.TH CERTDEPLOY 8 "MAY 2021"
.SH NAME
certdeploy \- A deploy hook script for Certbot

.SH SYNOPSIS
certdeploy
.B [OPTIONS...]
.I SOURCE_DIRECTORY TARGET_DIRECTORY

.SH DESCRIPTION
.P
CertDeploy is a "deploy hook" script for
the Certbot ACME client written in Bash.

.P
CertDeploy can be used in conjunction with the
.I --deploy-hook
option of Certbot to easily deploy (or better: "install/move") your
previously obtained X.509 certificate files and their corresponding
private key to a desired directory structure with your custom UNIX
file/directory permissions and user/group ownership applied.

.SH OPTIONS
The
.I SOURCE_DIRECTORY
is usually the path to the
.I /etc/letsencrypt/live/foo.example.org
directory provided by Certbot in which your newly issued (or renewed)
certificate files reside. In conjunction with Certbot's
.I --deploy-hook
option, you can use the content of the
.B $RENEWED_LINEAGE
variable as
.I SOURCE_DIRECTORY
(see
.B EXAMPLE
below).

The
.I TARGET_DIRECTORY
is the path to the custom directory in which the certificate files and
their corresponding private key shall be copied into by CertDeploy. If
.I TARGET_DIRECTORY
does not exist, it will be created (including all parents).


.SS Permissions for certificate files

.IP "-m mode"
Mode for target certificate files (octal notation, 3-4 digits).

.B Default:
"0600"

.IP "-o owner"
User ownership for certificate files in
.IR TARGET_DIRECTORY .

.B Default:
"$(id -u)"

.IP "-g group"
Group ownership for certificate files in
.IR TARGET_DIRECTORY .

.B Default:
"$(id -g)"

.SS Permissions for target directory

.IP "-M mode"
Mode for
.I TARGET_DIRECTORY
(octal notation, 3-4 digits).

.B Default:
"0755"

.IP "-O owner"
User ownership for
.IR TARGET_DIRECTORY .

.B Default:
"$(id -u)"

.IP "-G group"
Group ownership for
.IR TARGET_DIRECTORY .

.B Default:
"$(id -g)"

.SS Files in target directory

.IP "-K filename"
Filename for the RSA/ECDSA private key in
.IR TARGET_DIRECTORY .

.B Default:
"confidential.pem"

.IP "-I filename"
Filename for the X.509 intermediate certificate in
.IR TARGET_DIRECTORY .

.B Default:
"intermediate.pem"

.IP "-C filename"
Filename for the X.509 certificate in
.IR TARGET_DIRECTORY .

.B Default:
"certificate_only.pem"

.IP "-F filename"
Filename for the X.509 certificate+intermediate in
.IR TARGET_DIRECTORY .

.B Default:
"certificate_full.pem"

.SH EXAMPLE
.SS From command-line
$ sudo certdeploy -o daemon /etc/letsencrypt/live/foo.example.org/ /etc/certdeploy/example.org/foo/


.SS With Certbot
$ sudo certbot certonly -d voip.example.org --webroot --webroot-path /var/www --deploy-hook '/usr/local/sbin/certdeploy -o mumble-server
.B $RENEWED_LINEAGE
/etc/certdeploy/mumble/voip.example.org'

.SS With Certbot (including restart of daemon)
$ sudo certbot certonly -d voip.example.org --webroot --webroot-path /var/www --deploy-hook '/usr/local/sbin/certdeploy -o mumble-server
.B $RENEWED_LINEAGE
/etc/certdeploy/mumble/voip.example.org && systemctl is-active mumble-server && systemctl restart mumble-server'

.SH SEE ALSO
.BR certbot (1)