2025-06-06 02:42:43 +00:00
7 changed files with 109 additions and 428 deletions
--- a/.github/workflows/pr_dns.yml
+++ b/.github/workflows/pr_dns.yml
@ -20,14 +20,12 @@ jobs:
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `**Welcome**
-                    READ ME !!!!!
+                First thing: don't send PR to the master branch, please send to the dev branch instead.
-                    Read me !!!!!!
+                Please make sure you've read our [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide) and [DNS-API-Test](../wiki/DNS-API-Test).
-                    First thing: don't send PR to the master branch, please send to the dev branch instead.
+                Then reply on this message, otherwise, your code will not be reviewed or merged.
-                    Please read the [DNS API Dev Guide](../wiki/DNS-API-Dev-Guide).
+                Please also make sure to add/update the usage here: https://github.com/acmesh-official/acme.sh/wiki/dnsapi2
-                    You MUST pass the [DNS-API-Test](../wiki/DNS-API-Test).
+                We look forward to reviewing your Pull request shortly ✨
-                    Then reply on this message, otherwise, your code will not be reviewed or merged.
+                注意: 必须通过了 [DNS-API-Test](../wiki/DNS-API-Test) 才会被 review. 无论是修改, 还是新加的 dns api, 都必须确保通过这个测试.
                    Please also make sure to add/update the usage here: https://github.com/acmesh-official/acme.sh/wiki/dnsapi2
                    注意: 必须通过了 [DNS-API-Test](../wiki/DNS-API-Test) 才会被 review. 无论是修改, 还是新加的 dns api, 都必须确保通过这个测试.
                `
            })
--- a/acme.sh
+++ b/acme.sh
@ -1,6 +1,6 @@
 #!/usr/bin/env sh
-VER=3.1.2
+VER=3.1.1
 PROJECT_NAME="acme.sh"
@ -5504,13 +5504,6 @@ renew() {
  if [ -z "$Le_Keylength" ]; then
    Le_Keylength=2048
  fi
  if [ "$CA_LETSENCRYPT_V2" = "$Le_API" ]; then
    #letsencrypt doesn't support ocsp anymore
    if [ "$Le_OCSP_Staple" ]; then
      export Le_OCSP_Staple=""
      _cleardomainconf Le_OCSP_Staple
    fi
  fi
  issue "$Le_Webroot" "$Le_Domain" "$Le_Alt" "$Le_Keylength" "$Le_RealCertPath" "$Le_RealKeyPath" "$Le_RealCACertPath" "$Le_ReloadCmd" "$Le_RealFullChainPath" "$Le_PreHook" "$Le_PostHook" "$Le_RenewHook" "$Le_LocalAddress" "$Le_ChallengeAlias" "$Le_Preferred_Chain" "$Le_Valid_From" "$Le_Valid_To"
  res="$?"
  if [ "$res" != "0" ]; then
--- a/deploy/truenas_ws.sh
+++ b/deploy/truenas_ws.sh
@ -52,39 +52,6 @@ _ws_call() {
  return 0
 }
 # Upload certificate with webclient api
 _ws_upload_cert() {
  /usr/bin/env python - <<EOF
 import sys
 from truenas_api_client import Client
 with Client() as c:
  ### Login with API key
  print("I:Trying to upload new certificate...")
  ret = c.call("auth.login_with_api_key", "${DEPLOY_TRUENAS_APIKEY}")
  if ret:
    ### upload certificate
    with open('$1', 'r') as file:
      fullchain = file.read()
    with open('$2', 'r') as file:
      privatekey = file.read()
    ret = c.call("certificate.create", {"name": "$3", "create_type": "CERTIFICATE_CREATE_IMPORTED", "certificate": fullchain, "privatekey": privatekey, "passphrase": ""}, job=True)
    print("R:" + str(ret["id"]))
    sys.exit(0)
  else:
    print("R:0")
    print("E:_ws_upload_cert error!")
    sys.exit(7)
 EOF
  return $?
 }
 # Check argument is a number
 # Usage:
 #
@ -162,6 +129,7 @@ _ws_get_job_result() {
 #  5: WebUI cert error
 #  6: Job error
 #  7: WS call error
 # 10: No CORE or SCALE detected
 #
 truenas_ws_deploy() {
  _domain="$1"
@ -211,8 +179,14 @@ truenas_ws_deploy() {
  _info "Gather system info..."
  _ws_response=$(_ws_call "system.info")
-  _truenas_version=$(printf "%s" "$_ws_response" | jq -r '."version"')
+  _truenas_system=$(printf "%s" "$_ws_response" | jq -r '."version"' | cut -d '-' -f 2 | tr '[:lower:]' '[:upper:]')
  _truenas_version=$(printf "%s" "$_ws_response" | jq -r '."version"' | cut -d '-' -f 3)
  _info "TrueNAS system: $_truenas_system"
  _info "TrueNAS version: $_truenas_version"
  if [ "$_truenas_system" != "SCALE" ] && [ "$_truenas_system" != "CORE" ]; then
    _err "Cannot gather TrueNAS system. Nor CORE oder SCALE detected."
    return 10
  fi
  ########## Gather current certificate
@ -229,26 +203,19 @@ truenas_ws_deploy() {
  _certname="acme_$(_utc_date | tr -d '\-\:' | tr ' ' '_')"
  _info "New WebUI certificate name: $_certname"
  _debug _certname "$_certname"
-  _ws_out=$(_ws_upload_cert "$_file_fullchain" "$_file_key" "$_certname")
+  _ws_jobid=$(_ws_call "certificate.create" "{\"name\": \"${_certname}\", \"create_type\": \"CERTIFICATE_CREATE_IMPORTED\", \"certificate\": \"$(_json_encode <"$_file_fullchain")\", \"privatekey\": \"$(_json_encode <"$_file_key")\", \"passphrase\": \"\"}")
-
+  _debug "_ws_jobid" "$_ws_jobid"
-  echo "$_ws_out" | while IFS= read -r LINE; do
+  if ! _ws_check_jobid "$_ws_jobid"; then
-    case "$LINE" in
+    _err "No JobID returned from websocket method."
-    I:*)
+    return 3
-      _info "${LINE#I:}"
+  fi
-      ;;
+  _ws_result=$(_ws_get_job_result "$_ws_jobid")
-    D:*)
+  _ws_ret=$?
-      _debug "${LINE#D:}"
+  if [ $_ws_ret -gt 0 ]; then
-      ;;
+    return $_ws_ret
-    E*)
+  fi
-      _err "${LINE#E:}"
+  _debug "_ws_result" "$_ws_result"
-      ;;
+  _new_certid=$(printf "%s" "$_ws_result" | jq -r '."id"')
    *) ;;
    esac
  done
  _new_certid=$(echo "$_ws_out" | grep 'R:' | cut -d ':' -f 2)
  _info "New certificate ID: $_new_certid"
  ########## FTP
@ -264,31 +231,33 @@ truenas_ws_deploy() {
  ########## ix Apps (SCALE only)
-  _info "Replace app certificates..."
+  if [ "$_truenas_system" = "SCALE" ]; then
-  _ws_response=$(_ws_call "app.query")
+    _info "Replace app certificates..."
-  for _app_name in $(printf "%s" "$_ws_response" | jq -r '.[]."name"'); do
+    _ws_response=$(_ws_call "app.query")
-    _info "Checking app $_app_name..."
+    for _app_name in $(printf "%s" "$_ws_response" | jq -r '.[]."name"'); do
-    _ws_response=$(_ws_call "app.config" "$_app_name")
+      _info "Checking app $_app_name..."
-    if [ "$(printf "%s" "$_ws_response" | jq -r '."network" | has("certificate_id")')" = "true" ]; then
+      _ws_response=$(_ws_call "app.config" "$_app_name")
-      _info "App has certificate option, setup new certificate..."
+      if [ "$(printf "%s" "$_ws_response" | jq -r '."network" | has("certificate_id")')" = "true" ]; then
-      _info "App will be redeployed after updating the certificate."
+        _info "App has certificate option, setup new certificate..."
-      _ws_jobid=$(_ws_call "app.update" "$_app_name" "{\"values\": {\"network\": {\"certificate_id\": $_new_certid}}}")
+        _info "App will be redeployed after updating the certificate."
-      _debug "_ws_jobid" "$_ws_jobid"
+        _ws_jobid=$(_ws_call "app.update" "$_app_name" "{\"values\": {\"network\": {\"certificate_id\": $_new_certid}}}")
-      if ! _ws_check_jobid "$_ws_jobid"; then
+        _debug "_ws_jobid" "$_ws_jobid"
-        _err "No JobID returned from websocket method."
+        if ! _ws_check_jobid "$_ws_jobid"; then
-        return 3
+          _err "No JobID returned from websocket method."
          return 3
        fi
        _ws_result=$(_ws_get_job_result "$_ws_jobid")
        _ws_ret=$?
        if [ $_ws_ret -gt 0 ]; then
          return $_ws_ret
        fi
        _debug "_ws_result" "$_ws_result"
        _info "App certificate replaced."
      else
        _info "App has no certificate option, skipping..."
      fi
-      _ws_result=$(_ws_get_job_result "$_ws_jobid")
+    done
-      _ws_ret=$?
+  fi
      if [ $_ws_ret -gt 0 ]; then
        return $_ws_ret
      fi
      _debug "_ws_result" "$_ws_result"
      _info "App certificate replaced."
    else
      _info "App has no certificate option, skipping..."
    fi
  done
  ########## WebUI
--- a/dnsapi/dns_1984hosting.sh
+++ b/dnsapi/dns_1984hosting.sh
@ -128,7 +128,7 @@ _1984hosting_login() {
  _get "https://1984.hosting/accounts/login/" | grep "csrfmiddlewaretoken"
  csrftoken="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
-  sessionid="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'cookie1984nammnamm=[^;]*;' | tr -d ';')"
+  sessionid="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'sessionid=[^;]*;' | tr -d ';')"
  if [ -z "$csrftoken" ] || [ -z "$sessionid" ]; then
    _err "One or more cookies are empty: '$csrftoken', '$sessionid'."
@ -145,7 +145,7 @@ _1984hosting_login() {
  _debug2 response "$response"
  if _contains "$response" '"loggedin": true'; then
-    One984HOSTING_SESSIONID_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'cookie1984nammnamm=[^;]*;' | tr -d ';')"
+    One984HOSTING_SESSIONID_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'sessionid=[^;]*;' | tr -d ';')"
    One984HOSTING_CSRFTOKEN_COOKIE="$(grep -i '^set-cookie:' "$HTTP_HEADER" | _egrep_o 'csrftoken=[^;]*;' | tr -d ';')"
    export One984HOSTING_SESSIONID_COOKIE
    export One984HOSTING_CSRFTOKEN_COOKIE
--- a/dnsapi/dns_active24.sh
+++ b/dnsapi/dns_active24.sh
@ -1,17 +1,17 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC2034
-dns_active24_info='Active24.cz
+dns_active24_info='Active24.com
-Site: Active24.cz
+Site: Active24.com
 Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_active24
 Options:
- Active24_ApiKey API Key. Called "Identifier" in the Active24 Admin
+ ACTIVE24_Token API Token
 Active24_ApiSecret API Secret. Called "Secret key" in the Active24 Admin
 Issues: github.com/acmesh-official/acme.sh/issues/2059
 Author: Milan Pála
 '
-Active24_Api="https://rest.active24.cz"
+ACTIVE24_Api="https://api.active24.com"
-# export Active24_ApiKey=ak48l3h7-ak5d-qn4t-p8gc-b6fs8c3l
+
-# export Active24_ApiSecret=ajvkeo3y82ndsu2smvxy3o36496dcascksldncsq
+########  Public functions #####################
 # Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 # Used to add txt record
@ -22,8 +22,8 @@ dns_active24_add() {
  _active24_init
  _info "Adding txt record"
-  if _active24_rest POST "/v2/service/$_service_id/dns/record" "{\"type\":\"TXT\",\"name\":\"$_sub_domain\",\"content\":\"$txtvalue\",\"ttl\":300}"; then
+  if _active24_rest POST "dns/$_domain/txt/v1" "{\"name\":\"$_sub_domain\",\"text\":\"$txtvalue\",\"ttl\":0}"; then
-    if _contains "$response" "error"; then
+    if _contains "$response" "errors"; then
      _err "Add txt record error."
      return 1
    else
@ -31,7 +31,6 @@ dns_active24_add() {
      return 0
    fi
  fi
  _err "Add txt record error."
  return 1
 }
@ -45,25 +44,19 @@ dns_active24_rm() {
  _active24_init
  _debug "Getting txt records"
-  # The API needs to send data in body in order the filter to work
+  _active24_rest GET "dns/$_domain/records/v1"
  # TODO: web can also add content $txtvalue to filter and then get the id from response
  _active24_rest GET "/v2/service/$_service_id/dns/record" "{\"page\":1,\"descending\":true,\"sortBy\":\"name\",\"rowsPerPage\":100,\"totalRecords\":0,\"filters\":{\"type\":[\"TXT\"],\"name\":\"${_sub_domain}\"}}"
  #_active24_rest GET "/v2/service/$_service_id/dns/record?rowsPerPage=100"
-  if _contains "$response" "error"; then
+  if _contains "$response" "errors"; then
    _err "Error"
    return 1
  fi
-  # Note: it might never be more than one record actually, NEEDS more INVESTIGATION
+  hash_ids=$(echo "$response" | _egrep_o "[^{]+${txtvalue}[^}]+" | _egrep_o "hashId\":\"[^\"]+" | cut -c10-)
  record_ids=$(printf "%s" "$response" | _egrep_o "[^{]+${txtvalue}[^}]+" | _egrep_o '"id" *: *[^,]+' | cut -d ':' -f 2)
  _debug2 record_ids "$record_ids"
-  for redord_id in $record_ids; do
+  for hash_id in $hash_ids; do
-    _debug "Removing record_id" "$redord_id"
+    _debug "Removing hash_id" "$hash_id"
-    _debug "txtvalue" "$txtvalue"
+    if _active24_rest DELETE "dns/$_domain/$hash_id/v1" ""; then
-    if _active24_rest DELETE "/v2/service/$_service_id/dns/record/$redord_id" ""; then
+      if _contains "$response" "errors"; then
      if _contains "$response" "error"; then
        _err "Unable to remove txt record."
        return 1
      else
@ -77,15 +70,21 @@ dns_active24_rm() {
  return 1
 }
 ####################  Private functions below ##################################
 #_acme-challenge.www.domain.com
 #returns
 # _sub_domain=_acme-challenge.www
 # _domain=domain.com
 # _domain_id=sdjkglgdfewsdfg
 _get_root() {
  domain=$1
  i=1
  p=1
-  if ! _active24_rest GET "/v1/user/self/service"; then
+  if ! _active24_rest GET "dns/domains/v1"; then
    return 1
  fi
  i=1
  p=1
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
    _debug "h" "$h"
@ -105,98 +104,21 @@ _get_root() {
  return 1
 }
 _active24_init() {
  Active24_ApiKey="${Active24_ApiKey:-$(_readaccountconf_mutable Active24_ApiKey)}"
  Active24_ApiSecret="${Active24_ApiSecret:-$(_readaccountconf_mutable Active24_ApiSecret)}"
  #Active24_ServiceId="${Active24_ServiceId:-$(_readaccountconf_mutable Active24_ServiceId)}"
  if [ -z "$Active24_ApiKey" ] || [ -z "$Active24_ApiSecret" ]; then
    Active24_ApiKey=""
    Active24_ApiSecret=""
    _err "You don't specify Active24 api key and ApiSecret yet."
    _err "Please create your key and try again."
    return 1
  fi
  #save the credentials to the account conf file.
  _saveaccountconf_mutable Active24_ApiKey "$Active24_ApiKey"
  _saveaccountconf_mutable Active24_ApiSecret "$Active24_ApiSecret"
  _debug "A24 API CHECK"
  if ! _active24_rest GET "/v2/check"; then
    _err "A24 API check failed with: $response"
    return 1
  fi
  if ! echo "$response" | tr -d " " | grep \"verified\":true >/dev/null; then
    _err "A24 API check failed with: $response"
    return 1
  fi
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  _active24_get_service_id "$_domain"
  _debug _service_id "$_service_id"
 }
 _active24_get_service_id() {
  _d=$1
  if ! _active24_rest GET "/v1/user/self/zone/${_d}"; then
    return 1
  else
    response=$(echo "$response" | _json_decode)
    _service_id=$(echo "$response" | _egrep_o '"id" *: *[^,]+' | cut -d ':' -f 2)
  fi
 }
 _active24_rest() {
  m=$1
-  ep_qs=$2 # with query string
+  ep="$2"
  # ep=$2
  ep=$(printf "%s" "$ep_qs" | cut -d '?' -f1) # no query string
  data="$3"
  _debug "$ep"
-  _debug "A24 $ep"
+  export _H1="Authorization: Bearer $ACTIVE24_Token"
  _debug "A24 $Active24_ApiKey"
  _debug "A24 $Active24_ApiSecret"
  timestamp=$(_time)
  datez=$(date -u +"%Y%m%dT%H%M%SZ")
  canonicalRequest="${m} ${ep} ${timestamp}"
  signature=$(printf "%s" "$canonicalRequest" | _hmac sha1 "$(printf "%s" "$Active24_ApiSecret" | _hex_dump | tr -d " ")" hex)
  authorization64="$(printf "%s:%s" "$Active24_ApiKey" "$signature" | _base64)"
  export _H1="Date: ${datez}"
  export _H2="Accept: application/json"
  export _H3="Content-Type: application/json"
  export _H4="Authorization: Basic ${authorization64}"
  _debug2 H1 "$_H1"
  _debug2 H2 "$_H2"
  _debug2 H3 "$_H3"
  _debug2 H4 "$_H4"
  # _sleep 1
  if [ "$m" != "GET" ]; then
    _debug2 "${m} $Active24_Api${ep_qs}"
    _debug "data" "$data"
-    response="$(_post "$data" "$Active24_Api${ep_qs}" "" "$m" "application/json")"
+    response="$(_post "$data" "$ACTIVE24_Api/$ep" "" "$m" "application/json")"
  else
-    if [ -z "$data" ]; then
+    response="$(_get "$ACTIVE24_Api/$ep")"
      _debug2 "GET $Active24_Api${ep_qs}"
      response="$(_get "$Active24_Api${ep_qs}")"
    else
      _debug2 "GET $Active24_Api${ep_qs} with data: ${data}"
      response="$(_post "$data" "$Active24_Api${ep_qs}" "" "$m" "application/json")"
    fi
  fi
  if [ "$?" != "0" ]; then
    _err "error $ep"
    return 1
@ -204,3 +126,23 @@ _active24_rest() {
  _debug2 response "$response"
  return 0
 }
 _active24_init() {
  ACTIVE24_Token="${ACTIVE24_Token:-$(_readaccountconf_mutable ACTIVE24_Token)}"
  if [ -z "$ACTIVE24_Token" ]; then
    ACTIVE24_Token=""
    _err "You didn't specify a Active24 api token yet."
    _err "Please create the token and try again."
    return 1
  fi
  _saveaccountconf_mutable ACTIVE24_Token "$ACTIVE24_Token"
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
 }
--- a/dnsapi/dns_azure.sh
+++ b/dnsapi/dns_azure.sh
@ -340,17 +340,8 @@ _azure_getaccess_token() {
  if [ "$managedIdentity" = true ]; then
    # https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
-    if [ -n "$IDENTITY_ENDPOINT" ]; then
+    export _H1="Metadata: true"
-      # Some Azure environments may set IDENTITY_ENDPOINT (formerly MSI_ENDPOINT) to have an alternative metadata endpoint
+    response="$(_get http://169.254.169.254/metadata/identity/oauth2/token\?api-version=2018-02-01\&resource=https://management.azure.com/)"
      url="$IDENTITY_ENDPOINT?api-version=2019-08-01&resource=https://management.azure.com/"
      headers="X-IDENTITY-HEADER: $IDENTITY_HEADER"
    else
      url="http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
      headers="Metadata: true"
    fi
    export _H1="$headers"
    response="$(_get "$url")"
    response="$(echo "$response" | _normalizeJson)"
    accesstoken=$(echo "$response" | _egrep_o "\"access_token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
    expires_on=$(echo "$response" | _egrep_o "\"expires_on\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
--- a/dnsapi/dns_spaceship.sh
+++ b/dnsapi/dns_spaceship.sh
@ -1,212 +0,0 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC2034
 dns_spaceship_info='Spaceship.com
 Site: Spaceship.com
 Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_spaceship
 Options:
 SPACESHIP_API_KEY Spaceship API Key
 SPACESHIP_API_SECRET Spaceship API Secret
 SPACESHIP_ROOT_DOMAIN (Optional) Manually specify the root domain if auto-detection fails
 Issues: github.com/acmesh-official/acme.sh/issues/6304
 Author: Meow <https://github.com/Meo597>
 '
 # Spaceship API
 # https://docs.spaceship.dev/
 ########  Public functions #####################
 SPACESHIP_API_BASE="https://spaceship.dev/api/v1"
 # Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 # Used to add txt record
 dns_spaceship_add() {
  fulldomain="$1"
  txtvalue="$2"
  _info "Adding TXT record for $fulldomain with value $txtvalue"
  # Initialize API credentials and headers
  if ! _spaceship_init; then
    return 1
  fi
  # Detect root zone
  if ! _get_root "$fulldomain"; then
    return 1
  fi
  # Extract subdomain part relative to root domain
  subdomain=$(echo "$fulldomain" | sed "s/\.$_domain$//")
  if [ "$subdomain" = "$fulldomain" ]; then
    _err "Failed to extract subdomain from $fulldomain relative to root domain $_domain"
    return 1
  fi
  _debug "Extracted subdomain: $subdomain for root domain: $_domain"
  # Escape txtvalue to prevent JSON injection (e.g., quotes in txtvalue)
  escaped_txtvalue=$(echo "$txtvalue" | sed 's/"/\\"/g')
  # Prepare payload and URL for adding TXT record
  # Note: 'name' in payload uses subdomain (e.g., _acme-challenge.sub) as required by Spaceship API
  payload="{\"force\": true, \"items\": [{\"type\": \"TXT\", \"name\": \"$subdomain\", \"value\": \"$escaped_txtvalue\", \"ttl\": 600}]}"
  url="$SPACESHIP_API_BASE/dns/records/$_domain"
  # Send API request
  if _spaceship_api_request "PUT" "$url" "$payload"; then
    _info "Successfully added TXT record for $fulldomain"
    return 0
  else
    _err "Failed to add TXT record. If the domain $_domain is incorrect, set SPACESHIP_ROOT_DOMAIN to the correct root domain."
    return 1
  fi
 }
 # Usage: fulldomain txtvalue
 # Used to remove the txt record after validation
 dns_spaceship_rm() {
  fulldomain="$1"
  txtvalue="$2"
  _info "Removing TXT record for $fulldomain with value $txtvalue"
  # Initialize API credentials and headers
  if ! _spaceship_init; then
    return 1
  fi
  # Detect root zone
  if ! _get_root "$fulldomain"; then
    return 1
  fi
  # Extract subdomain part relative to root domain
  subdomain=$(echo "$fulldomain" | sed "s/\.$_domain$//")
  if [ "$subdomain" = "$fulldomain" ]; then
    _err "Failed to extract subdomain from $fulldomain relative to root domain $_domain"
    return 1
  fi
  _debug "Extracted subdomain: $subdomain for root domain: $_domain"
  # Escape txtvalue to prevent JSON injection
  escaped_txtvalue=$(echo "$txtvalue" | sed 's/"/\\"/g')
  # Prepare payload and URL for deleting TXT record
  # Note: 'name' in payload uses subdomain (e.g., _acme-challenge.sub) as required by Spaceship API
  payload="[{\"type\": \"TXT\", \"name\": \"$subdomain\", \"value\": \"$escaped_txtvalue\"}]"
  url="$SPACESHIP_API_BASE/dns/records/$_domain"
  # Send API request
  if _spaceship_api_request "DELETE" "$url" "$payload"; then
    _info "Successfully deleted TXT record for $fulldomain"
    return 0
  else
    _err "Failed to delete TXT record. If the domain $_domain is incorrect, set SPACESHIP_ROOT_DOMAIN to the correct root domain."
    return 1
  fi
 }
 ####################  Private functions below ##################################
 _spaceship_init() {
  SPACESHIP_API_KEY="${SPACESHIP_API_KEY:-$(_readaccountconf_mutable SPACESHIP_API_KEY)}"
  SPACESHIP_API_SECRET="${SPACESHIP_API_SECRET:-$(_readaccountconf_mutable SPACESHIP_API_SECRET)}"
  if [ -z "$SPACESHIP_API_KEY" ] || [ -z "$SPACESHIP_API_SECRET" ]; then
    _err "Spaceship API credentials are not set. Please set SPACESHIP_API_KEY and SPACESHIP_API_SECRET."
    _err "Ensure \"$LE_CONFIG_HOME\" directory has restricted permissions (chmod 700 \"$LE_CONFIG_HOME\") to protect credentials."
    return 1
  fi
  # Save credentials to account config for future renewals
  _saveaccountconf_mutable SPACESHIP_API_KEY "$SPACESHIP_API_KEY"
  _saveaccountconf_mutable SPACESHIP_API_SECRET "$SPACESHIP_API_SECRET"
  # Set common headers for API requests
  export _H1="X-API-Key: $SPACESHIP_API_KEY"
  export _H2="X-API-Secret: $SPACESHIP_API_SECRET"
  export _H3="Content-Type: application/json"
  return 0
 }
 _get_root() {
  domain="$1"
  # Check manual override
  SPACESHIP_ROOT_DOMAIN="${SPACESHIP_ROOT_DOMAIN:-$(_readdomainconf SPACESHIP_ROOT_DOMAIN)}"
  if [ -n "$SPACESHIP_ROOT_DOMAIN" ]; then
    _domain="$SPACESHIP_ROOT_DOMAIN"
    _debug "Using manually specified or saved root domain: $_domain"
    _savedomainconf SPACESHIP_ROOT_DOMAIN "$SPACESHIP_ROOT_DOMAIN"
    return 0
  fi
  _debug "Detecting root zone for '$domain'"
  i=1
  p=1
  while true; do
    _cutdomain=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
    _debug "Attempt i=$i: Checking if '$_cutdomain' is root zone (cut ret=$?)"
    if [ -z "$_cutdomain" ]; then
      _debug "Cut resulted in empty string, root zone not found."
      break
    fi
    # Call the API to check if this _cutdomain is a manageable zone
    if _spaceship_api_request "GET" "$SPACESHIP_API_BASE/dns/records/$_cutdomain?take=1&skip=0"; then
      # API call succeeded (HTTP 200 OK for GET /dns/records)
      _domain="$_cutdomain"
      _debug "Root zone found: '$_domain'"
      # Save the detected root domain
      _savedomainconf SPACESHIP_ROOT_DOMAIN "$_domain"
      _info "Root domain '$_domain' saved to configuration for future use."
      return 0
    fi
    _debug "API check failed for '$_cutdomain'. Continuing search."
    p=$i
    i=$((i + 1))
  done
  _err "Could not detect root zone for '$domain'. Please set SPACESHIP_ROOT_DOMAIN manually."
  return 1
 }
 _spaceship_api_request() {
  method="$1"
  url="$2"
  payload="$3"
  _debug2 "Sending $method request to $url with payload $payload"
  if [ "$method" = "GET" ]; then
    response="$(_get "$url")"
  else
    response="$(_post "$payload" "$url" "" "$method")"
  fi
  if [ "$?" != "0" ]; then
    _err "API request failed. Response: $response"
    return 1
  fi
  _debug2 "API response body: $response"
  if [ "$method" = "GET" ]; then
    if _contains "$(_head_n 1 <"$HTTP_HEADER")" '200'; then
      return 0
    fi
  else
    if _contains "$(_head_n 1 <"$HTTP_HEADER")" '204'; then
      return 0
    fi
  fi
  _debug2 "API response header: $HTTP_HEADER"
  return 1
 }