On an Ubuntu system (I don’t know about Debian or others), the default SSL directories in /etc have a group set to “ssl-cert” and read permissions for that group on the directory that holds the private keys. When on a system like that, your software should use that group to be compliant with the configuration. That group is used so that running software daemons that need access to the keys are not forced to have root access.
In particular, the mumble-server (murmurd) has this issue. I also had minor issues with apache2 and tomcat with permissions that were fixed by doing a chown command on the folders so that the ssl-cert group had access.
Love the product.
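As an added example (not part of the original post), the following script audits a daemon account and key paths against the ssl-cert group convention described above. The policy it enforces (owner root, group ssl-cert, no access for others, not group-writable) is an assumption of this example, as is the use of GNU `stat`; the account name and paths are supplied by the operator.

```shell
#!/bin/sh
# Added example (not from the original post): audit key paths and a daemon
# account against the ssl-cert convention. The policy below is an assumption.
KEY_GROUP="ssl-cert"

# check_perms KIND OWNER GROUP MODE
# KIND is "dir" or "file"; MODE is octal as printed by `stat -c %a`.
# Prints one line per finding; returns 0 only when there are none.
check_perms() {
    kind=$1; owner=$2; group=$3; mode=$4; rc=0
    m="000$mode"; m=${m#"${m%???}"}  # last three octal digits (drops setuid/setgid/sticky)
    g=${m#?}; g=${g%?}               # group digit
    o=${m#??}                        # other digit
    [ "$owner" = "root" ] || { echo "owner is $owner, expected root"; rc=1; }
    [ "$group" = "$KEY_GROUP" ] || { echo "group is $group, expected $KEY_GROUP"; rc=1; }
    [ "$o" = "0" ] || { echo "others have access (mode $mode)"; rc=1; }
    [ $((g & 2)) -eq 0 ] || { echo "group-writable (mode $mode)"; rc=1; }
    if [ "$kind" = "dir" ]; then
        [ $((g & 1)) -ne 0 ] || { echo "group cannot traverse directory"; rc=1; }
    else
        [ $((g & 4)) -ne 0 ] || { echo "group cannot read key file"; rc=1; }
    fi
    return "$rc"
}

# in_key_group USER: true when USER exists and is a member of $KEY_GROUP.
in_key_group() {
    memberships=$(id -nG "$1" 2>/dev/null) || return 1
    for name in $memberships; do
        [ "$name" = "$KEY_GROUP" ] && return 0
    done
    return 1
}

# audit_path PATH: stat a real path (GNU stat) and apply check_perms.
audit_path() {
    info=$(stat -c '%U %G %a' "$1") || return 2
    if [ -d "$1" ]; then kind=dir; else kind=file; fi
    check_perms "$kind" $info        # $info is unquoted on purpose: three fields
}

# Usage: script DAEMON_USER PATH...   (both supplied by the operator)
if [ "$#" -ge 2 ]; then
    user=$1; shift
    in_key_group "$user" || echo "$user is not in $KEY_GROUP"
    for p in "$@"; do audit_path "$p" || echo "^ findings for $p"; done
fi
```

Reading the private key directory normally requires root, so run the audit with sufficient privileges for `stat` to succeed on each path.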