2025-06-04 08:34:11 +00:00
7 changed files with 109 additions and 428 deletions
--- a/.github/workflows/pr_dns.yml
+++ b/.github/workflows/pr_dns.yml
@ -20,14 +20,12 @@ jobs:
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `**Welcome**
-                    READ ME !!!!!
-                    Read me !!!!!!
-                    First thing: don't send PR to the master branch, please send to the dev branch instead.
-                    Please read the [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide).
-                    You MUST pass the [DNS-API-Test](../wiki/DNS-API-Test).
-                    Then reply on this message, otherwise, your code will not be reviewed or merged.
-                    Please also make sure to add/update the usage here: https://github.com/acmesh-official/acme.sh/wiki/dnsapi2
-                    注意: 必须通过了 [DNS-API-Test](../wiki/DNS-API-Test) 才会被 review. 无论是修改, 还是新加的 dns api, 都必须确保通过这个测试.
+                First thing: don't send PR to the master branch, please send to the dev branch instead.
+                Please make sure you've read our [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide) and [DNS-API-Test](../wiki/DNS-API-Test).
+                Then reply on this message, otherwise, your code will not be reviewed or merged.
+                Please also make sure to add/update the usage here: https://github.com/acmesh-official/acme.sh/wiki/dnsapi2
+                We look forward to reviewing your Pull request shortly ✨
+                注意: 必须通过了 [DNS-API-Test](../wiki/DNS-API-Test) 才会被 review. 无论是修改, 还是新加的 dns api, 都必须确保通过这个测试.
                `
            })

--- a/acme.sh
+++ b/acme.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env sh

-VER=3.1.2
+VER=3.1.1

 PROJECT_NAME="acme.sh"

@ -5504,13 +5504,6 @@ renew() {
  if [ -z "$Le_Keylength" ]; then
    Le_Keylength=2048
  fi
-  if [ "$CA_LETSENCRYPT_V2" = "$Le_API" ]; then
-    #letsencrypt doesn't support ocsp anymore
-    if [ "$Le_OCSP_Staple" ]; then
-      export Le_OCSP_Staple=""
-      _cleardomainconf Le_OCSP_Staple
-    fi
-  fi
  issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To"
  res="$?"
  if [ "$res" != "0" ]; then
--- a/deploy/truenas_ws.sh
+++ b/deploy/truenas_ws.sh
@ -52,39 +52,6 @@ _ws_call() {
  return 0
 }

-# Upload certificate with webclient api
-_ws_upload_cert() {
-
-  /usr/bin/env python - <<EOF
-
-import sys
-
-from truenas_api_client import Client
-with Client() as c:
-
-  ### Login with API key
-  print("I:Trying to upload new certificate...")
-  ret = c.call("auth.login_with_api_key", "${DEPLOY_TRUENAS_APIKEY}")
-  if ret:
-    ### upload certificate
-    with open('$1', 'r') as file:
-      fullchain = file.read()
-    with open('$2', 'r') as file:
-      privatekey = file.read()
-    ret = c.call("certificate.create", {"name": "$3", "create_type": "CERTIFICATE_CREATE_IMPORTED", "certificate": fullchain, "privatekey": privatekey, "passphrase": ""}, job=True)
-    print("R:" + str(ret["id"]))
-    sys.exit(0)
-  else:
-    print("R:0")
-    print("E:_ws_upload_cert error!")
-    sys.exit(7)
-
-EOF
-
-  return $?
-
-}
-
 # Check argument is a number
 # Usage:
 #
@ -162,6 +129,7 @@ _ws_get_job_result() {
 #  5: WebUI cert error
 #  6: Job error
 #  7: WS call error
+# 10: No CORE or SCALE detected
 #
 truenas_ws_deploy() {
  _domain="$1"
@ -211,8 +179,14 @@ truenas_ws_deploy() {

  _info "Gather system info..."
  _ws_response=$(_ws_call "system.info")
-  _truenas_version=$(printf "%s" "$_ws_response" | jq -r '."version"')
+  _truenas_system=$(printf "%s" "$_ws_response" | jq -r '."version"' | cut -d '-' -f 2 | tr '[:lower:]' '[:upper:]')
+  _truenas_version=$(printf "%s" "$_ws_response" | jq -r '."version"' | cut -d '-' -f 3)
+  _info "TrueNAS system: $_truenas_system"
  _info "TrueNAS version: $_truenas_version"
+  if [ "$_truenas_system" != "SCALE" ] && [ "$_truenas_system" != "CORE" ]; then
+    _err "Cannot gather TrueNAS system. Nor CORE oder SCALE detected."
+    return 10
+  fi

  ########## Gather current certificate

@ -229,26 +203,19 @@ truenas_ws_deploy() {
  _certname="acme_$(_utc_date | tr -d '\-\:' | tr ' ' '_')"
  _info "New WebUI certificate name: $_certname"
  _debug _certname "$_certname"
-  _ws_out=$(_ws_upload_cert "$_file_fullchain" "$_file_key" "$_certname")
-
-  echo "$_ws_out" | while IFS= read -r LINE; do
-    case "$LINE" in
-    I:*)
-      _info "${LINE#I:}"
-      ;;
-    D:*)
-      _debug "${LINE#D:}"
-      ;;
-    E*)
-      _err "${LINE#E:}"
-      ;;
-    *) ;;
-
-    esac
-  done
-
-  _new_certid=$(echo "$_ws_out" | grep 'R:' | cut -d ':' -f 2)
-
+  _ws_jobid=$(_ws_call "certificate.create" "{\"name\": \"${_certname}\", \"create_type\": \"CERTIFICATE_CREATE_IMPORTED\", \"certificate\": \"$(_json_encode <"$_file_fullchain")\", \"privatekey\": \"$(_json_encode <"$_file_key")\", \"passphrase\": \"\"}")
+  _debug "_ws_jobid" "$_ws_jobid"
+  if ! _ws_check_jobid "$_ws_jobid"; then
+    _err "No JobID returned from websocket method."
+    return 3
+  fi
+  _ws_result=$(_ws_get_job_result "$_ws_jobid")
+  _ws_ret=$?
+  if [ $_ws_ret -gt 0 ]; then
+    return $_ws_ret
+  fi
+  _debug "_ws_result" "$_ws_result"
+  _new_certid=$(printf "%s" "$_ws_result" | jq -r '."id"')
  _info "New certificate ID: $_new_certid"

  ########## FTP
@ -264,31 +231,33 @@ truenas_ws_deploy() {

  ########## ix Apps (SCALE only)

-  _info "Replace app certificates..."
-  _ws_response=$(_ws_call "app.query")
-  for _app_name in $(printf "%s" "$_ws_response" | jq -r '.[]."name"'); do
-    _info "Checking app $_app_name..."
-    _ws_response=$(_ws_call "app.config" "$_app_name")
-    if [ "$(printf "%s" "$_ws_response" | jq -r '."network" | has("certificate_id")')" = "true" ]; then
-      _info "App has certificate option, setup new certificate..."
-      _info "App will be redeployed after updating the certificate."
-      _ws_jobid=$(_ws_call "app.update" "$_app_name" "{\"values\": {\"network\": {\"certificate_id\": $_new_certid}}}")
-      _debug "_ws_jobid" "$_ws_jobid"
-      if ! _ws_check_jobid "$_ws_jobid"; then
-        _err "No JobID returned from websocket method."
-        return 3
+  if [ "$_truenas_system" = "SCALE" ]; then
+    _info "Replace app certificates..."
+    _ws_response=$(_ws_call "app.query")
+    for _app_name in $(printf "%s" "$_ws_response" | jq -r '.[]."name"'); do
+      _info "Checking app $_app_name..."
+      _ws_response=$(_ws_call "app.config" "$_app_name")
+      if [ "$(printf "%s" "$_ws_response" | jq -r '."network" | has("certificate_id")')" = "true" ]; then
+        _info "App has certificate option, setup new certificate..."
+        _info "App will be redeployed after updating the certificate."
+        _ws_jobid=$(_ws_call "app.update" "$_app_name" "{\"values\": {\"network\": {\"certificate_id\": $_new_certid}}}")
+        _debug "_ws_jobid" "$_ws_jobid"
+        if ! _ws_check_jobid "$_ws_jobid"; then
+          _err "No JobID returned from websocket method."
+          return 3
+        fi
+        _ws_result=$(_ws_get_job_result "$_ws_jobid")
+        _ws_ret=$?
+        if [ $_ws_ret -gt 0 ]; then
+          return $_ws_ret
+        fi
+        _debug "_ws_result" "$_ws_result"
+        _info "App certificate replaced."
+      else
+        _info "App has no certificate option, skipping..."
      fi
-      _ws_result=$(_ws_get_job_result "$_ws_jobid")
-      _ws_ret=$?
-      if [ $_ws_ret -gt 0 ]; then
-        return $_ws_ret
-      fi
-      _debug "_ws_result" "$_ws_result"
-      _info "App certificate replaced."
-    else
-      _info "App has no certificate option, skipping..."
-    fi
-  done
+    done
+  fi

  ########## WebUI

--- a/dnsapi/dns_1984hosting.sh
+++ b/dnsapi/dns_1984hosting.sh
@ -128,7 +128,7 @@ _1984hosting_login() {

  _get "https://1984.hosting/accounts/login/" | grep "csrfmiddlewaretoken"
  csrftoken="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
-  sessionid="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'cookie1984nammnamm=[^;]*;' | tr -d ';')"
+  sessionid="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'sessionid=[^;]*;' | tr -d ';')"

  if [ -z "$csrftoken" ] || [ -z "$sessionid" ]; then
    _err "One or more cookies are empty: '$csrftoken', '$sessionid'."
@ -145,7 +145,7 @@ _1984hosting_login() {
  _debug2 response "$response"

  if _contains "$response" '"loggedin": true'; then
-    One984HOSTING_SESSIONID_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'cookie1984nammnamm=[^;]*;' | tr -d ';')"
+    One984HOSTING_SESSIONID_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'sessionid=[^;]*;' | tr -d ';')"
    One984HOSTING_CSRFTOKEN_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
    export One984HOSTING_SESSIONID_COOKIE
    export One984HOSTING_CSRFTOKEN_COOKIE
--- a/dnsapi/dns_active24.sh
+++ b/dnsapi/dns_active24.sh
@ -1,17 +1,17 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC2034
-dns_active24_info='Active24.cz
-Site: Active24.cz
+dns_active24_info='Active24.com
+Site: Active24.com
 Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_active24
 Options:
- Active24_ApiKey API Key. Called "Identifier" in the Active24 Admin
- Active24_ApiSecret API Secret. Called "Secret key" in the Active24 Admin
+ ACTIVE24_Token API Token
 Issues: github.com/acmesh-official/acme.sh/issues/2059
+Author: Milan Pála
 '

-Active24_Api="https://rest.active24.cz"
-# export Active24_ApiKey=ak48l3h7-ak5d-qn4t-p8gc-b6fs8c3l
-# export Active24_ApiSecret=ajvkeo3y82ndsu2smvxy3o36496dcascksldncsq
+ACTIVE24_Api="https://api.active24.com"
+
+########  Public functions #####################

 # Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 # Used to add txt record
@ -22,8 +22,8 @@ dns_active24_add() {
  _active24_init

  _info "Adding txt record"
-  if _active24_rest POST "/v2/service/$_service_id/dns/record" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":300}"; then
-    if _contains "$response" "error"; then
+  if _active24_rest POST "dns/$_domain/txt/v1" "{\"name\":\"$_sub_domain\",\"text\":\"$txtvalue\",\"ttl\":0}"; then
+    if _contains "$response" "errors"; then
      _err "Add txt record error."
      return 1
    else
@ -31,7 +31,6 @@ dns_active24_add() {
      return 0
    fi
  fi
-
  _err "Add txt record error."
  return 1
 }
@ -45,25 +44,19 @@ dns_active24_rm() {
  _active24_init

  _debug "Getting txt records"
-  # The API needs to send data in body in order the filter to work
-  # TODO: web can also add content $txtvalue to filter and then get the id from response
-  _active24_rest GET "/v2/service/$_service_id/dns/record" "{\"page\":1,\"descending\":true,\"sortBy\":\"name\",\"rowsPerPage\":100,\"totalRecords\":0,\"filters\":{\"type\":[\"TXT\"],\"name\":\"${_sub_domain}\"}}"
-  #_active24_rest GET "/v2/service/$_service_id/dns/record?rowsPerPage=100"
+  _active24_rest GET "dns/$_domain/records/v1"

-  if _contains "$response" "error"; then
+  if _contains "$response" "errors"; then
    _err "Error"
    return 1
  fi

-  # Note: it might never be more than one record actually, NEEDS more INVESTIGATION
-  record_ids=$(printf "%s" "$response" | _egrep_o "[^{]+${txtvalue}[^}]+" | _egrep_o '"id" *: *[^,]+' | cut -d ':' -f 2)
-  _debug2 record_ids "$record_ids"
+  hash_ids=$(echo "$response" | _egrep_o "[^{]+${txtvalue}[^}]+" | _egrep_o "hashId\":\"[^\"]+" | cut -c10-)

-  for redord_id in $record_ids; do
-    _debug "Removing record_id" "$redord_id"
-    _debug "txtvalue" "$txtvalue"
-    if _active24_rest DELETE "/v2/service/$_service_id/dns/record/$redord_id" ""; then
-      if _contains "$response" "error"; then
+  for hash_id in $hash_ids; do
+    _debug "Removing hash_id" "$hash_id"
+    if _active24_rest DELETE "dns/$_domain/$hash_id/v1" ""; then
+      if _contains "$response" "errors"; then
        _err "Unable to remove txt record."
        return 1
      else
@ -77,15 +70,21 @@ dns_active24_rm() {
  return 1
 }

+####################  Private functions below ##################################
+#_acme-challenge.www.domain.com
+#returns
+# _sub_domain=_acme-challenge.www
+# _domain=domain.com
+# _domain_id=sdjkglgdfewsdfg
 _get_root() {
  domain=$1
-  i=1
-  p=1

-  if ! _active24_rest GET "/v1/user/self/service"; then
+  if ! _active24_rest GET "dns/domains/v1"; then
    return 1
  fi

+  i=1
+  p=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
    _debug "h" "$h"
@ -105,98 +104,21 @@ _get_root() {
  return 1
 }

-_active24_init() {
-  Active24_ApiKey="${Active24_ApiKey:-$(_readaccountconf_mutable Active24_ApiKey)}"
-  Active24_ApiSecret="${Active24_ApiSecret:-$(_readaccountconf_mutable Active24_ApiSecret)}"
-  #Active24_ServiceId="${Active24_ServiceId:-$(_readaccountconf_mutable Active24_ServiceId)}"
-
-  if [ -z "$Active24_ApiKey" ] || [ -z "$Active24_ApiSecret" ]; then
-    Active24_ApiKey=""
-    Active24_ApiSecret=""
-    _err "You don't specify Active24 api key and ApiSecret yet."
-    _err "Please create your key and try again."
-    return 1
-  fi
-
-  #save the credentials to the account conf file.
-  _saveaccountconf_mutable Active24_ApiKey "$Active24_ApiKey"
-  _saveaccountconf_mutable Active24_ApiSecret "$Active24_ApiSecret"
-
-  _debug "A24 API CHECK"
-  if ! _active24_rest GET "/v2/check"; then
-    _err "A24 API check failed with: $response"
-    return 1
-  fi
-
-  if ! echo "$response" | tr -d " " | grep \"verified\":true >/dev/null; then
-    _err "A24 API check failed with: $response"
-    return 1
-  fi
-
-  _debug "First detect the root zone"
-  if ! _get_root "$fulldomain"; then
-    _err "invalid domain"
-    return 1
-  fi
-
-  _debug _sub_domain "$_sub_domain"
-  _debug _domain "$_domain"
-  _active24_get_service_id "$_domain"
-  _debug _service_id "$_service_id"
-}
-
-_active24_get_service_id() {
-  _d=$1
-  if ! _active24_rest GET "/v1/user/self/zone/${_d}"; then
-    return 1
-  else
-    response=$(echo "$response" | _json_decode)
-    _service_id=$(echo "$response" | _egrep_o '"id" *: *[^,]+' | cut -d ':' -f 2)
-  fi
-}
-
 _active24_rest() {
  m=$1
-  ep_qs=$2 # with query string
-  # ep=$2
-  ep=$(printf "%s" "$ep_qs" | cut -d '?' -f1) # no query string
+  ep="$2"
  data="$3"
+  _debug "$ep"

-  _debug "A24 $ep"
-  _debug "A24 $Active24_ApiKey"
-  _debug "A24 $Active24_ApiSecret"
-
-  timestamp=$(_time)
-  datez=$(date -u +"%Y%m%dT%H%M%SZ")
-  canonicalRequest="${m} ${ep} ${timestamp}"
-  signature=$(printf "%s" "$canonicalRequest" | _hmac sha1 "$(printf "%s" "$Active24_ApiSecret" | _hex_dump | tr -d " ")" hex)
-  authorization64="$(printf "%s:%s" "$Active24_ApiKey" "$signature" | _base64)"
-
-  export _H1="Date: ${datez}"
-  export _H2="Accept: application/json"
-  export _H3="Content-Type: application/json"
-  export _H4="Authorization: Basic ${authorization64}"
-
-  _debug2 H1 "$_H1"
-  _debug2 H2 "$_H2"
-  _debug2 H3 "$_H3"
-  _debug2 H4 "$_H4"
-
-  # _sleep 1
+  export _H1="Authorization: Bearer $ACTIVE24_Token"

  if [ "$m" != "GET" ]; then
-    _debug2 "${m} $Active24_Api${ep_qs}"
    _debug "data" "$data"
-    response="$(_post "$data" "$Active24_Api${ep_qs}" "" "$m" "application/json")"
+    response="$(_post "$data" "$ACTIVE24_Api/$ep" "" "$m" "application/json")"
  else
-    if [ -z "$data" ]; then
-      _debug2 "GET $Active24_Api${ep_qs}"
-      response="$(_get "$Active24_Api${ep_qs}")"
-    else
-      _debug2 "GET $Active24_Api${ep_qs} with data: ${data}"
-      response="$(_post "$data" "$Active24_Api${ep_qs}" "" "$m" "application/json")"
-    fi
+    response="$(_get "$ACTIVE24_Api/$ep")"
  fi
+
  if [ "$?" != "0" ]; then
    _err "error $ep"
    return 1
@ -204,3 +126,23 @@ _active24_rest() {
  _debug2 response "$response"
  return 0
 }
+
+_active24_init() {
+  ACTIVE24_Token="${ACTIVE24_Token:-$(_readaccountconf_mutable ACTIVE24_Token)}"
+  if [ -z "$ACTIVE24_Token" ]; then
+    ACTIVE24_Token=""
+    _err "You didn't specify a Active24 api token yet."
+    _err "Please create the token and try again."
+    return 1
+  fi
+
+  _saveaccountconf_mutable ACTIVE24_Token "$ACTIVE24_Token"
+
+  _debug "First detect the root zone"
+  if ! _get_root "$fulldomain"; then
+    _err "invalid domain"
+    return 1
+  fi
+  _debug _sub_domain "$_sub_domain"
+  _debug _domain "$_domain"
+}
--- a/dnsapi/dns_azure.sh
+++ b/dnsapi/dns_azure.sh
@ -340,17 +340,8 @@ _azure_getaccess_token() {

  if [ "$managedIdentity" = true ]; then
    # https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
-    if [ -n "$IDENTITY_ENDPOINT" ]; then
-      # Some Azure environments may set IDENTITY_ENDPOINT (formerly MSI_ENDPOINT) to have an alternative metadata endpoint
-      url="$IDENTITY_ENDPOINT?api-version=2019-08-01&resource=https://management.azure.com/"
-      headers="X-IDENTITY-HEADER: $IDENTITY_HEADER"
-    else
-      url="http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
-      headers="Metadata: true"
-    fi
-
-    export _H1="$headers"
-    response="$(_get "$url")"
+    export _H1="Metadata: true"
+    response="$(_get http://169.254.169.254/metadata/identity/oauth2/token\?api-version=2018-02-01\&resource=https://management.azure.com/)"
    response="$(echo "$response" | _normalizeJson)"
    accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
    expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
--- a/dnsapi/dns_spaceship.sh
+++ b/dnsapi/dns_spaceship.sh
@ -1,212 +0,0 @@
-#!/usr/bin/env sh
-# shellcheck disable=SC2034
-dns_spaceship_info='Spaceship.com
-Site: Spaceship.com
-Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_spaceship
-Options:
- SPACESHIP_API_KEY Spaceship API Key
- SPACESHIP_API_SECRET Spaceship API Secret
- SPACESHIP_ROOT_DOMAIN (Optional) Manually specify the root domain if auto-detection fails
-Issues: github.com/acmesh-official/acme.sh/issues/6304
-Author: Meow <https://github.com/Meo597>
-'
-
-# Spaceship API
-# https://docs.spaceship.dev/
-
-########  Public functions #####################
-
-SPACESHIP_API_BASE="https://spaceship.dev/api/v1"
-
-# Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
-# Used to add txt record
-dns_spaceship_add() {
-  fulldomain="$1"
-  txtvalue="$2"
-
-  _info "Adding TXT record for $fulldomain with value $txtvalue"
-
-  # Initialize API credentials and headers
-  if ! _spaceship_init; then
-    return 1
-  fi
-
-  # Detect root zone
-  if ! _get_root "$fulldomain"; then
-    return 1
-  fi
-
-  # Extract subdomain part relative to root domain
-  subdomain=$(echo "$fulldomain" | sed "s/\.$_domain$//")
-  if [ "$subdomain" = "$fulldomain" ]; then
-    _err "Failed to extract subdomain from $fulldomain relative to root domain $_domain"
-    return 1
-  fi
-  _debug "Extracted subdomain: $subdomain for root domain: $_domain"
-
-  # Escape txtvalue to prevent JSON injection (e.g., quotes in txtvalue)
-  escaped_txtvalue=$(echo "$txtvalue" | sed 's/"/\\"/g')
-
-  # Prepare payload and URL for adding TXT record
-  # Note: 'name' in payload uses subdomain (e.g., _acme-challenge.sub) as required by Spaceship API
-  payload="{\"force\": true, \"items\": [{\"type\": \"TXT\", \"name\": \"$subdomain\", \"value\": \"$escaped_txtvalue\", \"ttl\": 600}]}"
-  url="$SPACESHIP_API_BASE/dns/records/$_domain"
-
-  # Send API request
-  if _spaceship_api_request "PUT" "$url" "$payload"; then
-    _info "Successfully added TXT record for $fulldomain"
-    return 0
-  else
-    _err "Failed to add TXT record. If the domain $_domain is incorrect, set SPACESHIP_ROOT_DOMAIN to the correct root domain."
-    return 1
-  fi
-}
-
-# Usage: fulldomain txtvalue
-# Used to remove the txt record after validation
-dns_spaceship_rm() {
-  fulldomain="$1"
-  txtvalue="$2"
-
-  _info "Removing TXT record for $fulldomain with value $txtvalue"
-
-  # Initialize API credentials and headers
-  if ! _spaceship_init; then
-    return 1
-  fi
-
-  # Detect root zone
-  if ! _get_root "$fulldomain"; then
-    return 1
-  fi
-
-  # Extract subdomain part relative to root domain
-  subdomain=$(echo "$fulldomain" | sed "s/\.$_domain$//")
-  if [ "$subdomain" = "$fulldomain" ]; then
-    _err "Failed to extract subdomain from $fulldomain relative to root domain $_domain"
-    return 1
-  fi
-  _debug "Extracted subdomain: $subdomain for root domain: $_domain"
-
-  # Escape txtvalue to prevent JSON injection
-  escaped_txtvalue=$(echo "$txtvalue" | sed 's/"/\\"/g')
-
-  # Prepare payload and URL for deleting TXT record
-  # Note: 'name' in payload uses subdomain (e.g., _acme-challenge.sub) as required by Spaceship API
-  payload="[{\"type\": \"TXT\", \"name\": \"$subdomain\", \"value\": \"$escaped_txtvalue\"}]"
-  url="$SPACESHIP_API_BASE/dns/records/$_domain"
-
-  # Send API request
-  if _spaceship_api_request "DELETE" "$url" "$payload"; then
-    _info "Successfully deleted TXT record for $fulldomain"
-    return 0
-  else
-    _err "Failed to delete TXT record. If the domain $_domain is incorrect, set SPACESHIP_ROOT_DOMAIN to the correct root domain."
-    return 1
-  fi
-}
-
-####################  Private functions below ##################################
-
-_spaceship_init() {
-  SPACESHIP_API_KEY="${SPACESHIP_API_KEY:-$(_readaccountconf_mutable SPACESHIP_API_KEY)}"
-  SPACESHIP_API_SECRET="${SPACESHIP_API_SECRET:-$(_readaccountconf_mutable SPACESHIP_API_SECRET)}"
-
-  if [ -z "$SPACESHIP_API_KEY" ] || [ -z "$SPACESHIP_API_SECRET" ]; then
-    _err "Spaceship API credentials are not set. Please set SPACESHIP_API_KEY and SPACESHIP_API_SECRET."
-    _err "Ensure \"$LE_CONFIG_HOME\" directory has restricted permissions (chmod 700 \"$LE_CONFIG_HOME\") to protect credentials."
-    return 1
-  fi
-
-  # Save credentials to account config for future renewals
-  _saveaccountconf_mutable SPACESHIP_API_KEY "$SPACESHIP_API_KEY"
-  _saveaccountconf_mutable SPACESHIP_API_SECRET "$SPACESHIP_API_SECRET"
-
-  # Set common headers for API requests
-  export _H1="X-API-Key: $SPACESHIP_API_KEY"
-  export _H2="X-API-Secret: $SPACESHIP_API_SECRET"
-  export _H3="Content-Type: application/json"
-  return 0
-}
-
-_get_root() {
-  domain="$1"
-
-  # Check manual override
-  SPACESHIP_ROOT_DOMAIN="${SPACESHIP_ROOT_DOMAIN:-$(_readdomainconf SPACESHIP_ROOT_DOMAIN)}"
-  if [ -n "$SPACESHIP_ROOT_DOMAIN" ]; then
-    _domain="$SPACESHIP_ROOT_DOMAIN"
-    _debug "Using manually specified or saved root domain: $_domain"
-    _savedomainconf SPACESHIP_ROOT_DOMAIN "$SPACESHIP_ROOT_DOMAIN"
-    return 0
-  fi
-
-  _debug "Detecting root zone for '$domain'"
-
-  i=1
-  p=1
-  while true; do
-    _cutdomain=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
-
-    _debug "Attempt i=$i: Checking if '$_cutdomain' is root zone (cut ret=$?)"
-
-    if [ -z "$_cutdomain" ]; then
-      _debug "Cut resulted in empty string, root zone not found."
-      break
-    fi
-
-    # Call the API to check if this _cutdomain is a manageable zone
-    if _spaceship_api_request "GET" "$SPACESHIP_API_BASE/dns/records/$_cutdomain?take=1&skip=0"; then
-      # API call succeeded (HTTP 200 OK for GET /dns/records)
-      _domain="$_cutdomain"
-      _debug "Root zone found: '$_domain'"
-
-      # Save the detected root domain
-      _savedomainconf SPACESHIP_ROOT_DOMAIN "$_domain"
-      _info "Root domain '$_domain' saved to configuration for future use."
-
-      return 0
-    fi
-
-    _debug "API check failed for '$_cutdomain'. Continuing search."
-
-    p=$i
-    i=$((i + 1))
-  done
-
-  _err "Could not detect root zone for '$domain'. Please set SPACESHIP_ROOT_DOMAIN manually."
-  return 1
-}
-
-_spaceship_api_request() {
-  method="$1"
-  url="$2"
-  payload="$3"
-
-  _debug2 "Sending $method request to $url with payload $payload"
-  if [ "$method" = "GET" ]; then
-    response="$(_get "$url")"
-  else
-    response="$(_post "$payload" "$url" "" "$method")"
-  fi
-
-  if [ "$?" != "0" ]; then
-    _err "API request failed. Response: $response"
-    return 1
-  fi
-
-  _debug2 "API response body: $response"
-
-  if [ "$method" = "GET" ]; then
-    if _contains "$(_head_n 1 <"$HTTP_HEADER")" '200'; then
-      return 0
-    fi
-  else
-    if _contains "$(_head_n 1 <"$HTTP_HEADER")" '204'; then
-      return 0
-    fi
-  fi
-
-  _debug2 "API response header: $HTTP_HEADER"
-  return 1
-}