[PATCH v2 proxmox-acme 0/3] update acme.sh DNS API to upstream 3.1.2 tag

[PATCH v2 proxmox-acme 0/3] update acme.sh DNS API to upstream 3.1.2 tag

[Kefu Chai]

Changes since v1:
- Fix missing Makefile ACME_SOURCES entries for the new plugins; without
  this they were registered in the schema but not installed by the package
- Add test/verify-acme-sources-in-makefile.pl to catch this class of
  error: cross-checks dnsapi/ scripts in the submodule against the
  Makefile install list, with ACME_SOURCES passed via Make so no
  Makefile parsing is needed in Perl
- Hook the tests into dpkg-buildpackage via override_dh_auto_test so
  they run automatically on every package build

Kefu Chai (3):
  update acme.sh DNS API to upstream 3.1.2 tag
  tests: verify all dnsapi plugins are listed in Makefile ACME_SOURCES
  buildsys: run tests as part of dpkg-buildpackage

 debian/rules                                |  3 +
 src/Makefile                                |  5 +-
 src/acme.sh                                 |  2 +-
 src/dns-challenge-schema.json               | 66 ++++++++++++++++++++-
 src/test/Makefile                           |  5 +-
 src/test/verify-acme-sources-in-makefile.pl | 66 +++++++++++++++++++++
 6 files changed, 141 insertions(+), 6 deletions(-)
 create mode 100755 src/test/verify-acme-sources-in-makefile.pl

-- 
2.47.3

[PATCH v2 proxmox-acme 1/3] update acme.sh DNS API to upstream 3.1.2 tag

[Kefu Chai]

And update schema with new plugins and API changes.

This includes various fixes and improvements for existing plugins.

Fixes the following bugs:
- fix #7120: OVH DNS plugin now properly deletes TXT records
- fix #7028: Add Hetzner Cloud DNS plugin support

New plugins added:
- hetznercloud: Hetzner Cloud DNS API
- openprovider_rest: OpenProvider REST API
- spaceship: Spaceship DNS API

The active24 provider was updated to use the new v2 API, as the old
v1 API has been deprecated by Active24. Users need to re-configure
with Active24_ApiKey and Active24_ApiSecret instead of ACTIVE24_Token.
New credentials can be obtained from the Active24 admin panel.

Signed-off-by: Kefu Chai <k.chai@proxmox.com>
---
 src/Makefile                  |  3 ++
 src/acme.sh                   |  2 +-
 src/dns-challenge-schema.json | 66 +++++++++++++++++++++++++++++++++--
 3 files changed, 68 insertions(+), 3 deletions(-)

diff --git a/src/Makefile b/src/Makefile
index 9ee97c9..c948207 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -66,6 +66,7 @@ ACME_SOURCES = \
 	dnsapi/dns_he.sh \
 	dnsapi/dns_he_ddns.sh \
 	dnsapi/dns_hetzner.sh \
+	dnsapi/dns_hetznercloud.sh \
 	dnsapi/dns_hexonet.sh \
 	dnsapi/dns_hostingde.sh \
 	dnsapi/dns_huaweicloud.sh \
@@ -120,6 +121,7 @@ ACME_SOURCES = \
 	dnsapi/dns_one.sh \
 	dnsapi/dns_online.sh \
 	dnsapi/dns_openprovider.sh \
+	dnsapi/dns_openprovider_rest.sh \
 	dnsapi/dns_openstack.sh \
 	dnsapi/dns_opnsense.sh \
 	dnsapi/dns_ovh.sh \
@@ -138,6 +140,7 @@ ACME_SOURCES = \
 	dnsapi/dns_selfhost.sh \
 	dnsapi/dns_servercow.sh \
 	dnsapi/dns_simply.sh \
+	dnsapi/dns_spaceship.sh \
 	dnsapi/dns_technitium.sh \
 	dnsapi/dns_tele3.sh \
 	dnsapi/dns_tencent.sh \
diff --git a/src/acme.sh b/src/acme.sh
index 676d766..40290ad 160000
--- a/src/acme.sh
+++ b/src/acme.sh
@@ -1 +1 @@
-Subproject commit 676d76696b616c0e013ad8a9be1aedd01e4e0204
+Subproject commit 40290ad42a37aba57eb246e507c11944a52c0f68
diff --git a/src/dns-challenge-schema.json b/src/dns-challenge-schema.json
index 8669c86..b7ee5a3 100644
--- a/src/dns-challenge-schema.json
+++ b/src/dns-challenge-schema.json
@@ -24,8 +24,12 @@
    "acmeproxy": {},
    "active24": {
       "fields": {
-         "ACTIVE24_Token": {
-            "description": "The API key",
+         "Active24_ApiKey": {
+            "description": "API Key (called 'Identifier' in Active24 Admin)",
+            "type": "string"
+         },
+         "Active24_ApiSecret": {
+            "description": "API Secret (called 'Secret key' in Active24 Admin)",
             "type": "string"
          }
       },
@@ -187,6 +191,33 @@
    "he": {},
    "he_ddns": {},
    "hetzner": {},
+   "hetznercloud": {
+      "fields": {
+         "HETZNER_API": {
+            "default": "https://api.hetzner.cloud/v1",
+            "description": "Override API endpoint (default: https://api.hetzner.cloud/v1)",
+            "optional": 1,
+            "type": "string"
+         },
+         "HETZNER_MAX_ATTEMPTS": {
+            "default": 120,
+            "description": "Number of 1s polls to wait for async actions (default: 120)",
+            "optional": 1,
+            "type": "integer"
+         },
+         "HETZNER_TOKEN": {
+            "description": "API token for the Hetzner Cloud DNS API",
+            "type": "string"
+         },
+         "HETZNER_TTL": {
+            "default": 120,
+            "description": "Custom TTL for new TXT records (default: 120)",
+            "optional": 1,
+            "type": "integer"
+         }
+      },
+      "name": "Hetzner Cloud DNS"
+   },
    "hexonet": {},
    "hostingde": {},
    "huaweicloud": {},
@@ -298,6 +329,19 @@
    "one": {},
    "online": {},
    "openprovider": {},
+   "openprovider_rest": {
+      "fields": {
+         "OPENPROVIDER_REST_PASSWORD": {
+            "description": "OpenProvider Account Password",
+            "type": "string"
+         },
+         "OPENPROVIDER_REST_USERNAME": {
+            "description": "OpenProvider Account Username",
+            "type": "string"
+         }
+      },
+      "name": "OpenProvider (REST API)"
+   },
    "openstack": {},
    "opnsense": {},
    "ovh": {
@@ -368,6 +412,24 @@
    "selfhost": {},
    "servercow": {},
    "simply": {},
+   "spaceship": {
+      "fields": {
+         "SPACESHIP_API_KEY": {
+            "description": "Spaceship API Key",
+            "type": "string"
+         },
+         "SPACESHIP_API_SECRET": {
+            "description": "Spaceship API Secret",
+            "type": "string"
+         },
+         "SPACESHIP_ROOT_DOMAIN": {
+            "description": "Root domain (optional, for manual override if auto-detection fails)",
+            "optional": 1,
+            "type": "string"
+         }
+      },
+      "name": "Spaceship"
+   },
    "technitium": {},
    "tele3": {},
    "tencent": {},
-- 
2.47.3

[PATCH v2 proxmox-acme 2/3] tests: verify all dnsapi plugins are listed in Makefile ACME_SOURCES

[Kefu Chai]

Add verify-acme-sources-in-makefile.pl which cross-checks the dnsapi/
scripts present in the acme.sh submodule against the ACME_SOURCES list
in the Makefile. Plugins missing from ACME_SOURCES won't be installed,
so this catches the class of error where a plugin is added to the schema
but forgotten in the install list.

ACME_SOURCES is passed via environment from the parent Makefile so Make
expands the variable itself, avoiding fragile Makefile parsing in Perl.

Signed-off-by: Kefu Chai <k.chai@proxmox.com>
---
 src/Makefile                                |  2 +-
 src/test/Makefile                           |  5 +-
 src/test/verify-acme-sources-in-makefile.pl | 66 +++++++++++++++++++++
 3 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100755 src/test/verify-acme-sources-in-makefile.pl

diff --git a/src/Makefile b/src/Makefile
index c948207..461597b 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -190,7 +190,7 @@ install:
 
 .PHONY: test
 test:
-	$(MAKE) -C test test
+	$(MAKE) -C test test ACME_SOURCES="$(ACME_SOURCES)"
 
 .PHONY: clean
 clean:
diff --git a/src/test/Makefile b/src/test/Makefile
index 5768124..ad5256a 100644
--- a/src/test/Makefile
+++ b/src/test/Makefile
@@ -1,9 +1,10 @@
+ACME_SOURCES ?=
 
 .PHONY: test test-missing-functions
-test: verify-dnsapi-plugins-in-schema.pl.t test-missing-functions
+test: verify-dnsapi-plugins-in-schema.pl.t verify-acme-sources-in-makefile.pl.t test-missing-functions
 
 %.t: %
-	./$<
+	ACME_SOURCES="$(ACME_SOURCES)" ./$<
 
 test-missing-functions:
 	./check-missing-functions | sort -u > missing-functions.actual
diff --git a/src/test/verify-acme-sources-in-makefile.pl b/src/test/verify-acme-sources-in-makefile.pl
new file mode 100755
index 0000000..7deb026
--- /dev/null
+++ b/src/test/verify-acme-sources-in-makefile.pl
@@ -0,0 +1,66 @@
+#!/usr/bin/perl
+
+use strict;
+use warnings;
+
+use lib '../';
+
+use PVE::Tools qw(dir_glob_foreach);
+
+my $dnsapi_path = '../acme.sh/dnsapi';
+
+die "cannot find dnsapi path '$dnsapi_path'!\n" if !-d $dnsapi_path;
+
+my $acme_sources = $ENV{ACME_SOURCES}
+    or die "ACME_SOURCES environment variable not set\n";
+
+my $makefile_plugins = {};
+while ($acme_sources =~ /dnsapi\/dns_(\S+)\.sh/g) {
+    $makefile_plugins->{$1} = 1;
+}
+
+my $acmesh_plugins = [];
+dir_glob_foreach(
+    $dnsapi_path,
+    qr/dns_(\S+)\.sh/,
+    sub {
+        my ($file, $provider) = @_;
+        push @$acmesh_plugins, $provider;
+    },
+);
+
+my $ok = 1;
+
+# check that all plugins in the submodule are listed in the Makefile for installation
+my $missing_from_makefile = '';
+for my $provider (sort @$acmesh_plugins) {
+    if (!$makefile_plugins->{$provider}) {
+        $missing_from_makefile .= "\tdnsapi/dns_${provider}.sh \\\n";
+        $ok = 0;
+    }
+}
+
+if ($missing_from_makefile) {
+    print STDERR "\nplugins missing from Makefile ACME_SOURCES, add:\n";
+    print STDERR $missing_from_makefile;
+}
+
+# check that all plugins in the Makefile still exist in the submodule
+my %acmesh_set = map { $_ => 1 } @$acmesh_plugins;
+my $stale_in_makefile = '';
+for my $provider (sort keys %$makefile_plugins) {
+    if (!$acmesh_set{$provider}) {
+        $stale_in_makefile .= "\tdnsapi/dns_${provider}.sh\n";
+        $ok = 0;
+    }
+}
+
+if ($stale_in_makefile) {
+    print STDERR "\nplugins in Makefile but removed/renamed upstream, remove:\n";
+    print STDERR $stale_in_makefile;
+}
+
+die "\nERROR: Makefile ACME_SOURCES not in sync with available plugins!\n\n" if !$ok;
+
+print STDERR "OK: Makefile ACME_SOURCES in sync with available plugins.\n";
+exit(0);
-- 
2.47.3

[PATCH v2 proxmox-acme 3/3] buildsys: run tests as part of dpkg-buildpackage

[Kefu Chai]

Add override_dh_auto_test to debian/rules so that make test is
automatically executed during every package build, ensuring the
schema and Makefile consistency checks are enforced at build time.

Signed-off-by: Kefu Chai <k.chai@proxmox.com>
---
 debian/rules | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/debian/rules b/debian/rules
index f00dbc2..2118ffa 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,3 +5,6 @@
 
 %:
 	dh $@
+
+override_dh_auto_test:
+	$(MAKE) -C . -f Makefile test
-- 
2.47.3

Re: [PATCH v2 proxmox-acme 3/3] buildsys: run tests as part of dpkg-buildpackage

[Thomas Lamprecht]

Am 31.03.26 um 09:10 schrieb Kefu Chai:
> Add override_dh_auto_test to debian/rules so that make test is
> automatically executed during every package build, ensuring the
> schema and Makefile consistency checks are enforced at build time.

This already happens though? dh_auto_test will already trigger any
"check" or "test" target if there's a Makefile present, and when
building a package without your patch here I can see that working.

Or am I missing something here?

> 
> Signed-off-by: Kefu Chai <k.chai@proxmox.com>
> ---
>  debian/rules | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/debian/rules b/debian/rules
> index f00dbc2..2118ffa 100755
> --- a/debian/rules
> +++ b/debian/rules
> @@ -5,3 +5,6 @@
>  
>  %:
>  	dh $@
> +
> +override_dh_auto_test:
> +	$(MAKE) -C . -f Makefile test

Re: [PATCH v2 proxmox-acme 3/3] buildsys: run tests as part of dpkg-buildpackage

[Kefu Chai]

On Wed Apr 1, 2026 at 12:15 AM CST, Thomas Lamprecht wrote:
> Am 31.03.26 um 09:10 schrieb Kefu Chai:
>> Add override_dh_auto_test to debian/rules so that make test is
>> automatically executed during every package build, ensuring the
>> schema and Makefile consistency checks are enforced at build time.
>
> This already happens though? dh_auto_test will already trigger any
> "check" or "test" target if there's a Makefile present, and when
> building a package without your patch here I can see that working.

Yeah, it's already wired into the default dh helper. I ran into 
"No rule to make target 'test'" when running "make test" from the
top-level repo dir, where only the outer Makefile is located. That's 
why I just went ahead and added this in the d/rules in hope to avoid 
the same problem. But I missed the fact that the /Makefile actually 
copies the *src* directory when building debian package. I just found
the same pattern repeats itself in proxmox-biome. Will take a closer
look at the Makefile under root directory next time.

Thanks for pointing this out!

>
> Or am I missing something here?
>
>> 
>> Signed-off-by: Kefu Chai <k.chai@proxmox.com>
>> ---
>>  debian/rules | 3 +++
>>  1 file changed, 3 insertions(+)
>> 
>> diff --git a/debian/rules b/debian/rules
>> index f00dbc2..2118ffa 100755
>> --- a/debian/rules
>> +++ b/debian/rules
>> @@ -5,3 +5,6 @@
>>  
>>  %:
>>  	dh $@
>> +
>> +override_dh_auto_test:
>> +	$(MAKE) -C . -f Makefile test

applied: [PATCH v2 proxmox-acme 0/3] update acme.sh DNS API to upstream 3.1.2 tag

[Thomas Lamprecht]

On Tue, 31 Mar 2026 15:10:38 +0800, Kefu Chai wrote:
> Changes since v1:
> - Fix missing Makefile ACME_SOURCES entries for the new plugins; without
>   this they were registered in the schema but not installed by the package
> - Add test/verify-acme-sources-in-makefile.pl to catch this class of
>   error: cross-checks dnsapi/ scripts in the submodule against the
>   Makefile install list, with ACME_SOURCES passed via Make so no
>   Makefile parsing is needed in Perl
> - Hook the tests into dpkg-buildpackage via override_dh_auto_test so
>   they run automatically on every package build
> 
> [...]

Applied, adapted the second one to parse the Makefile directly though, IMO not
that fragile as the list format is simple and under our control, thanks!

[1/3] update acme.sh DNS API to upstream 3.1.2 tag
      commit: c61e42a68a829f79f1c60dee7b504aad217e43b5
[2/3] tests: verify all dnsapi plugins are listed in Makefile ACME_SOURCES
      commit: c362090b0b49f8b0b0f2a7cedae52e909560eecd
[3/3] buildsys: run tests as part of dpkg-buildpackage
      SKIPPED