From 9f067d7f56eba9c1b301686d2a89419d9e993ea1 Mon Sep 17 00:00:00 2001
From: Sergey Pashinin <sergey@pashinin.com>
Date: Mon, 10 Dec 2018 18:17:18 +0300
Subject: [PATCH] Deploy to Hashicorp Vault docs

---
 deploy/README.md | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/deploy/README.md b/deploy/README.md
index 5c03ce6a..cec7d773 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -295,4 +295,40 @@ You can then deploy the certificate as follows
 
 ```sh
 acme.sh --deploy -d www.mydomain.com --deploy-hook gitlab
-```
\ No newline at end of file
+```
+
+## 12. Deploy your cert to Hashicorp Vault
+
+```sh
+export VAULT_PREFIX="acme"
+```
+
+You can then deploy the certificate as follows
+
+```sh
+acme.sh --deploy -d www.mydomain.com --deploy-hook vault_cli
+```
+
+Your certs will be saved in Vault using this structure:
+
+```sh
+vault write "${VAULT_PREFIX}/${domain}/cert.pem"      value=@"..."
+vault write "${VAULT_PREFIX}/${domain}/cert.key"      value=@"..."
+vault write "${VAULT_PREFIX}/${domain}/chain.pem"     value=@"..."
+vault write "${VAULT_PREFIX}/${domain}/fullchain.pem" value=@"..."
+```
+
+You might be using Fabio load balancer (which can get certs from
+Vault). It needs a bit different structure of your certs in Vault. It
+gets certs only from keys that were saved in `prefix/domain`, like this:
+
+```bash
+vault write <PREFIX>/www.domain.com cert=@cert.pem key=@key.pem
+```
+
+If you want to save certs in Vault this way just set "FABIO" env
+variable to anything (ex: "1") before running `acme.sh`:
+
+```sh
+export FABIO="1"
+```