reorder

deployhooks.md

@@ -630,12 +630,13 @@ After a few updates, we simplified the process, so we can now act as the same as
 The default device name is `CertRenewal`, you can select another name as your own wish by exporting it as `SYNO_Device_Name`.
 
 ### Additional optional parameters
-When issuing a certificate (e.g., Let's Encrypt) for the first time instead of renewing it, `export SYNO_Create=1` must be executed _once_.
-Any subsequent run won't need that variable, hence it's not saved within your configuration file at all.
 
 It's recommended to set `SYNO_Scheme` to `https`, `SYNO_Port` to `5001` and `SYNO_Hostname` to your actual DSM's domain (e.g., `nas.example.com`)  instead of the defaults. Which increased security by TLS-based connection.
 However, using `https` & `localhost` requires addition of the [`--insecure` command line argument](https://github.com/acmesh-official/acme.sh/wiki/Options-and-Params) to successfully deploy the certificate to DSM. Though, enabling HTTP/2 still might give you a `curl 16 error` warning, although the script succeeded anyways.
 
+When issuing a certificate (e.g., Let's Encrypt) for the first time instead of renewing it, `export SYNO_Create=1` must be executed _once_.
+Any subsequent run won't need that variable, hence it's not saved within your configuration file at all.
+
 `SYNO_Certificate` is set as empty string by default, so the script will replace "default synology certificate" by your domain certificate, it should be all fine. however if you don't want to do so, you can always change it's value to anything you want to describe the certificate.
 The deployed certificate should show up inside `Control Panel` -> `Security` -> `Certificates`, it can be assigned to specific services (or set as the default certificate).