Hello @PolGZ,
You should never change the perms under /etc/letsencrypt dir... never ever ;).
You could use a deploy script to copy the fullchain and private key from letsencrypt dir to a dir owned by the user you are using to start your radicale server and once done, issue the command to reload/restart your radicale server.
You can do this:
1.- Create a script called for example yourdomain.sh in /etc/letsencrypt/renew-hooks/deploy/
2.- The script should be something like this (I've used the same names for the files you are using in radicale conf):
#!/bin/sh
pathtoyourcertsdir="/path/to/your/certs/dir"
domain="yourdomainhere"
basedomain="$(basename $RENEWED_LINEAGE)"
youruser="here_your_username"
yourgroup="$(id -ng $youruser)"
commandtoreloadradicale="here the command you will use to reload your radicale server"
if [ "$domain" = "$basedomain" ];then
cp "$RENEWED_LINEAGE/fullchain.pem" "$pathtoyourcertsdir/server_cert.pem"
cp "$RENEWED_LINEAGE/privkey.pem" "$pathtoyourcertsdir/server_key.pem"
chown $youruser:$yourgroup "$pathtoyourcertsdir/server_cert.pem"
chown $youruser:$yourgroup "$pathtoyourcertsdir/server_key.pem"
su - $youruser -c "$commandtoreloadradicale"
fi
Note: you should change the value of variables; pathtoyourcertsdir, domain, youruser and commandtoreloadradicale
3.- Save the script file and modify its perms:
chmod 750 /etc/letsencrypt/renewal-hooks/deploy/yourdomain.sh
Next time you renew your cert, all the needed files should be copied to the right path, changed the owner and group so your radicale server can read them and if you provide a command to reload your radicale server you have all done automatically.
Good luck,
sahsanu