diff --git a/rattail/fablib/certbot.py b/rattail/fablib/certbot.py
index 2a308bfd..d4b29b7e 100644
--- a/rattail/fablib/certbot.py
+++ b/rattail/fablib/certbot.py
@@ -26,7 +26,8 @@ Fabric library for Let's Encrypt certbot
 
 from __future__ import unicode_literals, absolute_import
 
-from fabric.api import sudo, abort
+from fabric.api import sudo, cd, abort
+from fabric.contrib.files import exists
 
 from rattail.fablib import apt, get_debian_version
 
@@ -37,12 +38,19 @@ def install():
     """
     version = get_debian_version()
 
+    # debian 7 wheezy
+    if 7 <= version < 8:
+        if not exists('/usr/local/src/certbot'):
+            with cd('/usr/local/src'):
+                sudo('git clone https://github.com/certbot/certbot')
+        sudo('ln --symbolic --force /usr/local/src/certbot/certbot-auto /usr/local/bin/certbot')
+
     # debian 8 jessie
-    if 8 <= version < 9:
+    elif 8 <= version < 9:
         apt.add_source('deb http://ftp.debian.org/debian jessie-backports main')
         apt.install('python-certbot-apache', target_release='jessie-backports')
 
-    # previous / unsupported..?
+    # other..? will have to investigate when this comes up
     else:
         abort("don't know how to install certbot on debian version {}".format(version))
 
diff --git a/rattail/fablib/core.py b/rattail/fablib/core.py
index 0ed9d7aa..9c75bee3 100644
--- a/rattail/fablib/core.py
+++ b/rattail/fablib/core.py
@@ -164,7 +164,7 @@ class Deployer(object):
         if not exists(final_path):
             mkdir(paths, mode='0700')
             with cd(final_path):
-                self.deploy('{}/private_key.json'.format(localdir), 'private_key.json')
+                self.deploy('{}/private_key.json'.format(localdir), 'private_key.json', mode='0600')
                 self.deploy('{}/meta.json'.format(localdir), 'meta.json')
                 self.deploy('{}/regr.json'.format(localdir), 'regr.json')