(new HttpError(400, error.message));
+    settings.setAdminCertificate(req.body.cert, req.body.key, function (error) {
+        if (error && error.reason === SettingsError.INVALID_CERT) return next(new HttpError(400, error.message));
        if (error) return next(new HttpError(500, error));

        next(new HttpSuccess(202, {}));
@@ -27,7 +27,7 @@ var appdb = require('../../appdb.js'),
    nock = require('nock'),
    paths = require('../../paths.js'),
    redis = require('redis'),
-    superagent = require('superagent'),
+    request = require('superagent'),
    safe = require('safetydance'),
    server = require('../../server.js'),
    settings = require('../../settings.js'),
@@ -114,10 +114,11 @@ function setup(done) {
            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});

-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .query({ setupToken: 'somesetuptoken' })
                   .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result).to.be.ok();
                expect(result.statusCode).to.eql(201);
                expect(scope1.isDone()).to.be.ok();
@@ -136,10 +137,11 @@ function setup(done) {
        },

        function (callback) {
-            superagent.post(SERVER_URL + '/api/v1/users')
+            request.post(SERVER_URL + '/api/v1/users')
                   .query({ access_token: token })
                   .send({ username: USERNAME_1, email: EMAIL_1 })
                   .end(function (err, res) {
+                expect(err).to.not.be.ok();
                expect(res.statusCode).to.equal(201);

                callback(null);
@@ -154,8 +156,6 @@ function setup(done) {
        },

        settings.setDnsConfig.bind(null, { provider: 'route53', accessKeyId: 'accessKeyId', secretAccessKey: 'secretAccessKey', endpoint: 'http://localhost:5353' }),
-        settings.setTlsConfig.bind(null, { provider: 'caas' }),
-        settings.setBackupConfig.bind(null, { provider: 'caas', token: 'BACKUP_TOKEN', bucket: 'Bucket', prefix: 'Prefix' })
    ], done);
 }

@@ -196,174 +196,174 @@ describe('App API', function () {
    });

    it('app install fails - missing manifest', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, password: PASSWORD })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('manifest is required');
-            done();
+            done(err);
        });
    });

    it('app install fails - missing appId', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ manifest: APP_MANIFEST, password: PASSWORD })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('appStoreId is required');
-            done();
+            done(err);
        });
    });

    it('app install fails - invalid json', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send('garbage')
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
-            done();
+            done(err);
        });
    });

    it('app install fails - invalid location', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: '!awesome', accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('Hostname can only contain alphanumerics and hyphen');
-            done();
+            done(err);
        });
    });

    it('app install fails - invalid location type', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: 42, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('location is required');
-            done();
+            done(err);
        });
    });

    it('app install fails - reserved admin location', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.ADMIN_LOCATION, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql(constants.ADMIN_LOCATION + ' is reserved');
-            done();
+            done(err);
        });
    });

    it('app install fails - reserved api location', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.API_LOCATION, accessRestriction: null, oauthProxy: true })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql(constants.API_LOCATION + ' is reserved');
-            done();
+            done(err);
        });
    });

    it('app install fails - portBindings must be object', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: 23, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('portBindings must be an object');
-            done();
+            done(err);
        });
    });

    it('app install fails - accessRestriction is required', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('accessRestriction is required');
-            done();
+            done(err);
        });
    });

    it('app install fails - accessRestriction type is wrong', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: '', oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('accessRestriction is required');
-            done();
+            done(err);
        });
    });

    it('app install fails - accessRestriction no users not allowed', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST_1, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('accessRestriction must specify one user');
-            done();
+            done(err);
        });
    });

    it('app install fails - accessRestriction too many users not allowed', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST_1, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: { users: [ 'one', 'two' ] }, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('accessRestriction must specify one user');
-            done();
+            done(err);
        });
    });

    it('app install fails - oauthProxy is required', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: null })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('oauthProxy must be a boolean');
-            done();
+            done(err);
        });
    });

    it('app install fails for non admin', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token_1 })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
-            done();
+            done(err);
        });
    });

    it('app install fails due to purchase failure', function (done) {
        var fake = nock(config.apiServerOrigin()).post('/api/v1/apps/test/purchase?token=APPSTORE_TOKEN').reply(402, {});

-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(402);
            expect(fake.isDone()).to.be.ok();
-            done();
+            done(err);
        });
    });

    it('app install succeeds with purchase', function (done) {
        var fake = nock(config.apiServerOrigin()).post('/api/v1/apps/test/purchase?token=APPSTORE_TOKEN').reply(201, {});

-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
@@ -371,14 +371,14 @@ describe('App API', function () {
            expect(res.body.id).to.be.a('string');
            APP_ID = res.body.id;
            expect(fake.isDone()).to.be.ok();
-            done();
+            done(err);
        });
    });

    it('app install fails because of conflicting location', function (done) {
        var fake = nock(config.apiServerOrigin()).post('/api/v1/apps/test/purchase?token=APPSTORE_TOKEN').reply(201, {});

-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
@@ -389,120 +389,120 @@ describe('App API', function () {
    });

    it('can get app status', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+        request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
               .query({ access_token: token })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(200);
            expect(res.body.id).to.eql(APP_ID);
            expect(res.body.installationState).to.be.ok();
-            done();
+            done(err);
         });
    });

    it('cannot get invalid app status', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/apps/kubachi')
+        request.get(SERVER_URL + '/api/v1/apps/kubachi')
               .query({ access_token: token })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(404);
-            done();
+            done(err);
         });
    });

    it('can get all apps', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/apps')
+        request.get(SERVER_URL + '/api/v1/apps')
               .query({ access_token: token })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(200);
            expect(res.body.apps).to.be.an('array');
            expect(res.body.apps[0].id).to.eql(APP_ID);
            expect(res.body.apps[0].installationState).to.be.ok();
-            done();
+            done(err);
         });
    });

    it('non admin can get all apps', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/apps')
+        request.get(SERVER_URL + '/api/v1/apps')
               .query({ access_token: token_1 })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(200);
            expect(res.body.apps).to.be.an('array');
            expect(res.body.apps[0].id).to.eql(APP_ID);
            expect(res.body.apps[0].installationState).to.be.ok();
-            done();
+            done(err);
         });
    });

    it('can get appBySubdomain', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/subdomains/' + APP_LOCATION)
+        request.get(SERVER_URL + '/api/v1/subdomains/' + APP_LOCATION)
               .end(function (err, res) {
            expect(res.statusCode).to.equal(200);
            expect(res.body.id).to.eql(APP_ID);
            expect(res.body.installationState).to.be.ok();
-            done();
+            done(err);
        });
    });

    it('cannot get invalid app by Subdomain', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/subdomains/tikaloma')
+        request.get(SERVER_URL + '/api/v1/subdomains/tikaloma')
               .end(function (err, res) {
            expect(res.statusCode).to.equal(404);
-            done();
+            done(err);
        });
    });

    it('cannot uninstall invalid app', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/whatever/uninstall')
+        request.post(SERVER_URL + '/api/v1/apps/whatever/uninstall')
            .send({ password: PASSWORD })
            .query({ access_token: token })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(404);
-            done();
+            done(err);
        });
    });

    it('cannot uninstall app without password', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
            .query({ access_token: token })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
-            done();
+            done(err);
        });
    });

    it('cannot uninstall app with wrong password', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
            .send({ password: PASSWORD+PASSWORD })
            .query({ access_token: token })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
-            done();
+            done(err);
        });
    });

    it('non admin cannot uninstall app', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
            .send({ password: PASSWORD })
            .query({ access_token: token_1 })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
-            done();
+            done(err);
        });
    });

    it('can uninstall app', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
            .send({ password: PASSWORD })
            .query({ access_token: token })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(202);
-            done();
+            done(err);
        });
    });

    it('app install succeeds already purchased', function (done) {
        var fake = nock(config.apiServerOrigin()).post('/api/v1/apps/test/purchase?token=APPSTORE_TOKEN').reply(200, {});

-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION_2, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
@@ -510,7 +510,7 @@ describe('App API', function () {
            expect(res.body.id).to.be.a('string');
            APP_ID = res.body.id;
            expect(fake.isDone()).to.be.ok();
-            done();
+            done(err);
        });
    });

@@ -520,7 +520,7 @@ describe('App API', function () {
        settings.setDeveloperMode(true, function (error) {
            expect(error).to.be(null);

-            superagent.post(SERVER_URL + '/api/v1/developer/login')
+            request.post(SERVER_URL + '/api/v1/developer/login')
                   .send({ username: USERNAME, password: PASSWORD })
                   .end(function (error, result) {
                expect(error).to.not.be.ok();
@@ -531,7 +531,7 @@ describe('App API', function () {
                // overwrite non dev token
                token = result.body.token;

-                superagent.post(SERVER_URL + '/api/v1/apps/install')
+                request.post(SERVER_URL + '/api/v1/apps/install')
                       .query({ access_token: token })
                       .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, location: APP_LOCATION+APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
                       .end(function (err, res) {
@@ -539,18 +539,18 @@ describe('App API', function () {
                    expect(res.body.id).to.be.a('string');
                    expect(fake.isDone()).to.be.ok();
                    APP_ID = res.body.id;
-                    done();
+                    done(err);
                });
            });
        });
    });

    it('can uninstall app without password but developer token', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
            .query({ access_token: token })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(202);
-            done();
+            done(err);
        });
    });
 });
@@ -627,7 +627,7 @@ describe('App installation', function () {

        var count = 0;
        function checkInstallStatus() {
-            superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+            request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
               .query({ access_token: token })
               .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
@@ -638,7 +638,7 @@ describe('App installation', function () {
            });
        }

-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
              .query({ access_token: token })
              .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
              .end(function (err, res) {
@@ -704,7 +704,7 @@ describe('App installation', function () {
    it('installation - is up and running', function (done) {
        expect(appResult.httpPort).to.be(undefined);
        setTimeout(function () {
-            superagent.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
+            request.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
                .end(function (err, res) {
                expect(!err).to.be.ok();
                expect(res.statusCode).to.equal(200);
@@ -841,7 +841,7 @@ describe('App installation', function () {
    });

    xit('logs - stdout and stderr', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID + '/logs')
+        request.get(SERVER_URL + '/api/v1/apps/' + APP_ID + '/logs')
            .query({ access_token: token })
            .end(function (err, res) {
            var data = '';
@@ -855,7 +855,7 @@ describe('App installation', function () {
    });

    xit('logStream - requires event-stream accept header', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID + '/logstream')
+        request.get(SERVER_URL + '/api/v1/apps/' + APP_ID + '/logstream')
            .query({ access_token: token, fromLine: 0 })
            .end(function (err, res) {
            expect(res.statusCode).to.be(400);
@@ -894,7 +894,7 @@ describe('App installation', function () {
    });

    it('non admin cannot stop app', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
            .query({ access_token: token_1 })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
@@ -903,7 +903,7 @@ describe('App installation', function () {
    });

    it('can stop app', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
            .query({ access_token: token })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(202);
@@ -914,7 +914,7 @@ describe('App installation', function () {
    it('did stop the app', function (done) {
        // give the app a couple of seconds to die
        setTimeout(function () {
-            superagent.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
+            request.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
                .end(function (err, res) {
                expect(err).to.be.ok();
                done();
@@ -923,7 +923,7 @@ describe('App installation', function () {
    });

    it('nonadmin cannot start app', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/start')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/start')
            .query({ access_token: token_1 })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
@@ -932,7 +932,7 @@ describe('App installation', function () {
    });

    it('can start app', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/start')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/start')
            .query({ access_token: token })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(202);
@@ -942,7 +942,7 @@ describe('App installation', function () {

    it('did start the app', function (done) {
        setTimeout(function () {
-            superagent.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
+            request.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
                .end(function (err, res) {
                expect(!err).to.be.ok();
                expect(res.statusCode).to.equal(200);
@@ -954,7 +954,7 @@ describe('App installation', function () {
    it('can uninstall app', function (done) {
        var count = 0;
        function checkUninstallStatus() {
-            superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+            request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
               .query({ access_token: token })
               .end(function (err, res) {
                if (res.statusCode === 404) return done(null);
@@ -963,7 +963,7 @@ describe('App installation', function () {
            });
        }

-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
            .send({ password: PASSWORD })
            .query({ access_token: token })
            .end(function (err, res) {
@@ -1063,8 +1063,6 @@ describe('App installation - port bindings', function () {

            settings.setDnsConfig.bind(null, { provider: 'route53', accessKeyId: 'accessKeyId', secretAccessKey: 'secretAccessKey', endpoint: 'http://localhost:5353' }),

-            settings.setTlsConfig.bind(null, { provider: 'caas' }),
-
            function (callback) {
                awsHockInstance
                    .get('/2013-04-01/hostedzone')
@@ -1097,7 +1095,7 @@ describe('App installation - port bindings', function () {

        var count = 0;
        function checkInstallStatus() {
-            superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+            request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
               .query({ access_token: token })
               .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
@@ -1108,7 +1106,7 @@ describe('App installation - port bindings', function () {
            });
        }

-        superagent.post(SERVER_URL + '/api/v1/apps/install')
+        request.post(SERVER_URL + '/api/v1/apps/install')
              .query({ access_token: token })
              .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: { ECHO_SERVER_PORT: 7171 }, accessRestriction: null, oauthProxy: false })
              .end(function (err, res) {
@@ -1164,7 +1162,7 @@ describe('App installation - port bindings', function () {
        var tryCount = 20;
        expect(appResult.httpPort).to.be(undefined);
        (function healthCheck() {
-            superagent.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
+            request.get('http://localhost:' + appEntry.httpPort + appResult.manifest.healthCheckPath)
                .end(function (err, res) {
                if (err || res.statusCode !== 200) {
                    if (--tryCount === 0) return done(new Error('Timedout'));
@@ -1254,7 +1252,7 @@ describe('App installation - port bindings', function () {
        assert.strictEqual(typeof count, 'number');
        assert.strictEqual(typeof done, 'function');

-        superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+        request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
           .query({ access_token: token })
           .end(function (err, res) {
            expect(res.statusCode).to.equal(200);
@@ -1266,7 +1264,7 @@ describe('App installation - port bindings', function () {
    }

    it('cannot reconfigure app with missing location', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
              .send({ appId: APP_ID, password: PASSWORD, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true })
              .end(function (err, res) {
@@ -1276,7 +1274,7 @@ describe('App installation - port bindings', function () {
    });

    it('cannot reconfigure app with missing accessRestriction', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, oauthProxy: false })
              .end(function (err, res) {
@@ -1286,7 +1284,7 @@ describe('App installation - port bindings', function () {
    });

    it('cannot reconfigure app with missing oauthProxy', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null })
              .end(function (err, res) {
@@ -1296,7 +1294,7 @@ describe('App installation - port bindings', function () {
    });

    it('cannot reconfigure app with only the cert, no key', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true, cert: validCert1 })
              .end(function (err, res) {
@@ -1306,7 +1304,7 @@ describe('App installation - port bindings', function () {
    });

    it('cannot reconfigure app with only the key, no cert', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true, key: validKey1 })
              .end(function (err, res) {
@@ -1316,7 +1314,7 @@ describe('App installation - port bindings', function () {
    });

    it('cannot reconfigure app with cert not bein a string', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true, cert: 1234, key: validKey1 })
              .end(function (err, res) {
@@ -1326,7 +1324,7 @@ describe('App installation - port bindings', function () {
    });

    it('cannot reconfigure app with key not bein a string', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true, cert: validCert1, key: 1234 })
              .end(function (err, res) {
@@ -1336,7 +1334,7 @@ describe('App installation - port bindings', function () {
    });

    it('non admin cannot reconfigure app', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token_1 })
              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true })
              .end(function (err, res) {
@@ -1346,7 +1344,7 @@ describe('App installation - port bindings', function () {
    });

    it('can reconfigure app', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true })
              .end(function (err, res) {
@@ -1430,7 +1428,7 @@ describe('App installation - port bindings', function () {
    });

    it('can reconfigure app with custom certificate', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true, cert: validCert1, key: validKey1 })
              .end(function (err, res) {
@@ -1440,7 +1438,7 @@ describe('App installation - port bindings', function () {
    });

    it('can stop app', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
            .query({ access_token: token })
            .end(function (err, res) {
            expect(res.statusCode).to.equal(202);
@@ -1465,7 +1463,7 @@ describe('App installation - port bindings', function () {
    it('can uninstall app', function (done) {
        var count = 0;
        function checkUninstallStatus() {
-            superagent.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
+            request.get(SERVER_URL + '/api/v1/apps/' + APP_ID)
               .query({ access_token: token })
               .end(function (err, res) {
                if (res.statusCode === 404) return done(null);
@@ -1474,7 +1472,7 @@ describe('App installation - port bindings', function () {
            });
        }

-        superagent.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/uninstall')
            .send({ password: PASSWORD })
            .query({ access_token: token })
            .end(function (err, res) {
@@ -11,7 +11,7 @@ var appdb = require('../../appdb.js'),
    config = require('../../config.js'),
    database = require('../../database.js'),
    expect = require('expect.js'),
-    superagent = require('superagent'),
+    request = require('superagent'),
    server = require('../../server.js'),
    settings = require('../../settings.js'),
    nock = require('nock'),
@@ -33,10 +33,11 @@ function setup(done) {
            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});

-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .query({ setupToken: 'somesetuptoken' })
                   .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result).to.be.ok();
                expect(result.statusCode).to.eql(201);
                expect(scope1.isDone()).to.be.ok();
@@ -55,7 +56,7 @@ function setup(done) {
        },

        function createSettings(callback) {
-            settings.setBackupConfig({ provider: 'caas', token: 'BACKUP_TOKEN', bucket: 'Bucket', prefix: 'Prefix' }, callback);
+            settings.setBackupConfig({ provider: 'caas', token: 'BACKUP_TOKEN' }, callback);
        }
    ], done);
 }
@@ -73,22 +74,22 @@ describe('Backups API', function () {
    after(cleanup);

    describe('get', function () {
-        it('cannot get backups with appstore superagent failing', function (done) {
+        it('cannot get backups with appstore request failing', function (done) {
            var req = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/backups?token=BACKUP_TOKEN').reply(401, {});

-            superagent.get(SERVER_URL + '/api/v1/backups')
+            request.get(SERVER_URL + '/api/v1/backups')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(503);
                expect(req.isDone()).to.be.ok();
-                done();
+                done(err);
            });
        });

        it('can get backups', function (done) {
            var req = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/backups?token=BACKUP_TOKEN').reply(200, { backups: ['foo', 'bar']});

-            superagent.get(SERVER_URL + '/api/v1/backups')
+            request.get(SERVER_URL + '/api/v1/backups')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
@@ -96,24 +97,26 @@ describe('Backups API', function () {
                expect(res.body.backups).to.be.an(Array);
                expect(res.body.backups[0]).to.eql('foo');
                expect(res.body.backups[1]).to.eql('bar');
-                done();
+                done(err);
            });
        });
    });

    describe('create', function () {
        it('fails due to mising token', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/backups')
+            request.post(SERVER_URL + '/api/v1/backups')
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('fails due to wrong token', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/backups')
+            request.post(SERVER_URL + '/api/v1/backups')
                   .query({ access_token: token.toUpperCase() })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -124,9 +127,10 @@ describe('Backups API', function () {
                        .post('/api/v1/boxes/' + config.fqdn() + '/awscredentials?token=BACKUP_TOKEN')
                        .reply(201, { credentials: { AccessKeyId: 'accessKeyId', SecretAccessKey: 'secretAccessKey', SessionToken: 'sessionToken' } });

-            superagent.post(SERVER_URL + '/api/v1/backups')
+            request.post(SERVER_URL + '/api/v1/backups')
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(202);

                function checkAppstoreServerCalled() {
@@ -142,3 +146,4 @@ describe('Backups API', function () {
        });
    });
 });
+
@@ -46,6 +46,7 @@ describe('OAuth Clients API', function () {
                           .query({ setupToken: 'somesetuptoken' })
                           .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result).to.be.ok();
                        expect(result.statusCode).to.equal(201);
                        expect(scope1.isDone()).to.be.ok();
@@ -72,6 +73,7 @@ describe('OAuth Clients API', function () {
                       .query({ access_token: token })
                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile' })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(412);
                    done();
                });
@@ -87,6 +89,7 @@ describe('OAuth Clients API', function () {
                superagent.post(SERVER_URL + '/api/v1/oauth/clients')
                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile' })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(401);
                    done();
                });
@@ -97,6 +100,7 @@ describe('OAuth Clients API', function () {
                       .query({ access_token: token })
                       .send({ redirectURI: 'http://foobar.com', scope: 'profile' })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
                    done();
                });
@@ -107,6 +111,7 @@ describe('OAuth Clients API', function () {
                       .query({ access_token: token })
                       .send({ appId: '', redirectURI: 'http://foobar.com', scope: 'profile' })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
                    done();
                });
@@ -117,6 +122,7 @@ describe('OAuth Clients API', function () {
                       .query({ access_token: token })
                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com' })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
                    done();
                });
@@ -127,6 +133,7 @@ describe('OAuth Clients API', function () {
                       .query({ access_token: token })
                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: '' })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
                    done();
                });
@@ -137,6 +144,7 @@ describe('OAuth Clients API', function () {
                       .query({ access_token: token })
                       .send({ appId: 'someApp', scope: 'profile' })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
                    done();
                });
@@ -147,6 +155,7 @@ describe('OAuth Clients API', function () {
                       .query({ access_token: token })
                       .send({ appId: 'someApp', redirectURI: '', scope: 'profile' })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
                    done();
                });
@@ -157,6 +166,7 @@ describe('OAuth Clients API', function () {
                       .query({ access_token: token })
                       .send({ appId: 'someApp', redirectURI: 'foobar', scope: 'profile' })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
                    done();
                });
@@ -167,6 +177,7 @@ describe('OAuth Clients API', function () {
                       .query({ access_token: token })
                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile' })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(201);
                    expect(result.body.id).to.be.a('string');
                    expect(result.body.appId).to.be.a('string');
@@ -200,6 +211,7 @@ describe('OAuth Clients API', function () {
                           .query({ setupToken: 'somesetuptoken' })
                           .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result).to.be.ok();
                        expect(scope1.isDone()).to.be.ok();
                        expect(scope2.isDone()).to.be.ok();
@@ -218,6 +230,7 @@ describe('OAuth Clients API', function () {
                           .query({ access_token: token })
                           .send({ appId: CLIENT_0.appId, redirectURI: CLIENT_0.redirectURI, scope: CLIENT_0.scope })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result.statusCode).to.equal(201);

                        CLIENT_0 = result.body;
@@ -239,6 +252,7 @@ describe('OAuth Clients API', function () {
                superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                       .query({ access_token: token })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(412);
                    done();
                });
@@ -253,6 +267,7 @@ describe('OAuth Clients API', function () {
            it('fails without token', function (done) {
                superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(401);
                    done();
                });
@@ -263,6 +278,7 @@ describe('OAuth Clients API', function () {
                superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id.toUpperCase())
                       .query({ access_token: token })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(404);
                    done();
                });
@@ -272,6 +288,7 @@ describe('OAuth Clients API', function () {
                superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                       .query({ access_token: token })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(200);
                    expect(result.body).to.eql(CLIENT_0);
                    done();
@@ -301,6 +318,7 @@ describe('OAuth Clients API', function () {
                           .query({ setupToken: 'somesetuptoken' })
                           .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result).to.be.ok();
                        expect(scope1.isDone()).to.be.ok();
                        expect(scope2.isDone()).to.be.ok();
@@ -319,6 +337,7 @@ describe('OAuth Clients API', function () {
                           .query({ access_token: token })
                           .send({ appId: CLIENT_0.appId, redirectURI: CLIENT_0.redirectURI, scope: CLIENT_0.scope })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result.statusCode).to.equal(201);

                        CLIENT_0 = result.body;
@@ -340,6 +359,7 @@ describe('OAuth Clients API', function () {
                superagent.del(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                       .query({ access_token: token })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(412);
                    done();
                });
@@ -354,6 +374,7 @@ describe('OAuth Clients API', function () {
            it('fails without token', function (done) {
                superagent.del(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(401);
                    done();
                });
@@ -364,6 +385,7 @@ describe('OAuth Clients API', function () {
                superagent.del(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id.toUpperCase())
                       .query({ access_token: token })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(404);
                    done();
                });
@@ -373,11 +395,13 @@ describe('OAuth Clients API', function () {
                superagent.del(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                       .query({ access_token: token })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(204);

                    superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
                           .query({ access_token: token })
                           .end(function (error, result) {
+                        expect(error).to.be(null);
                        expect(result.statusCode).to.equal(404);

                        done();
@@ -419,6 +443,7 @@ describe('Clients', function () {
                       .query({ setupToken: 'somesetuptoken' })
                       .send({ username: USER_0.username, password: USER_0.password, email: USER_0.email })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result).to.be.ok();
                    expect(result.statusCode).to.eql(201);
                    expect(scope1.isDone()).to.be.ok();
@@ -448,6 +473,7 @@ describe('Clients', function () {
        it('fails due to missing token', function (done) {
            superagent.get(SERVER_URL + '/api/v1/oauth/clients')
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -457,6 +483,7 @@ describe('Clients', function () {
            superagent.get(SERVER_URL + '/api/v1/oauth/clients')
            .query({ access_token: '' })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -466,6 +493,7 @@ describe('Clients', function () {
            superagent.get(SERVER_URL + '/api/v1/oauth/clients')
            .query({ access_token: token.toUpperCase() })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -475,6 +503,7 @@ describe('Clients', function () {
            superagent.get(SERVER_URL + '/api/v1/oauth/clients')
            .query({ access_token: token })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);

                expect(result.body.clients.length).to.eql(1);
@@ -492,6 +521,7 @@ describe('Clients', function () {
        it('fails due to missing token', function (done) {
            superagent.get(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -501,6 +531,7 @@ describe('Clients', function () {
            superagent.get(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
            .query({ access_token: '' })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -510,6 +541,7 @@ describe('Clients', function () {
            superagent.get(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
            .query({ access_token: token.toUpperCase() })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -519,6 +551,7 @@ describe('Clients', function () {
            superagent.get(SERVER_URL + '/api/v1/oauth/clients/CID-WEBADMIN/tokens')
            .query({ access_token: token })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(404);
                done();
            });
@@ -528,6 +561,7 @@ describe('Clients', function () {
            superagent.get(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
            .query({ access_token: token })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);

                expect(result.body.tokens.length).to.eql(1);
@@ -545,6 +579,7 @@ describe('Clients', function () {
        it('fails due to missing token', function (done) {
            superagent.del(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -554,6 +589,7 @@ describe('Clients', function () {
            superagent.del(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
            .query({ access_token: '' })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -563,6 +599,7 @@ describe('Clients', function () {
            superagent.del(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
            .query({ access_token: token.toUpperCase() })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -572,6 +609,7 @@ describe('Clients', function () {
            superagent.del(SERVER_URL + '/api/v1/oauth/clients/CID-WEBADMIN/tokens')
            .query({ access_token: token })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(404);
                done();
            });
@@ -581,6 +619,7 @@ describe('Clients', function () {
            superagent.get(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
            .query({ access_token: token })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);

                expect(result.body.tokens.length).to.eql(1);
@@ -589,12 +628,14 @@ describe('Clients', function () {
                superagent.del(SERVER_URL + '/api/v1/oauth/clients/cid-webadmin/tokens')
                .query({ access_token: token })
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(204);

                    // further calls with this token should not work
                    superagent.get(SERVER_URL + '/api/v1/profile')
                    .query({ access_token: token })
                    .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result.statusCode).to.equal(401);
                        done();
                    });
@@ -11,8 +11,7 @@ var async = require('async'),
    database = require('../../database.js'),
    expect = require('expect.js'),
    nock = require('nock'),
-    os = require('os'),
-    superagent = require('superagent'),
+    request = require('superagent'),
    server = require('../../server.js'),
    shell = require('../../shell.js');

@@ -55,34 +54,23 @@ describe('Cloudron', function () {
        after(cleanup);

        it('fails due to missing setupToken', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .send({ username: '', password: 'somepassword', email: 'admin@foo.bar' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

-        it('fails due to internal server error on appstore side', function (done) {
-            var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(500, { message: 'this is wrong' });
-
-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
-                   .query({ setupToken: 'somesetuptoken' })
-                   .send({ username: 'someuser', password: 'somepassword', email: 'admin@foo.bar' })
-                   .end(function (error, result) {
-                expect(result.statusCode).to.equal(500);
-                expect(scope.isDone()).to.be.ok();
-                done();
-            });
-        });
-
        it('fails due to empty username', function (done) {
            var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});

-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .query({ setupToken: 'somesetuptoken' })
                   .send({ username: '', password: 'somepassword', email: 'admin@foo.bar' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                expect(scope.isDone()).to.be.ok();
                done();
@@ -92,10 +80,11 @@ describe('Cloudron', function () {
        it('fails due to empty password', function (done) {
            var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});

-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .query({ setupToken: 'somesetuptoken' })
                   .send({ username: 'someuser', password: '', email: 'admin@foo.bar' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                expect(scope.isDone()).to.be.ok();
                done();
@@ -105,10 +94,11 @@ describe('Cloudron', function () {
        it('fails due to empty email', function (done) {
            var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});

-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .query({ setupToken: 'somesetuptoken' })
                   .send({ username: 'someuser', password: 'somepassword', email: '' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                expect(scope.isDone()).to.be.ok();
                done();
@@ -118,10 +108,11 @@ describe('Cloudron', function () {
        it('fails due to empty name', function (done) {
            var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});

-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .query({ setupToken: 'somesetuptoken' })
                   .send({ username: 'someuser', password: '', email: 'admin@foo.bar', name: '' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                expect(scope.isDone()).to.be.ok();
                done();
@@ -131,10 +122,11 @@ describe('Cloudron', function () {
        it('fails due to invalid email', function (done) {
            var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});

-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .query({ setupToken: 'somesetuptoken' })
                   .send({ username: 'someuser', password: 'somepassword', email: 'invalidemail' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                expect(scope.isDone()).to.be.ok();
                done();
@@ -145,10 +137,11 @@ describe('Cloudron', function () {
            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});

-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .query({ setupToken: 'somesetuptoken' })
                   .send({ username: 'someuser', password: 'somepassword', email: 'admin@foo.bar', name: 'tester' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(201);
                expect(scope1.isDone()).to.be.ok();
                expect(scope2.isDone()).to.be.ok();
@@ -159,10 +152,11 @@ describe('Cloudron', function () {
        it('fails the second time', function (done) {
            var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});

-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .query({ setupToken: 'somesetuptoken' })
                   .send({ username: 'someuser', password: 'somepassword', email: 'admin@foo.bar' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(409);
                expect(scope.isDone()).to.be.ok();
                done();
@@ -181,10 +175,11 @@ describe('Cloudron', function () {

                    config._reset();

-                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
                           .query({ setupToken: 'somesetuptoken' })
                           .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result).to.be.ok();
                        expect(scope1.isDone()).to.be.ok();
                        expect(scope2.isDone()).to.be.ok();
@@ -201,17 +196,19 @@ describe('Cloudron', function () {
        after(cleanup);

        it('cannot get without token', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/cloudron/config')
+            request.get(SERVER_URL + '/api/v1/cloudron/config')
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('succeeds without appstore', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/cloudron/config')
+            request.get(SERVER_URL + '/api/v1/cloudron/config')
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);
                expect(result.body.apiServerOrigin).to.eql('http://localhost:6060');
                expect(result.body.webServerOrigin).to.eql(null);
@@ -223,7 +220,7 @@ describe('Cloudron', function () {
                expect(result.body.developerMode).to.be.a('boolean');
                expect(result.body.size).to.eql(null);
                expect(result.body.region).to.eql(null);
-                expect(result.body.memory).to.eql(os.totalmem());
+                expect(result.body.memory).to.eql(0);
                expect(result.body.cloudronName).to.be.a('string');

                done();
@@ -233,9 +230,10 @@ describe('Cloudron', function () {
        it('succeeds', function (done) {
            var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/localhost?token=' + config.token()).reply(200, { box: { region: 'sfo', size: '1gb' }});

-            superagent.get(SERVER_URL + '/api/v1/cloudron/config')
+            request.get(SERVER_URL + '/api/v1/cloudron/config')
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);
                expect(result.body.apiServerOrigin).to.eql('http://localhost:6060');
                expect(result.body.webServerOrigin).to.eql(null);
@@ -247,7 +245,7 @@ describe('Cloudron', function () {
                expect(result.body.developerMode).to.be.a('boolean');
                expect(result.body.size).to.eql('1gb');
                expect(result.body.region).to.eql('sfo');
-                expect(result.body.memory).to.eql(os.totalmem());
+                expect(result.body.memory).to.eql(1073741824);
                expect(result.body.cloudronName).to.be.a('string');

                expect(scope.isDone()).to.be.ok();
@@ -269,10 +267,11 @@ describe('Cloudron', function () {

                    config._reset();

-                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
                           .query({ setupToken: 'somesetuptoken' })
                           .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result).to.be.ok();
                        expect(scope1.isDone()).to.be.ok();
                        expect(scope2.isDone()).to.be.ok();
@@ -283,77 +282,72 @@ describe('Cloudron', function () {
                        callback();
                    });
                },
-
-                function setupBackupConfig(callback) {
-                    superagent.post(SERVER_URL + '/api/v1/settings/backup_config')
-                           .send({ provider: 'caas', token: 'BACKUP_TOKEN', bucket: 'Bucket', prefix: 'Prefix' })
-                           .query({ access_token: token })
-                           .end(function (error, result) {
-                        expect(result.statusCode).to.equal(200);
-
-                        callback();
-                    });
-                }
-
            ], done);
        });

        after(cleanup);

        it('fails without token', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
                   .send({ size: 'small', region: 'sfo'})
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('fails without password', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
                   .send({ size: 'small', region: 'sfo'})
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('fails with missing size', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
                   .send({ region: 'sfo', password: PASSWORD })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('fails with wrong size type', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
                   .send({ size: 4, region: 'sfo', password: PASSWORD })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('fails with missing region', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
                   .send({ size: 'small', password: PASSWORD })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

+
        it('fails with wrong region type', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
                   .send({ size: 'small', region: 4, password: PASSWORD })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
@@ -361,7 +355,7 @@ describe('Cloudron', function () {

        it('fails when in wrong state', function (done) {
            var scope2 = nock(config.apiServerOrigin())
-                    .post('/api/v1/boxes/' + config.fqdn() + '/awscredentials?token=BACKUP_TOKEN')
+                    .post('/api/v1/boxes/' + config.fqdn() + '/awscredentials?token=APPSTORE_TOKEN')
                    .reply(201, { credentials: { AccessKeyId: 'accessKeyId', SecretAccessKey: 'secretAccessKey', SessionToken: 'sessionToken' } });

            var scope3 = nock(config.apiServerOrigin())
@@ -377,10 +371,11 @@ describe('Cloudron', function () {

            injectShellMock();

-            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
                   .send({ size: 'small', region: 'sfo', password: PASSWORD })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(202);

                function checkAppstoreServerCalled() {
@@ -396,6 +391,7 @@ describe('Cloudron', function () {
            });
        });

+
        it('succeeds', function (done) {
            var scope1 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/migrate?token=APPSTORE_TOKEN', function (body) {
                return body.size && body.region && body.restoreKey;
@@ -408,15 +404,16 @@ describe('Cloudron', function () {
                    .reply(200, { id: 'someid' });

            var scope3 = nock(config.apiServerOrigin())
-                    .post('/api/v1/boxes/' + config.fqdn() + '/awscredentials?token=BACKUP_TOKEN')
+                    .post('/api/v1/boxes/' + config.fqdn() + '/awscredentials?token=APPSTORE_TOKEN')
                    .reply(201, { credentials: { AccessKeyId: 'accessKeyId', SecretAccessKey: 'secretAccessKey', SessionToken: 'sessionToken' } });

            injectShellMock();

-            superagent.post(SERVER_URL + '/api/v1/cloudron/migrate')
+            request.post(SERVER_URL + '/api/v1/cloudron/migrate')
                   .send({ size: 'small', region: 'sfo', password: PASSWORD })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(202);

                function checkAppstoreServerCalled() {
@@ -444,10 +441,11 @@ describe('Cloudron', function () {

                    config._reset();

-                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
                           .query({ setupToken: 'somesetuptoken' })
                           .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result).to.be.ok();
                        expect(scope1.isDone()).to.be.ok();
                        expect(scope2.isDone()).to.be.ok();
@@ -464,112 +462,125 @@ describe('Cloudron', function () {
        after(cleanup);

        it('fails without token', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ type: 'ticket', subject: 'some subject', description: 'some description' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('fails without type', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ subject: 'some subject', description: 'some description' })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('fails with empty type', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ type: '', subject: 'some subject', description: 'some description' })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('fails with unknown type', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ type: 'foobar', subject: 'some subject', description: 'some description' })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('succeeds with ticket type', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ type: 'ticket', subject: 'some subject', description: 'some description' })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(201);
                done();
            });
        });

        it('succeeds with app type', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ type: 'app', subject: 'some subject', description: 'some description' })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(201);
                done();
            });
        });

        it('fails without description', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ type: 'ticket', subject: 'some subject' })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('fails with empty subject', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ type: 'ticket', subject: '', description: 'some description' })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('fails with empty description', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ type: 'ticket', subject: 'some subject', description: '' })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('succeeds with feedback type', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ type: 'feedback', subject: 'some subject', description: 'some description' })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(201);
                done();
            });
        });

        it('fails without subject', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/feedback')
+            request.post(SERVER_URL + '/api/v1/cloudron/feedback')
                   .send({ type: 'ticket', description: 'some description' })
                   .query({ access_token: token })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });
    });
 });
+
+
@@ -11,7 +11,7 @@ var async = require('async'),
    database = require('../../database.js'),
    expect = require('expect.js'),
    nock = require('nock'),
-    superagent = require('superagent'),
+    request = require('superagent'),
    server = require('../../server.js'),
    settings = require('../../settings.js');

@@ -43,10 +43,11 @@ describe('Developer API', function () {
                    var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
                    var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});

-                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
                           .query({ setupToken: 'somesetuptoken' })
                           .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result).to.be.ok();
                        expect(scope1.isDone()).to.be.ok();
                        expect(scope2.isDone()).to.be.ok();
@@ -66,8 +67,9 @@ describe('Developer API', function () {
            settings.setDeveloperMode(true, function (error) {
                expect(error).to.be(null);

-                superagent.get(SERVER_URL + '/api/v1/developer')
+                request.get(SERVER_URL + '/api/v1/developer')
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(401);
                    done();
                });
@@ -78,9 +80,10 @@ describe('Developer API', function () {
            settings.setDeveloperMode(true, function (error) {
                expect(error).to.be(null);

-                superagent.get(SERVER_URL + '/api/v1/developer')
+                request.get(SERVER_URL + '/api/v1/developer')
                       .query({ access_token: token })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(200);
                    done();
                });
@@ -91,9 +94,10 @@ describe('Developer API', function () {
            settings.setDeveloperMode(false, function (error) {
                expect(error).to.be(null);

-                superagent.get(SERVER_URL + '/api/v1/developer')
+                request.get(SERVER_URL + '/api/v1/developer')
                       .query({ access_token: token })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(412);
                    done();
                });
@@ -110,10 +114,11 @@ describe('Developer API', function () {
                    var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
                    var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});

-                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
                           .query({ setupToken: 'somesetuptoken' })
                           .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result).to.be.ok();
                        expect(scope1.isDone()).to.be.ok();
                        expect(scope2.isDone()).to.be.ok();
@@ -130,74 +135,82 @@ describe('Developer API', function () {
        after(cleanup);

        it('fails without token', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer')
+            request.post(SERVER_URL + '/api/v1/developer')
                   .send({ enabled: true })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('fails due to missing password', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer')
+            request.post(SERVER_URL + '/api/v1/developer')
                   .query({ access_token: token })
                   .send({ enabled: true })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('fails due to empty password', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer')
+            request.post(SERVER_URL + '/api/v1/developer')
                   .query({ access_token: token })
                   .send({ password: '', enabled: true })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(403);
                done();
            });
        });

        it('fails due to wrong password', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer')
+            request.post(SERVER_URL + '/api/v1/developer')
                   .query({ access_token: token })
                   .send({ password: PASSWORD.toUpperCase(), enabled: true })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(403);
                done();
            });
        });

        it('fails due to missing enabled property', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer')
+            request.post(SERVER_URL + '/api/v1/developer')
                   .query({ access_token: token })
                   .send({ password: PASSWORD })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('fails due to wrong enabled property type', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer')
+            request.post(SERVER_URL + '/api/v1/developer')
                   .query({ access_token: token })
                   .send({ password: PASSWORD, enabled: 'true' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('succeeds enabling', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer')
+            request.post(SERVER_URL + '/api/v1/developer')
                   .query({ access_token: token })
                   .send({ password: PASSWORD, enabled: true })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);

-                superagent.get(SERVER_URL + '/api/v1/developer')
+                request.get(SERVER_URL + '/api/v1/developer')
                       .query({ access_token: token })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(200);
                    done();
                });
@@ -205,15 +218,17 @@ describe('Developer API', function () {
        });

        it('succeeds disabling', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer')
+            request.post(SERVER_URL + '/api/v1/developer')
                   .query({ access_token: token })
                   .send({ password: PASSWORD, enabled: false })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);

-                superagent.get(SERVER_URL + '/api/v1/developer')
+                request.get(SERVER_URL + '/api/v1/developer')
                       .query({ access_token: token })
                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(412);
                    done();
                });
@@ -232,10 +247,11 @@ describe('Developer API', function () {
                    var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
                    var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});

-                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+                    request.post(SERVER_URL + '/api/v1/cloudron/activate')
                           .query({ setupToken: 'somesetuptoken' })
                           .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                           .end(function (error, result) {
+                        expect(error).to.not.be.ok();
                        expect(result).to.be.ok();
                        expect(scope1.isDone()).to.be.ok();
                        expect(scope2.isDone()).to.be.ok();
@@ -252,71 +268,79 @@ describe('Developer API', function () {
        after(cleanup);

        it('fails without body', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer/login')
+            request.post(SERVER_URL + '/api/v1/developer/login')
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('fails without username', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer/login')
+            request.post(SERVER_URL + '/api/v1/developer/login')
                   .send({ password: PASSWORD })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('fails without password', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer/login')
+            request.post(SERVER_URL + '/api/v1/developer/login')
                   .send({ username: USERNAME })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('fails with empty username', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer/login')
+            request.post(SERVER_URL + '/api/v1/developer/login')
                   .send({ username: '', password: PASSWORD })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('fails with empty password', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer/login')
+            request.post(SERVER_URL + '/api/v1/developer/login')
                   .send({ username: USERNAME, password: '' })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('fails with unknown username', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer/login')
+            request.post(SERVER_URL + '/api/v1/developer/login')
                   .send({ username: USERNAME.toUpperCase(), password: PASSWORD })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('fails with wrong password', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer/login')
+            request.post(SERVER_URL + '/api/v1/developer/login')
                   .send({ username: USERNAME, password: PASSWORD.toUpperCase() })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('with username succeeds', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer/login')
+            request.post(SERVER_URL + '/api/v1/developer/login')
                   .send({ username: USERNAME, password: PASSWORD })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);
                expect(result.body.expiresAt).to.be.a('number');
                expect(result.body.token).to.be.a('string');
@@ -325,9 +349,10 @@ describe('Developer API', function () {
        });

        it('with email succeeds', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/developer/login')
+            request.post(SERVER_URL + '/api/v1/developer/login')
                   .send({ username: EMAIL, password: PASSWORD })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);
                expect(result.body.expiresAt).to.be.a('number');
                expect(result.body.token).to.be.a('string');
@@ -319,6 +319,7 @@ describe('OAuth2', function () {
            it('fails due to missing redirect_uri param', function (done) {
                superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize')
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                    expect(result.text.indexOf('Invalid request. redirect_uri query param is not set.')).to.not.equal(-1);
                    expect(result.statusCode).to.equal(200);
@@ -329,6 +330,7 @@ describe('OAuth2', function () {
            it('fails due to missing client_id param', function (done) {
                superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect')
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                    expect(result.text.indexOf('Invalid request. client_id query param is not set.')).to.not.equal(-1);
                    expect(result.statusCode).to.equal(200);
@@ -339,6 +341,7 @@ describe('OAuth2', function () {
            it('fails due to missing response_type param', function (done) {
                superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect&client_id=someclientid')
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                    expect(result.text.indexOf('Invalid request. response_type query param is not set.')).to.not.equal(-1);
                    expect(result.statusCode).to.equal(200);
@@ -349,6 +352,7 @@ describe('OAuth2', function () {
            it('fails for unkown grant type', function (done) {
                superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect&client_id=someclientid&response_type=foobar')
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                    expect(result.text.indexOf('Invalid request. Only token and code response types are supported.')).to.not.equal(-1);
                    expect(result.statusCode).to.equal(200);
@@ -359,6 +363,7 @@ describe('OAuth2', function () {
            it('succeeds for grant type code', function (done) {
                superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect&client_id=someclientid&response_type=code')
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.text).to.eql('<script>window.location.href = "/api/v1/session/login?returnTo=http://someredirect";</script>');
                    expect(result.statusCode).to.equal(200);
                    done();
@@ -368,6 +373,7 @@ describe('OAuth2', function () {
            it('succeeds for grant type token', function (done) {
                superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect&client_id=someclientid&response_type=token')
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.text).to.eql('<script>window.location.href = "/api/v1/session/login?returnTo=http://someredirect";</script>');
                    expect(result.statusCode).to.equal(200);
                    done();
@@ -382,6 +388,7 @@ describe('OAuth2', function () {
            it('fails without prior authentication call and not returnTo query', function (done) {
                superagent.get(SERVER_URL + '/api/v1/session/login')
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                    expect(result.text.indexOf('Invalid login request. No returnTo provided.')).to.not.equal(-1);
                    expect(result.statusCode).to.equal(200);
@@ -394,6 +401,7 @@ describe('OAuth2', function () {
                superagent.get(SERVER_URL + '/api/v1/session/login?returnTo=http://someredirect')
                .redirects(0)
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(302);
                    expect(result.headers.location).to.eql('http://someredirect');

@@ -405,6 +413,7 @@ describe('OAuth2', function () {
                superagent.get(SERVER_URL + '/api/v1/oauth/dialog/authorize?redirect_uri=http://someredirect&response_type=code')
                .redirects(0)
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.text.indexOf('<!-- error tester -->')).to.not.equal(-1);
                    expect(result.text.indexOf('Invalid request. client_id query param is not set.')).to.not.equal(-1);
                    expect(result.statusCode).to.equal(200);
@@ -1280,6 +1289,7 @@ describe('Password', function () {
        it('reset request succeeds', function (done) {
            superagent.get(SERVER_URL + '/api/v1/session/password/resetRequest.html')
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.text.indexOf('<!-- tester -->')).to.not.equal(-1);
                expect(result.statusCode).to.equal(200);
                done();
@@ -1289,6 +1299,7 @@ describe('Password', function () {
        it('setup fails due to missing reset_token', function (done) {
            superagent.get(SERVER_URL + '/api/v1/session/password/setup.html')
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
@@ -1298,6 +1309,7 @@ describe('Password', function () {
            superagent.get(SERVER_URL + '/api/v1/session/password/setup.html')
            .query({ reset_token: hat(256) })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -1307,6 +1319,7 @@ describe('Password', function () {
            superagent.get(SERVER_URL + '/api/v1/session/password/setup.html')
            .query({ reset_token: USER_0.resetToken })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);
                expect(result.text.indexOf('<!-- tester -->')).to.not.equal(-1);
                done();
@@ -1316,6 +1329,7 @@ describe('Password', function () {
        it('reset fails due to missing reset_token', function (done) {
            superagent.get(SERVER_URL + '/api/v1/session/password/reset.html')
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
@@ -1325,6 +1339,7 @@ describe('Password', function () {
            superagent.get(SERVER_URL + '/api/v1/session/password/reset.html')
            .query({ reset_token: hat(256) })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -1334,6 +1349,7 @@ describe('Password', function () {
            superagent.get(SERVER_URL + '/api/v1/session/password/reset.html')
            .query({ reset_token: USER_0.resetToken })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.text.indexOf('<!-- tester -->')).to.not.equal(-1);
                expect(result.statusCode).to.equal(200);
                done();
@@ -1343,6 +1359,7 @@ describe('Password', function () {
        it('sent succeeds', function (done) {
            superagent.get(SERVER_URL + '/api/v1/session/password/sent.html')
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.text.indexOf('<!-- tester -->')).to.not.equal(-1);
                expect(result.statusCode).to.equal(200);
                done();
@@ -1358,6 +1375,7 @@ describe('Password', function () {
            superagent.post(SERVER_URL + '/api/v1/session/password/resetRequest')
            .send({ identifier: USER_0.email })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.text.indexOf('<!-- tester -->')).to.not.equal(-1);
                expect(result.statusCode).to.equal(200);
                done();
@@ -1373,6 +1391,7 @@ describe('Password', function () {
            superagent.post(SERVER_URL + '/api/v1/session/password/reset')
            .send({ password: 'somepassword' })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
@@ -1382,6 +1401,7 @@ describe('Password', function () {
            superagent.post(SERVER_URL + '/api/v1/session/password/reset')
            .send({ resetToken: hat(256) })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
@@ -1391,6 +1411,7 @@ describe('Password', function () {
            superagent.post(SERVER_URL + '/api/v1/session/password/reset')
            .send({ password: '', resetToken: hat(256) })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -1400,6 +1421,7 @@ describe('Password', function () {
            superagent.post(SERVER_URL + '/api/v1/session/password/reset')
            .send({ password: '', resetToken: '' })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -1417,6 +1439,7 @@ describe('Password', function () {
            superagent.post(SERVER_URL + '/api/v1/session/password/reset')
            .send({ password: 'somepassword', resetToken: USER_0.resetToken })
            .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(scope.isDone()).to.be.ok();
                expect(result.statusCode).to.equal(200);
                done();
@@ -13,7 +13,7 @@ var appdb = require('../../appdb.js'),
    expect = require('expect.js'),
    path = require('path'),
    paths = require('../../paths.js'),
-    superagent = require('superagent'),
+    request = require('superagent'),
    server = require('../../server.js'),
    settings = require('../../settings.js'),
    fs = require('fs'),
@@ -38,10 +38,11 @@ function setup(done) {
            var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
            var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});

-            superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+            request.post(SERVER_URL + '/api/v1/cloudron/activate')
                   .query({ setupToken: 'somesetuptoken' })
                   .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result).to.be.ok();
                expect(result.statusCode).to.eql(201);
                expect(scope1.isDone()).to.be.ok();
@@ -77,17 +78,17 @@ describe('Settings API', function () {

    describe('autoupdate_pattern', function () {
        it('can get auto update pattern (default)', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
+            request.get(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
                expect(res.body.pattern).to.be.ok();
-                done();
+                done(err);
            });
        });

        it('cannot set autoupdate_pattern without pattern', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
+            request.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(400);
@@ -101,7 +102,7 @@ describe('Settings API', function () {
                eventPattern = pattern;
            });

-            superagent.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
+            request.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
                   .query({ access_token: token })
                   .send({ pattern: '00 30 11 * * 1-5' })
                   .end(function (err, res) {
@@ -117,7 +118,7 @@ describe('Settings API', function () {
                eventPattern = pattern;
            });

-            superagent.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
+            request.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
                   .query({ access_token: token })
                   .send({ pattern: 'never' })
                   .end(function (err, res) {
@@ -128,7 +129,7 @@ describe('Settings API', function () {
        });

        it('cannot set invalid autoupdate_pattern', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
+            request.post(SERVER_URL + '/api/v1/settings/autoupdate_pattern')
                   .query({ access_token: token })
                   .send({ pattern: '1 3 x 5 6' })
                   .end(function (err, res) {
@@ -142,17 +143,17 @@ describe('Settings API', function () {
        var name = 'foobar';

        it('get default succeeds', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/settings/cloudron_name')
+            request.get(SERVER_URL + '/api/v1/settings/cloudron_name')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
                expect(res.body.name).to.be.ok();
-                done();
+                done(err);
            });
        });

        it('cannot set without name', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/cloudron_name')
+            request.post(SERVER_URL + '/api/v1/settings/cloudron_name')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(400);
@@ -161,7 +162,7 @@ describe('Settings API', function () {
        });

        it('cannot set empty name', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/cloudron_name')
+            request.post(SERVER_URL + '/api/v1/settings/cloudron_name')
                   .query({ access_token: token })
                   .send({ name: '' })
                   .end(function (err, res) {
@@ -171,7 +172,7 @@ describe('Settings API', function () {
        });

        it('set succeeds', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/cloudron_name')
+            request.post(SERVER_URL + '/api/v1/settings/cloudron_name')
                   .query({ access_token: token })
                   .send({ name: name })
                   .end(function (err, res) {
@@ -181,29 +182,29 @@ describe('Settings API', function () {
        });

        it('get succeeds', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/settings/cloudron_name')
+            request.get(SERVER_URL + '/api/v1/settings/cloudron_name')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
                expect(res.body.name).to.eql(name);
-                done();
+                done(err);
            });
        });
    });

    describe('cloudron_avatar', function () {
        it('get default succeeds', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/settings/cloudron_avatar')
+            request.get(SERVER_URL + '/api/v1/settings/cloudron_avatar')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
                expect(res.body).to.be.a(Buffer);
-                done();
+                done(err);
            });
        });

        it('cannot set without data', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/cloudron_avatar')
+            request.post(SERVER_URL + '/api/v1/settings/cloudron_avatar')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(400);
@@ -212,7 +213,7 @@ describe('Settings API', function () {
        });

        it('set succeeds', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/cloudron_avatar')
+            request.post(SERVER_URL + '/api/v1/settings/cloudron_avatar')
                   .query({ access_token: token })
                   .attach('avatar', paths.CLOUDRON_DEFAULT_AVATAR_FILE)
                   .end(function (err, res) {
@@ -222,7 +223,7 @@ describe('Settings API', function () {
        });

        it('get succeeds', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/settings/cloudron_avatar')
+            request.get(SERVER_URL + '/api/v1/settings/cloudron_avatar')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
@@ -234,17 +235,17 @@ describe('Settings API', function () {

    describe('dns_config', function () {
        it('get dns_config fails', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/settings/dns_config')
+            request.get(SERVER_URL + '/api/v1/settings/dns_config')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
                expect(res.body).to.eql({});
-                done();
+                done(err);
            });
        });

        it('cannot set without data', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/dns_config')
+            request.post(SERVER_URL + '/api/v1/settings/dns_config')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(400);
@@ -253,7 +254,7 @@ describe('Settings API', function () {
        });

        it('set succeeds', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/dns_config')
+            request.post(SERVER_URL + '/api/v1/settings/dns_config')
                   .query({ access_token: token })
                   .send({ provider: 'route53', accessKeyId: 'accessKey', secretAccessKey: 'secretAccessKey' })
                   .end(function (err, res) {
@@ -263,12 +264,12 @@ describe('Settings API', function () {
        });

        it('get succeeds', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/settings/dns_config')
+            request.get(SERVER_URL + '/api/v1/settings/dns_config')
                   .query({ access_token: token })
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(200);
                expect(res.body).to.eql({ provider: 'route53', accessKeyId: 'accessKey', secretAccessKey: 'secretAccessKey', region: 'us-east-1', endpoint: null });
-                done();
+                done(err);
            });
        });
    });
@@ -283,68 +284,75 @@ describe('Settings API', function () {
        var validKey1 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBALQUp/TtlYxwAEWVnD4bNcr0SJmuUnWWme7rhGE333PsxdGvxwWd\nlWBjeOBq27JHmzdZ3NS/J7Z4nSs2JyXYRkkCAwEAAQJALV2eykcoC48TonQEPmkg\nbhaIS57syw67jMLsQImQ02UABKzqHPEKLXPOZhZPS9hsC/hGIehwiYCXMUlrl+WF\nAQIhAOntBI6qaecNjAAVG7UbZclMuHROUONmZUF1KNq6VyV5AiEAxRLkfHWy52CM\njOQrX347edZ30f4QczvugXwsyuU9A1ECIGlGZ8Sk4OBA8n6fAUcyO06qnmCJVlHg\npTUeOvKk5c9RAiBs28+8dCNbrbhVhx/yQr9FwNM0+ttJW/yWJ+pyNQhr0QIgJTT6\nxwCWYOtbioyt7B9l+ENy3AMSO3Uq+xmIKkvItK4=\n-----END RSA PRIVATE KEY-----';

        it('cannot set certificate without token', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
+            request.post(SERVER_URL + '/api/v1/settings/certificate')
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('cannot set certificate without certificate', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
+            request.post(SERVER_URL + '/api/v1/settings/certificate')
                   .query({ access_token: token })
                   .send({ key: validKey1 })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('cannot set certificate without key', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
+            request.post(SERVER_URL + '/api/v1/settings/certificate')
                   .query({ access_token: token })
                   .send({ cert: validCert1 })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('cannot set certificate with cert not being a string', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
+            request.post(SERVER_URL + '/api/v1/settings/certificate')
                   .query({ access_token: token })
                   .send({ cert: 1234, key: validKey1 })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('cannot set certificate with key not being a string', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
+            request.post(SERVER_URL + '/api/v1/settings/certificate')
                   .query({ access_token: token })
                   .send({ cert: validCert1, key: true })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('cannot set non wildcard certificate', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
+            request.post(SERVER_URL + '/api/v1/settings/certificate')
                   .query({ access_token: token })
                   .send({ cert: validCert0, key: validKey0 })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('can set certificate', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/settings/certificate')
+            request.post(SERVER_URL + '/api/v1/settings/certificate')
                   .query({ access_token: token })
                   .send({ cert: validCert1, key: validKey1 })
                   .end(function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(202);
                done();
            });
@@ -12,7 +12,7 @@ var clientdb = require('../../clientdb.js'),
    config = require('../../config.js'),
    database = require('../../database.js'),
    expect = require('expect.js'),
-    superagent = require('superagent'),
+    request = require('superagent'),
    server = require('../../server.js'),
    simpleauth = require('../../simpleauth.js'),
    nock = require('nock');
@@ -109,7 +109,7 @@ describe('SimpleAuth API', function () {
                var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
                var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});

-                superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+                request.post(SERVER_URL + '/api/v1/cloudron/activate')
                       .query({ setupToken: 'somesetuptoken' })
                       .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
                       .end(function (error, result) {
@@ -146,9 +146,10 @@ describe('SimpleAuth API', function () {
        it('cannot login without clientId', function (done) {
            var body = {};

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(400);
                done();
            });
@@ -159,9 +160,10 @@ describe('SimpleAuth API', function () {
                clientId: 'someclientid'
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(400);
                done();
            });
@@ -173,9 +175,10 @@ describe('SimpleAuth API', function () {
                username: USERNAME
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(400);
                done();
            });
@@ -188,9 +191,10 @@ describe('SimpleAuth API', function () {
                password: PASSWORD
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -203,9 +207,10 @@ describe('SimpleAuth API', function () {
                password: PASSWORD
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -218,9 +223,10 @@ describe('SimpleAuth API', function () {
                password: ''
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -233,9 +239,10 @@ describe('SimpleAuth API', function () {
                password: PASSWORD+PASSWORD
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -248,9 +255,10 @@ describe('SimpleAuth API', function () {
                password: PASSWORD
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -263,9 +271,10 @@ describe('SimpleAuth API', function () {
                password: PASSWORD
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -278,7 +287,7 @@ describe('SimpleAuth API', function () {
                password: PASSWORD
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
                expect(error).to.be(null);
@@ -290,7 +299,7 @@ describe('SimpleAuth API', function () {
                expect(result.body.user.email).to.be.a('string');
                expect(result.body.user.admin).to.be.a('boolean');

-                superagent.get(SERVER_URL + '/api/v1/profile')
+                request.get(SERVER_URL + '/api/v1/profile')
                .query({ access_token: result.body.accessToken })
                .end(function (error, result) {
                    expect(error).to.be(null);
@@ -309,7 +318,7 @@ describe('SimpleAuth API', function () {
                password: PASSWORD
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
                expect(error).to.be(null);
@@ -321,7 +330,7 @@ describe('SimpleAuth API', function () {
                expect(result.body.user.email).to.be.a('string');
                expect(result.body.user.admin).to.be.a('boolean');

-                superagent.get(SERVER_URL + '/api/v1/profile')
+                request.get(SERVER_URL + '/api/v1/profile')
                .query({ access_token: result.body.accessToken })
                .end(function (error, result) {
                    expect(error).to.be(null);
@@ -340,9 +349,10 @@ describe('SimpleAuth API', function () {
                password: PASSWORD
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(401);
                done();
            });
@@ -359,7 +369,7 @@ describe('SimpleAuth API', function () {
                password: PASSWORD
            };

-            superagent.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
            .send(body)
            .end(function (error, result) {
                expect(error).to.be(null);
@@ -372,32 +382,35 @@ describe('SimpleAuth API', function () {
        });

        it('fails without access_token', function (done) {
-            superagent.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(400);
                done();
            });
        });

        it('fails with unkonwn access_token', function (done) {
-            superagent.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
            .query({ access_token: accessToken+accessToken })
            .end(function (error, result) {
+                expect(error).to.be(null);
                expect(result.statusCode).to.equal(401);
                done();
            });
        });

        it('succeeds', function (done) {
-            superagent.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
            .query({ access_token: accessToken })
            .end(function (error, result) {
                expect(error).to.be(null);
                expect(result.statusCode).to.equal(200);

-                superagent.get(SERVER_URL + '/api/v1/profile')
+                request.get(SERVER_URL + '/api/v1/profile')
                .query({ access_token: accessToken })
                .end(function (error, result) {
+                    expect(error).to.be(null);
                    expect(result.statusCode).to.equal(401);

                    done();
@@ -10,7 +10,7 @@ var config = require('../../config.js'),
    database = require('../../database.js'),
    tokendb = require('../../tokendb.js'),
    expect = require('expect.js'),
-    superagent = require('superagent'),
+    request = require('superagent'),
    nock = require('nock'),
    server = require('../../server.js'),
    userdb = require('../../userdb.js');
@@ -50,7 +50,7 @@ describe('User API', function () {
    after(cleanup);

    it('device is in first time mode', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/cloudron/status')
+        request.get(SERVER_URL + '/api/v1/cloudron/status')
               .end(function (err, res) {
            expect(res.statusCode).to.equal(200);
            expect(res.body.activated).to.not.be.ok();
@@ -61,21 +61,21 @@ describe('User API', function () {
    it('create admin fails due to missing parameters', function (done) {
        var scope = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});

-        superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+        request.post(SERVER_URL + '/api/v1/cloudron/activate')
               .query({ setupToken: 'somesetuptoken' })
               .send({ username: USERNAME_0 })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(scope.isDone()).to.be.ok();
-            done();
+            done(err);
        });
    });

    it('create admin fails because only POST is allowed', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/cloudron/activate')
+        request.get(SERVER_URL + '/api/v1/cloudron/activate')
               .end(function (err, res) {
            expect(res.statusCode).to.equal(404);
-            done();
+            done(err);
        });
    });

@@ -83,7 +83,7 @@ describe('User API', function () {
        var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
        var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});

-        superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
+        request.post(SERVER_URL + '/api/v1/cloudron/activate')
               .query({ setupToken: 'somesetuptoken' })
               .send({ username: USERNAME_0, password: PASSWORD, email: EMAIL })
               .end(function (err, res) {
@@ -99,16 +99,16 @@ describe('User API', function () {
    });

    it('device left first time mode', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/cloudron/status')
+        request.get(SERVER_URL + '/api/v1/cloudron/status')
               .end(function (err, res) {
            expect(res.statusCode).to.equal(200);
            expect(res.body.activated).to.be.ok();
-            done();
+            done(err);
        });
    });

    it('can get userInfo with token', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
        .query({ access_token: token })
        .end(function (err, res) {
            expect(res.statusCode).to.equal(200);
@@ -119,7 +119,7 @@ describe('User API', function () {
            // stash for further use
            user_0 = res.body;

-            done();
+            done(err);
        });
    });

@@ -131,9 +131,10 @@ describe('User API', function () {
            expect(error).to.not.be.ok();

            setTimeout(function () {
-                superagent.get(SERVER_URL + '/api/v1/users/' + user_0.username)
+                request.get(SERVER_URL + '/api/v1/users/' + user_0.username)
                .query({ access_token: token })
                .end(function (error, result) {
+                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(401);
                    done();
                });
@@ -142,46 +143,46 @@ describe('User API', function () {
    });

    it('can get userInfo with token', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .query({ access_token: token })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(200);
            expect(res.body.username).to.equal(USERNAME_0);
            expect(res.body.email).to.equal(EMAIL);
            expect(res.body.admin).to.be.ok();
-            done();
+            done(err);
        });
    });

    it('cannot get userInfo only with basic auth', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .auth(USERNAME_0, PASSWORD)
               .end(function (err, res) {
            expect(res.statusCode).to.equal(401);
-            done();
+            done(err);
        });
    });

    it('cannot get userInfo with invalid token (token length)', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .query({ access_token: 'x' + token })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(401);
-            done();
+            done(err);
        });
    });

    it('cannot get userInfo with invalid token (wrong token)', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .query({ access_token: token.toUpperCase() })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(401);
-            done();
+            done(err);
        });
    });

    it('can get userInfo with token in auth header', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .set('Authorization', 'Bearer ' + token)
               .end(function (err, res) {
            expect(res.statusCode).to.equal(200);
@@ -190,30 +191,30 @@ describe('User API', function () {
            expect(res.body.admin).to.be.ok();
            expect(res.body.password).to.not.be.ok();
            expect(res.body.salt).to.not.be.ok();
-            done();
+            done(err);
        });
    });

    it('cannot get userInfo with invalid token in auth header', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .set('Authorization', 'Bearer ' + 'x' + token)
               .end(function (err, res) {
            expect(res.statusCode).to.equal(401);
-            done();
+            done(err);
        });
    });

    it('cannot get userInfo with invalid token (wrong token)', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .set('Authorization', 'Bearer ' + 'x' + token.toUpperCase())
               .end(function (err, res) {
            expect(res.statusCode).to.equal(401);
-            done();
+            done(err);
        });
    });

    it('create second user succeeds', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users')
+        request.post(SERVER_URL + '/api/v1/users')
               .query({ access_token: token })
               .send({ username: USERNAME_1, email: EMAIL_1 })
               .end(function (err, res) {
@@ -227,86 +228,90 @@ describe('User API', function () {

    it('set second user as admin succeeds', function (done) {
        // TODO is USERNAME_1 in body and url redundant?
-        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_1 + '/admin')
+        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_1 + '/admin')
               .query({ access_token: token })
               .send({ username: USERNAME_1, admin: true })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(204);
-            done();
+            done(err);
        });
    });

    it('remove first user from admins succeeds', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/admin')
+        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/admin')
               .query({ access_token: token_1 })
               .send({ username: USERNAME_0, admin: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(204);
-            done();
+            done(err);
        });
    });

    it('remove second user by first, now normal, user fails', function (done) {
-        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_1)
+        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_1)
               .query({ access_token: token })
               .send({ password: PASSWORD })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
-            done();
+            done(err);
        });
    });

    it('remove second user from admins and thus last admin fails', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_1 + '/admin')
+        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_1 + '/admin')
               .query({ access_token: token_1 })
               .send({ username: USERNAME_1, admin: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
-            done();
+            done(err);
        });
    });

    it('reset first user as admin succeeds', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/admin')
+        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/admin')
               .query({ access_token: token_1 })
               .send({ username: USERNAME_0, admin: true })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(204);
-            done();
+            done(err);
        });
    });

    it('create user missing username fails', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users')
+        request.post(SERVER_URL + '/api/v1/users')
               .query({ access_token: token })
               .send({ email: EMAIL_2 })
               .end(function (error, result) {
+            expect(error).to.not.be.ok();
            expect(result.statusCode).to.equal(400);
            done();
        });
    });

    it('create user missing email fails', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users')
+        request.post(SERVER_URL + '/api/v1/users')
               .query({ access_token: token })
               .send({ username: USERNAME_2 })
               .end(function (error, result) {
+            expect(error).to.not.be.ok();
            expect(result.statusCode).to.equal(400);
            done();
        });
    });

    it('create second and third user', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users')
+        request.post(SERVER_URL + '/api/v1/users')
               .query({ access_token: token })
               .send({ username: USERNAME_2, email: EMAIL_2 })
               .end(function (error, res) {
+            expect(error).to.not.be.ok();
            expect(res.statusCode).to.equal(201);

-            superagent.post(SERVER_URL + '/api/v1/users')
+            request.post(SERVER_URL + '/api/v1/users')
                   .query({ access_token: token })
                   .send({ username: USERNAME_3, email: EMAIL_3 })
                   .end(function (error, res) {
+                expect(error).to.not.be.ok();
                expect(res.statusCode).to.equal(201);

                // HACK to get a token for second user (passwords are generated and the user should have gotten a password setup link...)
@@ -316,9 +321,10 @@ describe('User API', function () {
    });

    it('second user userInfo', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/users/' + USERNAME_2)
+        request.get(SERVER_URL + '/api/v1/users/' + USERNAME_2)
               .query({ access_token: token_1 })
               .end(function (error, result) {
+            expect(error).to.be(null);
            expect(result.statusCode).to.equal(200);
            expect(result.body.username).to.equal(USERNAME_2);
            expect(result.body.email).to.equal(EMAIL_2);
@@ -329,17 +335,17 @@ describe('User API', function () {
    });

    it('create user with same username should fail', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users')
+        request.post(SERVER_URL + '/api/v1/users')
               .query({ access_token: token })
               .send({ username: USERNAME_2, email: EMAIL })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(409);
-            done();
+            done(err);
        });
    });

    it('list users', function (done) {
-        superagent.get(SERVER_URL + '/api/v1/users')
+        request.get(SERVER_URL + '/api/v1/users')
        .query({ access_token: token_2 })
        .end(function (error, res) {
            expect(error).to.be(null);
@@ -361,106 +367,106 @@ describe('User API', function () {
    });

    it('user removes himself is not allowed', function (done) {
-        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .query({ access_token: token })
               .send({ password: PASSWORD })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
-            done();
+            done(err);
        });
    });

    it('admin cannot remove normal user without giving a password', function (done) {
-        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
+        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
               .query({ access_token: token })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
-            done();
+            done(err);
        });
    });

    it('admin cannot remove normal user with empty password', function (done) {
-        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
+        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
               .query({ access_token: token })
               .send({ password: '' })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
-            done();
+            done(err);
        });
    });

    it('admin cannot remove normal user with giving wrong password', function (done) {
-        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
+        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
               .query({ access_token: token })
               .send({ password: PASSWORD + PASSWORD })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
-            done();
+            done(err);
        });
    });

    it('admin removes normal user', function (done) {
-        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
+        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_3)
               .query({ access_token: token })
               .send({ password: PASSWORD })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(204);
-            done();
+            done(err);
        });
    });

    it('admin removes himself should not be allowed', function (done) {
-        superagent.del(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.del(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .query({ access_token: token })
               .send({ password: PASSWORD })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
-            done();
+            done(err);
        });
    });

    // Change email
    it('change email fails due to missing token', function (done) {
-        superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .send({ password: PASSWORD, email: EMAIL_0_NEW })
               .end(function (error, result) {
            expect(result.statusCode).to.equal(401);
-            done();
+            done(error);
        });
    });

    it('change email fails due to missing password', function (done) {
-        superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .query({ access_token: token })
               .send({ email: EMAIL_0_NEW })
               .end(function (error, result) {
            expect(result.statusCode).to.equal(400);
-            done();
+            done(error);
        });
    });

    it('change email fails due to wrong password', function (done) {
-        superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .query({ access_token: token })
               .send({ password: PASSWORD+PASSWORD, email: EMAIL_0_NEW })
               .end(function (error, result) {
            expect(result.statusCode).to.equal(403);
-            done();
+            done(error);
        });
    });

    it('change email fails due to invalid email', function (done) {
-        superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .query({ access_token: token })
               .send({ password: PASSWORD, email: 'foo@bar' })
               .end(function (error, result) {
            expect(result.statusCode).to.equal(400);
-            done();
+            done(error);
        });
    });

    it('change email succeeds', function (done) {
-        superagent.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
+        request.put(SERVER_URL + '/api/v1/users/' + USERNAME_0)
               .query({ access_token: token })
               .send({ password: PASSWORD, email: EMAIL_0_NEW })
               .end(function (error, result) {
@@ -471,52 +477,52 @@ describe('User API', function () {

    // Change password
    it('change password fails due to missing current password', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
+        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
               .query({ access_token: token })
               .send({ newPassword: 'some wrong password' })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
-            done();
+            done(err);
        });
    });

    it('change password fails due to missing new password', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
+        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
               .query({ access_token: token })
               .send({ password: PASSWORD })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
-            done();
+            done(err);
        });
    });

    it('change password fails due to wrong password', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
+        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
               .query({ access_token: token })
               .send({ password: 'some wrong password', newPassword: 'newpassword' })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
-            done();
+            done(err);
        });
    });

    it('change password fails due to invalid password', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
+        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
               .query({ access_token: token })
               .send({ password: PASSWORD, newPassword: 'five' })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
-            done();
+            done(err);
        });
    });

    it('change password succeeds', function (done) {
-        superagent.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
+        request.post(SERVER_URL + '/api/v1/users/' + USERNAME_0 + '/password')
               .query({ access_token: token })
               .send({ password: PASSWORD, newPassword: 'new_password' })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(204);
-            done();
+            done(err);
        });
    });
 });
@@ -12,12 +12,29 @@ var appdb = require('./appdb.js'),
    CronJob = require('cron').CronJob,
    debug = require('debug')('box:src/scheduler'),
    docker = require('./docker.js'),
+    paths = require('./paths.js'),
+    safe = require('safetydance'),
    _ = require('underscore');

 var NOOP_CALLBACK = function (error) { if (error) debug('Unhandled error: ', error); };

-// appId -> { schedulerConfig (manifest), cronjobs }
-var gState = { };
+// appId -> { schedulerConfig (manifest), cronjobs, containerIds }
+var gState = (function loadState() {
+    var state = safe.JSON.parse(safe.fs.readFileSync(paths.SCHEDULER_FILE, 'utf8'));
+    return state || { };
+})();
+
+function saveState(state) {
+    // do not save cronJobs
+    var safeState = { };
+    for (var appId in state) {
+        safeState[appId] = {
+            schedulerConfig: state[appId].schedulerConfig,
+            containerIds: state[appId].containerIds
+        };
+    }
+    safe.fs.writeFileSync(paths.SCHEDULER_FILE, JSON.stringify(safeState, null, 4), 'utf8');
+}

 function sync(callback) {
    assert(!callback || typeof callback === 'function');
@@ -29,18 +46,17 @@ function sync(callback) {
    apps.getAll(function (error, allApps) {
        if (error) return callback(error);

+        // stop tasks of apps that went away
        var allAppIds = allApps.map(function (app) { return app.id; });
        var removedAppIds = _.difference(Object.keys(gState), allAppIds);
-        if (removedAppIds.length !== 0) debug('sync: stopping jobs of removed apps %j', removedAppIds);
-
        async.eachSeries(removedAppIds, function (appId, iteratorDone) {
-            stopJobs(appId, gState[appId], iteratorDone);
+            stopJobs(appId, gState[appId], true /* killContainers */, iteratorDone);
        }, function (error) {
-            if (error) debug('Error stopping jobs of removed apps', error);
+            if (error) debug('Error stopping jobs : %j', error);

            gState = _.omit(gState, removedAppIds);

-            debug('sync: checking apps %j', allAppIds);
+            // start tasks of new apps
            async.eachSeries(allApps, function (app, iteratorDone) {
                var appState = gState[app.id] || null;
                var schedulerConfig = app.manifest.addons.scheduler || null;
@@ -51,8 +67,8 @@ function sync(callback) {
                    return iteratorDone(); // nothing changed
                }

-                debug('sync: app %s changed', app.id);
-                stopJobs(app.id, appState, function (error) {
+                var killContainers = appState && !appState.cronJobs ? true : false; // keep the old containers on 'startup'
+                stopJobs(app.id, appState, killContainers, function (error) {
                    if (error) debug('Error stopping jobs for %s : %s', app.id, error.message);

                    if (!schedulerConfig) {
@@ -62,9 +78,12 @@ function sync(callback) {

                    gState[app.id] = {
                        schedulerConfig: schedulerConfig,
-                        cronJobs: createCronJobs(app.id, schedulerConfig)
+                        cronJobs: createCronJobs(app.id, schedulerConfig),
+                        containerIds: { }
                    };

+                    saveState(gState);
+
                    iteratorDone();
                });
            });
@@ -74,22 +93,23 @@ function sync(callback) {
    });
 }

-function killContainer(containerName, callback) {
-    if (!containerName) return callback();
+function killContainer(containerId, callback) {
+    if (!containerId) return callback();

    async.series([
-        docker.stopContainerByName.bind(null, containerName),
-        docker.deleteContainerByName.bind(null, containerName)
+        docker.stopContainer.bind(null, containerId),
+        docker.deleteContainer.bind(null, containerId)
    ], function (error) {
-        if (error) debug('Failed to kill task with name %s : %s', containerName, error.message);
+        if (error) debug('Failed to kill task with containerId %s : %s', containerId, error.message);

        callback(error);
    });
 }

-function stopJobs(appId, appState, callback) {
+function stopJobs(appId, appState, killContainers, callback) {
    assert.strictEqual(typeof appId, 'string');
    assert.strictEqual(typeof appState, 'object');
+    assert.strictEqual(typeof killContainers, 'boolean');
    assert.strictEqual(typeof callback, 'function');

    debug('stopJobs for %s', appId);
@@ -101,8 +121,9 @@ function stopJobs(appId, appState, callback) {
            appState.cronJobs[taskName].stop();
        }

-        var containerName = appId + '-' + taskName;
-        killContainer(containerName, iteratorDone);
+        if (!killContainers) return iteratorDone();
+
+        killContainer(appState.containerIds[taskName], iteratorDone);
    }, callback);
 }

@@ -140,6 +161,8 @@ function doTask(appId, taskName, callback) {

    callback = callback || NOOP_CALLBACK;

+    var appState = gState[appId];
+
    debug('Executing task %s/%s', appId, taskName);

    apps.get(appId, function (error, app) {
@@ -150,16 +173,18 @@ function doTask(appId, taskName, callback) {
            return callback();
        }

-        var containerName = app.id + '-' + taskName;
+        if (appState.containerIds[taskName]) debug('task %s/%s has existing container %s. killing it', appId, taskName, appState.containerIds[taskName]);

-        killContainer(containerName, function (error) {
+        killContainer(appState.containerIds[taskName], function (error) {
            if (error) return callback(error);

-            debug('Creating subcontainer for %s/%s : %s', app.id, taskName, gState[appId].schedulerConfig[taskName].command);
+            debug('Creating createSubcontainer for %s/%s : %s', app.id, taskName, gState[appId].schedulerConfig[taskName].command);

            // NOTE: if you change container name here, fix addons.js to return correct container names
-            docker.createSubcontainer(app, containerName, [ '/bin/sh', '-c', gState[appId].schedulerConfig[taskName].command ], { } /* options */, function (error, container) {
-                if (error) return callback(error);
+            docker.createSubcontainer(app, app.id + '-' + taskName, [ '/bin/sh', '-c', gState[appId].schedulerConfig[taskName].command ], function (error, container) {
+                appState.containerIds[taskName] = container.id;
+
+                saveState(gState);

                docker.startContainer(container.id, callback);
            });
@@ -42,7 +42,7 @@ for try in `seq 1 5`; do

    if tar -cvzf - -C "${app_data_snapshot}" . \
           | openssl aes-256-cbc -e -pass "pass:${backup_key}" \
-           | curl --fail -X PUT ${headers[@]} --data-binary @- "${backup_url}" 2>"${error_log}"; then
+           | curl --fail -X PUT "${headers[@]}" --data-binary @- "${backup_url}" 2>"${error_log}"; then
        break
    fi
    cat "${error_log}" && rm "${error_log}"
@@ -21,7 +21,7 @@ readonly program_name=$1

 echo "${program_name}.log"
 echo "-------------------"
-journalctl --all --no-pager -u ${program_name} -n 100
+journalctl --no-pager -u ${program_name} -n 100
 echo
 echo
 echo "dmesg"
@@ -31,7 +31,7 @@ echo
 echo
 echo "docker"
 echo "------"
-journalctl --all --no-pager -u docker -n 50
+journalctl --no-pager -u docker -n 50
 echo
 echo

@@ -10,7 +10,6 @@ exports = module.exports = {
 var assert = require('assert'),
    async = require('async'),
    auth = require('./auth.js'),
-    certificates = require('./certificates.js'),
    cloudron = require('./cloudron.js'),
    cron = require('./cron.js'),
    config = require('./config.js'),
@@ -21,6 +20,7 @@ var assert = require('assert'),
    middleware = require('./middleware'),
    passport = require('passport'),
    path = require('path'),
+    paths = require('./paths.js'),
    routes = require('./routes/index.js'),
    taskmanager = require('./taskmanager.js');

@@ -161,8 +161,6 @@ function initializeExpressSync() {
    router.post('/api/v1/settings/cloudron_avatar',    settingsScope, multipart, routes.settings.setCloudronAvatar);
    router.get ('/api/v1/settings/dns_config',         settingsScope, routes.settings.getDnsConfig);
    router.post('/api/v1/settings/dns_config',         settingsScope, routes.settings.setDnsConfig);
-    router.get ('/api/v1/settings/backup_config',      settingsScope, routes.settings.getBackupConfig);
-    router.post('/api/v1/settings/backup_config',      settingsScope, routes.settings.setBackupConfig);
    router.post('/api/v1/settings/certificate',        settingsScope, routes.settings.setCertificate);
    router.post('/api/v1/settings/admin_certificate',  settingsScope, routes.settings.setAdminCertificate);

@@ -236,7 +234,6 @@ function start(callback) {
        auth.initialize,
        database.initialize,
        cloudron.initialize, // keep this here because it reads activation state that others depend on
-        certificates.installAdminCertificate, // keep this before cron to block heartbeats until cert is ready
        taskmanager.initialize,
        mailer.initialize,
        cron.initialize,
@@ -26,31 +26,37 @@ exports = module.exports = {
    getBackupConfig: getBackupConfig,
    setBackupConfig: setBackupConfig,

-    getTlsConfig: getTlsConfig,
-    setTlsConfig: setTlsConfig,
-
    getDefaultSync: getDefaultSync,
    getAll: getAll,

+    validateCertificate: validateCertificate,
+    setCertificate: setCertificate,
+    setAdminCertificate: setAdminCertificate,
+
    AUTOUPDATE_PATTERN_KEY: 'autoupdate_pattern',
    TIME_ZONE_KEY: 'time_zone',
    CLOUDRON_NAME_KEY: 'cloudron_name',
    DEVELOPER_MODE_KEY: 'developer_mode',
    DNS_CONFIG_KEY: 'dns_config',
    BACKUP_CONFIG_KEY: 'backup_config',
-    TLS_CONFIG_KEY: 'tls_config',

    events: new (require('events').EventEmitter)()
 };

 var assert = require('assert'),
    config = require('./config.js'),
+    constants = require('./constants.js'),
    CronJob = require('cron').CronJob,
    DatabaseError = require('./databaseerror.js'),
+    ejs = require('ejs'),
+    fs = require('fs'),
+    path = require('path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
    settingsdb = require('./settingsdb.js'),
+    shell = require('./shell.js'),
    util = require('util'),
+    x509 = require('x509'),
    _ = require('underscore');

 var gDefaults = (function () {
@@ -61,11 +67,13 @@ var gDefaults = (function () {
    result[exports.DEVELOPER_MODE_KEY] = false;
    result[exports.DNS_CONFIG_KEY] = { };
    result[exports.BACKUP_CONFIG_KEY] = { };
-    result[exports.TLS_CONFIG_KEY] = { provider: 'caas' };

    return result;
 })();

+var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }),
+    RELOAD_NGINX_CMD = path.join(__dirname, 'scripts/reloadnginx.sh');
+
 if (config.TEST) {
    // avoid noisy warnings during npm test
    exports.events.setMaxListeners(100);
@@ -93,6 +101,7 @@ util.inherits(SettingsError, Error);
 SettingsError.INTERNAL_ERROR = 'Internal Error';
 SettingsError.NOT_FOUND = 'Not Found';
 SettingsError.BAD_FIELD = 'Bad Field';
+SettingsError.INVALID_CERT = 'Invalid certificate';

 function setAutoupdatePattern(pattern, callback) {
    assert.strictEqual(typeof pattern, 'string');
@@ -267,34 +276,6 @@ function setDnsConfig(dnsConfig, callback) {
    });
 }

-function getTlsConfig(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    settingsdb.get(exports.TLS_CONFIG_KEY, function (error, value) {
-        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, gDefaults[exports.TLS_CONFIG_KEY]);
-        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, error));
-
-        callback(null, JSON.parse(value)); // provider
-    });
-}
-
-function setTlsConfig(tlsConfig, callback) {
-    assert.strictEqual(typeof tlsConfig, 'object');
-    assert.strictEqual(typeof callback, 'function');
-
-    if (tlsConfig.provider !== 'caas' && tlsConfig.provider.indexOf('le-') !== 0) {
-        return callback(new SettingsError(SettingsError.BAD_FIELD, 'provider must be caas or le-*'));
-    }
-
-    settingsdb.set(exports.TLS_CONFIG_KEY, JSON.stringify(tlsConfig), function (error) {
-        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, error));
-
-        exports.events.emit(exports.TLS_CONFIG_KEY, tlsConfig);
-
-        callback(null);
-    });
-}
-
 function getBackupConfig(callback) {
    assert.strictEqual(typeof callback, 'function');

@@ -341,3 +322,103 @@ function getAll(callback) {
        callback(null, result);
    });
 }
+
+// note: https://tools.ietf.org/html/rfc4346#section-7.4.2 (certificate_list) requires that the
+// servers certificate appears first (and not the intermediate cert)
+function validateCertificate(cert, key, fqdn) {
+    assert(cert === null || typeof cert === 'string');
+    assert(key === null || typeof key === 'string');
+    assert.strictEqual(typeof fqdn, 'string');
+
+    if (cert === null && key === null) return null;
+    if (!cert && key) return new Error('missing cert');
+    if (cert && !key) return new Error('missing key');
+
+    var content;
+    try {
+        content = x509.parseCert(cert);
+    } catch (e) {
+        return new Error('invalid cert: ' + e.message);
+    }
+
+    // check expiration
+    if (content.notAfter < new Date()) return new Error('cert expired');
+
+    function matchesDomain(domain) {
+        if (domain === fqdn) return true;
+        if (domain.indexOf('*') === 0 && domain.slice(2) === fqdn.slice(fqdn.indexOf('.') + 1)) return true;
+
+        return false;
+    }
+
+    // check domain
+    var domains = content.altNames.concat(content.subject.commonName);
+    if (!domains.some(matchesDomain)) return new Error(util.format('cert is not valid for this domain. Expecting %s in %j', fqdn, domains));
+
+    // http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify
+    var certModulus = safe.child_process.execSync('openssl x509 -noout -modulus', { encoding: 'utf8', input: cert });
+    var keyModulus = safe.child_process.execSync('openssl rsa -noout -modulus', { encoding: 'utf8', input: key });
+    if (certModulus !== keyModulus) return new Error('key does not match the cert');
+
+    return null;
+}
+
+function setCertificate(cert, key, callback) {
+    assert.strictEqual(typeof cert, 'string');
+    assert.strictEqual(typeof key, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var error = validateCertificate(cert, key, '*.' + config.fqdn());
+    if (error) return callback(new SettingsError(SettingsError.INVALID_CERT, error.message));
+
+    if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, 'host.cert'), cert)) {
+        return callback(new SettingsError(SettingsError.INTERNAL_ERROR, safe.error.message));
+    }
+
+    if (!safe.fs.writeFileSync(path.join(paths.NGINX_CERT_DIR, 'host.key'), key)) {
+        return callback(new SettingsError(SettingsError.INTERNAL_ERROR, safe.error.message));
+    }
+
+    shell.sudo('setCertificate', [ RELOAD_NGINX_CMD ], function (error) {
+        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, error));
+
+        return callback(null);
+    });
+}
+
+function setAdminCertificate(cert, key, callback) {
+    assert.strictEqual(typeof cert, 'string');
+    assert.strictEqual(typeof key, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var sourceDir = path.resolve(__dirname, '..');
+    var endpoint = 'admin';
+    var vhost = config.appFqdn(constants.ADMIN_LOCATION);
+    var certFilePath = path.join(paths.APP_CERTS_DIR, 'admin.cert');
+    var keyFilePath = path.join(paths.APP_CERTS_DIR, 'admin.key');
+
+    var error = validateCertificate(cert, key, vhost);
+    if (error) return callback(new SettingsError(SettingsError.INVALID_CERT, error.message));
+
+    if (!safe.fs.writeFileSync(certFilePath, cert)) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, safe.error.message));
+    if (!safe.fs.writeFileSync(keyFilePath, key)) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, safe.error.message));
+
+    var data = {
+        sourceDir: sourceDir,
+        adminOrigin: config.adminOrigin(),
+        vhost: vhost,
+        endpoint: endpoint,
+        certFilePath: certFilePath,
+        keyFilePath: keyFilePath
+    };
+    var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
+    var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, 'admin.conf');
+
+    if (!safe.fs.writeFileSync(nginxConfigFilename, nginxConf)) return callback(safe.error);
+
+    shell.sudo('setAdminCertificate', [ RELOAD_NGINX_CMD ], function (error) {
+        if (error) return callback(new SettingsError(SettingsError.INTERNAL_ERROR, error));
+
+        return callback(null);
+    });
+}
@@ -24,7 +24,7 @@ function getBackupCredentials(backupConfig, callback) {

    var url = config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/awscredentials';
    superagent.post(url).query({ token: backupConfig.token }).end(function (error, result) {
-        if (error && !error.response) return callback(error);
+        if (error) return callback(error);
        if (result.statusCode !== 201) return callback(new Error(result.text));
        if (!result.body || !result.body.credentials) return callback(new Error('Unexpected response'));

@@ -49,10 +49,11 @@ function getAllPaged(backupConfig, page, perPage, callback) {

    var url = config.apiServerOrigin() + '/api/v1/boxes/' + config.fqdn() + '/backups';
    superagent.get(url).query({ token: backupConfig.token }).end(function (error, result) {
-        if (error && !error.response) return callback(error);
+        if (error) return callback(error);
        if (result.statusCode !== 200) return callback(new Error(result.text));
        if (!result.body || !util.isArray(result.body.backups)) return callback(new Error('Unexpected response'));

+        // [ { creationTime, boxVersion, restoreKey, dependsOn: [ ] } ] sorted by time (latest first)
        return callback(null, result.body.backups);
    });
 }
@@ -62,8 +63,6 @@ function getSignedUploadUrl(backupConfig, filename, callback) {
    assert.strictEqual(typeof filename, 'string');
    assert.strictEqual(typeof callback, 'function');

-    if (!backupConfig.bucket || !backupConfig.prefix) return new Error('Invalid configuration'); // prevent error in s3
-
    getBackupCredentials(backupConfig, function (error, credentials) {
        if (error) return callback(error);

@@ -86,8 +85,6 @@ function getSignedDownloadUrl(backupConfig, filename, callback) {
    assert.strictEqual(typeof filename, 'string');
    assert.strictEqual(typeof callback, 'function');

-    if (!backupConfig.bucket || !backupConfig.prefix) return new Error('Invalid configuration'); // prevent error in s3
-
    getBackupCredentials(backupConfig, function (error, credentials) {
        if (error) return callback(error);

@@ -111,8 +108,6 @@ function copyObject(backupConfig, from, to, callback) {
    assert.strictEqual(typeof to, 'string');
    assert.strictEqual(typeof callback, 'function');

-    if (!backupConfig.bucket || !backupConfig.prefix) return new Error('Invalid configuration'); // prevent error in s3
-
    getBackupCredentials(backupConfig, function (error, credentials) {
        if (error) return callback(error);

@@ -36,32 +36,7 @@ function getAllPaged(backupConfig, page, perPage, callback) {
    assert.strictEqual(typeof perPage, 'number');
    assert.strictEqual(typeof callback, 'function');

-    getBackupCredentials(backupConfig, function (error, credentials) {
-        if (error) return callback(error);
-
-        var s3 = new AWS.S3(credentials);
-
-        var params = {
-            Bucket: backupConfig.bucket,
-            EncodingType: 'url',
-            Prefix: backupConfig.prefix + '/backup_'
-        };
-
-        s3.listObjects(params, function (error, data) {
-            if (error) return callback(error);
-
-            var results = data.Contents.map(function (backup) {
-                return {
-                    creationTime: backup.LastModified,
-                    restoreKey: backup.Key.slice(backupConfig.prefix.length + 1)
-                };
-            });
-
-            results.sort(function (a, b) { return a.creationTime < b.creationTime; });
-
-            return callback(null, results);
-        });
-    });
+    return callback(new Error('Not implemented yet'));
 }

 function getSignedUploadUrl(backupConfig, filename, callback) {
@@ -1,68 +1,28 @@
-/* jslint node:true */
-
 'use strict';

-var assert = require('assert'),
-    caas = require('./sysinfo/caas.js'),
-    config = require('./config.js'),
-    ec2 = require('./sysinfo/ec2.js'),
-    util = require('util');
-
 exports = module.exports = {
-    SysInfoError: SysInfoError,
-
    getIp: getIp
 };

+var os = require('os');
+
 var gCachedIp = null;

-function SysInfoError(reason, errorOrMessage) {
-    assert.strictEqual(typeof reason, 'string');
-    assert(errorOrMessage instanceof Error || typeof errorOrMessage === 'string' || typeof errorOrMessage === 'undefined');
+function getIp() {
+    if (gCachedIp) return gCachedIp;

-    Error.call(this);
-    Error.captureStackTrace(this, this.constructor);
+    var ifaces = os.networkInterfaces();
+    for (var dev in ifaces) {
+        if (dev.match(/^(en|eth|wlp).*/) === null) continue;

-    this.name = this.constructor.name;
-    this.reason = reason;
-    if (typeof errorOrMessage === 'undefined') {
-        this.message = reason;
-    } else if (typeof errorOrMessage === 'string') {
-        this.message = errorOrMessage;
-    } else {
-        this.message = 'Internal error';
-        this.nestedError = errorOrMessage;
+        for (var i = 0; i < ifaces[dev].length; i++) {
+            if (ifaces[dev][i].family === 'IPv4') {
+                gCachedIp = ifaces[dev][i].address;
+                return gCachedIp;
+            }
+        }
    }
-}
-util.inherits(SysInfoError, Error);
-SysInfoError.INTERNAL_ERROR = 'Internal Error';

-function getApi(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    switch (config.provider()) {
-        case '': return callback(null, caas);   // current fallback for caas
-        case 'caas': return callback(null, caas);
-        case 'digitalocean': return callback(null, caas);
-        case 'ec2': return callback(null, ec2);
-        default: return callback(new Error('Unkown provider ' + config.provider()));
-    }
+    return null;
 }

-function getIp(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    if (gCachedIp) return callback(null, gCachedIp);
-
-    getApi(function (error, api) {
-        if (error) return callback(error);
-
-        api.getIp(function (error, ip) {
-            if (error) return callback(error);
-
-            gCachedIp = ip;
-
-            callback(null, gCachedIp);
-        });
-    });
-}
@@ -1,26 +0,0 @@
-'use strict';
-
-exports = module.exports = {
-    getIp: getIp
-};
-
-var assert = require('assert'),
-    os = require('os'),
-    SysInfoError = require('../sysinfo.js').SysInfoError;
-
-function getIp(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    var ifaces = os.networkInterfaces();
-    for (var dev in ifaces) {
-        if (dev.match(/^(en|eth|wlp).*/) === null) continue;
-
-        for (var i = 0; i < ifaces[dev].length; i++) {
-            if (ifaces[dev][i].family === 'IPv4') {
-                return callback(null, ifaces[dev][i].address);
-            }
-        }
-    }
-
-    callback(new SysInfoError(SysInfoError.INTERNAL_ERROR, 'No IP found'));
-}
@@ -1,21 +0,0 @@
-'use strict';
-
-exports = module.exports = {
-    getIp: getIp
-};
-
-var assert = require('assert'),
-    superagent = require('superagent'),
-    SysInfoError = require('../sysinfo.js').SysInfoError,
-    util = require('util');
-
-function getIp(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    superagent.get('http://169.254.169.254/latest/meta-data/public-ipv4').end(function (error, result) {
-        if (error) return callback(new SysInfoError(SysInfoError.INTERNAL_ERROR, error.status ? 'Request failed: ' + error.status : 'Network failure'));
-        if (result.statusCode !== 200) return callback(new SysInfoError(SysInfoError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));
-
-        callback(null, result.text);
-    });
-}
@@ -9,7 +9,6 @@ exports = module.exports = {

 var appdb = require('./appdb.js'),
    assert = require('assert'),
-    async = require('async'),
    child_process = require('child_process'),
    cloudron = require('./cloudron.js'),
    debug = require('debug')('box:taskmanager'),
@@ -40,11 +39,14 @@ function uninitialize(callback) {
    assert.strictEqual(typeof callback, 'function');

    gPendingTasks = [ ]; // clear this first, otherwise stopAppTask will resume them
+    for (var appId in gActiveTasks) {
+        stopAppTask(appId);
+    }

    cloudron.events.removeListener(cloudron.EVENT_CONFIGURED, resumeTasks);
    locker.removeListener('unlocked', startNextTask);

-    async.eachSeries(Object.keys(gActiveTasks), stopAppTask, callback);
+    callback(null);
 }


@@ -93,47 +95,31 @@ function startAppTask(appId) {
    }

    gActiveTasks[appId] = child_process.fork(__dirname + '/apptask.js', [ appId ]);
-
-    var pid = gActiveTasks[appId].pid;
-    debug('Started task of %s pid: %s', appId, pid);
-
-    gActiveTasks[appId].once('exit', function (code, signal) {
-        debug('Task for %s pid %s completed with status %s', appId, pid, code);
-        if (code === null /* signal */ || (code !== 0 && code !== 50)) { // apptask crashed
-            debug('Apptask crashed with code %s and signal %s', code, signal);
-            appdb.update(appId, { installationState: appdb.ISTATE_ERROR, installationProgress: 'Apptask crashed with code ' + code + ' and signal ' + signal }, NOOP_CALLBACK);
+    gActiveTasks[appId].once('exit', function (code) {
+        debug('Task for %s completed with status %s', appId, code);
+        if (code && code !== 50) { // apptask crashed
+            appdb.update(appId, { installationState: appdb.ISTATE_ERROR, installationProgress: 'Apptask crashed with code ' + code }, NOOP_CALLBACK);
        }
        delete gActiveTasks[appId];
        locker.unlock(locker.OP_APPTASK); // unlock event will trigger next task
    });
 }

-function stopAppTask(appId, callback) {
+function stopAppTask(appId) {
    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof callback, 'function');

    if (gActiveTasks[appId]) {
-        debug('stopAppTask : Killing existing task of %s with pid %s', appId, gActiveTasks[appId].pid);
-        gActiveTasks[appId].once('exit', function () { callback(); });
+        debug('stopAppTask : Killing existing task of %s with pid %s: ', appId, gActiveTasks[appId].pid);
        gActiveTasks[appId].kill(); // this will end up calling the 'exit' handler
-        return;
-    }
-
-    if (gPendingTasks.indexOf(appId) !== -1) {
-        debug('stopAppTask: Removing pending task : %s', appId);
+        delete gActiveTasks[appId];
+    } else if (gPendingTasks.indexOf(appId) !== -1) {
+        debug('stopAppTask: Removing existing pending task : %s', appId);
        gPendingTasks = _.without(gPendingTasks, appId);
-    } else {
-        debug('stopAppTask: no task for %s to be stopped', appId);
    }
-
-    callback();
 }

-function restartAppTask(appId, callback) {
-    callback = callback || NOOP_CALLBACK;
-
-    async.series([
-        stopAppTask.bind(null, appId),
-        startAppTask.bind(null, appId)
-    ], callback);
+function restartAppTask(appId) {
+    stopAppTask(appId);
+    startAppTask(appId);
 }
+
@@ -85,8 +85,7 @@ describe('apptask', function () {
        async.series([
            database.initialize,
            appdb.add.bind(null, APP.id, APP.appStoreId, APP.manifest, APP.location, APP.portBindings, APP.accessRestriction, APP.oauthProxy),
-            settings.setDnsConfig.bind(null, { provider: 'route53', accessKeyId: 'accessKeyId', secretAccessKey: 'secretAccessKey', endpoint: 'http://localhost:5353' }),
-            settings.setTlsConfig.bind(null, { provider: 'caas' })
+            settings.setDnsConfig.bind(null, { provider: 'route53', accessKeyId: 'accessKeyId', secretAccessKey: 'secretAccessKey', endpoint: 'http://localhost:5353' })
        ], done);
    });

@@ -98,12 +97,12 @@ describe('apptask', function () {
        apptask.initialize(done);
    });

-    it('reserve port', function (done) {
-        apptask._reserveHttpPort(APP, function (error) {
-            expect(error).to.not.be.ok();
-            expect(APP.httpPort).to.be.a('number');
-            var client = net.connect(APP.httpPort);
-            client.on('connect', function () { done(new Error('Port is not free:' + APP.httpPort)); });
+    it('free port', function (done) {
+        apptask._getFreePort(function (error, port) {
+            expect(error).to.be(null);
+            expect(port).to.be.a('number');
+            var client = net.connect(port);
+            client.on('connect', function () { done(new Error('Port is not free:' + port)); });
            client.on('error', function (error) { done(); });
        });
    });
@@ -1,90 +0,0 @@
-/* jslint node:true */
-/* global it:false */
-/* global describe:false */
-/* global before:false */
-/* global after:false */
-
-'use strict';
-
-var certificates = require('../certificates.js'),
-    expect = require('expect.js');
-
-describe('Certificates', function () {
-    describe('validateCertificate', function () {
-        /*
-          Generate these with:
-            openssl genrsa -out server.key 512
-            openssl req -new -key server.key -out server.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=Nebulon/OU=CTO/CN=baz.foobar.com"
-            openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
-        */
-
-        // foobar.com
-        var validCert0 = '-----BEGIN CERTIFICATE-----\nMIIBujCCAWQCCQCjLyTKzAJ4FDANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzETMBEGA1UEAwwKZm9vYmFyLmNvbTAeFw0xNTEw\nMjgxMjM5MjZaFw0xNjEwMjcxMjM5MjZaMGQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI\nDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEQMA4GA1UECgwHTmVidWxvbjEMMAoG\nA1UECwwDQ1RPMRMwEQYDVQQDDApmb29iYXIuY29tMFwwDQYJKoZIhvcNAQEBBQAD\nSwAwSAJBAMeYofgwHeNVmGkGe0gj4dnX2ciifDi7X2K/oVHp7mxuHjGMSYP9Z7b6\n+mu0IMf4OedwXStHBeO8mwjKxZmE7p8CAwEAATANBgkqhkiG9w0BAQsFAANBAJI7\nFUUHXjR63UFk8pgxp0c7hEGqj4VWWGsmo8oZnnX8jGVmQDKbk8o3MtDujfqupmMR\nMo7tSAFlG7zkm3GYhpw=\n-----END CERTIFICATE-----';
-        var validKey0 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAMeYofgwHeNVmGkGe0gj4dnX2ciifDi7X2K/oVHp7mxuHjGMSYP9\nZ7b6+mu0IMf4OedwXStHBeO8mwjKxZmE7p8CAwEAAQJBAJS59Sb8o6i8JT9NJxvQ\nMQCkSJGqEaosZJ0uccSZ7aE48v+H7HiPzXAueitohcEif2Wp1EZ1RbRMURhznNiZ\neLECIQDxxqhakO6wc7H68zmpRXJ5ZxGUNbM24AMtpONAtEw9iwIhANNWtp6P74OV\ntvfOmtubbqw768fmGskFCOcp5oF8oF29AiBkTAf9AhCyjFwyAYJTEScq67HkLN66\njfVjkvpfFixmfwIgI+xldmZ5DCDyzQSthg7RrS0yUvRmMS1N6h1RNUl96PECIQDl\nit4lFcytbqNo1PuBZvzQE+plCjiJqXHYo3WCst1Jbg==\n-----END RSA PRIVATE KEY-----';
-
-        // *.foobar.com
-        var validCert1 = '-----BEGIN CERTIFICATE-----\nMIIBvjCCAWgCCQCg957GWuHtbzANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzEVMBMGA1UEAwwMKi5mb29iYXIuY29tMB4XDTE1\nMTAyODEzMDI1MFoXDTE2MTAyNzEzMDI1MFowZjELMAkGA1UEBhMCREUxDzANBgNV\nBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMRAwDgYDVQQKDAdOZWJ1bG9uMQww\nCgYDVQQLDANDVE8xFTATBgNVBAMMDCouZm9vYmFyLmNvbTBcMA0GCSqGSIb3DQEB\nAQUAA0sAMEgCQQC0FKf07ZWMcABFlZw+GzXK9EiZrlJ1lpnu64RhN99z7MXRr8cF\nnZVgY3jgatuyR5s3WdzUvye2eJ0rNicl2EZJAgMBAAEwDQYJKoZIhvcNAQELBQAD\nQQAw4bteMZAeJWl2wgNLw+wTwAH96E0jyxwreCnT5AxJLmgimyQ0XOF4FsssdRFj\nxD9WA+rktelBodJyPeTDNhIh\n-----END CERTIFICATE-----';
-        var validKey1 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBALQUp/TtlYxwAEWVnD4bNcr0SJmuUnWWme7rhGE333PsxdGvxwWd\nlWBjeOBq27JHmzdZ3NS/J7Z4nSs2JyXYRkkCAwEAAQJALV2eykcoC48TonQEPmkg\nbhaIS57syw67jMLsQImQ02UABKzqHPEKLXPOZhZPS9hsC/hGIehwiYCXMUlrl+WF\nAQIhAOntBI6qaecNjAAVG7UbZclMuHROUONmZUF1KNq6VyV5AiEAxRLkfHWy52CM\njOQrX347edZ30f4QczvugXwsyuU9A1ECIGlGZ8Sk4OBA8n6fAUcyO06qnmCJVlHg\npTUeOvKk5c9RAiBs28+8dCNbrbhVhx/yQr9FwNM0+ttJW/yWJ+pyNQhr0QIgJTT6\nxwCWYOtbioyt7B9l+ENy3AMSO3Uq+xmIKkvItK4=\n-----END RSA PRIVATE KEY-----';
-
-        // baz.foobar.com
-        var validCert2 = '-----BEGIN CERTIFICATE-----\nMIIBwjCCAWwCCQDIKtL9RCDCkDANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzEXMBUGA1UEAwwOYmF6LmZvb2Jhci5jb20wHhcN\nMTUxMDI4MTMwNTMzWhcNMTYxMDI3MTMwNTMzWjBoMQswCQYDVQQGEwJERTEPMA0G\nA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05lYnVsb24x\nDDAKBgNVBAsMA0NUTzEXMBUGA1UEAwwOYmF6LmZvb2Jhci5jb20wXDANBgkqhkiG\n9w0BAQEFAANLADBIAkEAw7UWW/VoQePv2l92l3XcntZeyw1nBiHxk1axZwC6auOW\n2/zfA//Tg7fv4q5qKnV1n/71IiMAheeFcpfogY5rTwIDAQABMA0GCSqGSIb3DQEB\nCwUAA0EAtluL6dGNfOdNkzoO/UwzRaIvEm2reuqe+Ik4WR/k+DJ4igrmRCQqXwjW\nJaGYsFWsuk3QLOWQ9YgCKlcIYd+1/A==\n-----END CERTIFICATE-----';
-        var validKey2 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBAMO1Flv1aEHj79pfdpd13J7WXssNZwYh8ZNWsWcAumrjltv83wP/\n04O37+Kuaip1dZ/+9SIjAIXnhXKX6IGOa08CAwEAAQJAUPD3Y2cXDJFaJQXwhWnw\nqhzdLbvITUgCor5rNr+dWhE2MopGPpRHiabA1PeWEPx8CfblyTZGd8KUR/2W1c0r\naQIhAP4ZxB3+uhuzzMfyRrn/khr12pFn/FCIDbwnDbyUxLrTAiEAxSuVOFs+Mupt\nYCz/pPrDCx3eid0wyXRObbkLHOxJiBUCIBTp5fxaBNNW3xnt1OhmIo5Zgd3J4zh1\nmjvMMxM8Y1zFAiAxOP0qsZSoj1+41+MGY9fXaaCJ2F96m3+M4tpEYTTGNQIgdESZ\nz+hzHBeYVbWJpIR8uaNkx7wveUF90FpipXyeTsA=\n-----END RSA PRIVATE KEY-----';
-
-        it('allows both null', function () {
-            expect(certificates.validateCertificate(null, null, 'foobar.com')).to.be(null);
-        });
-
-        it('does not allow only cert', function () {
-            expect(certificates.validateCertificate('cert', null, 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow only key', function () {
-            expect(certificates.validateCertificate(null, 'key', 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow empty string for cert', function () {
-            expect(certificates.validateCertificate('', 'key', 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow empty string for key', function () {
-            expect(certificates.validateCertificate('cert', '', 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow invalid cert', function () {
-            expect(certificates.validateCertificate('someinvalidcert', validKey0, 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow invalid key', function () {
-            expect(certificates.validateCertificate(validCert0, 'invalidkey', 'foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow cert without matching domain', function () {
-            expect(certificates.validateCertificate(validCert0, validKey0, 'cloudron.io')).to.be.an(Error);
-        });
-
-        it('allows valid cert with matching domain', function () {
-            expect(certificates.validateCertificate(validCert0, validKey0, 'foobar.com')).to.be(null);
-        });
-
-        it('allows valid cert with matching domain (wildcard)', function () {
-            expect(certificates.validateCertificate(validCert1, validKey1, 'abc.foobar.com')).to.be(null);
-        });
-
-        it('does now allow cert without matching domain (wildcard)', function () {
-            expect(certificates.validateCertificate(validCert1, validKey1, 'foobar.com')).to.be.an(Error);
-            expect(certificates.validateCertificate(validCert1, validKey1, 'bar.abc.foobar.com')).to.be.an(Error);
-        });
-
-        it('allows valid cert with matching domain (subdomain)', function () {
-            expect(certificates.validateCertificate(validCert2, validKey2, 'baz.foobar.com')).to.be(null);
-        });
-
-        it('does not allow cert without matching domain (subdomain)', function () {
-            expect(certificates.validateCertificate(validCert0, validKey0, 'baz.foobar.com')).to.be.an(Error);
-        });
-
-        it('does not allow invalid cert/key tuple', function () {
-            expect(certificates.validateCertificate(validCert0, validKey1, 'foobar.com')).to.be.an(Error);
-        });
-    });
-});
@@ -35,40 +35,28 @@ for script in "${scripts[@]}"; do
    fi
 done

-image_missing=""
-
 if ! docker inspect "${TEST_IMAGE}" >/dev/null 2>/dev/null; then
-    echo "docker pull ${TEST_IMAGE}"
-    image_missing="true"
-fi
-
-if ! docker inspect "${REDIS_IMAGE}" >/dev/null 2>/dev/null; then
-    echo "docker pull ${REDIS_IMAGE}"
-    image_missing="true"
-fi
-
-if ! docker inspect "${MYSQL_IMAGE}" >/dev/null 2>/dev/null; then
-    echo "docker pull ${MYSQL_IMAGE}"
-    image_missing="true"
-fi
-
-if ! docker inspect "${POSTGRESQL_IMAGE}" >/dev/null 2>/dev/null; then
-    echo "docker pull ${POSTGRESQL_IMAGE}"
-    image_missing="true"
-fi
-
-if ! docker inspect "${MONGODB_IMAGE}" >/dev/null 2>/dev/null; then
-    echo "docker pull ${MONGODB_IMAGE}"
-    image_missing="true"
-fi
-
-if ! docker inspect "${MAIL_IMAGE}" >/dev/null 2>/dev/null; then
-    echo "docker pull ${MAIL_IMAGE}"
-    image_missing="true"
-fi
-
-if [[ "${image_missing}" == "true" ]]; then
-    echo "Pull above images before running tests"
+    echo "docker pull "${TEST_IMAGE}" for tests to run"
+    exit 1
+fi
+
+if ! docker inspect "${REDIS_IMAGE}" >/dev/null 2>/dev/null; then
+    echo "docker pull ${REDIS_IMAGE} for tests to run"
+    exit 1
+fi
+
+if ! docker inspect "${MYSQL_IMAGE}" >/dev/null 2>/dev/null; then
+    echo "docker pull ${MYSQL_IMAGE} for tests to run"
+    exit 1
+fi
+
+if ! docker inspect "${POSTGRESQL_IMAGE}" >/dev/null 2>/dev/null; then
+    echo "docker pull ${POSTGRESQL_IMAGE} for tests to run"
+    exit 1
+fi
+
+if ! docker inspect "${MONGODB_IMAGE}" >/dev/null 2>/dev/null; then
+    echo "docker pull ${MONGODB_IMAGE} for tests to run"
    exit 1
 fi

@@ -11,7 +11,7 @@ var progress = require('../progress.js'),
    database = require('../database.js'),
    expect = require('expect.js'),
    nock = require('nock'),
-    superagent = require('superagent'),
+    request = require('superagent'),
    server = require('../server.js');

 var SERVER_URL = 'http://localhost:' + config.get('port');
@@ -46,7 +46,7 @@ describe('Server', function () {
        });

        it('is reachable', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/cloudron/status', function (err, res) {
+            request.get(SERVER_URL + '/api/v1/cloudron/status', function (err, res) {
                expect(res.statusCode).to.equal(200);
                done(err);
            });
@@ -79,32 +79,32 @@ describe('Server', function () {
            });
        });

-        it('random bad superagents', function (done) {
-            superagent.get(SERVER_URL + '/random', function (err, res) {
-                expect(err).to.be.ok();
+        it('random bad requests', function (done) {
+            request.get(SERVER_URL + '/random', function (err, res) {
+                expect(err).to.not.be.ok();
                expect(res.statusCode).to.equal(404);
-                done();
+                done(err);
            });
        });

        it('version', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/cloudron/status', function (err, res) {
+            request.get(SERVER_URL + '/api/v1/cloudron/status', function (err, res) {
                expect(err).to.not.be.ok();
                expect(res.statusCode).to.equal(200);
                expect(res.body.version).to.equal('0.5.0');
-                done();
+                done(err);
            });
        });

        it('status route is GET', function (done) {
-            superagent.post(SERVER_URL + '/api/v1/cloudron/status')
+            request.post(SERVER_URL + '/api/v1/cloudron/status')
                   .end(function (err, res) {
                expect(res.statusCode).to.equal(404);

-                superagent.get(SERVER_URL + '/api/v1/cloudron/status')
+                request.get(SERVER_URL + '/api/v1/cloudron/status')
                       .end(function (err, res) {
                    expect(res.statusCode).to.equal(200);
-                    done();
+                    done(err);
                });
            });
        });
@@ -122,16 +122,18 @@ describe('Server', function () {
        });

        it('config fails due missing token', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/cloudron/config', function (err, res) {
+            request.get(SERVER_URL + '/api/v1/cloudron/config', function (err, res) {
+                expect(err).to.not.be.ok();
                expect(res.statusCode).to.equal(401);
-                done();
+                done(err);
            });
        });

        it('config fails due wrong token', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/cloudron/config').query({ access_token: 'somewrongtoken' }).end(function (err, res) {
+            request.get(SERVER_URL + '/api/v1/cloudron/config').query({ access_token: 'somewrongtoken' }).end(function (err, res) {
+                expect(err).to.not.be.ok();
                expect(res.statusCode).to.equal(401);
-                done();
+                done(err);
            });
        });
    });
@@ -148,7 +150,8 @@ describe('Server', function () {
        });

        it('succeeds with no progress', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
+            request.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);
                expect(result.body.update).to.be(null);
                expect(result.body.backup).to.be(null);
@@ -159,7 +162,8 @@ describe('Server', function () {
        it('succeeds with update progress', function (done) {
            progress.set(progress.UPDATE, 13, 'This is some status string');

-            superagent.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
+            request.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);
                expect(result.body.update).to.be.an('object');
                expect(result.body.update.percent).to.be.a('number');
@@ -175,7 +179,8 @@ describe('Server', function () {
        it('succeeds with no progress after clearing the update', function (done) {
            progress.clear(progress.UPDATE);

-            superagent.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
+            request.get(SERVER_URL + '/api/v1/cloudron/progress', function (error, result) {
+                expect(error).to.not.be.ok();
                expect(result.statusCode).to.equal(200);
                expect(result.body.update).to.be(null);
                expect(result.body.backup).to.be(null);
@@ -206,9 +211,8 @@ describe('Server', function () {
        });

        it('is not reachable anymore', function (done) {
-            superagent.get(SERVER_URL + '/api/v1/cloudron/status', function (error, result) {
+            request.get(SERVER_URL + '/api/v1/cloudron/status', function (error, result) {
                expect(error).to.not.be(null);
-                expect(!error.response).to.be.ok();
                done();
            });
        });
@@ -222,15 +226,15 @@ describe('Server', function () {
        });

        it('responds to OPTIONS', function (done) {
-            superagent('OPTIONS', SERVER_URL + '/api/v1/cloudron/status')
+            request('OPTIONS', SERVER_URL + '/api/v1/cloudron/status')
                .set('Access-Control-Request-Method', 'GET')
-                .set('Access-Control-Request-Headers', 'accept, origin, x-superagented-with')
+                .set('Access-Control-Request-Headers', 'accept, origin, x-requested-with')
                .set('Origin', 'http://localhost')
-                .end(function (error, res) {
+                .end(function (res) {
                expect(res.headers['access-control-allow-methods']).to.be('GET, PUT, DELETE, POST, OPTIONS');
                expect(res.headers['access-control-allow-credentials']).to.be('true');
-                expect(res.headers['access-control-allow-headers']).to.be('accept, origin, x-superagented-with'); // mirrored from superagent
-                expect(res.headers['access-control-allow-origin']).to.be('http://localhost'); // mirrors from superagent
+                expect(res.headers['access-control-allow-headers']).to.be('accept, origin, x-requested-with'); // mirrored from request
+                expect(res.headers['access-control-allow-origin']).to.be('http://localhost'); // mirrors from request
                done();
            });
        });
@@ -100,21 +100,6 @@ describe('Settings', function () {
            });
        });

-        it('can set tls config', function (done) {
-            settings.setTlsConfig({ provider: 'caas' }, function (error) {
-                expect(error).to.be(null);
-                done();
-            });
-        });
-
-        it('can get tls config', function (done) {
-            settings.getTlsConfig(function (error, dnsConfig) {
-                expect(error).to.be(null);
-                expect(dnsConfig.provider).to.be('caas');
-                done();
-            });
-        });
-
        it('can set backup config', function (done) {
            settings.setBackupConfig({ provider: 'caas', token: 'TOKEN' }, function (error) {
                expect(error).to.be(null);
@@ -141,4 +126,85 @@ describe('Settings', function () {
            });
        });
    });
+
+    describe('validateCertificate', function () {
+        before(setup);
+        after(cleanup);
+
+        /*
+          Generate these with:
+            openssl genrsa -out server.key 512
+            openssl req -new -key server.key -out server.csr -subj "/C=DE/ST=Berlin/L=Berlin/O=Nebulon/OU=CTO/CN=baz.foobar.com"
+            openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
+        */
+
+        // foobar.com
+        var validCert0 = '-----BEGIN CERTIFICATE-----\nMIIBujCCAWQCCQCjLyTKzAJ4FDANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzETMBEGA1UEAwwKZm9vYmFyLmNvbTAeFw0xNTEw\nMjgxMjM5MjZaFw0xNjEwMjcxMjM5MjZaMGQxCzAJBgNVBAYTAkRFMQ8wDQYDVQQI\nDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEQMA4GA1UECgwHTmVidWxvbjEMMAoG\nA1UECwwDQ1RPMRMwEQYDVQQDDApmb29iYXIuY29tMFwwDQYJKoZIhvcNAQEBBQAD\nSwAwSAJBAMeYofgwHeNVmGkGe0gj4dnX2ciifDi7X2K/oVHp7mxuHjGMSYP9Z7b6\n+mu0IMf4OedwXStHBeO8mwjKxZmE7p8CAwEAATANBgkqhkiG9w0BAQsFAANBAJI7\nFUUHXjR63UFk8pgxp0c7hEGqj4VWWGsmo8oZnnX8jGVmQDKbk8o3MtDujfqupmMR\nMo7tSAFlG7zkm3GYhpw=\n-----END CERTIFICATE-----';
+        var validKey0 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOwIBAAJBAMeYofgwHeNVmGkGe0gj4dnX2ciifDi7X2K/oVHp7mxuHjGMSYP9\nZ7b6+mu0IMf4OedwXStHBeO8mwjKxZmE7p8CAwEAAQJBAJS59Sb8o6i8JT9NJxvQ\nMQCkSJGqEaosZJ0uccSZ7aE48v+H7HiPzXAueitohcEif2Wp1EZ1RbRMURhznNiZ\neLECIQDxxqhakO6wc7H68zmpRXJ5ZxGUNbM24AMtpONAtEw9iwIhANNWtp6P74OV\ntvfOmtubbqw768fmGskFCOcp5oF8oF29AiBkTAf9AhCyjFwyAYJTEScq67HkLN66\njfVjkvpfFixmfwIgI+xldmZ5DCDyzQSthg7RrS0yUvRmMS1N6h1RNUl96PECIQDl\nit4lFcytbqNo1PuBZvzQE+plCjiJqXHYo3WCst1Jbg==\n-----END RSA PRIVATE KEY-----';
+
+        // *.foobar.com
+        var validCert1 = '-----BEGIN CERTIFICATE-----\nMIIBvjCCAWgCCQCg957GWuHtbzANBgkqhkiG9w0BAQsFADBmMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzEVMBMGA1UEAwwMKi5mb29iYXIuY29tMB4XDTE1\nMTAyODEzMDI1MFoXDTE2MTAyNzEzMDI1MFowZjELMAkGA1UEBhMCREUxDzANBgNV\nBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVybGluMRAwDgYDVQQKDAdOZWJ1bG9uMQww\nCgYDVQQLDANDVE8xFTATBgNVBAMMDCouZm9vYmFyLmNvbTBcMA0GCSqGSIb3DQEB\nAQUAA0sAMEgCQQC0FKf07ZWMcABFlZw+GzXK9EiZrlJ1lpnu64RhN99z7MXRr8cF\nnZVgY3jgatuyR5s3WdzUvye2eJ0rNicl2EZJAgMBAAEwDQYJKoZIhvcNAQELBQAD\nQQAw4bteMZAeJWl2wgNLw+wTwAH96E0jyxwreCnT5AxJLmgimyQ0XOF4FsssdRFj\nxD9WA+rktelBodJyPeTDNhIh\n-----END CERTIFICATE-----';
+        var validKey1 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBALQUp/TtlYxwAEWVnD4bNcr0SJmuUnWWme7rhGE333PsxdGvxwWd\nlWBjeOBq27JHmzdZ3NS/J7Z4nSs2JyXYRkkCAwEAAQJALV2eykcoC48TonQEPmkg\nbhaIS57syw67jMLsQImQ02UABKzqHPEKLXPOZhZPS9hsC/hGIehwiYCXMUlrl+WF\nAQIhAOntBI6qaecNjAAVG7UbZclMuHROUONmZUF1KNq6VyV5AiEAxRLkfHWy52CM\njOQrX347edZ30f4QczvugXwsyuU9A1ECIGlGZ8Sk4OBA8n6fAUcyO06qnmCJVlHg\npTUeOvKk5c9RAiBs28+8dCNbrbhVhx/yQr9FwNM0+ttJW/yWJ+pyNQhr0QIgJTT6\nxwCWYOtbioyt7B9l+ENy3AMSO3Uq+xmIKkvItK4=\n-----END RSA PRIVATE KEY-----';
+
+        // baz.foobar.com
+        var validCert2 = '-----BEGIN CERTIFICATE-----\nMIIBwjCCAWwCCQDIKtL9RCDCkDANBgkqhkiG9w0BAQsFADBoMQswCQYDVQQGEwJE\nRTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05l\nYnVsb24xDDAKBgNVBAsMA0NUTzEXMBUGA1UEAwwOYmF6LmZvb2Jhci5jb20wHhcN\nMTUxMDI4MTMwNTMzWhcNMTYxMDI3MTMwNTMzWjBoMQswCQYDVQQGEwJERTEPMA0G\nA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xEDAOBgNVBAoMB05lYnVsb24x\nDDAKBgNVBAsMA0NUTzEXMBUGA1UEAwwOYmF6LmZvb2Jhci5jb20wXDANBgkqhkiG\n9w0BAQEFAANLADBIAkEAw7UWW/VoQePv2l92l3XcntZeyw1nBiHxk1axZwC6auOW\n2/zfA//Tg7fv4q5qKnV1n/71IiMAheeFcpfogY5rTwIDAQABMA0GCSqGSIb3DQEB\nCwUAA0EAtluL6dGNfOdNkzoO/UwzRaIvEm2reuqe+Ik4WR/k+DJ4igrmRCQqXwjW\nJaGYsFWsuk3QLOWQ9YgCKlcIYd+1/A==\n-----END CERTIFICATE-----';
+        var validKey2 = '-----BEGIN RSA PRIVATE KEY-----\nMIIBOQIBAAJBAMO1Flv1aEHj79pfdpd13J7WXssNZwYh8ZNWsWcAumrjltv83wP/\n04O37+Kuaip1dZ/+9SIjAIXnhXKX6IGOa08CAwEAAQJAUPD3Y2cXDJFaJQXwhWnw\nqhzdLbvITUgCor5rNr+dWhE2MopGPpRHiabA1PeWEPx8CfblyTZGd8KUR/2W1c0r\naQIhAP4ZxB3+uhuzzMfyRrn/khr12pFn/FCIDbwnDbyUxLrTAiEAxSuVOFs+Mupt\nYCz/pPrDCx3eid0wyXRObbkLHOxJiBUCIBTp5fxaBNNW3xnt1OhmIo5Zgd3J4zh1\nmjvMMxM8Y1zFAiAxOP0qsZSoj1+41+MGY9fXaaCJ2F96m3+M4tpEYTTGNQIgdESZ\nz+hzHBeYVbWJpIR8uaNkx7wveUF90FpipXyeTsA=\n-----END RSA PRIVATE KEY-----';
+
+        it('allows both null', function () {
+            expect(settings.validateCertificate(null, null, 'foobar.com')).to.be(null);
+        });
+
+        it('does not allow only cert', function () {
+            expect(settings.validateCertificate('cert', null, 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow only key', function () {
+            expect(settings.validateCertificate(null, 'key', 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow empty string for cert', function () {
+            expect(settings.validateCertificate('', 'key', 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow empty string for key', function () {
+            expect(settings.validateCertificate('cert', '', 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow invalid cert', function () {
+            expect(settings.validateCertificate('someinvalidcert', validKey0, 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow invalid key', function () {
+            expect(settings.validateCertificate(validCert0, 'invalidkey', 'foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow cert without matching domain', function () {
+            expect(settings.validateCertificate(validCert0, validKey0, 'cloudron.io')).to.be.an(Error);
+        });
+
+        it('allows valid cert with matching domain', function () {
+            expect(settings.validateCertificate(validCert0, validKey0, 'foobar.com')).to.be(null);
+        });
+
+        it('allows valid cert with matching domain (wildcard)', function () {
+            expect(settings.validateCertificate(validCert1, validKey1, 'abc.foobar.com')).to.be(null);
+        });
+
+        it('does now allow cert without matching domain (wildcard)', function () {
+            expect(settings.validateCertificate(validCert1, validKey1, 'foobar.com')).to.be.an(Error);
+            expect(settings.validateCertificate(validCert1, validKey1, 'bar.abc.foobar.com')).to.be.an(Error);
+        });
+
+        it('allows valid cert with matching domain (subdomain)', function () {
+            expect(settings.validateCertificate(validCert2, validKey2, 'baz.foobar.com')).to.be(null);
+        });
+
+        it('does not allow cert without matching domain (subdomain)', function () {
+            expect(settings.validateCertificate(validCert0, validKey0, 'baz.foobar.com')).to.be.an(Error);
+        });
+
+        it('does not allow invalid cert/key tuple', function () {
+            expect(settings.validateCertificate(validCert0, validKey1, 'foobar.com')).to.be.an(Error);
+        });
+    });
 });
@@ -53,7 +53,7 @@ function getAppUpdates(callback) {
            .timeout(10 * 1000)
            .end(function (error, result) {

-            if (error && !error.response) return callback(error);
+            if (error) return callback(error);

            if (result.statusCode !== 200 || !result.body.appVersions) {
                return callback(new Error(util.format('Error checking app update: %s %s', result.statusCode, result.text)));
@@ -88,8 +88,8 @@ function getBoxUpdates(callback) {
        .get(config.get('boxVersionsUrl'))
        .timeout(10 * 1000)
        .end(function (error, result) {
-        if (error && !error.response) return callback(error);
-        if (result.statusCode !== 200) return callback(new Error(util.format('Bad status: %s %s', result.statusCode, result.text)));
+        if (error) return callback(error);
+        if (result.status !== 200) return callback(new Error(util.format('Bad status: %s %s', result.status, result.text)));

        var versions = safe.JSON.parse(result.text);

@@ -1,89 +0,0 @@
-/* jslint node:true */
-
-'use strict';
-
-exports = module.exports = waitForDns;
-
-var assert = require('assert'),
-    async = require('async'),
-    attempt = require('attempt'),
-    debug = require('debug')('box:src/waitfordns'),
-    dns = require('native-dns');
-
-// the first arg to callback is not an error argument; this is required for async.every
-function isChangeSynced(domain, ip, nameserver, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof ip, 'string');
-    assert.strictEqual(typeof nameserver, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    // ns records cannot have cname
-    dns.resolve4(nameserver, function (error, nsIps) {
-        if (error || !nsIps || nsIps.length === 0) return callback(false);
-
-        async.every(nsIps, function (nsIp, iteratorCallback) {
-            var req = dns.Request({
-                question: dns.Question({ name: domain, type: 'A' }),
-                server: { address: nsIp },
-                timeout: 5000
-            });
-
-            req.on('timeout', function () { return iteratorCallback(false); });
-
-            req.on('message', function (error, message) {
-                if (error || !message.answer || message.answer.length === 0) return iteratorCallback(false);
-
-                debug('isChangeSynced: ns: %s (%s), name:%s Actual:%j Expecting:%s', nameserver, nsIp, domain, message.answer[0], ip);
-
-                if (message.answer[0].address !== ip) return iteratorCallback(false);
-
-                iteratorCallback(true); // done
-            });
-
-            req.send();
-        }, callback);
-    });
- }
-
-// check if IP change has propagated to every nameserver
-function waitForDns(domain, ip, zoneName, options, callback) {
-    assert.strictEqual(typeof domain, 'string');
-    assert.strictEqual(typeof ip, 'string');
-    assert.strictEqual(typeof zoneName, 'string');
-
-    var defaultOptions = {
-        retryInterval: 5000,
-        retries: Infinity
-    };
-
-    if (typeof options === 'function') {
-        callback = options;
-        options = defaultOptions;
-    } else {
-        assert.strictEqual(typeof options, 'object');
-        assert.strictEqual(typeof callback, 'function');
-    }
-
-    debug('waitForDNS: domain %s to be %s in zone %s.', domain, ip, zoneName);
-
-    attempt(function (attempts) {
-        var callback = this; // gross
-        debug('waitForDNS: %s attempt %s.', domain, attempts);
-
-        dns.resolveNs(zoneName, function (error, nameservers) {
-            if (error || !nameservers) return callback(error || new Error('Unable to get nameservers'));
-
-            async.every(nameservers, isChangeSynced.bind(null, domain, ip), function (synced) {
-                debug('waitForDNS: %s %s ns: %j', domain, synced ? 'done' : 'not done', nameservers);
-
-                callback(synced ? null : new Error('ETRYAGAIN'));
-            });
-        });
-    }, { interval: options.retryInterval, retries: options.retries }, function (error) {
-         if (error) return callback(error);
-
-        debug('waitForDNS: %s done.', domain);
-
-        callback(null);
-     });
-}
@@ -32,7 +32,7 @@ function backupDone(filename, app, appBackupIds, callback) {
        };

        superagent.post(url).send(data).query({ token: config.token() }).end(function (error, result) {
-            if (error && !error.response) return callback(error);
+            if (error) return callback(error);
            if (result.statusCode !== 200) return callback(new Error(result.text));
            if (!result.body) return callback(new Error('Unexpected response'));

@@ -307,10 +307,10 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
        }).error(defaultErrorHandler(callback));
    };

-    Client.prototype.getStatus = function (callback) {
+    Client.prototype.isServerFirstTime = function (callback) {
        $http.get(client.apiOrigin + '/api/v1/cloudron/status').success(function(data, status) {
            if (status !== 200 || typeof data !== 'object') return callback(new ClientError(status, data));
-            callback(null, data);
+            callback(null, !data.activated);
        }).error(defaultErrorHandler(callback));
    };

@@ -23,12 +23,8 @@ angular.module('Application').controller('MainController', ['$scope', '$route',
        Client.logout();
    };

-    $scope.setup = function (provider) {
-        if (provider === 'caas') {
-            window.location.href = '/error.html?errorCode=1';
-        } else {
-            window.location.href = '/setup.html';
-        }
+    $scope.setup = function () {
+        window.location.href = '/error.html?errorCode=1';
    };

    $scope.error = function (error) {
@@ -67,9 +63,9 @@ angular.module('Application').controller('MainController', ['$scope', '$route',
        });
    };

-    Client.getStatus(function (error, status) {
+    Client.isServerFirstTime(function (error, isFirstTime) {
        if (error) return $scope.error(error);
-        if (!status.activated) return $scope.setup();
+        if (isFirstTime) return $scope.setup();

        Client.refreshConfig(function (error) {
            if (error) return $scope.error(error);
@@ -43,8 +43,6 @@ app.service('Wizard', [ function () {
        this.username = '';
        this.email = '';
        this.password = '';
-        this.setupToken = null;
-        this.provider = null;
        this.availableAvatars = [{
            file: null,
            data: null,
@@ -221,7 +219,7 @@ app.controller('StepController', ['$scope', '$route', '$location', 'Wizard', fun
 app.controller('FinishController', ['$scope', '$location', 'Wizard', 'Client', function ($scope, $location, Wizard, Client) {
    $scope.wizard = Wizard;

-    Client.createAdmin(Wizard.username, Wizard.password, Wizard.email, Wizard.setupToken, function (error) {
+    Client.createAdmin($scope.wizard.username, $scope.wizard.password, $scope.wizard.email, $scope.setupToken, function (error) {
        if (error) {
            console.error('Internal error', error);
            window.location.href = '/error.html';
@@ -251,43 +249,31 @@ app.controller('SetupController', ['$scope', '$location', 'Client', 'Wizard', fu
    // Stupid angular location provider either wants html5 location mode or not, do the query parsing on my own
    var search = decodeURIComponent(window.location.search).slice(1).split('&').map(function (item) { return item.split('='); }).reduce(function (o, k) { o[k[0]] = k[1]; return o; }, {});

-    Client.getStatus(function (error, status) {
+    if (!search.setupToken) return window.location.href = '/error.html?errorCode=2';
+    $scope.setupToken = search.setupToken;
+
+    if (!search.email) return window.location.href = '/error.html?errorCode=3';
+    Wizard.email = search.email;
+
+    if (search.customDomain === 'true') {
+        Wizard.dnsConfig = {
+            provider: 'route53',
+            accessKeyId: null,
+            secretAccessKey: null
+        };
+    }
+
+    Client.isServerFirstTime(function (error, isFirstTime) {
        if (error) {
            window.location.href = '/error.html';
            return;
        }

-        if (status.activated) {
+        if (!isFirstTime) {
            window.location.href = '/';
            return;
        }

-        if (status.provider === 'caas') {
-            if (!search.setupToken) {
-                window.location.href = '/error.html?errorCode=2';
-                return;
-            }
-
-            if (!search.email) {
-                window.location.href = '/error.html?errorCode=3';
-                return;
-            }
-
-            if (search.customDomain === 'true') {
-                Wizard.dnsConfig = {
-                    provider: 'route53',
-                    accessKeyId: null,
-                    secretAccessKey: null
-                };
-            }
-
-            Wizard.setupToken = search.setupToken;
-        }
-
-        Wizard.email = search.email;
-        Wizard.requireEmail = !search.email;
-        Wizard.provider = status.provider;
-
        $location.path('/step1');

        $scope.initialized = true;
@@ -38,13 +38,13 @@

 <body class="setup" ng-app="Application" ng-controller="SetupController">

-    <center ng-show="wizard.provider === 'caas' && !setupToken">
+    <center ng-show="!setupToken">
        <h1> <i class="fa fa-frown-o fa-fw text-danger"></i> No setup token provided. </h1>
        Please use the setup link for this cloudron.
    </center>

    <div class="main-container">
-        <div class="row" ng-show="initialized && !busy && !(wizard.provider === 'caas' && !setupToken)">
+        <div class="row" ng-show="initialized && !busy && setupToken">
            <div class="col-md-8 col-md-offset-2">
                <div class="card" style="max-width: none; padding: 20px;">
                    <form role="form" name="setup_form" novalidate>
@@ -119,24 +119,6 @@
    </div>
 </div>

-<!-- Modal error app -->
-<div class="modal fade" id="appErrorModal" tabindex="-1" role="dialog">
-    <div class="modal-dialog">
-        <div class="modal-content">
-            <div class="modal-header">
-                <h4 class="modal-title">{{ appError.app.location }}</h4>
-            </div>
-            <div class="modal-body">
-                <p>There was an error installing this app</p>
-                <p>{{appError.app.installationProgress}}</p>
-            </div>
-            <div class="modal-footer">
-                <button type="button" class="btn btn-default" data-dismiss="modal">OK</button>
-            </div>
-        </div>
-    </div>
-</div>
-
 <!-- Modal uninstall app -->
 <div class="modal fade" id="appUninstallModal" tabindex="-1" role="dialog">
    <div class="modal-dialog">
@@ -237,7 +219,7 @@
    <div class="row animateMeOpacity ng-hide" ng-show="installedApps.length > 0">
        <div class="col-sm-1 grid-item" ng-repeat="app in installedApps">
            <div style="background-color: white;" class="highlight grid-item-content">
-                <a ng-href="{{app | applicationLink}}" ng-click="(app | installError) === true && showError(app)" target="_blank">
+                <a ng-href="{{app | applicationLink}}" target="_blank">
                    <div class="grid-item-top">
                        <div class="row">
                            <div class="col-xs-12 text-center" style="padding-left: 5px; padding-right: 5px;">
@@ -1,5 +1,4 @@
 /* global ISTATES:false */
-/* global HSTATES:false */

 'use strict';

@@ -41,10 +40,6 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
        password: ''
    };

-    $scope.appError = {
-        app: {}
-    };
-
    $scope.appUpdate = {
        busy: false,
        error: {},
@@ -206,16 +201,6 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
        });
    };

-    $scope.showError = function (app) {
-        $scope.reset();
-
-        $scope.appError.app = app;
-
-        $('#appErrorModal').modal('show');
-
-        return false; // prevent propagation and default
-    };
-
    $scope.showRestore = function (app) {
        $scope.reset();

@@ -65,7 +65,7 @@
            <form name="defaultCertForm" ng-submit="setDefaultCert()">
                <fieldset>
                    <label class="control-label" for="defaultCertInput">Fallback Certificate</label>
-                    <p>A wildcard certificate that will be used for apps installed without a specific certificate.</p>
+                    <p>This certificate has to be wildcard certificates and will be used for all apps, which were not configured to use a specific certificate.</p>
                    <div class="has-error text-center" ng-show="defaultCert.error">{{ defaultCert.error }}</div>
                    <div class="text-success text-center" ng-show="defaultCert.success"><b>Upload successful</b></div>
                    <div class="form-group" ng-class="{ 'has-error': (!defaultCert.cert.$dirty && defaultCert.error) }">
@@ -11,18 +11,17 @@
 <div class="row">
    <div class="col-md-4 col-md-offset-4 text-center">
        <div class="form-group" ng-class="{ 'has-error': setup_form.username.$dirty && setup_form.username.$invalid }">
-            <input type="text" class="form-control" ng-model="wizard.username" id="inputUsername" name="username" placeholder="Username" ng-enter="focusNext(wizard.requireEmail ? 'inputEmail' : 'inputPassword', setup_form.username.$invalid)" ng-maxlength="512" ng-minlength="3" autofocus required autocomplete="off">
-        </div>
-        <div ng-show="wizard.requireEmail" class="form-group" ng-class="{ 'has-error': setup_form.email.$dirty && setup_form.email.$invalid }">
-            <input type="email" class="form-control" ng-model="wizard.email" id="inputEmail" name="email" placeholder="Email" ng-enter="focusNext('inputPassword', setup_form.email.$invalid)" required autocomplete="off">
+            <!-- <label class="control-label" for="inputUsername">Username</label> -->
+            <input type="text" class="form-control" ng-model="wizard.username" id="inputUsername" name="username" placeholder="Username" ng-enter="focusNext('inputPassword', setup_form.username.$invalid)" ng-maxlength="512" ng-minlength="3" autofocus required autocomplete="off">
        </div>
        <div class="form-group" ng-class="{ 'has-error': setup_form.password.$dirty && setup_form.password.$invalid }">
-            <input type="password" class="form-control" ng-model="wizard.password" id="inputPassword" name="password" placeholder="Password" ng-enter="next(setup_form.username.$invalid || setup_form.password.$invalid || setup_form.email.$invalid)" ng-maxlength="512" ng-minlength="5" required autocomplete="off">
+            <!-- <label class="control-label" for="inputPassword">Password</label> -->
+            <input type="password" class="form-control" ng-model="wizard.password" id="inputPassword" name="password" placeholder="Password" ng-enter="next(setup_form.password.$invalid)" ng-maxlength="512" ng-minlength="5" required autocomplete="off">
        </div>
    </div>
 </div>
 <div class="row">
    <div class="col-md-12 text-center">
-        <button class="btn btn-primary" ng-click="next(setup_form.username.$invalid || setup_form.password.$invalid || setup_form.email.$invalid)" ng-disabled="setup_form.username.$invalid || setup_form.password.$invalid">Done</button>
+        <button class="btn btn-primary" ng-click="next(setup_form.username.$invalid || setup_form.password.$invalid)" ng-disabled="setup_form.username.$invalid || setup_form.password.$invalid">Done</button>
    </div>
 </div>