Fedora. Here is the log output:
Nov 05 22:20:36 melissa.colmena.biz systemd[1]: Starting PostgreSQL database server...
Nov 05 22:20:37 melissa.colmena.biz postgresql-ctl[11790]: FATAL: could not load server certificate file "/etc/letsencrypt/live/melissa.colmena.biz/fullchain.pem": Permission denied
Nov 05 22:20:37 melissa.colmena.biz postgresql-ctl[11790]: LOG: database system is shut down
Nov 05 22:20:38 melissa.colmena.biz postgresql-ctl[11790]: pg_ctl: could not start server
Nov 05 22:20:38 melissa.colmena.biz postgresql-ctl[11790]: Examine the log output.
Nov 05 22:20:38 melissa.colmena.biz systemd[1]: postgresql.service: Control process exited, code=exited status=1
Nov 05 22:20:38 melissa.colmena.biz systemd[1]: Failed to start PostgreSQL database server.
Nov 05 22:20:38 melissa.colmena.biz systemd[1]: postgresql.service: Unit entered failed state.
Nov 05 22:20:38 melissa.colmena.biz systemd[1]: postgresql.service: Failed with result 'exit-code'.
Why doesn’t PostgreSQL read the certificate file as root on startup before dropping privileges to user “postgres”? I am not sure I am comfortable allowing user “postgres” to read the private key file… I may use nginx instead to tunnel the connection over SSL. Are there any thoughts or general suggestions?
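
To locate which path component produces a "Permission denied" like the one in the log above, this added example (not part of the original post) walks a certificate path, follows the symlink, and reports the first directory or file whose mode bits refuse a given user. The uid/gid 54321, the helper names and the sample tree are constructed; only classic mode bits are evaluated, not ACLs or SELinux.

```python
import os
import tempfile

UID = GID = 54321  # constructed stand-in for the "postgres" account

def allowed(st, uid, gids, bit):
    """Classic mode-bit check: owner class, else group, else other."""
    shift = 6 if st.st_uid == uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & bit)

def first_denied(path, uid, gids, start=os.sep):
    """Return (component, 'x' or 'r') for the first denial below start, else None."""
    cur = os.path.abspath(start)
    parts = os.path.relpath(os.path.abspath(path), cur).split(os.sep)
    for i, part in enumerate(parts):
        if not allowed(os.stat(cur), uid, gids, 1):  # search bit on the directory
            return (cur, "x")
        cur = os.path.join(cur, part)
        if os.path.islink(cur):  # follow the link and re-check the target's own path
            target = os.path.join(os.path.dirname(cur), os.readlink(cur), *parts[i + 1:])
            return first_denied(target, uid, gids, start)
    return None if allowed(os.stat(cur), uid, gids, 4) else (cur, "r")

def build_sample(base, live_mode, archive_mode, pem_mode):
    """Constructed tree with a live/ -> archive/ symlink, as certbot lays it out."""
    for name, mode in (("live", live_mode), ("archive", archive_mode)):
        os.makedirs(os.path.join(base, name, "host"), exist_ok=True)
        os.chmod(os.path.join(base, name, "host"), 0o755)
        os.chmod(os.path.join(base, name), mode)
    pem = os.path.join(base, "archive", "host", "fullchain1.pem")
    open(pem, "w").close()
    os.chmod(pem, pem_mode)
    link = os.path.join(base, "live", "host", "fullchain.pem")
    if not os.path.lexists(link):
        os.symlink("../../archive/host/fullchain1.pem", link)
    os.chmod(base, 0o755)
    return link

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        link = build_sample(base, 0o700, 0o755, 0o644)
        print(first_denied(link, UID, {GID}, start=base))
```

On a real host, call `first_denied` with the path from the log line and the database account's numeric uid and group ids, leaving `start` at its default.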