I have a cert for mailserver TLS and the mailserver (exim4) needs read access to its private key. I'm not sure if I'm happy, but I'm doing it according to exim's recommendations (group-readable by a group only the exim user belongs to).
I'm running certbot v31 under a cron job to check for renewal. When it renews, the final target in /archive of the symlink in /live will change from privkey1.pem to privkey2.pem.
Will certbot recreate the same permissions on privkey2 as on privkey1?
If not, I plan to do it with a --manual-cleanup-hook
script, that will find the new target of the /live privkey.pem link and apply perms as root. Is that the right thing to do?
exim4 under Debian 10, certbot v31, I have root access.