I know it is not a security issue per se, but certain applications (hello sendmail) will refuse to use a group (or world) readable keyfile.
Dec 7 15:03:20 lupus sendmail[17357]: STARTTLS=server: file /etc/letsencrypt/live/mail.olen.net/privkey.pem unsafe: World readable file
It does not matter that the parent directory is not accessible; it actually checks the permissions of the key-file itself.
So currently the permissions in the archive directory are:
drwxr-xr-x. 2 root root 4096 Dec 6 15:44 .
drwx------. 7 root root 4096 Dec 6 15:44 ..
-rw-r--r--. 1 root root 1809 Dec 6 15:44 cert1.pem
-rw-r--r--. 1 root root 1675 Dec 6 15:44 chain1.pem
-rw-r--r--. 1 root root 3484 Dec 6 15:44 fullchain1.pem
-rw-r--r--. 1 root root 1708 Dec 6 15:44 privkey1.pem
Removing the r-bit from privkey1.pem:
chmod 600 privkey1.pem
will make sendmail happy again.
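
An added example, not part of the original post: a shell check that judges each key by its own mode bits, as sendmail does, and follows the `live/` symlinks to the files in `archive/`. The function names `unsafe_keys` and `tighten_keys` are hypothetical, and the `privkey*.pem` name pattern is taken from the listing above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Print every private key under directory $1 that has any group or other
# permission bit set. -L makes find follow symlinks, so a path such as
# live/<name>/privkey.pem is judged by the mode of the archive file it
# points to, not by the symlink or by the parent directory's mode.
unsafe_keys() {
    find -L "$1" -type f -name 'privkey*.pem' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null | sort
}

# Restrict every key reported by unsafe_keys to owner read/write (0600).
# chmod follows symlinks, so a path under live/ changes its target in archive/.
tighten_keys() {
    unsafe_keys "$1" | while IFS= read -r key; do
        chmod 600 "$key" && printf 'fixed: %s\n' "$key"
    done
}

# Report only when a directory is given, e.g.: sh check-keys.sh /etc/letsencrypt
if [ -n "${1:-}" ]; then
    unsafe_keys "$1"
fi
```

Certificates and chains are left at their existing mode; only files matching `privkey*.pem` are considered.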