Certificate Auto-Deploy Hooks
Run shell commands automatically after certificate issuance or renewal — complete the automation loop from request to deployment.
How it works
Configure deploy hooks in Settings > Deploy tab. After a certificate is created or renewed, CertMate executes your shell commands with cert paths passed as environment variables:
| Variable | Description |
|---|---|
| CERTMATE_DOMAIN | Domain name (e.g., example.com) |
| CERTMATE_CERT_PATH | Path to cert.pem |
| CERTMATE_KEY_PATH | Path to privkey.pem |
| CERTMATE_FULLCHAIN_PATH | Path to fullchain.pem |
| CERTMATE_EVENT | created or renewed |
Features
- Global hooks — run for all domains (e.g., systemctl reload nginx)
- Domain-specific hooks — run only for matching domains
- Event filtering — trigger on created, renewed, or both
- Configurable timeout — 1-300 seconds per hook
- Dry-run testing — test hooks from the UI without real certs
- Execution history — JSONL log with full audit trail
- Real-time feedback — SSE events for hook start/completion
- Security — admin-only access, commands run as CertMate process user
API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| GET | /api/deploy/config | Get deploy hooks config |
| POST | /api/deploy/config | Save deploy hooks config |
| POST | /api/deploy/test/<hook_id> | Dry-run test a hook |
| GET | /api/deploy/history | Execution history |
Example
```bash
# Global hook: reload Nginx after any cert change
systemctl reload nginx

# Domain hook: sync to remote server
# (paths are quoted so a path containing spaces or glob characters is passed intact)
rsync -avz "$CERTMATE_CERT_PATH" "$CERTMATE_KEY_PATH" user@server:/etc/ssl/
ssh user@server systemctl reload nginx
```

28 new unit tests — 146 total tests passing.
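Because hooks run as the CertMate process user and handle the private key, a hook can check what it was handed before deploying it. The following local-deployment hook is an added example, not CertMate's own code: it validates the CERTMATE_* variables, confirms the key matches the certificate, installs both with restrictive permissions and only then reloads Nginx; DEST_DIR and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not CertMate code. DEST_DIR and all function names are assumptions.
DEST_DIR="${DEST_DIR:-/etc/ssl/certmate}"

# Accept only a known event, a plain hostname (wildcard names are rejected
# by this sketch) and regular, non-empty, non-symlink input files.
validate_env() {
    case "${CERTMATE_EVENT:-}" in
        created|renewed) ;;
        *) echo "unexpected event" >&2; return 1 ;;
    esac
    case "${CERTMATE_DOMAIN:-}" in
        ""|.*|-*|*..*|*[!A-Za-z0-9.-]*) echo "bad domain" >&2; return 1 ;;
    esac
    for f in "${CERTMATE_FULLCHAIN_PATH:-}" "${CERTMATE_KEY_PATH:-}"; do
        { [ -f "$f" ] && [ -s "$f" ] && [ ! -L "$f" ]; } || {
            echo "bad input file: $f" >&2; return 1; }
    done
}

# The first certificate in fullchain.pem must carry the public key that
# belongs to privkey.pem; both commands print it as the same PEM block.
key_matches_cert() {
    c=$(openssl x509 -in "$CERTMATE_FULLCHAIN_PATH" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$CERTMATE_KEY_PATH" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Stage under temporary names, then rename, so the server never reads a
# half-written file; the installed key is mode 0600.
install_pair() {
    dest="$DEST_DIR/$CERTMATE_DOMAIN"
    mkdir -p "$dest" &&
    install -m 0600 "$CERTMATE_KEY_PATH" "$dest/.privkey.pem.new" &&
    install -m 0644 "$CERTMATE_FULLCHAIN_PATH" "$dest/.fullchain.pem.new" &&
    mv -f "$dest/.privkey.pem.new" "$dest/privkey.pem" &&
    mv -f "$dest/.fullchain.pem.new" "$dest/fullchain.pem"
}

deploy_hook() {
    validate_env && key_matches_cert && install_pair || return 1
    # Reload only when nginx accepts the resulting configuration.
    nginx -t && systemctl reload nginx
}

# Run only when the CERTMATE_* environment is present.
if [ -n "${CERTMATE_EVENT:-}" ]; then deploy_hook; fi
```

A non-zero exit from any check stops the hook before the reload, so a mismatched or malformed pair never replaces the files Nginx is serving.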
Full Changelog: v1.11.1...v1.12.0