It produced this output:
mail dovecot: imap(mouse)<1794>: Panic: Settings check unexpectedly failed: ssl_client_ca_dir: access(/etc/letsencrypt/live/mail.servicemouse.com) failed: Permission denied
My web server is (include version):
The operating system my web server runs on is (include version):
Ubuntu 20.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0
I wonder why you even set that. It is not required and will instead use the default system CA store. From dovecot docs:
By default Dovecot uses OpenSSL’s default system CAs to verify SSL certificates for outgoing connections. This can be overridden by specifying either ssl_client_ca_dir or ssl_client_ca_file. Using ssl_client_ca_dir is preferred because it uses less memory.
The folder you named is not a list of CA roots anyway. It is all the related files for the cert which includes the leaf, intermediates, and privkey. I do not know dovecot well so I may be misunderstanding your requirement but seems best to just let it default.
I agree, if you really do need such a separate directory, you may need to cp the latest chain.pem file from the /live/ folder to a newly created folder [with proper permissions] designated for this purpose.
Then add that cp line to the certbot deployment hook [and also restart/reload your email server].
But I doubt that file can add anything more than should already be found in the ca-cert system.
I too agree, I don't see any reason to set ssl_client_ca_dir to any directory in the /etc/letsencrypt/ path, if you want to set that option to anything anyway indeed, as already explained by @MikeMcQ.
Please allow us to understand what the actual goal is what you're trying to achieve.