diff --git a/content/blog/pureftpd-letsencrypt-hook.md b/content/blog/pureftpd-letsencrypt-hook.md new file mode 100644 index 0000000..9a4d253 --- /dev/null +++ b/content/blog/pureftpd-letsencrypt-hook.md 
@@ -0,0 +1,45 @@ +--- +title: "Pure-FTPd, Let's Encrypt and Certbot hooks" +tags: ["pure-ftpd", "letsencrypt", "certbot", "hooks"] +categories: ["recipe", "sysadmin"] +description: "How to secure Pure-FTPd with a Let’s Encrypt cert" +date: 2019-09-28T14:50:36+02:00 +author: "Ettore Dreucci" +draft: false +--- + +## [[recipe]({{< ref "/categories/recipe" >}}), [sysadmin]({{< ref "/categories/sysadmin" >}})]: How to secure Pure-FTPd with a Let’s Encrypt cert + +[Certbot](https://certbot.eff.org/) is the [EFF](https://www.eff.org/)’s tool to obtain certs from [Let’s Encrypt](https://letsencrypt.org/). + +[Pure-FTPd](https://www.pureftpd.org) is a very used secure FTP server daemon. + +Certbot stores all of your TLS certs in `/etc/letsencrypt/live` as symlinks to `/etc/letsencrypt/archive`. Both those directories are **root-owned** and **root-only**. It provides you with a bunch of PEM-encoded file: + +- `privkey.pem`: the private key for the certificate +- `cert.pem`: the server certificate +- `chain.pem`: the intermediate authority certificate +- `fullchain.pem`: the concatenation of the server and the intermediate cert files + +Pure-FTPd on the other hand, like other daemons do, needs a bundle of the server cert and its private key that we can easily generate with `cat fullchain.pem privkey.pem > pure-ftpd.pem` and that has to be mode `0600` . + +Every time certbot renews the certificates the bundle must be recreated so that it contains the renewd certs. + +It’s therefore possible to write a script to be executed every time the certs are renewed. 
To automate the execution certbot provides a deploy hook that will be triggered on successful renewals: + +- if you renew it manually you could add the `--deploy-hook "/path/to/script.sh"` option to the `renew` command + +- if your renewal are automated: + + - if you use cron add the previous option to the command + + - you can symlink the script to `/etc/letsencrypt/renewal-hooks/deploy/` to be executed when **any** cert is renewed + + - you can edit a specific cert conf file in `/etc/letsencrypt/renewal/domain.conf` and append the deploy hook directive as follow: + + ``` + [renewalparams] + renew_hook = /etc/letsencrypt/courier.sh + ``` + +END. \ No newline at end of file
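Review bot: the hook script the post builds up to is never shown, and the one concrete path it gives, `renew_hook = /etc/letsencrypt/courier.sh`, is not a Pure-FTPd script name, so a reader cannot follow the recipe to the end; add the script body the prose describes (concatenate `fullchain.pem` and `privkey.pem` into `pure-ftpd.pem`, set it to mode `0600`, then make Pure-FTPd pick up the new bundle) and use the same path in the `[renewalparams]` example as in the `--deploy-hook "/path/to/script.sh"` example. Also, the sequence `cat fullchain.pem privkey.pem > pure-ftpd.pem` followed by `chmod 0600` creates the file under the default umask first, so the private key is briefly readable by other local users; set `umask 077` at the top of the script, or write through `install -m 0600`, so the bundle never exists with wider permissions. It would also help to state where Pure-FTPd expects the bundle, since the text only says it "needs a bundle". Minor wording: "very used" -> "widely used", "a bunch of PEM-encoded file" -> "files", "renewd" -> "renewed", "if your renewal are" -> "if your renewals are", "as follow" -> "as follows".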