As @jared.m said, you can use a
--post-hook to perform these actions using your own script once your cert is renewed.
Note: Since certbot version 0.17.0
--renew-hook is named
--deploy-hook you could still use
--renew-hook it will work but it is better that if you are using this or new version use
Note 2: If you are using certbot 0.19.0 instead of using
--deploy-hook you could put your script on dir
So, you need a script to concatenate
fullchain.pem in another file, let’s call it
$RENEWED_LINEAGE is passed by certbot to the script):
cat "$privkey" "$fullchain" > "$combined"
chmod 400 $combined
Note 3: Remember to give executable permissions to this script.
So, if you run
certbot renew --renew-hook /path/to/combine-certs-for-pound.sh every time it renew your certs it will concatenate the files, so, for example, if you cert name is
domain.tld you will have the combined cert here
Note 4: Keep in mind that this script will run on every renew fo each of your certs so it will concatenate the files for all your certs (each one in its own dir of course). Also, you could add a command to restart/reload your pound service so it loads the renewed cert (you can also use
--post-hook to accomplish this task) or you can copy the combined cert to another location, etc. Take it as an example and you should review and modify it to accomodate the script to your goals and conf.
Note 5: No more notes
For more info about renew and hooks take a look to certbot doc.