diff --git a/README.md b/README.md
index 50da4d5d..20348d87 100644
--- a/README.md
+++ b/README.md
@@ -155,103 +155,108 @@ Detailed documentation is available [here](https://go-acme.github.io/lego/dns).
| Joker |
Joohoi's ACME-DNS |
+ KeyHelp |
Liara |
- Lima-City |
+ | Lima-City |
Linode (v4) |
Liquid Web |
Loopia |
- LuaDNS |
+ | LuaDNS |
Mail-in-a-Box |
ManageEngine CloudDNS |
Manual |
- Metaname |
+ | Metaname |
Metaregistrar |
mijn.host |
Mittwald |
- myaddr.{tools,dev,io} |
+ | myaddr.{tools,dev,io} |
MyDNS.jp |
MythicBeasts |
Name.com |
- Namecheap |
+ | Namecheap |
Namesilo |
NearlyFreeSpeech.NET |
Netcup |
- Netlify |
+ | Netlify |
Nicmanager |
NIFCloud |
Njalla |
- Nodion |
+ | Nodion |
NS1 |
Open Telekom Cloud |
Oracle Cloud |
- OVH |
+ | OVH |
plesk.com |
Porkbun |
PowerDNS |
- Rackspace |
+ | Rackspace |
Rain Yun/雨云 |
RcodeZero |
reg.ru |
- Regfish |
+ | Regfish |
RFC2136 |
RimuHosting |
RU CENTER |
- Sakura Cloud |
+ | Sakura Cloud |
Scaleway |
Selectel |
Selectel v2 |
- SelfHost.(de|eu) |
+ | SelfHost.(de|eu) |
Servercow |
Shellrent |
Simply.com |
- Sonic |
+ | Sonic |
Spaceship |
Stackpath |
Technitium |
- Tencent Cloud DNS |
+ | Tencent Cloud DNS |
Tencent EdgeOne |
Timeweb Cloud |
TransIP |
- UKFast SafeDNS |
+ | UKFast SafeDNS |
Ultradns |
Variomedia |
VegaDNS |
- Vercel |
+ | Vercel |
Versio.[nl|eu|uk] |
VinylDNS |
VK Cloud |
- Volcano Engine/火山引擎 |
+ | Volcano Engine/火山引擎 |
Vscale |
Vultr |
Webnames |
- Websupport |
+ | Websupport |
WEDOS |
West.cn/西部数码 |
Yandex 360 |
- Yandex Cloud |
+ | Yandex Cloud |
Yandex PDD |
Zone.ee |
ZoneEdit |
+
| Zonomi |
+ |
+ |
+ |
diff --git a/cmd/zz_gen_cmd_dnshelp.go b/cmd/zz_gen_cmd_dnshelp.go
index 7c43bb2a..55199386 100644
--- a/cmd/zz_gen_cmd_dnshelp.go
+++ b/cmd/zz_gen_cmd_dnshelp.go
@@ -94,6 +94,7 @@ func allDNSCodes() string {
"ipv64",
"iwantmyname",
"joker",
+ "keyhelp",
"liara",
"lightsail",
"limacity",
@@ -1921,6 +1922,27 @@ func displayDNSHelp(w io.Writer, name string) error {
ew.writeln()
ew.writeln(`More information: https://go-acme.github.io/lego/dns/joker`)
+ case "keyhelp":
+ // generated from: providers/dns/keyhelp/keyhelp.toml
+ ew.writeln(`Configuration for KeyHelp.`)
+ ew.writeln(`Code: 'keyhelp'`)
+ ew.writeln(`Since: 'v4.26.0'`)
+ ew.writeln()
+
+ ew.writeln(`Credentials:`)
+ ew.writeln(` - "KEYHELP_API_KEY": API key`)
+ ew.writeln(` - "KEYHELP_BASE_URL": Server URL`)
+ ew.writeln()
+
+ ew.writeln(`Additional Configuration:`)
+ ew.writeln(` - "KEYHELP_HTTP_TIMEOUT": API request timeout in seconds (Default: 30)`)
+ ew.writeln(` - "KEYHELP_POLLING_INTERVAL": Time between DNS propagation check in seconds (Default: 2)`)
+ ew.writeln(` - "KEYHELP_PROPAGATION_TIMEOUT": Maximum waiting time for DNS propagation in seconds (Default: 60)`)
+ ew.writeln(` - "KEYHELP_TTL": The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)`)
+
+ ew.writeln()
+ ew.writeln(`More information: https://go-acme.github.io/lego/dns/keyhelp`)
+
case "liara":
// generated from: providers/dns/liara/liara.toml
ew.writeln(`Configuration for Liara.`)
diff --git a/docs/content/dns/zz_gen_keyhelp.md b/docs/content/dns/zz_gen_keyhelp.md
new file mode 100644
index 00000000..2886a0a8
--- /dev/null
+++ b/docs/content/dns/zz_gen_keyhelp.md
@@ -0,0 +1,69 @@
+---
+title: "KeyHelp"
+date: 2019-03-03T16:39:46+01:00
+draft: false
+slug: keyhelp
+dnsprovider:
+ since: "v4.26.0"
+ code: "keyhelp"
+ url: "https://www.keyweb.de/en/keyhelp/keyhelp/"
+---
+
+
+
+
+
+
+Configuration for [KeyHelp](https://www.keyweb.de/en/keyhelp/keyhelp/).
+
+
+
+
+- Code: `keyhelp`
+- Since: v4.26.0
+
+
+Here is an example bash command using the KeyHelp provider:
+
+```bash
+KEYHELP_BASE_URL="https://keyhelp.example.com" \
+KEYHELP_API_KEY="xxx" \
+lego --email you@example.com --dns keyhelp -d '*.example.com' -d example.com run
+```
+
+
+
+
+## Credentials
+
+| Environment Variable Name | Description |
+|-----------------------|-------------|
+| `KEYHELP_API_KEY` | API key |
+| `KEYHELP_BASE_URL` | Server URL |
+
+The environment variable names can be suffixed by `_FILE` to reference a file instead of a value.
+More information [here]({{% ref "dns#configuration-and-credentials" %}}).
+
+
+## Additional Configuration
+
+| Environment Variable Name | Description |
+|--------------------------------|-------------|
+| `KEYHELP_HTTP_TIMEOUT` | API request timeout in seconds (Default: 30) |
+| `KEYHELP_POLLING_INTERVAL` | Time between DNS propagation check in seconds (Default: 2) |
+| `KEYHELP_PROPAGATION_TIMEOUT` | Maximum waiting time for DNS propagation in seconds (Default: 60) |
+| `KEYHELP_TTL` | The TTL of the TXT record used for the DNS challenge in seconds (Default: 120) |
+
+The environment variable names can be suffixed by `_FILE` to reference a file instead of a value.
+More information [here]({{% ref "dns#configuration-and-credentials" %}}).
+
+
+
+
+## More information
+
+- [API documentation](https://app.swaggerhub.com/apis-docs/keyhelp/api/)
+
+
+
+
diff --git a/docs/data/zz_cli_help.toml b/docs/data/zz_cli_help.toml
index ea5b037f..6e788392 100644
--- a/docs/data/zz_cli_help.toml
+++ b/docs/data/zz_cli_help.toml
@@ -152,7 +152,7 @@ To display the documentation for a specific DNS provider, run:
$ lego dnshelp -c code
Supported DNS providers:
- acme-dns, active24, alidns, allinkl, arvancloud, auroradns, autodns, axelname, azion, azure, azuredns, baiducloud, binarylane, bindman, bluecat, bookmyname, brandit, bunny, checkdomain, civo, clouddns, cloudflare, cloudns, cloudru, cloudxns, conoha, conohav3, constellix, corenetworks, cpanel, derak, desec, designate, digitalocean, directadmin, dnshomede, dnsimple, dnsmadeeasy, dnspod, dode, domeneshop, dreamhost, duckdns, dyn, dyndnsfree, dynu, easydns, edgedns, edgeone, efficientip, epik, exec, exoscale, f5xc, freemyip, gandi, gandiv5, gcloud, gcore, glesys, godaddy, googledomains, hetzner, hostingde, hosttech, httpnet, httpreq, huaweicloud, hurricane, hyperone, ibmcloud, iij, iijdpf, infoblox, infomaniak, internetbs, inwx, ionos, ipv64, iwantmyname, joker, liara, lightsail, limacity, linode, liquidweb, loopia, luadns, mailinabox, manageengine, manual, metaname, metaregistrar, mijnhost, mittwald, myaddr, mydnsjp, mythicbeasts, namecheap, namedotcom, namesilo, nearlyfreespeech, netcup, netlify, nicmanager, nicru, nifcloud, njalla, nodion, ns1, oraclecloud, otc, ovh, pdns, plesk, porkbun, rackspace, rainyun, rcodezero, regfish, regru, rfc2136, rimuhosting, route53, safedns, sakuracloud, scaleway, selectel, selectelv2, selfhostde, servercow, shellrent, simply, sonic, spaceship, stackpath, technitium, tencentcloud, timewebcloud, transip, ultradns, variomedia, vegadns, vercel, versio, vinyldns, vkcloud, volcengine, vscale, vultr, webnames, websupport, wedos, westcn, yandex, yandex360, yandexcloud, zoneedit, zoneee, zonomi
+ acme-dns, active24, alidns, allinkl, arvancloud, auroradns, autodns, axelname, azion, azure, azuredns, baiducloud, binarylane, bindman, bluecat, bookmyname, brandit, bunny, checkdomain, civo, clouddns, cloudflare, cloudns, cloudru, cloudxns, conoha, conohav3, constellix, corenetworks, cpanel, derak, desec, designate, digitalocean, directadmin, dnshomede, dnsimple, dnsmadeeasy, dnspod, dode, domeneshop, dreamhost, duckdns, dyn, dyndnsfree, dynu, easydns, edgedns, edgeone, efficientip, epik, exec, exoscale, f5xc, freemyip, gandi, gandiv5, gcloud, gcore, glesys, godaddy, googledomains, hetzner, hostingde, hosttech, httpnet, httpreq, huaweicloud, hurricane, hyperone, ibmcloud, iij, iijdpf, infoblox, infomaniak, internetbs, inwx, ionos, ipv64, iwantmyname, joker, keyhelp, liara, lightsail, limacity, linode, liquidweb, loopia, luadns, mailinabox, manageengine, manual, metaname, metaregistrar, mijnhost, mittwald, myaddr, mydnsjp, mythicbeasts, namecheap, namedotcom, namesilo, nearlyfreespeech, netcup, netlify, nicmanager, nicru, nifcloud, njalla, nodion, ns1, oraclecloud, otc, ovh, pdns, plesk, porkbun, rackspace, rainyun, rcodezero, regfish, regru, rfc2136, rimuhosting, route53, safedns, sakuracloud, scaleway, selectel, selectelv2, selfhostde, servercow, shellrent, simply, sonic, spaceship, stackpath, technitium, tencentcloud, timewebcloud, transip, ultradns, variomedia, vegadns, vercel, versio, vinyldns, vkcloud, volcengine, vscale, vultr, webnames, websupport, wedos, westcn, yandex, yandex360, yandexcloud, zoneedit, zoneee, zonomi
More information: https://go-acme.github.io/lego/dns
"""
diff --git a/providers/dns/keyhelp/internal/client.go b/providers/dns/keyhelp/internal/client.go
new file mode 100644
index 00000000..3c731fc4
--- /dev/null
+++ b/providers/dns/keyhelp/internal/client.go
@@ -0,0 +1,174 @@
+package internal
+
+import (
+ "bytes"
+ "context"
+ "encoding/json"
+ "errors"
+ "fmt"
+ "io"
+ "net/http"
+ "net/url"
+ "strconv"
+ "time"
+
+ "github.com/go-acme/lego/v4/providers/dns/internal/errutils"
+)
+
+// APIKeyHeader API key header.
+const APIKeyHeader = "X-Api-Key"
+
+// Client the KeyHelp API client.
+type Client struct {
+ apiKey string
+
+ baseURL *url.URL
+ HTTPClient *http.Client
+}
+
+// NewClient creates a new Client.
+func NewClient(baseURL, apiKey string) (*Client, error) {
+ if baseURL == "" {
+ return nil, errors.New("missing base URL")
+ }
+
+ if apiKey == "" {
+ return nil, errors.New("credentials missing")
+ }
+
+ base, err := url.Parse(baseURL)
+ if err != nil {
+ return nil, fmt.Errorf("parse base URL: %w", err)
+ }
+
+ return &Client{
+ apiKey: apiKey,
+ baseURL: base.JoinPath("api", "v2"),
+ HTTPClient: &http.Client{Timeout: 10 * time.Second},
+ }, nil
+}
+
+func (c *Client) do(req *http.Request, result any) error {
+ req.Header.Set(APIKeyHeader, c.apiKey)
+
+ resp, err := c.HTTPClient.Do(req)
+ if err != nil {
+ return errutils.NewHTTPDoError(req, err)
+ }
+
+ defer func() { _ = resp.Body.Close() }()
+
+ if resp.StatusCode/100 != 2 {
+ return parseError(req, resp)
+ }
+
+ if result == nil {
+ return nil
+ }
+
+ raw, err := io.ReadAll(resp.Body)
+ if err != nil {
+ return errutils.NewReadResponseError(req, resp.StatusCode, err)
+ }
+
+ err = json.Unmarshal(raw, result)
+ if err != nil {
+ return errutils.NewUnmarshalError(req, resp.StatusCode, raw, err)
+ }
+
+ return nil
+}
+
+func (c *Client) ListDomains(ctx context.Context) ([]Domain, error) {
+ endpoint := c.baseURL.JoinPath("domains")
+
+ query := endpoint.Query()
+ query.Set("sort", "domain_utf8")
+ endpoint.RawQuery = query.Encode()
+
+ req, err := newJSONRequest(ctx, http.MethodGet, endpoint, nil)
+ if err != nil {
+ return nil, err
+ }
+
+ var result []Domain
+
+ err = c.do(req, &result)
+ if err != nil {
+ return nil, err
+ }
+
+ return result, nil
+}
+
+func (c *Client) ListDomainRecords(ctx context.Context, domainID int) (*DomainRecords, error) {
+ endpoint := c.baseURL.JoinPath("dns", strconv.Itoa(domainID))
+
+ req, err := newJSONRequest(ctx, http.MethodGet, endpoint, nil)
+ if err != nil {
+ return nil, err
+ }
+
+ var result DomainRecords
+
+ err = c.do(req, &result)
+ if err != nil {
+ return nil, err
+ }
+
+ return &result, nil
+}
+
+func (c *Client) UpdateDomainRecords(ctx context.Context, domainID int, records DomainRecords) (*DomainID, error) {
+ endpoint := c.baseURL.JoinPath("dns", strconv.Itoa(domainID))
+
+ req, err := newJSONRequest(ctx, http.MethodPut, endpoint, records)
+ if err != nil {
+ return nil, err
+ }
+
+ var result DomainID
+
+ err = c.do(req, &result)
+ if err != nil {
+ return nil, err
+ }
+
+ return &result, nil
+}
+
+func newJSONRequest(ctx context.Context, method string, endpoint *url.URL, payload any) (*http.Request, error) {
+ buf := new(bytes.Buffer)
+
+ if payload != nil {
+ err := json.NewEncoder(buf).Encode(payload)
+ if err != nil {
+ return nil, fmt.Errorf("failed to create request JSON body: %w", err)
+ }
+ }
+
+ req, err := http.NewRequestWithContext(ctx, method, endpoint.String(), buf)
+ if err != nil {
+ return nil, fmt.Errorf("unable to create request: %w", err)
+ }
+
+ req.Header.Set("Accept", "application/json")
+
+ if payload != nil {
+ req.Header.Set("Content-Type", "application/json")
+ }
+
+ return req, nil
+}
+
+func parseError(req *http.Request, resp *http.Response) error {
+ raw, _ := io.ReadAll(resp.Body)
+
+ var errAPI APIError
+ err := json.Unmarshal(raw, &errAPI)
+ if err != nil {
+ return errutils.NewUnexpectedStatusCodeError(req, resp.StatusCode, raw)
+ }
+
+ return &errAPI
+}
diff --git a/providers/dns/keyhelp/internal/client_test.go b/providers/dns/keyhelp/internal/client_test.go
new file mode 100644
index 00000000..80b21495
--- /dev/null
+++ b/providers/dns/keyhelp/internal/client_test.go
@@ -0,0 +1,169 @@
+package internal
+
+import (
+ "net/http"
+ "net/http/httptest"
+ "testing"
+
+ "github.com/go-acme/lego/v4/platform/tester/servermock"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+func mockBuilder() *servermock.Builder[*Client] {
+ return servermock.NewBuilder[*Client](
+ func(server *httptest.Server) (*Client, error) {
+ client, err := NewClient(server.URL, "secret")
+ if err != nil {
+ return nil, err
+ }
+
+ client.HTTPClient = server.Client()
+
+ return client, nil
+ },
+ servermock.CheckHeader().
+ With(APIKeyHeader, "secret").
+ WithJSONHeaders(),
+ )
+}
+
+func TestClient_ListDomains(t *testing.T) {
+ client := mockBuilder().
+ Route("GET /api/v2/domains",
+ servermock.ResponseFromFixture("get_domains.json"),
+ servermock.CheckQueryParameter().
+ With("sort", "domain_utf8").
+ Strict()).
+ Build(t)
+
+ domains, err := client.ListDomains(t.Context())
+ require.NoError(t, err)
+
+ expected := []Domain{{
+ ID: 8,
+ UserID: 4,
+ ParentDomainID: 0,
+ Status: 1,
+ Domain: "example.com",
+ DomainUTF8: "example.com",
+ IsEmailDomain: true,
+ }}
+
+ assert.Equal(t, expected, domains)
+}
+
+func TestClient_ListDomains_error(t *testing.T) {
+ client := mockBuilder().
+ Route("GET /api/v2/domains",
+ servermock.ResponseFromFixture("error.json").
+ WithStatusCode(http.StatusUnauthorized)).
+ Build(t)
+
+ _, err := client.ListDomains(t.Context())
+
+ require.EqualError(t, err, "401 Unauthorized: API key is missing or invalid.")
+}
+
+func TestClient_ListDomainRecords(t *testing.T) {
+ client := mockBuilder().
+ Route("GET /api/v2/dns/123",
+ servermock.ResponseFromFixture("get_domain_records.json")).
+ Build(t)
+
+ domainRecords, err := client.ListDomainRecords(t.Context(), 123)
+ require.NoError(t, err)
+
+ expected := &DomainRecords{
+ DkimRecord: `default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " "...DKIM KEY..." )`,
+ Records: &Records{
+ Soa: &SOARecord{
+ TTL: 86400,
+ PrimaryNs: "ns.example.com.",
+ RName: "root.example.com.",
+ Refresh: 14400,
+ Retry: 1800,
+ Expire: 604800,
+ Minimum: 3600,
+ },
+ Other: []Record{{
+ Host: "@",
+ TTL: 86400,
+ Type: "A",
+ Value: "192.168.178.1",
+ }},
+ },
+ }
+
+ assert.Equal(t, expected, domainRecords)
+}
+
+func TestClient_ListDomainRecords_error(t *testing.T) {
+ client := mockBuilder().
+ Route("GET /api/v2/dns/8",
+ servermock.ResponseFromFixture("error.json").
+ WithStatusCode(http.StatusUnauthorized)).
+ Build(t)
+
+ _, err := client.ListDomainRecords(t.Context(), 8)
+
+ require.EqualError(t, err, "401 Unauthorized: API key is missing or invalid.")
+}
+
+func TestClient_UpdateDomainRecords(t *testing.T) {
+ client := mockBuilder().
+ Route("PUT /api/v2/dns/8",
+ servermock.ResponseFromFixture("update_domain_records.json"),
+ servermock.CheckRequestJSONBodyFromFixture("update_domain_records-request.json")).
+ Build(t)
+
+ records := DomainRecords{
+ DkimRecord: `default._domainkey IN TXT ( "v=DKIM1; k=rsa; s=email; " "...DKIM KEY..." )`,
+ Records: &Records{
+ Soa: &SOARecord{
+ TTL: 86400,
+ PrimaryNs: "ns.example.com.",
+ RName: "root.example.com.",
+ Refresh: 14400,
+ Retry: 1800,
+ Expire: 604800,
+ Minimum: 3600,
+ },
+ Other: []Record{
+ {
+ Host: "@",
+ TTL: 86400,
+ Type: "A",
+ Value: "192.168.178.1",
+ },
+ {
+ Host: "_acme-challenge",
+ TTL: 120,
+ Type: "TXT",
+ Value: "ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY",
+ },
+ },
+ },
+ }
+
+ domainID, err := client.UpdateDomainRecords(t.Context(), 8, records)
+ require.NoError(t, err)
+
+ expected := &DomainID{ID: 8}
+
+ assert.Equal(t, expected, domainID)
+}
+
+func TestClient_UpdateDomainRecords_error(t *testing.T) {
+ client := mockBuilder().
+ Route("PUT /api/v2/dns/123",
+ servermock.ResponseFromFixture("error.json").
+ WithStatusCode(http.StatusUnauthorized)).
+ Build(t)
+
+ records := DomainRecords{}
+
+ _, err := client.UpdateDomainRecords(t.Context(), 123, records)
+
+ require.EqualError(t, err, "401 Unauthorized: API key is missing or invalid.")
+}
diff --git a/providers/dns/keyhelp/internal/fixtures/error.json b/providers/dns/keyhelp/internal/fixtures/error.json
new file mode 100644
index 00000000..4fdf5e8f
--- /dev/null
+++ b/providers/dns/keyhelp/internal/fixtures/error.json
@@ -0,0 +1,4 @@
+{
+ "code": "401 Unauthorized",
+ "message": "API key is missing or invalid."
+}
diff --git a/providers/dns/keyhelp/internal/fixtures/get_domain_records.json b/providers/dns/keyhelp/internal/fixtures/get_domain_records.json
new file mode 100644
index 00000000..50483bb8
--- /dev/null
+++ b/providers/dns/keyhelp/internal/fixtures/get_domain_records.json
@@ -0,0 +1,24 @@
+{
+ "is_custom_dns": false,
+ "is_dns_disabled": false,
+ "dkim_record": "default._domainkey IN TXT ( \"v=DKIM1; k=rsa; s=email; \" \"...DKIM KEY...\" )",
+ "records": {
+ "soa": {
+ "ttl": 86400,
+ "primary_ns": "ns.example.com.",
+ "rname": "root.example.com.",
+ "refresh": 14400,
+ "retry": 1800,
+ "expire": 604800,
+ "minimum": 3600
+ },
+ "other": [
+ {
+ "host": "@",
+ "ttl": 86400,
+ "type": "A",
+ "value": "192.168.178.1"
+ }
+ ]
+ }
+}
diff --git a/providers/dns/keyhelp/internal/fixtures/get_domain_records2.json b/providers/dns/keyhelp/internal/fixtures/get_domain_records2.json
new file mode 100644
index 00000000..cd49fd6d
--- /dev/null
+++ b/providers/dns/keyhelp/internal/fixtures/get_domain_records2.json
@@ -0,0 +1,30 @@
+{
+ "is_custom_dns": false,
+ "is_dns_disabled": false,
+ "dkim_record": "default._domainkey IN TXT ( \"v=DKIM1; k=rsa; s=email; \" \"...DKIM KEY...\" )",
+ "records": {
+ "soa": {
+ "ttl": 86400,
+ "primary_ns": "ns.example.com.",
+ "rname": "root.example.com.",
+ "refresh": 14400,
+ "retry": 1800,
+ "expire": 604800,
+ "minimum": 3600
+ },
+ "other": [
+ {
+ "host": "@",
+ "ttl": 86400,
+ "type": "A",
+ "value": "192.168.178.1"
+ },
+ {
+ "host": "_acme-challenge",
+ "ttl": 120,
+ "type": "TXT",
+ "value": "ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY"
+ }
+ ]
+ }
+}
diff --git a/providers/dns/keyhelp/internal/fixtures/get_domains.json b/providers/dns/keyhelp/internal/fixtures/get_domains.json
new file mode 100644
index 00000000..28ae0887
--- /dev/null
+++ b/providers/dns/keyhelp/internal/fixtures/get_domains.json
@@ -0,0 +1,41 @@
+[
+ {
+ "id": 8,
+ "id_user": 4,
+ "id_parent_domain": 0,
+ "status": 1,
+ "domain": "example.com",
+ "domain_utf8": "example.com",
+ "created_at": "2019-08-15T11:29:13+02:00",
+ "php_version": "",
+ "traffic": 32434624,
+ "is_disabled": false,
+ "delete_on": "2025-09-02T19:31:14+0000",
+ "dkim_selector": "default",
+ "dkim_record": "default._domainkey IN TXT ( \"v=DKIM1; k=rsa; s=email; \" \"...DKIM KEY...\" )",
+ "is_custom_dns": false,
+ "is_dns_disabled": false,
+ "is_subdomain": false,
+ "is_system_domain": false,
+ "is_email_domain": true,
+ "is_email_sending_only": false,
+ "target": {
+ "target": "https://www.keyhelp.de",
+ "is_forwarding": true,
+ "forwarding_type": 301
+ },
+ "security": {
+ "id_certificate": 0,
+ "lets_encrypt": true,
+ "is_prefer_https": true,
+ "is_hsts": true,
+ "hsts_max_age": 10368000,
+ "hsts_include": true,
+ "hsts_preload": true
+ },
+ "apache": {
+ "http_directives": "# My custom HTTP directives",
+ "https_directives": "# My custom HTTPS directives"
+ }
+ }
+]
diff --git a/providers/dns/keyhelp/internal/fixtures/update_domain_records-request.json b/providers/dns/keyhelp/internal/fixtures/update_domain_records-request.json
new file mode 100644
index 00000000..6f83ead1
--- /dev/null
+++ b/providers/dns/keyhelp/internal/fixtures/update_domain_records-request.json
@@ -0,0 +1,28 @@
+{
+ "dkim_record": "default._domainkey IN TXT ( \"v=DKIM1; k=rsa; s=email; \" \"...DKIM KEY...\" )",
+ "records": {
+ "soa": {
+ "ttl": 86400,
+ "primary_ns": "ns.example.com.",
+ "rname": "root.example.com.",
+ "refresh": 14400,
+ "retry": 1800,
+ "expire": 604800,
+ "minimum": 3600
+ },
+ "other": [
+ {
+ "host": "@",
+ "ttl": 86400,
+ "type": "A",
+ "value": "192.168.178.1"
+ },
+ {
+ "host": "_acme-challenge",
+ "ttl": 120,
+ "type": "TXT",
+ "value": "ADw2sEd82DUgXcQ9hNBZThJs7zVJkR5v9JeSbAb9mZY"
+ }
+ ]
+ }
+}
diff --git a/providers/dns/keyhelp/internal/fixtures/update_domain_records-request2.json b/providers/dns/keyhelp/internal/fixtures/update_domain_records-request2.json
new file mode 100644
index 00000000..3ebb2ee7
--- /dev/null
+++ b/providers/dns/keyhelp/internal/fixtures/update_domain_records-request2.json
@@ -0,0 +1,22 @@
+{
+ "dkim_record": "default._domainkey IN TXT ( \"v=DKIM1; k=rsa; s=email; \" \"...DKIM KEY...\" )",
+ "records": {
+ "soa": {
+ "ttl": 86400,
+ "primary_ns": "ns.example.com.",
+ "rname": "root.example.com.",
+ "refresh": 14400,
+ "retry": 1800,
+ "expire": 604800,
+ "minimum": 3600
+ },
+ "other": [
+ {
+ "host": "@",
+ "ttl": 86400,
+ "type": "A",
+ "value": "192.168.178.1"
+ }
+ ]
+ }
+}
diff --git a/providers/dns/keyhelp/internal/fixtures/update_domain_records.json b/providers/dns/keyhelp/internal/fixtures/update_domain_records.json
new file mode 100644
index 00000000..a335b5ba
--- /dev/null
+++ b/providers/dns/keyhelp/internal/fixtures/update_domain_records.json
@@ -0,0 +1,3 @@
+{
+ "id": 8
+}
diff --git a/providers/dns/keyhelp/internal/types.go b/providers/dns/keyhelp/internal/types.go
new file mode 100644
index 00000000..8716fa0c
--- /dev/null
+++ b/providers/dns/keyhelp/internal/types.go
@@ -0,0 +1,63 @@
+package internal
+
+import (
+ "fmt"
+)
+
+type APIError struct {
+ Code string `json:"code,omitempty"`
+ Message string `json:"message,omitempty"`
+}
+
+func (a *APIError) Error() string {
+ return fmt.Sprintf("%s: %s", a.Code, a.Message)
+}
+
+type Domain struct {
+ ID int `json:"id,omitempty"`
+ UserID int `json:"id_user,omitempty"`
+ ParentDomainID int `json:"id_parent_domain,omitempty"`
+ Status int `json:"status,omitempty"`
+ Domain string `json:"domain,omitempty"`
+ DomainUTF8 string `json:"domain_utf8,omitempty"`
+ IsDisabled bool `json:"is_disabled,omitempty"`
+ IsCustomDNS bool `json:"is_custom_dns,omitempty"`
+ IsDNSDisabled bool `json:"is_dns_disabled,omitempty"`
+ IsSubdomain bool `json:"is_subdomain,omitempty"`
+ IsSystemDomain bool `json:"is_system_domain,omitempty"`
+ IsEmailDomain bool `json:"is_email_domain,omitempty"`
+ IsEmailSendingOnly bool `json:"is_email_sending_only,omitempty"`
+}
+
+type DomainID struct {
+ ID int `json:"id,omitempty"`
+}
+
+type DomainRecords struct {
+ IsCustomDNS bool `json:"is_custom_dns,omitempty"`
+ IsDNSDisabled bool `json:"is_dns_disabled,omitempty"`
+ DkimRecord string `json:"dkim_record,omitempty"`
+ Records *Records `json:"records,omitempty"`
+}
+
+type Records struct {
+ Soa *SOARecord `json:"soa,omitempty"`
+ Other []Record `json:"other,omitempty"`
+}
+
+type SOARecord struct {
+ TTL int `json:"ttl,omitempty"`
+ PrimaryNs string `json:"primary_ns,omitempty"`
+ RName string `json:"rname,omitempty"`
+ Refresh int `json:"refresh,omitempty"`
+ Retry int `json:"retry,omitempty"`
+ Expire int `json:"expire,omitempty"`
+ Minimum int `json:"minimum,omitempty"`
+}
+
+type Record struct {
+ Host string `json:"host"`
+ TTL int `json:"ttl"`
+ Type string `json:"type"`
+ Value string `json:"value"`
+}
diff --git a/providers/dns/keyhelp/keyhelp.go b/providers/dns/keyhelp/keyhelp.go
new file mode 100644
index 00000000..dfe3af55
--- /dev/null
+++ b/providers/dns/keyhelp/keyhelp.go
@@ -0,0 +1,220 @@
+// Package keyhelp implements a DNS provider for solving the DNS-01 challenge using KeyHelp.
+package keyhelp
+
+import (
+ "context"
+ "errors"
+ "fmt"
+ "net/http"
+ "sync"
+ "time"
+
+ "github.com/go-acme/lego/v4/challenge/dns01"
+ "github.com/go-acme/lego/v4/platform/config/env"
+ "github.com/go-acme/lego/v4/providers/dns/keyhelp/internal"
+)
+
+// Environment variables names.
+const (
+ envNamespace = "KEYHELP_"
+
+ EnvBaseURL = envNamespace + "BASE_URL"
+ EnvAPIKey = envNamespace + "API_KEY"
+
+ EnvTTL = envNamespace + "TTL"
+ EnvPropagationTimeout = envNamespace + "PROPAGATION_TIMEOUT"
+ EnvPollingInterval = envNamespace + "POLLING_INTERVAL"
+ EnvHTTPTimeout = envNamespace + "HTTP_TIMEOUT"
+)
+
+// Config is used to configure the creation of the DNSProvider.
+type Config struct {
+ BaseURL string
+ APIKey string
+
+ PropagationTimeout time.Duration
+ PollingInterval time.Duration
+ TTL int
+ HTTPClient *http.Client
+}
+
+// NewDefaultConfig returns a default configuration for the DNSProvider.
+func NewDefaultConfig() *Config {
+ return &Config{
+ TTL: env.GetOrDefaultInt(EnvTTL, dns01.DefaultTTL),
+ PropagationTimeout: env.GetOrDefaultSecond(EnvPropagationTimeout, dns01.DefaultPropagationTimeout),
+ PollingInterval: env.GetOrDefaultSecond(EnvPollingInterval, dns01.DefaultPollingInterval),
+ HTTPClient: &http.Client{
+ Timeout: env.GetOrDefaultSecond(EnvHTTPTimeout, 30*time.Second),
+ },
+ }
+}
+
+// DNSProvider implements the challenge.Provider interface.
+type DNSProvider struct {
+ config *Config
+ client *internal.Client
+
+ domainIDs map[string]int
+ domainIDsMu sync.Mutex
+}
+
+// NewDNSProvider returns a DNSProvider instance configured for KeyHelp.
+func NewDNSProvider() (*DNSProvider, error) {
+ values, err := env.Get(EnvBaseURL, EnvAPIKey)
+ if err != nil {
+ return nil, fmt.Errorf("keyhelp: %w", err)
+ }
+
+ config := NewDefaultConfig()
+ config.BaseURL = values[EnvBaseURL]
+ config.APIKey = values[EnvAPIKey]
+
+ return NewDNSProviderConfig(config)
+}
+
+// NewDNSProviderConfig return a DNSProvider instance configured for KeyHelp.
+func NewDNSProviderConfig(config *Config) (*DNSProvider, error) {
+ if config == nil {
+ return nil, errors.New("keyhelp: the configuration of the DNS provider is nil")
+ }
+
+ client, err := internal.NewClient(config.BaseURL, config.APIKey)
+ if err != nil {
+ return nil, fmt.Errorf("keyhelp: %w", err)
+ }
+
+ if config.HTTPClient != nil {
+ client.HTTPClient = config.HTTPClient
+ }
+
+ return &DNSProvider{
+ config: config,
+ client: client,
+ domainIDs: make(map[string]int),
+ }, nil
+}
+
+// Present creates a TXT record using the specified parameters.
+func (d *DNSProvider) Present(domain, token, keyAuth string) error {
+ info := dns01.GetChallengeInfo(domain, keyAuth)
+
+ authZone, err := dns01.FindZoneByFqdn(info.EffectiveFQDN)
+ if err != nil {
+ return fmt.Errorf("keyhelp: could not find zone for domain %q: %w", domain, err)
+ }
+
+ ctx := context.Background()
+
+ domainInfo, err := d.findDomain(ctx, dns01.UnFqdn(authZone))
+ if err != nil {
+ return fmt.Errorf("keyhelp: %w", err)
+ }
+
+ domainRecords, err := d.client.ListDomainRecords(ctx, domainInfo.ID)
+ if err != nil {
+ return fmt.Errorf("keyhelp: list domain records: %w", err)
+ }
+
+ subDomain, err := dns01.ExtractSubDomain(info.EffectiveFQDN, authZone)
+ if err != nil {
+ return fmt.Errorf("keyhelp: %w", err)
+ }
+
+ records := domainRecords.Records.Other
+ records = append(records, internal.Record{
+ Host: subDomain,
+ TTL: d.config.TTL,
+ Type: "TXT",
+ Value: info.Value,
+ })
+
+ req := internal.DomainRecords{
+ DkimRecord: domainRecords.DkimRecord,
+ Records: &internal.Records{
+ Soa: domainRecords.Records.Soa,
+ Other: records,
+ },
+ }
+
+ _, err = d.client.UpdateDomainRecords(ctx, domainInfo.ID, req)
+ if err != nil {
+ return fmt.Errorf("keyhelp: update domain records (add): %w", err)
+ }
+
+ d.domainIDsMu.Lock()
+ d.domainIDs[token] = domainInfo.ID
+ d.domainIDsMu.Unlock()
+
+ return nil
+}
+
+// CleanUp removes the TXT record matching the specified parameters.
+func (d *DNSProvider) CleanUp(domain, token, keyAuth string) error {
+ ctx := context.Background()
+
+ info := dns01.GetChallengeInfo(domain, keyAuth)
+
+ // get the domain's unique ID from when we created it
+ d.domainIDsMu.Lock()
+ domainID, ok := d.domainIDs[token]
+ d.domainIDsMu.Unlock()
+ if !ok {
+ return fmt.Errorf("keyhelp: unknown record ID for '%s'", info.EffectiveFQDN)
+ }
+
+ domainRecords, err := d.client.ListDomainRecords(ctx, domainID)
+ if err != nil {
+ return fmt.Errorf("keyhelp: list domain records: %w", err)
+ }
+
+ var records []internal.Record
+ for _, record := range domainRecords.Records.Other {
+ if record.Type == "TXT" && record.Value == info.Value {
+ continue
+ }
+
+ records = append(records, record)
+ }
+
+ req := internal.DomainRecords{
+ DkimRecord: domainRecords.DkimRecord,
+ Records: &internal.Records{
+ Soa: domainRecords.Records.Soa,
+ Other: records,
+ },
+ }
+
+ _, err = d.client.UpdateDomainRecords(ctx, domainID, req)
+ if err != nil {
+ return fmt.Errorf("keyhelp: update domain records (delete): %w", err)
+ }
+
+ // Delete domain ID from map
+ d.domainIDsMu.Lock()
+ delete(d.domainIDs, token)
+ d.domainIDsMu.Unlock()
+
+ return nil
+}
+
+// Timeout returns the timeout and interval to use when checking for DNS propagation.
+// Adjusting here to cope with spikes in propagation times.
+func (d *DNSProvider) Timeout() (timeout, interval time.Duration) {
+ return d.config.PropagationTimeout, d.config.PollingInterval
+}
+
+func (d *DNSProvider) findDomain(ctx context.Context, zone string) (internal.Domain, error) {
+ domains, err := d.client.ListDomains(ctx)
+ if err != nil {
+ return internal.Domain{}, fmt.Errorf("list domains: %w", err)
+ }
+
+ for _, domain := range domains {
+ if domain.DomainUTF8 == zone || domain.Domain == zone {
+ return domain, nil
+ }
+ }
+
+ return internal.Domain{}, fmt.Errorf("domain not found: %s", zone)
+}
diff --git a/providers/dns/keyhelp/keyhelp.toml b/providers/dns/keyhelp/keyhelp.toml
new file mode 100644
index 00000000..d6f84e34
--- /dev/null
+++ b/providers/dns/keyhelp/keyhelp.toml
@@ -0,0 +1,24 @@
+Name = "KeyHelp"
+Description = ''''''
+URL = "https://www.keyweb.de/en/keyhelp/keyhelp/"
+Code = "keyhelp"
+Since = "v4.26.0"
+
+Example = '''
+KEYHELP_BASE_URL="https://keyhelp.example.com" \
+KEYHELP_API_KEY="xxx" \
+lego --email you@example.com --dns keyhelp -d '*.example.com' -d example.com run
+'''
+
+[Configuration]
+ [Configuration.Credentials]
+ KEYHELP_BASE_URL= "Server URL"
+ KEYHELP_API_KEY = "API key"
+ [Configuration.Additional]
+ KEYHELP_POLLING_INTERVAL = "Time between DNS propagation check in seconds (Default: 2)"
+ KEYHELP_PROPAGATION_TIMEOUT = "Maximum waiting time for DNS propagation in seconds (Default: 60)"
+ KEYHELP_TTL = "The TTL of the TXT record used for the DNS challenge in seconds (Default: 120)"
+ KEYHELP_HTTP_TIMEOUT = "API request timeout in seconds (Default: 30)"
+
+[Links]
+ API = "https://app.swaggerhub.com/apis-docs/keyhelp/api/"
diff --git a/providers/dns/keyhelp/keyhelp_test.go b/providers/dns/keyhelp/keyhelp_test.go
new file mode 100644
index 00000000..bdcf26ad
--- /dev/null
+++ b/providers/dns/keyhelp/keyhelp_test.go
@@ -0,0 +1,195 @@
+package keyhelp
+
+import (
+ "net/http/httptest"
+ "testing"
+
+ "github.com/go-acme/lego/v4/platform/tester"
+ "github.com/go-acme/lego/v4/platform/tester/servermock"
+ "github.com/go-acme/lego/v4/providers/dns/keyhelp/internal"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+const envDomain = envNamespace + "DOMAIN"
+
+var envTest = tester.NewEnvTest(EnvBaseURL, EnvAPIKey).
+ WithDomain(envDomain)
+
+func TestNewDNSProvider(t *testing.T) {
+ testCases := []struct {
+ desc string
+ envVars map[string]string
+ expected string
+ }{
+ {
+ desc: "success",
+ envVars: map[string]string{
+ EnvBaseURL: "https://keyhelp.example.com",
+ EnvAPIKey: "secret",
+ },
+ },
+ {
+ desc: "missing base URL",
+ envVars: map[string]string{
+ EnvAPIKey: "secret",
+ },
+ expected: "keyhelp: some credentials information are missing: KEYHELP_BASE_URL",
+ },
+ {
+ desc: "missing API key",
+ envVars: map[string]string{
+ EnvBaseURL: "https://keyhelp.example.com",
+ },
+ expected: "keyhelp: some credentials information are missing: KEYHELP_API_KEY",
+ },
+ {
+ desc: "missing credentials",
+ envVars: map[string]string{},
+ expected: "keyhelp: some credentials information are missing: KEYHELP_BASE_URL,KEYHELP_API_KEY",
+ },
+ }
+
+ for _, test := range testCases {
+ t.Run(test.desc, func(t *testing.T) {
+ defer envTest.RestoreEnv()
+ envTest.ClearEnv()
+
+ envTest.Apply(test.envVars)
+
+ p, err := NewDNSProvider()
+
+ if test.expected == "" {
+ require.NoError(t, err)
+ require.NotNil(t, p)
+ require.NotNil(t, p.config)
+ require.NotNil(t, p.client)
+ } else {
+ require.EqualError(t, err, test.expected)
+ }
+ })
+ }
+}
+
+func TestNewDNSProviderConfig(t *testing.T) {
+ testCases := []struct {
+ desc string
+ baseURL string
+ apiKey string
+ expected string
+ }{
+ {
+ desc: "success",
+ baseURL: "https://keyhelp.example.com",
+ apiKey: "secret",
+ },
+ {
+ desc: "missing base URL",
+ apiKey: "secret",
+ expected: "keyhelp: missing base URL",
+ },
+ {
+ desc: "missing API key",
+ baseURL: "https://keyhelp.example.com",
+ expected: "keyhelp: credentials missing",
+ },
+ {
+ desc: "missing credentials",
+ expected: "keyhelp: missing base URL",
+ },
+ }
+
+ for _, test := range testCases {
+ t.Run(test.desc, func(t *testing.T) {
+ config := NewDefaultConfig()
+ config.BaseURL = test.baseURL
+ config.APIKey = test.apiKey
+
+ p, err := NewDNSProviderConfig(config)
+
+ if test.expected == "" {
+ require.NoError(t, err)
+ require.NotNil(t, p)
+ require.NotNil(t, p.config)
+ require.NotNil(t, p.client)
+ } else {
+ require.EqualError(t, err, test.expected)
+ }
+ })
+ }
+}
+
+func TestLivePresent(t *testing.T) {
+ if !envTest.IsLiveTest() {
+ t.Skip("skipping live test")
+ }
+
+ envTest.RestoreEnv()
+ provider, err := NewDNSProvider()
+ require.NoError(t, err)
+
+ err = provider.Present(envTest.GetDomain(), "", "123d==")
+ require.NoError(t, err)
+}
+
+func TestLiveCleanUp(t *testing.T) {
+ if !envTest.IsLiveTest() {
+ t.Skip("skipping live test")
+ }
+
+ envTest.RestoreEnv()
+ provider, err := NewDNSProvider()
+ require.NoError(t, err)
+
+ err = provider.CleanUp(envTest.GetDomain(), "", "123d==")
+ require.NoError(t, err)
+}
+
+func mockBuilder() *servermock.Builder[*DNSProvider] {
+ return servermock.NewBuilder(func(server *httptest.Server) (*DNSProvider, error) {
+ config := NewDefaultConfig()
+ config.HTTPClient = server.Client()
+ config.APIKey = "secret"
+ config.BaseURL = server.URL
+
+ return NewDNSProviderConfig(config)
+ },
+ servermock.CheckHeader().
+ With(internal.APIKeyHeader, "secret"),
+ )
+}
+
+func TestDNSProvider_Present(t *testing.T) {
+ provider := mockBuilder().
+ Route("GET /api/v2/domains",
+ servermock.ResponseFromInternal("get_domains.json"),
+ servermock.CheckQueryParameter().
+ With("sort", "domain_utf8").
+ Strict()).
+ Route("GET /api/v2/dns/8",
+ servermock.ResponseFromInternal("get_domain_records.json")).
+ Route("PUT /api/v2/dns/8",
+ servermock.ResponseFromInternal("update_domain_records.json"),
+ servermock.CheckRequestJSONBodyFromInternal("update_domain_records-request.json")).
+ Build(t)
+
+ err := provider.Present("example.com", "abc", "123d==")
+ require.NoError(t, err)
+
+ assert.Equal(t, 8, provider.domainIDs["abc"])
+}
+
+func TestDNSProvider_CleanUp(t *testing.T) {
+ provider := mockBuilder().
+ Route("GET /api/v2/dns/8",
+ servermock.ResponseFromInternal("get_domain_records2.json")).
+ Route("PUT /api/v2/dns/8",
+ servermock.ResponseFromInternal("update_domain_records.json"),
+ servermock.CheckRequestJSONBodyFromInternal("update_domain_records-request2.json")).
+ Build(t)
+
+ provider.domainIDs["abc"] = 8
+
+ err := provider.CleanUp("example.com", "abc", "123d==")
+ require.NoError(t, err)
+}
diff --git a/providers/dns/zz_gen_dns_providers.go b/providers/dns/zz_gen_dns_providers.go
index 44ab9d49..04e7eb5e 100644
--- a/providers/dns/zz_gen_dns_providers.go
+++ b/providers/dns/zz_gen_dns_providers.go
@@ -88,6 +88,7 @@ import (
"github.com/go-acme/lego/v4/providers/dns/ipv64"
"github.com/go-acme/lego/v4/providers/dns/iwantmyname"
"github.com/go-acme/lego/v4/providers/dns/joker"
+ "github.com/go-acme/lego/v4/providers/dns/keyhelp"
"github.com/go-acme/lego/v4/providers/dns/liara"
"github.com/go-acme/lego/v4/providers/dns/lightsail"
"github.com/go-acme/lego/v4/providers/dns/limacity"
@@ -335,6 +336,8 @@ func NewDNSChallengeProviderByName(name string) (challenge.Provider, error) {
return iwantmyname.NewDNSProvider()
case "joker":
return joker.NewDNSProvider()
+ case "keyhelp":
+ return keyhelp.NewDNSProvider()
case "liara":
return liara.NewDNSProvider()
case "lightsail":