Merge pull request #6696 from taoso/dev

Support list IPv6 address certificate
Merge pull request #6692 from as-kholin/omglol_202512
2025-12-25 04:32:08 +08:00 · 2025-12-23 21:42:01 +01:00 · 2025-12-22 20:09:23 +01:00 · 2025-12-22 20:06:16 +01:00 · 2025-12-22 19:48:07 +01:00 · 2025-12-22 19:42:12 +01:00
17 changed files with 1524 additions and 126 deletions
--- a/.github/workflows/DNS.yml
+++ b/.github/workflows/DNS.yml
@@ -441,7 +441,9 @@ jobs:
      with:
        envs: 'TEST_DNS TestingDomain TEST_DNS_NO_WILDCARD TEST_DNS_NO_SUBDOMAIN TEST_DNS_SLEEP CASE TEST_LOCAL DEBUG http_proxy https_proxy HTTPS_INSECURE TokenName1 TokenName2 TokenName3 TokenName4 TokenName5 ${{ secrets.TokenName1}} ${{ secrets.TokenName2}} ${{ secrets.TokenName3}} ${{ secrets.TokenName4}} ${{ secrets.TokenName5}}'
        copyback: false
-        prepare: pkgutil -y -i socat
+        prepare: |
          pkgutil -U
          pkgutil -y -i socat
        run: |
          pkg set-mediator -v -I default@1.1 openssl
          export PATH=/usr/gnu/bin:$PATH
--- a/.github/workflows/Solaris.yml
+++ b/.github/workflows/Solaris.yml
@@ -66,7 +66,9 @@ jobs:
        envs: 'TEST_LOCAL TestingDomain TEST_ACME_Server CA_ECDSA CA CA_EMAIL TEST_PREFERRED_CHAIN ACME_USE_WGET'
        nat: |
          "8080": "80"
-        prepare: pkgutil -y -i socat curl wget
+        prepare: |
          pkgutil -U
          pkgutil -y -i socat curl wget
        copyback: false
        run: |
          cd ../acmetest \
--- a/.github/workflows/wiki-monitor.yml
+++ b/.github/workflows/wiki-monitor.yml
@@ -22,6 +22,7 @@ jobs:
            page_sha=$(jq -r '.pages[0].sha' "$GITHUB_EVENT_PATH")
            page_url=$(jq -r '.pages[0].html_url' "$GITHUB_EVENT_PATH")
            page_action=$(jq -r '.pages[0].action' "$GITHUB_EVENT_PATH")
            page_summary=$(jq -r '.pages[0].summary' "$GITHUB_EVENT_PATH")
            now="$(date '+%Y-%m-%d %H:%M:%S')"
            cd wiki
@@ -35,9 +36,11 @@ jobs:
            {
            echo "Wiki edited"
            echo -n "User: "
-            echo "[$actor]($sender_url)"
+            echo "@$actor [$actor]($sender_url)"
            echo "Time: $now"
            echo "Page: [$page_name]($page_url) (Action: $page_action)"
            echo "Comment: $page_summary"
            echo "[Click here to Revert](${page_url}/_history)"
            echo ""
            echo "----"
            echo "###  diff："
--- a/acme.sh
+++ b/acme.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
-VER=3.1.2
+VER=3.1.3
 PROJECT_NAME="acme.sh"
@@ -1031,7 +1031,7 @@ _digest() {
  outputhex="$2"
-  if [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then
+  if [ "$alg" = "sha3-256" ] || [ "$alg" = "sha256" ] || [ "$alg" = "sha1" ] || [ "$alg" = "md5" ]; then
    if [ "$outputhex" ]; then
      ${ACME_OPENSSL_BIN:-openssl} dgst -"$alg" -hex | cut -d = -f 2 | tr -d ' '
    else
@@ -5840,7 +5840,7 @@ list() {
    if [ -z "$_domain" ]; then
      printf "%s\n" "Main_Domain${_sep}KeyLength${_sep}SAN_Domains${_sep}Profile${_sep}CA${_sep}Created${_sep}Renew"
    fi
-    for di in "${CERT_HOME}"/*.*/; do
+    for di in "${CERT_HOME}"/{*.*,*:*}/; do
      d=$(basename "$di")
      _debug d "$d"
      (
--- a/deploy/ali_cdn.sh
+++ b/deploy/ali_cdn.sh
@@ -83,6 +83,6 @@ _set_cdn_domain_ssl_certificate_query() {
  query=$query'&SignatureMethod=HMAC-SHA1'
  query=$query"&SignatureNonce=$(_ali_nonce)"
  query=$query'&SignatureVersion=1.0'
-  query=$query'&Timestamp='$(_timestamp)
+  query=$query'&Timestamp='$(_ali_timestamp)
  query=$query'&Version=2018-05-10'
 }
--- a/deploy/ali_dcdn.sh
+++ b/deploy/ali_dcdn.sh
@@ -83,6 +83,6 @@ _set_dcdn_domain_ssl_certificate_query() {
  query=$query'&SignatureMethod=HMAC-SHA1'
  query=$query"&SignatureNonce=$(_ali_nonce)"
  query=$query'&SignatureVersion=1.0'
-  query=$query'&Timestamp='$(_timestamp)
+  query=$query'&Timestamp='$(_ali_timestamp)
  query=$query'&Version=2018-01-15'
 }
--- a/dnsapi/dns_ali.sh
+++ b/dnsapi/dns_ali.sh
@@ -97,12 +97,13 @@ _ali_rest() {
 }
 _ali_nonce() {
-  #_head_n 1 </dev/urandom | _digest "sha256" hex | cut -c 1-31
+  if [ "$ACME_OPENSSL_BIN" ]; then
-  #Not so good...
+    "$ACME_OPENSSL_BIN" rand -hex 16 2>/dev/null && return 0
-  date +"%s%N" | sed 's/%N//g'
+  fi
  printf "%s" "$(date +%s)$$$(date +%N)" | _digest sha256 hex | cut -c 1-32
 }
-_timestamp() {
+_ali_timestamp() {
  date -u +"%Y-%m-%dT%H%%3A%M%%3A%SZ"
 }
@@ -150,7 +151,7 @@ _check_exist_query() {
  query=$query'&SignatureMethod=HMAC-SHA1'
  query=$query"&SignatureNonce=$(_ali_nonce)"
  query=$query'&SignatureVersion=1.0'
-  query=$query'&Timestamp='$(_timestamp)
+  query=$query'&Timestamp='$(_ali_timestamp)
  query=$query'&TypeKeyWord=TXT'
  query=$query'&Version=2015-01-09'
 }
@@ -166,7 +167,7 @@ _add_record_query() {
  query=$query'&SignatureMethod=HMAC-SHA1'
  query=$query"&SignatureNonce=$(_ali_nonce)"
  query=$query'&SignatureVersion=1.0'
-  query=$query'&Timestamp='$(_timestamp)
+  query=$query'&Timestamp='$(_ali_timestamp)
  query=$query'&Type=TXT'
  query=$query'&Value='$3
  query=$query'&Version=2015-01-09'
@@ -182,7 +183,7 @@ _delete_record_query() {
  query=$query'&SignatureMethod=HMAC-SHA1'
  query=$query"&SignatureNonce=$(_ali_nonce)"
  query=$query'&SignatureVersion=1.0'
-  query=$query'&Timestamp='$(_timestamp)
+  query=$query'&Timestamp='$(_ali_timestamp)
  query=$query'&Version=2015-01-09'
 }
@@ -196,7 +197,7 @@ _describe_records_query() {
  query=$query'&SignatureMethod=HMAC-SHA1'
  query=$query"&SignatureNonce=$(_ali_nonce)"
  query=$query'&SignatureVersion=1.0'
-  query=$query'&Timestamp='$(_timestamp)
+  query=$query'&Timestamp='$(_ali_timestamp)
  query=$query'&Version=2015-01-09'
 }
--- a/dnsapi/dns_aws.sh
+++ b/dnsapi/dns_aws.sh
@@ -161,7 +161,7 @@ _get_root() {
    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100 | sed 's/\./\\./g')
    _debug "Checking domain: $h"
    if [ -z "$h" ]; then
-      _error "invalid domain"
+      _err "invalid domain"
      return 1
    fi
--- a/dnsapi/dns_efficientip.sh
+++ b/dnsapi/dns_efficientip.sh
@@ -0,0 +1,139 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC2034
 dns_efficientip_info='efficientip.com
 Site: https://efficientip.com/
 Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_efficientip
 Options:
  EfficientIP_Creds HTTP Basic Authentication credentials. E.g. "username:password"
  EfficientIP_Server EfficientIP SOLIDserver Management IP address or FQDN.
  EfficientIP_DNS_Name Name of the DNS smart or server hosting the zone. Optional.
  EfficientIP_View Name of the DNS view hosting the zone. Optional.
 OptionsAlt:
  EfficientIP_Token_Key Alternative API token key, prefered over basic authentication.
  EfficientIP_Token_Secret Alternative API token secret, required when using a token key.
  EfficientIP_Server EfficientIP SOLIDserver Management IP address or FQDN.
  EfficientIP_DNS_Name Name of the DNS smart or server hosting the zone. Optional.
  EfficientIP_View Name of the DNS view hosting the zone. Optional.
 Issues: github.com/acmesh-official/acme.sh/issues/6325
 Author: EfficientIP-Labs <contact@efficientip.com>
 '
 dns_efficientip_add() {
  fulldomain=$1
  txtvalue=$2
  _info "Using EfficientIP API"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"
  if { [ -z "${EfficientIP_Creds}" ] && { [ -z "${EfficientIP_Token_Key}" ] || [ -z "${EfficientIP_Token_Secret}" ]; }; } || [ -z "${EfficientIP_Server}" ]; then
    EfficientIP_Creds=""
    EfficientIP_Token_Key=""
    EfficientIP_Token_Secret=""
    EfficientIP_Server=""
    _err "You didn't specify any EfficientIP credentials or token or server (EfficientIP_Creds; EfficientIP_Token_Key; EfficientIP_Token_Secret; EfficientIP_Server)."
    _err "Please set them via EXPORT EfficientIP_Creds=username:password or EXPORT EfficientIP_server=ip/hostname"
    _err "or if you want to use Token instead EXPORT EfficientIP_Token_Key=yourkey"
    _err "and EXPORT EfficientIP_Token_Secret=yoursecret"
    _err "then try again."
    return 1
  fi
  if [ -z "${EfficientIP_DNS_Name}" ]; then
    EfficientIP_DNS_Name=""
  fi
  EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode)
  if [ -z "${EfficientIP_View}" ]; then
    EfficientIP_View=""
  fi
  EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode)
  _saveaccountconf EfficientIP_Creds "${EfficientIP_Creds}"
  _saveaccountconf EfficientIP_Token_Key "${EfficientIP_Token_Key}"
  _saveaccountconf EfficientIP_Token_Secret "${EfficientIP_Token_Secret}"
  _saveaccountconf EfficientIP_Server "${EfficientIP_Server}"
  _saveaccountconf EfficientIP_DNS_Name "${EfficientIP_DNS_Name}"
  _saveaccountconf EfficientIP_View "${EfficientIP_View}"
  export _H1="Accept-Language:en-US"
  baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_add?rr_type=TXT&rr_ttl=300&rr_name=${fulldomain}&rr_value1=${txtvalue}"
  if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then
    baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}"
  fi
  if [ "${EfficientIP_ViewEncoded}" != "" ]; then
    baseurlnObject="${baseurlnObject}&dnsview_name=${EfficientIP_ViewEncoded}"
  fi
  if [ -z "${EfficientIP_Token_Secret}" ] || [ -z "${EfficientIP_Token_Key}" ]; then
    EfficientIP_CredsEncoded=$(printf "%b" "${EfficientIP_Creds}" | _base64)
    export _H2="Authorization: Basic ${EfficientIP_CredsEncoded}"
  else
    TS=$(date +%s)
    Sig=$(printf "%b\n$TS\nPOST\n$baseurlnObject" "${EfficientIP_Token_Secret}" | _digest sha3-256 hex)
    EfficientIP_CredsEncoded=$(printf "%b:%b" "${EfficientIP_Token_Key}" "$Sig")
    export _H2="Authorization: SDS ${EfficientIP_CredsEncoded}"
    export _H3="X-SDS-TS: ${TS}"
  fi
  result="$(_post "" "${baseurlnObject}" "" "POST")"
  if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then
    _info "DNS record successfully created"
    return 0
  else
    _err "Error creating DNS record"
    _err "${result}"
    return 1
  fi
 }
 dns_efficientip_rm() {
  fulldomain=$1
  txtvalue=$2
  _info "Using EfficientIP API"
  _debug fulldomain "${fulldomain}"
  _debug txtvalue "${txtvalue}"
  EfficientIP_ViewEncoded=$(printf "%b" "${EfficientIP_View}" | _url_encode)
  EfficientIP_DNSNameEncoded=$(printf "%b" "${EfficientIP_DNS_Name}" | _url_encode)
  EfficientIP_CredsEncoded=$(printf "%b" "${EfficientIP_Creds}" | _base64)
  export _H1="Accept-Language:en-US"
  baseurlnObject="https://${EfficientIP_Server}/rest/dns_rr_delete?rr_type=TXT&rr_name=$fulldomain&rr_value1=$txtvalue"
  if [ "${EfficientIP_DNSNameEncoded}" != "" ]; then
    baseurlnObject="${baseurlnObject}&dns_name=${EfficientIP_DNSNameEncoded}"
  fi
  if [ "${EfficientIP_ViewEncoded}" != "" ]; then
    baseurlnObject="${baseurlnObject}&dnsview_name=${EfficientIP_ViewEncoded}"
  fi
  if [ -z "$EfficientIP_Token_Secret" ] || [ -z "$EfficientIP_Token_Key" ]; then
    EfficientIP_CredsEncoded=$(printf "%b" "${EfficientIP_Creds}" | _base64)
    export _H2="Authorization: Basic $EfficientIP_CredsEncoded"
  else
    TS=$(date +%s)
    Sig=$(printf "%b\n$TS\nDELETE\n${baseurlnObject}" "${EfficientIP_Token_Secret}" | _digest sha3-256 hex)
    EfficientIP_CredsEncoded=$(printf "%b:%b" "${EfficientIP_Token_Key}" "$Sig")
    export _H2="Authorization: SDS ${EfficientIP_CredsEncoded}"
    export _H3="X-SDS-TS: $TS"
  fi
  result="$(_post "" "${baseurlnObject}" "" "DELETE")"
  if [ "$(echo "${result}" | _egrep_o "ret_oid")" ]; then
    _info "DNS Record successfully deleted"
    return 0
  else
    _err "Error deleting DNS record"
    _err "${result}"
    return 1
  fi
 }
--- a/dnsapi/dns_exoscale.sh
+++ b/dnsapi/dns_exoscale.sh
@@ -8,9 +8,9 @@ Options:
 EXOSCALE_SECRET_KEY API Secret key
 '
-EXOSCALE_API=https://api.exoscale.com/dns/v1
+EXOSCALE_API="https://api-ch-gva-2.exoscale.com/v2"
-########  Public functions #####################
+########  Public functions  ########
 # Usage: add  _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 # Used to add txt record
@@ -18,159 +18,197 @@ dns_exoscale_add() {
  fulldomain=$1
  txtvalue=$2
-  if ! _checkAuth; then
+  _debug "Using Exoscale DNS v2 API"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"
  if ! _check_auth; then
    return 1
  fi
-  _debug "First detect the root zone"
+  root_domain_id=$(_get_root_domain_id "$fulldomain")
-  if ! _get_root "$fulldomain"; then
+  if [ -z "$root_domain_id" ]; then
-    _err "invalid domain"
+    _err "Unable to determine root domain ID for $fulldomain"
    return 1
  fi
  _debug root_domain_id "$root_domain_id"
-  _debug _sub_domain "$_sub_domain"
+  # Always get the subdomain part first
-  _debug _domain "$_domain"
+  sub_domain=$(_get_sub_domain "$fulldomain" "$root_domain_id")
  _debug sub_domain "$sub_domain"
-  _info "Adding record"
+  # Build the record name properly
-  if _exoscale_rest POST "domains/$_domain_id/records" "{\"record\":{\"name\":\"$_sub_domain\",\"record_type\":\"TXT\",\"content\":\"$txtvalue\",\"ttl\":120}}" "$_domain_token"; then
+  if [ -z "$sub_domain" ]; then
-    if _contains "$response" "$txtvalue"; then
+    record_name="_acme-challenge"
-      _info "Added, OK"
+  else
-      return 0
+    record_name="_acme-challenge.$sub_domain"
    fi
  fi
  _err "Add txt record error."
  return 1
  payload=$(printf '{"name":"%s","type":"TXT","content":"%s","ttl":120}' "$record_name" "$txtvalue")
  _debug payload "$payload"
  response=$(_exoscale_rest POST "/dns-domain/${root_domain_id}/record" "$payload")
  if _contains "$response" "\"id\""; then
    _info "TXT record added successfully."
    return 0
  else
    _err "Error adding TXT record: $response"
    return 1
  fi
 }
 # Usage: fulldomain txtvalue
 # Used to remove the txt record after validation
 dns_exoscale_rm() {
  fulldomain=$1
  txtvalue=$2
-  if ! _checkAuth; then
+  _debug "Using Exoscale DNS v2 API for removal"
  _debug fulldomain "$fulldomain"
  if ! _check_auth; then
    return 1
  fi
-  _debug "First detect the root zone"
+  root_domain_id=$(_get_root_domain_id "$fulldomain")
-  if ! _get_root "$fulldomain"; then
+  if [ -z "$root_domain_id" ]; then
-    _err "invalid domain"
+    _err "Unable to determine root domain ID for $fulldomain"
    return 1
  fi
-  _debug _sub_domain "$_sub_domain"
+  record_name="_acme-challenge"
-  _debug _domain "$_domain"
+  sub_domain=$(_get_sub_domain "$fulldomain" "$root_domain_id")
-
+  if [ -n "$sub_domain" ]; then
-  _debug "Getting txt records"
+    record_name="_acme-challenge.$sub_domain"
  _exoscale_rest GET "domains/${_domain_id}/records?type=TXT&name=$_sub_domain" "" "$_domain_token"
  if _contains "$response" "\"name\":\"$_sub_domain\"" >/dev/null; then
    _record_id=$(echo "$response" | tr '{' "\n" | grep "\"content\":\"$txtvalue\"" | _egrep_o "\"id\":[^,]+" | _head_n 1 | cut -d : -f 2 | tr -d \")
  fi
-  if [ -z "$_record_id" ]; then
+  record_id=$(_find_record_id "$root_domain_id" "$record_name")
-    _err "Can not get record id to remove."
+  if [ -z "$record_id" ]; then
    _err "TXT record not found for deletion."
    return 1
  fi
-  _debug "Deleting record $_record_id"
+  response=$(_exoscale_rest DELETE "/dns-domain/$root_domain_id/record/$record_id")
-
+  if _contains "$response" "\"state\":\"success\""; then
-  if ! _exoscale_rest DELETE "domains/$_domain_id/records/$_record_id" "" "$_domain_token"; then
+    _info "TXT record deleted successfully."
-    _err "Delete record error."
+    return 0
  else
    _err "Error deleting TXT record: $response"
    return 1
  fi
  return 0
 }
-####################  Private functions below ##################################
+########  Private helpers  ########
-_checkAuth() {
+_check_auth() {
  EXOSCALE_API_KEY="${EXOSCALE_API_KEY:-$(_readaccountconf_mutable EXOSCALE_API_KEY)}"
  EXOSCALE_SECRET_KEY="${EXOSCALE_SECRET_KEY:-$(_readaccountconf_mutable EXOSCALE_SECRET_KEY)}"
  if [ -z "$EXOSCALE_API_KEY" ] || [ -z "$EXOSCALE_SECRET_KEY" ]; then
-    EXOSCALE_API_KEY=""
+    _err "EXOSCALE_API_KEY and EXOSCALE_SECRET_KEY must be set."
    EXOSCALE_SECRET_KEY=""
    _err "You don't specify Exoscale application key and application secret yet."
    _err "Please create you key and try again."
    return 1
  fi
  _saveaccountconf_mutable EXOSCALE_API_KEY "$EXOSCALE_API_KEY"
  _saveaccountconf_mutable EXOSCALE_SECRET_KEY "$EXOSCALE_SECRET_KEY"
  return 0
 }
-#_acme-challenge.www.domain.com
+_get_root_domain_id() {
 #returns
 # _sub_domain=_acme-challenge.www
 # _domain=domain.com
 # _domain_id=sdjkglgdfewsdfg
 # _domain_token=sdjkglgdfewsdfg
 _get_root() {
  if ! _exoscale_rest GET "domains"; then
    return 1
  fi
  domain=$1
-  i=2
+  i=1
  p=1
  while true; do
-    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
+    candidate=$(printf "%s" "$domain" | cut -d . -f "${i}-100")
-    _debug h "$h"
+    [ -z "$candidate" ] && return 1
-    if [ -z "$h" ]; then
+    _debug "Trying root domain candidate: $candidate"
-      #not valid
+    domains=$(_exoscale_rest GET "/dns-domain")
-      return 1
+    # Extract from dns-domains array
-    fi
+    result=$(echo "$domains" | _egrep_o '"dns-domains":\[.*\]' | _egrep_o '\{"id":"[^"]*","created-at":"[^"]*","unicode-name":"[^"]*"\}' | while read -r item; do
-
+      name=$(echo "$item" | _egrep_o '"unicode-name":"[^"]*"' | cut -d'"' -f4)
-    if _contains "$response" "\"name\":\"$h\"" >/dev/null; then
+      id=$(echo "$item" | _egrep_o '"id":"[^"]*"' | cut -d'"' -f4)
-      _domain_id=$(echo "$response" | tr '{' "\n" | grep "\"name\":\"$h\"" | _egrep_o "\"id\":[^,]+" | _head_n 1 | cut -d : -f 2 | tr -d \")
+      if [ "$name" = "$candidate" ]; then
-      _domain_token=$(echo "$response" | tr '{' "\n" | grep "\"name\":\"$h\"" | _egrep_o "\"token\":\"[^\"]*\"" | _head_n 1 | cut -d : -f 2 | tr -d \")
+        echo "$id"
-      if [ "$_domain_token" ] && [ "$_domain_id" ]; then
+        break
        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
        _domain=$h
        return 0
      fi
-      return 1
+    done)
    if [ -n "$result" ]; then
      echo "$result"
      return 0
    fi
    p=$i
    i=$(_math "$i" + 1)
  done
  return 1
 }
-# returns response
+_get_sub_domain() {
  fulldomain=$1
  root_id=$2
  root_info=$(_exoscale_rest GET "/dns-domain/$root_id")
  _debug root_info "$root_info"
  root_name=$(echo "$root_info" | _egrep_o "\"unicode-name\":\"[^\"]*\"" | cut -d\" -f4)
  sub=${fulldomain%%."$root_name"}
  if [ "$sub" = "_acme-challenge" ]; then
    echo ""
  else
    # Remove _acme-challenge. prefix to get the actual subdomain
    echo "${sub#_acme-challenge.}"
  fi
 }
 _find_record_id() {
  root_id=$1
  name=$2
  records=$(_exoscale_rest GET "/dns-domain/$root_id/record")
  # Convert search name to lowercase for case-insensitive matching
  name_lower=$(echo "$name" | tr '[:upper:]' '[:lower:]')
  echo "$records" | _egrep_o '\{[^}]*"name":"[^"]*"[^}]*\}' | while read -r record; do
    record_name=$(echo "$record" | _egrep_o '"name":"[^"]*"' | cut -d'"' -f4)
    record_name_lower=$(echo "$record_name" | tr '[:upper:]' '[:lower:]')
    if [ "$record_name_lower" = "$name_lower" ]; then
      echo "$record" | _egrep_o '"id":"[^"]*"' | _head_n 1 | cut -d'"' -f4
      break
    fi
  done
 }
 _exoscale_sign() {
  k=$1
  shift
  hex_key=$(printf %b "$k" | _hex_dump | tr -d ' ')
  printf %s "$@" | _hmac sha256 "$hex_key"
 }
 _exoscale_rest() {
  method=$1
-  path="$2"
+  path=$2
-  data="$3"
+  data=$3
-  token="$4"
+
-  request_url="$EXOSCALE_API/$path"
+  url="${EXOSCALE_API}${path}"
-  _debug "$path"
+  expiration=$(_math "$(date +%s)" + 300) # 5m from now
  # Build the message with the actual body or empty line
  message=$(printf "%s %s\n%s\n\n\n%s" "$method" "/v2$path" "$data" "$expiration")
  signature=$(_exoscale_sign "$EXOSCALE_SECRET_KEY" "$message" | _base64)
  auth="EXO2-HMAC-SHA256 credential=${EXOSCALE_API_KEY},expires=${expiration},signature=${signature}"
  _debug "API request: $method $url"
  _debug "Signed message: [$message]"
  _debug "Authorization header: [$auth]"
  export _H1="Accept: application/json"
-
+  export _H2="Authorization: ${auth}"
  if [ "$token" ]; then
    export _H2="X-DNS-Domain-Token: $token"
  else
    export _H2="X-DNS-Token: $EXOSCALE_API_KEY:$EXOSCALE_SECRET_KEY"
  fi
  if [ "$data" ] || [ "$method" = "DELETE" ]; then
    export _H3="Content-Type: application/json"
    _debug data "$data"
-    response="$(_post "$data" "$request_url" "" "$method")"
+    response="$(_post "$data" "$url" "" "$method")"
  else
-    response="$(_get "$request_url" "" "" "$method")"
+    response="$(_get "$url" "" "" "$method")"
  fi
-  if [ "$?" != "0" ]; then
+  # shellcheck disable=SC2181
-    _err "error $request_url"
+  if [ "$?" -ne 0 ]; then
    _err "error $url"
    return 1
  fi
  _debug2 response "$response"
  echo "$response"
  return 0
 }
--- a/dnsapi/dns_gandi_livedns.sh
+++ b/dnsapi/dns_gandi_livedns.sh
@@ -23,6 +23,8 @@ dns_gandi_livedns_add() {
  fulldomain=$1
  txtvalue=$2
  GANDI_LIVEDNS_KEY="${GANDI_LIVEDNS_KEY:-$(_readaccountconf_mutable GANDI_LIVEDNS_KEY)}"
  GANDI_LIVEDNS_TOKEN="${GANDI_LIVEDNS_TOKEN:-$(_readaccountconf_mutable GANDI_LIVEDNS_TOKEN)}"
  if [ -z "$GANDI_LIVEDNS_KEY" ] && [ -z "$GANDI_LIVEDNS_TOKEN" ]; then
    _err "No Token or API key (deprecated) specified for Gandi LiveDNS."
    _err "Create your token or key and export it as GANDI_LIVEDNS_KEY or GANDI_LIVEDNS_TOKEN respectively"
@@ -31,11 +33,11 @@ dns_gandi_livedns_add() {
  # Keep only one secret in configuration
  if [ -n "$GANDI_LIVEDNS_TOKEN" ]; then
-    _saveaccountconf GANDI_LIVEDNS_TOKEN "$GANDI_LIVEDNS_TOKEN"
+    _saveaccountconf_mutable GANDI_LIVEDNS_TOKEN "$GANDI_LIVEDNS_TOKEN"
-    _clearaccountconf GANDI_LIVEDNS_KEY
+    _clearaccountconf_mutable GANDI_LIVEDNS_KEY
  elif [ -n "$GANDI_LIVEDNS_KEY" ]; then
-    _saveaccountconf GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY"
+    _saveaccountconf_mutable GANDI_LIVEDNS_KEY "$GANDI_LIVEDNS_KEY"
-    _clearaccountconf GANDI_LIVEDNS_TOKEN
+    _clearaccountconf_mutable GANDI_LIVEDNS_TOKEN
  fi
  _debug "First detect the root zone"
--- a/dnsapi/dns_hostup.sh
+++ b/dnsapi/dns_hostup.sh
@@ -0,0 +1,501 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC2034,SC2154
 dns_hostup_info='HostUp DNS
 Site: hostup.se
 Docs: https://developer.hostup.se/
 Options:
 HOSTUP_API_KEY     Required. HostUp API key with read:dns + write:dns + read:domains scopes.
 HOSTUP_API_BASE    Optional. Override API base URL (default: https://cloud.hostup.se/api).
 HOSTUP_TTL         Optional. TTL for TXT records (default: 60 seconds).
 HOSTUP_ZONE_ID     Optional. Force a specific zone ID (skip auto-detection).
 Author: HostUp (https://cloud.hostup.se/contact/en)
 '
 HOSTUP_API_BASE_DEFAULT="https://cloud.hostup.se/api"
 HOSTUP_DEFAULT_TTL=60
 # Public: add TXT record
 # Usage: dns_hostup_add _acme-challenge.example.com "txt-value"
 dns_hostup_add() {
  fulldomain="$1"
  txtvalue="$2"
  _info "Using HostUp DNS API"
  if ! _hostup_init; then
    return 1
  fi
  if ! _hostup_detect_zone "$fulldomain"; then
    _err "Unable to determine HostUp zone for $fulldomain"
    return 1
  fi
  record_name="$(_hostup_record_name "$fulldomain" "$HOSTUP_ZONE_DOMAIN")"
  record_name="$(_hostup_sanitize_name "$record_name")"
  record_value="$(_hostup_json_escape "$txtvalue")"
  ttl="${HOSTUP_TTL:-$HOSTUP_DEFAULT_TTL}"
  _debug "zone_id" "$HOSTUP_ZONE_ID"
  _debug "zone_domain" "$HOSTUP_ZONE_DOMAIN"
  _debug "record_name" "$record_name"
  _debug "ttl" "$ttl"
  request_body="{\"name\":\"$record_name\",\"type\":\"TXT\",\"value\":\"$record_value\",\"ttl\":$ttl}"
  if ! _hostup_rest "POST" "/dns/zones/$HOSTUP_ZONE_ID/records" "$request_body"; then
    return 1
  fi
  if ! _contains "$_hostup_response" '"success":true'; then
    _err "HostUp DNS API: failed to create TXT record for $fulldomain"
    _debug2 "_hostup_response" "$_hostup_response"
    return 1
  fi
  record_id="$(_hostup_extract_record_id "$_hostup_response")"
  if [ -n "$record_id" ]; then
    _hostup_save_record_id "$HOSTUP_ZONE_ID" "$fulldomain" "$record_id"
    _debug "hostup_saved_record_id" "$record_id"
  fi
  _info "Added TXT record for $fulldomain"
  return 0
 }
 # Public: remove TXT record
 # Usage: dns_hostup_rm _acme-challenge.example.com "txt-value"
 dns_hostup_rm() {
  fulldomain="$1"
  txtvalue="$2"
  _info "Using HostUp DNS API"
  if ! _hostup_init; then
    return 1
  fi
  if ! _hostup_detect_zone "$fulldomain"; then
    _err "Unable to determine HostUp zone for $fulldomain"
    return 1
  fi
  record_name_fqdn="$(_hostup_fqdn "$fulldomain")"
  record_value="$txtvalue"
  record_id_cached="$(_hostup_get_saved_record_id "$HOSTUP_ZONE_ID" "$fulldomain")"
  if [ -n "$record_id_cached" ]; then
    _debug "hostup_record_id_cached" "$record_id_cached"
    if _hostup_delete_record_by_id "$HOSTUP_ZONE_ID" "$record_id_cached"; then
      _info "Deleted TXT record $record_id_cached"
      _hostup_clear_record_id "$HOSTUP_ZONE_ID" "$fulldomain"
      HOSTUP_ZONE_ID=""
      return 0
    fi
  fi
  if ! _hostup_find_record "$HOSTUP_ZONE_ID" "$record_name_fqdn" "$record_value"; then
    _info "TXT record not found for $record_name_fqdn. Skipping removal."
    _hostup_clear_record_id "$HOSTUP_ZONE_ID" "$fulldomain"
    return 0
  fi
  _debug "Deleting record" "$HOSTUP_RECORD_ID"
  if ! _hostup_delete_record_by_id "$HOSTUP_ZONE_ID" "$HOSTUP_RECORD_ID"; then
    return 1
  fi
  _info "Deleted TXT record $HOSTUP_RECORD_ID"
  _hostup_clear_record_id "$HOSTUP_ZONE_ID" "$fulldomain"
  HOSTUP_ZONE_ID=""
  return 0
 }
 ##########################
 # Private helper methods #
 ##########################
 _hostup_init() {
  HOSTUP_API_KEY="${HOSTUP_API_KEY:-$(_readaccountconf_mutable HOSTUP_API_KEY)}"
  HOSTUP_API_BASE="${HOSTUP_API_BASE:-$(_readaccountconf_mutable HOSTUP_API_BASE)}"
  HOSTUP_TTL="${HOSTUP_TTL:-$(_readaccountconf_mutable HOSTUP_TTL)}"
  HOSTUP_ZONE_ID="${HOSTUP_ZONE_ID:-$(_readaccountconf_mutable HOSTUP_ZONE_ID)}"
  if [ -z "$HOSTUP_API_BASE" ]; then
    HOSTUP_API_BASE="$HOSTUP_API_BASE_DEFAULT"
  fi
  if [ -z "$HOSTUP_API_KEY" ]; then
    HOSTUP_API_KEY=""
    _err "HOSTUP_API_KEY is not set."
    _err "Please export your HostUp API key with read:dns and write:dns scopes."
    return 1
  fi
  _saveaccountconf_mutable HOSTUP_API_KEY "$HOSTUP_API_KEY"
  _saveaccountconf_mutable HOSTUP_API_BASE "$HOSTUP_API_BASE"
  if [ -n "$HOSTUP_TTL" ]; then
    _saveaccountconf_mutable HOSTUP_TTL "$HOSTUP_TTL"
  fi
  if [ -n "$HOSTUP_ZONE_ID" ]; then
    _saveaccountconf_mutable HOSTUP_ZONE_ID "$HOSTUP_ZONE_ID"
  fi
  return 0
 }
 _hostup_detect_zone() {
  fulldomain="$1"
  if [ -n "$HOSTUP_ZONE_ID" ] && [ -n "$HOSTUP_ZONE_DOMAIN" ]; then
    return 0
  fi
  HOSTUP_ZONE_DOMAIN=""
  _debug "hostup_full_domain" "$fulldomain"
  if [ -n "$HOSTUP_ZONE_ID" ] && [ -z "$HOSTUP_ZONE_DOMAIN" ]; then
    # Attempt to fetch domain name for provided zone ID
    if _hostup_fetch_zone_details "$HOSTUP_ZONE_ID"; then
      return 0
    fi
    HOSTUP_ZONE_ID=""
  fi
  if ! _hostup_load_zones; then
    return 1
  fi
  _domain_candidate="$(printf "%s" "$fulldomain" | _lower_case)"
  _debug "hostup_initial_candidate" "$_domain_candidate"
  while [ -n "$_domain_candidate" ]; do
    _debug "hostup_zone_candidate" "$_domain_candidate"
    if _hostup_lookup_zone "$_domain_candidate"; then
      HOSTUP_ZONE_DOMAIN="$_lookup_zone_domain"
      HOSTUP_ZONE_ID="$_lookup_zone_id"
      return 0
    fi
    case "$_domain_candidate" in
    *.*) ;;
    *) break ;;
    esac
    _domain_candidate="${_domain_candidate#*.}"
  done
  HOSTUP_ZONE_ID=""
  return 1
 }
 _hostup_record_name() {
  fulldomain="$1"
  zonedomain="$2"
  # Remove trailing dot, if any
  fulldomain="${fulldomain%.}"
  zonedomain="${zonedomain%.}"
  if [ "$fulldomain" = "$zonedomain" ]; then
    printf "%s" "@"
    return 0
  fi
  suffix=".$zonedomain"
  case "$fulldomain" in
  *"$suffix")
    printf "%s" "${fulldomain%"$suffix"}"
    ;;
  *)
    # Domain not within zone, fall back to full host
    printf "%s" "$fulldomain"
    ;;
  esac
 }
 _hostup_sanitize_name() {
  name="$1"
  if [ -z "$name" ] || [ "$name" = "." ]; then
    printf "%s" "@"
    return 0
  fi
  # Remove any trailing dot
  name="${name%.}"
  printf "%s" "$name"
 }
 _hostup_fqdn() {
  domain="$1"
  printf "%s" "${domain%.}"
 }
 _hostup_fetch_zone_details() {
  zone_id="$1"
  if ! _hostup_rest "GET" "/dns/zones/$zone_id/records" ""; then
    return 1
  fi
  zonedomain="$(printf "%s" "$_hostup_response" | _egrep_o '"domain":"[^"]*"' | sed -n '1p' | cut -d ':' -f 2 | tr -d '"')"
  if [ -n "$zonedomain" ]; then
    HOSTUP_ZONE_DOMAIN="$zonedomain"
    return 0
  fi
  return 1
 }
 _hostup_load_zones() {
  if ! _hostup_rest "GET" "/dns/zones" ""; then
    return 1
  fi
  HOSTUP_ZONES_CACHE=""
  data="$(printf "%s" "$_hostup_response" | tr '{' '\n')"
  while IFS= read -r line; do
    case "$line" in
    *'"domain_id"'*'"domain"'*)
      zone_id="$(printf "%s" "$line" | _hostup_json_extract "domain_id")"
      zone_domain="$(printf "%s" "$line" | _hostup_json_extract "domain")"
      if [ -n "$zone_id" ] && [ -n "$zone_domain" ]; then
        HOSTUP_ZONES_CACHE="${HOSTUP_ZONES_CACHE}${zone_domain}|${zone_id}
 "
        _debug "hostup_zone_loaded" "$zone_domain|$zone_id"
      fi
      ;;
    esac
  done <<EOF
 $data
 EOF
  if [ -z "$HOSTUP_ZONES_CACHE" ]; then
    _err "HostUp DNS API: no zones returned for the current API key."
    return 1
  fi
  return 0
 }
 _hostup_lookup_zone() {
  lookup_domain="$1"
  _lookup_zone_id=""
  _lookup_zone_domain=""
  while IFS='|' read -r domain zone_id; do
    [ -z "$domain" ] && continue
    if [ "$domain" = "$lookup_domain" ]; then
      _lookup_zone_domain="$domain"
      _lookup_zone_id="$zone_id"
      HOSTUP_ZONE_DOMAIN="$domain"
      HOSTUP_ZONE_ID="$zone_id"
      return 0
    fi
  done <<EOF
 $HOSTUP_ZONES_CACHE
 EOF
  return 1
 }
 _hostup_find_record() {
  zone_id="$1"
  fqdn="$2"
  txtvalue="$3"
  if ! _hostup_rest "GET" "/dns/zones/$zone_id/records" ""; then
    return 1
  fi
  HOSTUP_RECORD_ID=""
  records="$(printf "%s" "$_hostup_response" | tr '{' '\n')"
  while IFS= read -r line; do
    # Normalize line to make TXT value matching reliable
    line_clean="$(printf "%s" "$line" | tr -d '\r\n')"
    line_value_clean="$(printf "%s" "$line_clean" | sed 's/\\"//g')"
    case "$line_clean" in
    *'"type":"TXT"'*'"name"'*'"value"'*)
      name_value="$(_hostup_json_extract "name" "$line_clean")"
      record_value="$(_hostup_json_extract "value" "$line_value_clean")"
      _debug "hostup_record_raw" "$record_value"
      if [ "${record_value#\"}" != "$record_value" ] && [ "${record_value%\"}" != "$record_value" ]; then
        record_value="${record_value#\"}"
        record_value="${record_value%\"}"
      fi
      if [ "${record_value#\'}" != "$record_value" ] && [ "${record_value%\'}" != "$record_value" ]; then
        record_value="${record_value#\'}"
        record_value="${record_value%\'}"
      fi
      record_value="$(printf "%s" "$record_value" | tr -d '\r\n')"
      _debug "hostup_record_value" "$record_value"
      if [ "$name_value" = "$fqdn" ] && [ "$record_value" = "$txtvalue" ]; then
        record_id="$(_hostup_json_extract "id" "$line_clean")"
        if [ -n "$record_id" ]; then
          HOSTUP_RECORD_ID="$record_id"
          return 0
        fi
      fi
      ;;
    esac
  done <<EOF
 $records
 EOF
  return 1
 }
 _hostup_json_extract() {
  key="$1"
  input="${2:-$line}"
  # First try to extract quoted values (strings)
  quoted_match="$(printf "%s" "$input" | _egrep_o "\"$key\":\"[^\"]*\"" | _head_n 1)"
  if [ -n "$quoted_match" ]; then
    printf "%s" "$quoted_match" |
      cut -d : -f2- |
      sed 's/^"//' |
      sed 's/"$//' |
      sed 's/\\"/"/g'
    return 0
  fi
  # Fallback for unquoted values (e.g., numeric IDs)
  unquoted_match="$(printf "%s" "$input" | _egrep_o "\"$key\":[^,}]*" | _head_n 1)"
  if [ -n "$unquoted_match" ]; then
    printf "%s" "$unquoted_match" |
      cut -d : -f2- |
      tr -d '", ' |
      tr -d '\r\n'
    return 0
  fi
  return 1
 }
 _hostup_json_escape() {
  printf "%s" "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
 }
 _hostup_record_key() {
  zone_id="$1"
  domain="$2"
  safe_zone="$(printf "%s" "$zone_id" | sed 's/[^A-Za-z0-9]/_/g')"
  safe_domain="$(printf "%s" "$domain" | _lower_case | sed 's/[^a-z0-9]/_/g')"
  printf "%s_%s" "$safe_zone" "$safe_domain"
 }
 _hostup_save_record_id() {
  zone_id="$1"
  domain="$2"
  record_id="$3"
  key="$(_hostup_record_key "$zone_id" "$domain")"
  _saveaccountconf_mutable "HOSTUP_RECORD_$key" "$record_id"
 }
 _hostup_get_saved_record_id() {
  zone_id="$1"
  domain="$2"
  key="$(_hostup_record_key "$zone_id" "$domain")"
  _readaccountconf_mutable "HOSTUP_RECORD_$key"
 }
 _hostup_clear_record_id() {
  zone_id="$1"
  domain="$2"
  key="$(_hostup_record_key "$zone_id" "$domain")"
  _clearaccountconf_mutable "HOSTUP_RECORD_$key"
 }
 _hostup_extract_record_id() {
  record_id="$(_hostup_json_extract "id" "$1")"
  if [ -n "$record_id" ]; then
    printf "%s" "$record_id"
    return 0
  fi
  printf "%s" "$1" | _egrep_o '"id":[0-9]+' | _head_n 1 | cut -d: -f2
 }
 _hostup_delete_record_by_id() {
  zone_id="$1"
  record_id="$2"
  if ! _hostup_rest "DELETE" "/dns/zones/$zone_id/records/$record_id" ""; then
    return 1
  fi
  if ! _contains "$_hostup_response" '"success":true'; then
    return 1
  fi
  return 0
 }
 _hostup_rest() {
  method="$1"
  route="$2"
  data="$3"
  _hostup_response=""
  export _H1="Authorization: Bearer $HOSTUP_API_KEY"
  export _H2="Content-Type: application/json"
  export _H3="Accept: application/json"
  if [ "$method" = "GET" ]; then
    _hostup_response="$(_get "$HOSTUP_API_BASE$route")"
  else
    _hostup_response="$(_post "$data" "$HOSTUP_API_BASE$route" "" "$method" "application/json")"
  fi
  ret="$?"
  unset _H1
  unset _H2
  unset _H3
  if [ "$ret" != "0" ]; then
    _err "HTTP request failed for $route"
    return 1
  fi
  http_status="$(grep "^HTTP" "$HTTP_HEADER" | _tail_n 1 | cut -d " " -f 2 | tr -d "\r\n")"
  _debug2 "HTTP status" "$http_status"
  _debug2 "_hostup_response" "$_hostup_response"
  case "$http_status" in
  200 | 201 | 204) return 0 ;;
  401)
    _err "HostUp API returned 401 Unauthorized. Check HOSTUP_API_KEY scopes and IP restrictions."
    return 1
    ;;
  403)
    _err "HostUp API returned 403 Forbidden. The API key lacks required DNS scopes."
    return 1
    ;;
  404)
    _err "HostUp API returned 404 Not Found for $route"
    return 1
    ;;
  429)
    _err "HostUp API rate limit exceeded. Please retry later."
    return 1
    ;;
  *)
    _err "HostUp API request failed with status $http_status"
    return 1
    ;;
  esac
 }
--- a/dnsapi/dns_infoblox_uddi.sh
+++ b/dnsapi/dns_infoblox_uddi.sh
@@ -0,0 +1,244 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC2034
 dns_infoblox_uddi_info='Infoblox UDDI
 Site: Infoblox.com
 Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_infoblox_uddi
 Options:
 Infoblox_UDDI_Key API Key for Infoblox UDDI
 Infoblox_Portal URL, e.g. "csp.infoblox.com" or "csp.eu.infoblox.com"
 Issues: github.com/acmesh-official/acme.sh/issues
 Author: Stefan Riegel
 '
 Infoblox_UDDI_Api="https://"
 ########  Public functions #####################
 #Usage: dns_infoblox_uddi_add _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_infoblox_uddi_add() {
  fulldomain=$1
  txtvalue=$2
  Infoblox_UDDI_Key="${Infoblox_UDDI_Key:-$(_readaccountconf_mutable Infoblox_UDDI_Key)}"
  Infoblox_Portal="${Infoblox_Portal:-$(_readaccountconf_mutable Infoblox_Portal)}"
  _info "Using Infoblox UDDI API"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"
  if [ -z "$Infoblox_UDDI_Key" ] || [ -z "$Infoblox_Portal" ]; then
    Infoblox_UDDI_Key=""
    Infoblox_Portal=""
    _err "You didn't specify the Infoblox UDDI key or server (Infoblox_UDDI_Key; Infoblox_Portal)."
    _err "Please set them via EXPORT Infoblox_UDDI_Key=your_key, EXPORT Infoblox_Portal=csp.infoblox.com and try again."
    return 1
  fi
  _saveaccountconf_mutable Infoblox_UDDI_Key "$Infoblox_UDDI_Key"
  _saveaccountconf_mutable Infoblox_Portal "$Infoblox_Portal"
  export _H1="Authorization: Token $Infoblox_UDDI_Key"
  export _H2="Content-Type: application/json"
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _domain_id "$_domain_id"
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  _debug "Getting existing txt records"
  _infoblox_rest GET "dns/record?_filter=type%20eq%20'TXT'%20and%20name_in_zone%20eq%20'$_sub_domain'%20and%20zone%20eq%20'$_domain_id'"
  _info "Adding record"
  body="{\"type\":\"TXT\",\"name_in_zone\":\"$_sub_domain\",\"zone\":\"$_domain_id\",\"ttl\":120,\"inheritance_sources\":{\"ttl\":{\"action\":\"override\"}},\"rdata\":{\"text\":\"$txtvalue\"}}"
  if _infoblox_rest POST "dns/record" "$body"; then
    if _contains "$response" "$txtvalue"; then
      _info "Added, OK"
      return 0
    elif _contains "$response" '"error"'; then
      # Check if record already exists
      if _contains "$response" "already exists" || _contains "$response" "duplicate"; then
        _info "Already exists, OK"
        return 0
      else
        _err "Add txt record error."
        _err "Response: $response"
        return 1
      fi
    else
      _info "Added, OK"
      return 0
    fi
  fi
  _err "Add txt record error."
  return 1
 }
 #Usage: dns_infoblox_uddi_rm _acme-challenge.www.domain.com "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_infoblox_uddi_rm() {
  fulldomain=$1
  txtvalue=$2
  Infoblox_UDDI_Key="${Infoblox_UDDI_Key:-$(_readaccountconf_mutable Infoblox_UDDI_Key)}"
  Infoblox_Portal="${Infoblox_Portal:-$(_readaccountconf_mutable Infoblox_Portal)}"
  if [ -z "$Infoblox_UDDI_Key" ] || [ -z "$Infoblox_Portal" ]; then
    _err "Credentials not found"
    return 1
  fi
  _info "Using Infoblox UDDI API"
  _debug fulldomain "$fulldomain"
  _debug txtvalue "$txtvalue"
  export _H1="Authorization: Token $Infoblox_UDDI_Key"
  export _H2="Content-Type: application/json"
  _debug "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err "invalid domain"
    return 1
  fi
  _debug _domain_id "$_domain_id"
  _debug _sub_domain "$_sub_domain"
  _debug _domain "$_domain"
  _debug "Getting txt records to delete"
  # Filter by txtvalue to support wildcard certs (multiple TXT records)
  filter="type%20eq%20'TXT'%20and%20name_in_zone%20eq%20'$_sub_domain'%20and%20zone%20eq%20'$_domain_id'%20and%20rdata.text%20eq%20'$txtvalue'"
  _infoblox_rest GET "dns/record?_filter=$filter"
  if ! _contains "$response" '"results"'; then
    _info "Don't need to remove, record not found."
    return 0
  fi
  record_id=$(echo "$response" | _egrep_o '"id":[[:space:]]*"[^"]*"' | _head_n 1 | cut -d '"' -f 4)
  _debug "record_id" "$record_id"
  if [ -z "$record_id" ]; then
    _info "Don't need to remove, record not found."
    return 0
  fi
  # Extract UUID from the full record ID (format: dns/record/uuid)
  record_uuid=$(echo "$record_id" | sed 's|.*/||')
  _debug "record_uuid" "$record_uuid"
  if ! _infoblox_rest DELETE "dns/record/$record_uuid"; then
    _err "Delete record error."
    return 1
  fi
  _info "Removed record successfully"
  return 0
 }
 ####################  Private functions below ##################################
 #_acme-challenge.www.domain.com
 #returns
 # _sub_domain=_acme-challenge.www
 # _domain=domain.com
 # _domain_id=dns/auth_zone/xxxx-xxxx
 _get_root() {
  domain=$1
  i=1
  p=1
  # Remove _acme-challenge prefix if present
  domain_no_acme=$(echo "$domain" | sed 's/^_acme-challenge\.//')
  while true; do
    h=$(printf "%s" "$domain_no_acme" | cut -d . -f "$i"-100)
    _debug h "$h"
    if [ -z "$h" ]; then
      # not valid
      return 1
    fi
    # Query for the zone with both trailing dot and without
    filter="fqdn%20eq%20'$h.'%20or%20fqdn%20eq%20'$h'"
    if ! _infoblox_rest GET "dns/auth_zone?_filter=$filter"; then
      # API error - don't continue if we get auth errors
      if _contains "$response" "401" || _contains "$response" "Authorization"; then
        _err "Authentication failed. Please check your Infoblox_UDDI_Key."
        return 1
      fi
      # For other errors, continue to parent domain
      p=$i
      i=$((i + 1))
      continue
    fi
    # Check if response contains results (even if empty)
    if _contains "$response" '"results"'; then
      # Extract zone ID - must match the pattern dns/auth_zone/...
      zone_id=$(echo "$response" | _egrep_o '"id":[[:space:]]*"dns/auth_zone/[^"]*"' | _head_n 1 | cut -d '"' -f 4)
      if [ -n "$zone_id" ]; then
        # Found the zone
        _domain="$h"
        _domain_id="$zone_id"
        # Calculate subdomain
        if [ "$_domain" = "$domain" ]; then
          _sub_domain=""
        else
          _cutlength=$((${#domain} - ${#_domain} - 1))
          _sub_domain=$(printf "%s" "$domain" | cut -c "1-$_cutlength")
        fi
        return 0
      fi
    fi
    p=$i
    i=$((i + 1))
  done
  return 1
 }
 # _infoblox_rest GET "dns/record?_filter=..."
 # _infoblox_rest POST "dns/record" "{json body}"
 # _infoblox_rest DELETE "dns/record/uuid"
 _infoblox_rest() {
  method=$1
  ep="$2"
  data="$3"
  _debug "$ep"
  # Ensure credentials are available (when called from _get_root)
  Infoblox_UDDI_Key="${Infoblox_UDDI_Key:-$(_readaccountconf_mutable Infoblox_UDDI_Key)}"
  Infoblox_Portal="${Infoblox_Portal:-$(_readaccountconf_mutable Infoblox_Portal)}"
  Infoblox_UDDI_Api="https://$Infoblox_Portal/api/ddi/v1"
  export _H1="Authorization: Token $Infoblox_UDDI_Key"
  export _H2="Content-Type: application/json"
  # Debug (masked)
  _tok_len=$(printf "%s" "$Infoblox_UDDI_Key" | wc -c | tr -d ' \n')
  _debug2 "Auth header set" "Token len=${_tok_len} on $Infoblox_Portal"
  if [ "$method" != "GET" ]; then
    _debug data "$data"
    response="$(_post "$data" "$Infoblox_UDDI_Api/$ep" "" "$method")"
  else
    response="$(_get "$Infoblox_UDDI_Api/$ep")"
  fi
  _ret="$?"
  _debug2 response "$response"
  if [ "$_ret" != "0" ]; then
    _err "Error: $ep"
    return 1
  fi
  return 0
 }
--- a/dnsapi/dns_inwx.sh
+++ b/dnsapi/dns_inwx.sh
@@ -6,6 +6,7 @@ Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi#dns_inwx
 Options:
 INWX_User Username
 INWX_Password Password
 INWX_Shared_Secret 2 Factor Authentication Shared Secret (optional requires oathtool)
 '
 # Dependencies:
@@ -110,11 +111,17 @@ dns_inwx_rm() {
        <string>%s</string>
       </value>
      </member>
      <member>
       <name>content</name>
       <value>
        <string>%s</string>
       </value>
      </member>
     </struct>
    </value>
   </param>
  </params>
-  </methodCall>' "$_domain" "$_sub_domain")
+  </methodCall>' "$_domain" "$_sub_domain" "$txtvalue")
  response="$(_post "$xml_content" "$INWX_Api" "" "POST")"
  if ! _contains "$response" "Command completed successfully"; then
@@ -125,7 +132,7 @@ dns_inwx_rm() {
  if ! printf "%s" "$response" | grep "count" >/dev/null; then
    _info "Do not need to delete record"
  else
-    _record_id=$(printf '%s' "$response" | _egrep_o '.*(<member><name>record){1}(.*)([0-9]+){1}' | _egrep_o '<name>id<\/name><value><int>[0-9]+' | _egrep_o '[0-9]+')
+    _record_id=$(printf '%s' "$response" | _egrep_o '.*(<member><name>record){1}(.*)([0-9]+){1}' | _egrep_o '<name>id<\/name><value><string>[0-9]+' | _egrep_o '[0-9]+')
    _info "Deleting record"
    _inwx_delete_record "$_record_id"
  fi
@@ -324,7 +331,7 @@ _inwx_delete_record() {
      <member>
       <name>id</name>
       <value>
-        <int>%s</int>
+        <string>%s</string>
       </value>
      </member>
     </struct>
@@ -362,7 +369,7 @@ _inwx_update_record() {
      <member>
       <name>id</name>
       <value>
-        <int>%s</int>
+        <string>%s</string>
       </value>
      </member>
     </struct>
--- a/dnsapi/dns_mgwm.sh
+++ b/dnsapi/dns_mgwm.sh
@@ -0,0 +1,109 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC2034
 dns_mgwm_info='mgw-media.de
 Site: mgw-media.de
 Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_mgwm
 Options:
 MGWM_CUSTOMER Your customer number
 MGWM_API_HASH Your API Hash
 Issues: github.com/acmesh-official/acme.sh/issues/6669
 '
 # Base URL for the mgw-media.de API
 MGWM_API_BASE="https://api.mgw-media.de/record"
 ########  Public functions #####################
 # This function is called by acme.sh to add a TXT record.
 dns_mgwm_add() {
  fulldomain=$1
  txtvalue=$2
  _info "Using mgw-media.de DNS API for domain $fulldomain (add record)"
  _debug "fulldomain: $fulldomain"
  _debug "txtvalue: $txtvalue"
  # Call the new private function to handle the API request.
  # The 'add' action, fulldomain, type 'txt' and txtvalue are passed.
  if _mgwm_request "add" "$fulldomain" "txt" "$txtvalue"; then
    _info "TXT record for $fulldomain successfully added via mgw-media.de API."
    _sleep 10 # Wait briefly for DNS propagation, a common practice in DNS-01 hooks.
    return 0
  else
    # Error message already logged by _mgwm_request, but a specific one here helps.
    _err "mgwm_add: Failed to add TXT record for $fulldomain."
    return 1
  fi
 }
 # This function is called by acme.sh to remove a TXT record after validation.
 dns_mgwm_rm() {
  fulldomain=$1
  txtvalue=$2 # This txtvalue is now used to identify the specific record to be removed.
  _info "Removing TXT record for $fulldomain using mgw-media.de DNS API (remove record)"
  _debug "fulldomain: $fulldomain"
  _debug "txtvalue: $txtvalue"
  # Call the new private function to handle the API request.
  # The 'rm' action, fulldomain, type 'txt' and txtvalue are passed.
  if _mgwm_request "rm" "$fulldomain" "txt" "$txtvalue"; then
    _info "TXT record for $fulldomain successfully removed via mgw-media.de API."
    return 0
  else
    # Error message already logged by _mgwm_request, but a specific one here helps.
    _err "mgwm_rm: Failed to remove TXT record for $fulldomain."
    return 1
  fi
 }
 ####################  Private functions below ##################################
 # _mgwm_request() encapsulates the API call logic, including
 # loading credentials, setting the Authorization header, and executing the request.
 # Arguments:
 #   $1: action (e.g., "add", "rm")
 #   $2: fulldomain
 #   $3: type (e.g., "txt")
 #   $4: content (the txtvalue)
 _mgwm_request() {
  _action="$1"
  _fulldomain="$2"
  _type="$3"
  _content="$4"
  _debug "Calling _mgwm_request for action: $_action, domain: $_fulldomain, type: $_type, content: $_content"
  # Load credentials from environment or acme.sh config
  MGWM_CUSTOMER="${MGWM_CUSTOMER:-$(_readaccountconf_mutable MGWM_CUSTOMER)}"
  MGWM_API_HASH="${MGWM_API_HASH:-$(_readaccountconf_mutable MGWM_API_HASH)}"
  # Check if credentials are set
  if [ -z "$MGWM_CUSTOMER" ] || [ -z "$MGWM_API_HASH" ]; then
    _err "You didn't specify one or more of MGWM_CUSTOMER or MGWM_API_HASH."
    _err "Please check these environment variables and try again."
    return 1
  fi
  # Save credentials for automatic renewal and future calls
  _saveaccountconf_mutable MGWM_CUSTOMER "$MGWM_CUSTOMER"
  _saveaccountconf_mutable MGWM_API_HASH "$MGWM_API_HASH"
  # Create the Basic Auth Header. acme.sh's _base64 function is used for encoding.
  _credentials="$(printf "%s:%s" "$MGWM_CUSTOMER" "$MGWM_API_HASH" | _base64)"
  export _H1="Authorization: Basic $_credentials"
  _debug "Set Authorization Header: Basic <credentials_encoded>" # Log debug message without sensitive credentials
  # Construct the API URL based on the action and provided parameters.
  _request_url="${MGWM_API_BASE}/${_action}/${_fulldomain}/${_type}/${_content}"
  _debug "Constructed mgw-media.de API URL for action '$_action': ${_request_url}"
  # Execute the HTTP GET request with the Authorization Header.
  # The 5th parameter of _get is where acme.sh expects custom HTTP headers like Authorization.
  response="$(_get "$_request_url")"
  _debug "mgw-media.de API response for action '$_action': $response"
  # Check the API response for success. The API returns "OK" on success.
  if [ "$response" = "OK" ]; then
    _info "mgw-media.de API action '$_action' for record '$_fulldomain' successful."
    return 0
  else
    _err "Failed mgw-media.de API action '$_action' for record '$_fulldomain'. Unexpected API Response: '$response'"
    return 1
  fi
 }
--- a/dnsapi/dns_omglol.sh
+++ b/dnsapi/dns_omglol.sh
@@ -4,8 +4,8 @@ dns_omglol_info='omg.lol
 Site: omg.lol
 Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_omglol
 Options:
- OMG_ApiKey API Key. This is accessible from the bottom of the account page at https://home.omg.lol/account
+ OMG_ApiKey - API Key. This is accessible from the bottom of the account page at https://home.omg.lol/account
- OMG_Address Address. This is your omg.lol address, without the preceding @ - you can see your list on your dashboard at https://home.omg.lol/dashboard
+ OMG_Address - Address. This is your omg.lol address, without the preceding @ - you can see your list on your dashboard at https://home.omg.lol/dashboard
 Issues: github.com/acmesh-official/acme.sh/issues/5299
 Author: @Kholin <kholin+acme.omglolapi@omg.lol>
 '
@@ -35,7 +35,7 @@ dns_omglol_add() {
  _debug "omg.lol Address" "$OMG_Address"
  omg_validate "$OMG_ApiKey" "$OMG_Address" "$fulldomain"
-  if [ ! $? ]; then
+  if [ 1 = $? ]; then
    return 1
  fi
@@ -67,7 +67,7 @@ dns_omglol_rm() {
  _debug "omg.lol Address" "$OMG_Address"
  omg_validate "$OMG_ApiKey" "$OMG_Address" "$fulldomain"
-  if [ ! $? ]; then
+  if [ 1 = $? ]; then
    return 1
  fi
@@ -100,18 +100,49 @@ omg_validate() {
  fi
  _endswith "$fulldomain" "omg.lol"
-  if [ ! $? ]; then
+  if [ 1 = $? ]; then
    _err "Domain name requested is not under omg.lol"
    return 1
  fi
  _endswith "$fulldomain" "$omg_address.omg.lol"
-  if [ ! $? ]; then
+  if [ 1 = $? ]; then
    _err "Domain name is not a subdomain of provided omg.lol address $omg_address"
    return 1
  fi
-  _debug "Required environment parameters are all present"
+  omg_testconnect "$omg_apikey" "$omg_address"
  if [ 1 = $? ]; then
    _err "Authentication to omg.lol for address $omg_address using provided API key failed"
    return 1
  fi
  _debug "Required environment parameters are all present and validated"
 }
 # Validate that the address and API key are both correct and associated to each other
 omg_testconnect() {
  omg_apikey=$1
  omg_address=$2
  _debug2 "Function" "omg_testconnect"
  _secure_debug2 "omg.lol API key" "$omg_apikey"
  _debug2 "omg.lol Address" "$omg_address"
  authheader="$(_createAuthHeader "$omg_apikey")"
  export _H1="$authheader"
  endpoint="https://api.omg.lol/address/$omg_address/info"
  _debug2 "Endpoint for validation" "$endpoint"
  response=$(_get "$endpoint" "" 30)
  _jsonResponseCheck "$response" "status_code" 200
  if [ 1 = $? ]; then
    _debug2 "Failed to query omg.lol for $omg_address with provided API key"
    _secure_debug2 "API Key" "omg_apikey"
    _secure_debug3 "Raw response" "$response"
    return 1
  fi
 }
 # Add (or modify) an entry for a new ACME query
--- a/dnsapi/dns_sotoon.sh
+++ b/dnsapi/dns_sotoon.sh
@@ -0,0 +1,319 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC2034
 dns_sotoon_info='Sotoon.ir
 Site: Sotoon.ir
 Docs: github.com/acmesh-official/acme.sh/wiki/dnsapi2#dns_sotoon
 Options:
 Sotoon_Token API Token
 Sotoon_WorkspaceUUID Workspace UUID
 Sotoon_WorkspaceName Workspace Name
 Issues: github.com/acmesh-official/acme.sh/issues/6656
 Author: Erfan Gholizade
 '
 SOTOON_API_URL="https://api.sotoon.ir/delivery/v2/global"
 ########  Public functions #####################
 #Adding the txt record for validation.
 #Usage: dns_sotoon_add   fulldomain   TXT_record
 #Usage: dns_sotoon_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_sotoon_add() {
  fulldomain=$1
  txtvalue=$2
  _info_sotoon "Using Sotoon"
  Sotoon_Token="${Sotoon_Token:-$(_readaccountconf_mutable Sotoon_Token)}"
  Sotoon_WorkspaceUUID="${Sotoon_WorkspaceUUID:-$(_readaccountconf_mutable Sotoon_WorkspaceUUID)}"
  Sotoon_WorkspaceName="${Sotoon_WorkspaceName:-$(_readaccountconf_mutable Sotoon_WorkspaceName)}"
  if [ -z "$Sotoon_Token" ]; then
    _err_sotoon "You didn't specify \"Sotoon_Token\" token yet."
    _err_sotoon "You can get yours from here https://ocean.sotoon.ir/profile/tokens"
    return 1
  fi
  if [ -z "$Sotoon_WorkspaceUUID" ]; then
    _err_sotoon "You didn't specify \"Sotoon_WorkspaceUUID\" Workspace UUID yet."
    _err_sotoon "You can get yours from here https://ocean.sotoon.ir/profile/workspaces"
    return 1
  fi
  if [ -z "$Sotoon_WorkspaceName" ]; then
    _err_sotoon "You didn't specify \"Sotoon_WorkspaceName\" Workspace Name yet."
    _err_sotoon "You can get yours from here https://ocean.sotoon.ir/profile/workspaces"
    return 1
  fi
  #save the info to the account conf file.
  _saveaccountconf_mutable Sotoon_Token "$Sotoon_Token"
  _saveaccountconf_mutable Sotoon_WorkspaceUUID "$Sotoon_WorkspaceUUID"
  _saveaccountconf_mutable Sotoon_WorkspaceName "$Sotoon_WorkspaceName"
  _debug_sotoon "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err_sotoon "invalid domain"
    return 1
  fi
  _info_sotoon "Adding record"
  _debug_sotoon _domain_id "$_domain_id"
  _debug_sotoon _sub_domain "$_sub_domain"
  _debug_sotoon _domain "$_domain"
  # First, GET the current domain zone to check for existing TXT records
  # This is needed for wildcard certs which require multiple TXT values
  _info_sotoon "Checking for existing TXT records"
  if ! _sotoon_rest GET "$_domain_id"; then
    _err_sotoon "Failed to get domain zone"
    return 1
  fi
  # Check if there are existing TXT records for this subdomain
  _existing_txt=""
  if _contains "$response" "\"$_sub_domain\""; then
    _debug_sotoon "Found existing records for $_sub_domain"
    # Extract existing TXT values from the response
    # The format is: "_acme-challenge":[{"TXT":"value1","type":"TXT","ttl":10},{"TXT":"value2",...}]
    _existing_txt=$(echo "$response" | _egrep_o "\"$_sub_domain\":\[[^]]*\]" | sed "s/\"$_sub_domain\"://")
    _debug_sotoon "Existing TXT records: $_existing_txt"
  fi
  # Build the new record entry
  _new_record="{\"TXT\":\"$txtvalue\",\"type\":\"TXT\",\"ttl\":120}"
  # If there are existing records, append to them; otherwise create new array
  if [ -n "$_existing_txt" ] && [ "$_existing_txt" != "[]" ] && [ "$_existing_txt" != "null" ]; then
    # Check if this exact TXT value already exists (avoid duplicates)
    if _contains "$_existing_txt" "\"$txtvalue\""; then
      _info_sotoon "TXT record already exists, skipping"
      return 0
    fi
    # Remove the closing bracket and append new record
    _combined_records="$(echo "$_existing_txt" | sed 's/]$//'),$_new_record]"
    _debug_sotoon "Combined records: $_combined_records"
  else
    # No existing records, create new array
    _combined_records="[$_new_record]"
  fi
  # Prepare the DNS record data in Kubernetes CRD format
  _dns_record="{\"spec\":{\"records\":{\"$_sub_domain\":$_combined_records}}}"
  _debug_sotoon "DNS record payload: $_dns_record"
  # Use PATCH to update/add the record to the domain zone
  _info_sotoon "Updating domain zone $_domain_id with TXT record"
  if _sotoon_rest PATCH "$_domain_id" "$_dns_record"; then
    if _contains "$response" "$txtvalue" || _contains "$response" "\"$_sub_domain\""; then
      _info_sotoon "Added, OK"
      return 0
    else
      _debug_sotoon "Response: $response"
      _err_sotoon "Add txt record error."
      return 1
    fi
  fi
  _err_sotoon "Add txt record error."
  return 1
 }
 #Remove the txt record after validation.
 #Usage: dns_sotoon_rm   fulldomain   TXT_record
 #Usage: dns_sotoon_add   _acme-challenge.www.domain.com   "XKrxpRBosdIKFzxW_CT3KLZNf6q0HG9i01zxXp5CPBs"
 dns_sotoon_rm() {
  fulldomain=$1
  txtvalue=$2
  _info_sotoon "Using Sotoon"
  _debug_sotoon fulldomain "$fulldomain"
  _debug_sotoon txtvalue "$txtvalue"
  Sotoon_Token="${Sotoon_Token:-$(_readaccountconf_mutable Sotoon_Token)}"
  Sotoon_WorkspaceUUID="${Sotoon_WorkspaceUUID:-$(_readaccountconf_mutable Sotoon_WorkspaceUUID)}"
  Sotoon_WorkspaceName="${Sotoon_WorkspaceName:-$(_readaccountconf_mutable Sotoon_WorkspaceName)}"
  _debug_sotoon "First detect the root zone"
  if ! _get_root "$fulldomain"; then
    _err_sotoon "invalid domain"
    return 1
  fi
  _debug_sotoon _domain_id "$_domain_id"
  _debug_sotoon _sub_domain "$_sub_domain"
  _debug_sotoon _domain "$_domain"
  _info_sotoon "Removing TXT record"
  # First, GET the current domain zone to check for existing TXT records
  if ! _sotoon_rest GET "$_domain_id"; then
    _err_sotoon "Failed to get domain zone"
    return 1
  fi
  # Check if there are existing TXT records for this subdomain
  _existing_txt=""
  if _contains "$response" "\"$_sub_domain\""; then
    _debug_sotoon "Found existing records for $_sub_domain"
    _existing_txt=$(echo "$response" | _egrep_o "\"$_sub_domain\":\[[^]]*\]" | sed "s/\"$_sub_domain\"://")
    _debug_sotoon "Existing TXT records: $_existing_txt"
  fi
  # If no existing records, nothing to remove
  if [ -z "$_existing_txt" ] || [ "$_existing_txt" = "[]" ] || [ "$_existing_txt" = "null" ]; then
    _info_sotoon "No TXT records found, nothing to remove"
    return 0
  fi
  # Remove the specific TXT value from the array
  # This handles the case where there are multiple TXT values (wildcard certs)
  _remaining_records=$(echo "$_existing_txt" | sed "s/{\"TXT\":\"$txtvalue\"[^}]*},*//g" | sed 's/,]/]/g' | sed 's/\[,/[/g')
  _debug_sotoon "Remaining records after removal: $_remaining_records"
  # If no records remain, set to null to remove the subdomain entirely
  if [ "$_remaining_records" = "[]" ] || [ -z "$_remaining_records" ]; then
    _dns_record="{\"spec\":{\"records\":{\"$_sub_domain\":null}}}"
  else
    _dns_record="{\"spec\":{\"records\":{\"$_sub_domain\":$_remaining_records}}}"
  fi
  _debug_sotoon "Remove record payload: $_dns_record"
  # Use PATCH to remove the record from the domain zone
  if _sotoon_rest PATCH "$_domain_id" "$_dns_record"; then
    _info_sotoon "Record removed, OK"
    return 0
  else
    _debug_sotoon "Response: $response"
    _err_sotoon "Error removing record"
    return 1
  fi
 }
 ####################  Private functions below ##################################
 _get_root() {
  domain=$1
  i=1
  p=1
  _debug_sotoon "Getting root domain for: $domain"
  _debug_sotoon "Sotoon WorkspaceUUID: $Sotoon_WorkspaceUUID"
  _debug_sotoon "Sotoon WorkspaceName: $Sotoon_WorkspaceName"
  while true; do
    h=$(printf "%s" "$domain" | cut -d . -f "$i"-100)
    _debug_sotoon "Checking domain part: $h"
    if [ -z "$h" ]; then
      #not valid
      _err_sotoon "Could not find valid domain"
      return 1
    fi
    _debug_sotoon "Fetching domain zones from Sotoon API"
    if ! _sotoon_rest GET ""; then
      _err_sotoon "Failed to get domain zones from Sotoon API"
      _err_sotoon "Please check your Sotoon_Token, Sotoon_WorkspaceUUID, and Sotoon_WorkspaceName"
      return 1
    fi
    _debug2_sotoon "API Response: $response"
    # Check if the response contains our domain
    # Sotoon API uses Kubernetes CRD format with spec.origin for domain matching
    if _contains "$response" "\"origin\":\"$h\""; then
      _debug_sotoon "Found domain by origin: $h"
      # In Kubernetes CRD format, the metadata.name is the resource identifier
      # The name can be either:
      # 1. Same as origin
      # 2. Origin with dots replaced by hyphens
      # We check both patterns in the response to determine which one exists
      # Convert origin to hyphenated version for checking
      _h_hyphenated=$(echo "$h" | tr '.' '-')
      # Check if the hyphenated name exists in the response
      if _contains "$response" "\"name\":\"$_h_hyphenated\""; then
        _domain_id="$_h_hyphenated"
        _debug_sotoon "Found domain ID (hyphenated): $_domain_id"
      # Check if the origin itself is used as name
      elif _contains "$response" "\"name\":\"$h\""; then
        _domain_id="$h"
        _debug_sotoon "Found domain ID (same as origin): $_domain_id"
      else
        # Fallback: use the hyphenated version (more common)
        _domain_id="$_h_hyphenated"
        _debug_sotoon "Using hyphenated domain ID as fallback: $_domain_id"
      fi
      if [ -n "$_domain_id" ]; then
        _sub_domain=$(printf "%s" "$domain" | cut -d . -f 1-"$p")
        _domain=$h
        _debug_sotoon "Domain ID (metadata.name): $_domain_id"
        _debug_sotoon "Sub domain: $_sub_domain"
        _debug_sotoon "Domain (origin): $_domain"
        return 0
      fi
      _err_sotoon "Found domain $h but could not extract domain ID"
      return 1
    fi
    p=$i
    i=$(_math "$i" + 1)
  done
  return 1
 }
 _sotoon_rest() {
  mtd="$1"
  resource_id="$2"
  data="$3"
  token_trimmed=$(echo "$Sotoon_Token" | tr -d '"')
  # Construct the API endpoint
  _api_path="$SOTOON_API_URL/workspaces/$Sotoon_WorkspaceUUID/namespaces/$Sotoon_WorkspaceName/domainzones"
  if [ -n "$resource_id" ]; then
    _api_path="$_api_path/$resource_id"
  fi
  _debug_sotoon "API Path: $_api_path"
  _debug_sotoon "Method: $mtd"
  # Set authorization header - Sotoon API uses Bearer token
  export _H1="Authorization: Bearer $token_trimmed"
  if [ "$mtd" = "GET" ]; then
    # GET request
    _debug_sotoon "GET" "$_api_path"
    response="$(_get "$_api_path")"
  elif [ "$mtd" = "PATCH" ]; then
    # PATCH Request
    export _H2="Content-Type: application/merge-patch+json"
    _debug_sotoon data "$data"
    response="$(_post "$data" "$_api_path" "" "$mtd")"
  else
    _err_sotoon "Unknown method: $mtd"
    return 1
  fi
  _debug2_sotoon response "$response"
  return 0
 }
 #Wrappers for logging
 _info_sotoon() {
  _info "[Sotoon]" "$@"
 }
 _err_sotoon() {
  _err "[Sotoon]" "$@"
 }
 _debug_sotoon() {
  _debug "[Sotoon]" "$@"
 }
 _debug2_sotoon() {
  _debug2 "[Sotoon]" "$@"
 }