Hi @MoHaG,
Regarding the "undocumented" --deploy-hook and "undocumented" RENEWED_LINEAGE variable:
--deploy-hook DEPLOY_HOOK
Command to be run in a shell once for each
successfully issued certificate. For this command, the
shell variable $RENEWED_LINEAGE will point to the
config live subdirectory (for example,
"/etc/letsencrypt/live/example.com") containing the
new certificates and keys; the shell variable
$RENEWED_DOMAINS will contain a space-delimited list
of renewed certificate domains (for example,
"example.com www.example.com" (default: None)
You can use --deploy-hook in your run command and it will be executed once the certificate is issued for your domain, BUT keep in mind that certbot will add a parameter to your domain's renewal conf pointing to this script, so every time you renew your certificate it will execute this command/script AND all the scripts you have in the /etc/letsencrypt/renewal-hooks/deploy/ dir.
You could add a couple of lines to your initial script to remove the renew_hook parameter added to the renewal conf file, so this initial script will run only once, when you issue the cert; when the renewal happens, it will use the scripts in the /etc/letsencrypt/renewal-hooks/deploy/ dir.
# lineage name (e.g. "example.com") taken from the path certbot passes in $RENEWED_LINEAGE
base=$(basename "$RENEWED_LINEAGE")
# drop the renew_hook line so this script is not re-run on every renewal
sed -i '/renew_hook/d' "/etc/letsencrypt/renewal/${base}.conf"
Cheers,
sahsanu
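As an added example (not part of sahsanu's reply and not certbot's own code), the one-shot idea above can be made a bit safer: instead of deleting any renew_hook line, the hook removes only the renew_hook entry that points at itself, so a renew_hook an admin set on purpose is left alone. It assumes certbot's renewal conf stores the hook as a `renew_hook = /path/to/script` line, that the hook was registered with its full path (so `$0` matches it), and GNU `sed -i`. The demo function works on a constructed renewal conf in a temporary directory, so it runs without certbot installed.

```shell
#!/bin/sh
# remove_own_renew_hook LINEAGE_DIR RENEWAL_DIR HOOK_PATH
# Deletes the renew_hook line from the lineage's renewal conf, but only when it
# references HOOK_PATH (assumed conf format: "renew_hook = /path/to/script").
remove_own_renew_hook() {
    lineage_dir=$1
    renewal_dir=$2
    hook_path=$3
    base=$(basename "$lineage_dir")
    conf="$renewal_dir/$base.conf"
    [ -f "$conf" ] || { echo "no renewal conf: $conf" >&2; return 1; }
    # escape '/' and '.' so the hook path can be used inside the sed address
    pattern=$(printf '%s' "$hook_path" | sed 's#[/.]#\\&#g')
    sed -i "/^renew_hook *= *${pattern}$/d" "$conf"
}

# Demo on a constructed renewal conf (sample data, not a real certbot install).
# Returns 0 when the matching hook line is removed and an unrelated one is kept.
demo_one_shot() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/renewal" "$tmp/live/example.com"
    conf="$tmp/renewal/example.com.conf"
    printf '%s\n' '[renewalparams]' 'authenticator = webroot' \
        'renew_hook = /usr/local/bin/first-run.sh' > "$conf"
    # 1) hook path matches: the renew_hook line must disappear
    remove_own_renew_hook "$tmp/live/example.com" "$tmp/renewal" /usr/local/bin/first-run.sh
    grep -q '^renew_hook' "$conf" && return 1
    # 2) a different renew_hook is present: it must survive untouched
    printf '%s\n' 'renew_hook = /usr/local/bin/reload-nginx.sh' >> "$conf"
    remove_own_renew_hook "$tmp/live/example.com" "$tmp/renewal" /usr/local/bin/first-run.sh
    grep -q '^renew_hook = /usr/local/bin/reload-nginx.sh$' "$conf" || return 1
    rm -rf "$tmp"
    return 0
}

# When certbot invokes this script as a deploy hook, RENEWED_LINEAGE is set;
# only then touch the real renewal conf (hypothetical one-shot usage).
if [ -n "$RENEWED_LINEAGE" ]; then
    remove_own_renew_hook "$RENEWED_LINEAGE" /etc/letsencrypt/renewal "$0"
fi
```

Keep any real one-off work (initial service setup, first-time permission changes) above the cleanup call so the renew_hook line is only removed after that work succeeded; the regular reload hooks still belong in /etc/letsencrypt/renewal-hooks/deploy/.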