I have a cert for mailserver TLS and the mailserver (exim4) needs read access to its private key. I'm not sure if I'm happy, but I'm doing it according to exim's recommendations (group-readable by a group only the exim user belongs to).
I'm running certbot v31 under a cron job to check for renewal. When it renews, the final target in /archive of the symlink in /live will change from privkey1.pem to privkey2.pem.
Will certbot recreate the same permissions on privkey2 as on privkey1?
If not, I plan to do it with a --manual-cleanup-hook script which will find the new target of the /live privkey.pem link and apply perms as root. Is that the right thing to do?
exim4 under Debian 10, certbot v31, I have root access.
Are you using the /live/ symlink or /archive/file directly?
I believe certbot will always set the same permissions on all new files.
[Ignoring any changed permissions on previous files]
I would say NO.
What I would do is use the deploy-hook script to copy the files (from their symlinks) to a dedicated EXIM accessible location.
Then on those copied files you can set whatever permissions it requires.
[so maybe the script should clean/remove files from the EXIM folder first]
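The deploy-hook approach from the answer above, as an added example that is not from the thread or from certbot's own docs. It assumes Debian's exim group is Debian-exim and uses /etc/exim4/tls as the destination (both placeholders); RENEWED_LINEAGE is the variable certbot exports to --deploy-hook scripts. Because it copies through the /live symlink, it does not matter whether that link points at privkey1.pem or privkey2.pem in /archive, and writing to a temp file then renaming replaces the previous copy without exim ever seeing a half-written key.

```shell
#!/bin/sh
# Constructed example: certbot --deploy-hook that copies the renewed cert and
# key into a directory exim can read, with the key readable only by the exim
# group. Run by certbot as root after a successful renewal.
set -eu

# Placeholders: adjust to your exim user/group and preferred location.
EXIM_GROUP="${EXIM_GROUP:-Debian-exim}"
EXIM_TLS_DIR="${EXIM_TLS_DIR:-/etc/exim4/tls}"

# deploy_certs SRC_LINEAGE DEST_DIR GROUP
# Copies fullchain.pem and privkey.pem from SRC_LINEAGE (the /live/<name>
# directory; cp -L follows the symlinks into /archive) to DEST_DIR.
# fullchain ends up 0644, privkey 0640 owned by root:GROUP.
deploy_certs() {
    src="$1"; dest="$2"; group="$3"
    [ -r "$src/privkey.pem" ]   || { echo "no privkey.pem in $src" >&2; return 1; }
    [ -r "$src/fullchain.pem" ] || { echo "no fullchain.pem in $src" >&2; return 1; }
    mkdir -p "$dest"
    # Only root may hand the file to another group; when run unprivileged
    # (e.g. a dry run) keep the caller's own group but still set the mode.
    if [ "$(id -u)" -eq 0 ]; then grp="$group"; else grp="$(id -gn)"; fi
    # Stage as temp files so a crash mid-copy never leaves a truncated key.
    cp -L "$src/fullchain.pem" "$dest/fullchain.pem.tmp"
    cp -L "$src/privkey.pem"   "$dest/privkey.pem.tmp"
    chgrp "$grp" "$dest/privkey.pem.tmp"
    chmod 0644 "$dest/fullchain.pem.tmp"
    chmod 0640 "$dest/privkey.pem.tmp"
    # Atomic rename replaces whatever the previous deploy left behind.
    mv -f "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/privkey.pem.tmp"   "$dest/privkey.pem"
}

# Octal mode of a file, for checking the result (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Entry point when certbot invokes this script as the deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "$EXIM_TLS_DIR" "$EXIM_GROUP"
    # Debian service name; reload so exim picks up the new key and chain.
    systemctl reload exim4 2>/dev/null || true
fi
```

Point certbot at it with `certbot renew --deploy-hook /path/to/this-script.sh` (or put it in /etc/letsencrypt/renewal-hooks/deploy/), and configure exim's tls_certificate and tls_privatekey to the copies in EXIM_TLS_DIR rather than to /etc/letsencrypt.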
I'm superstitious about pushing things I don't completely understand. I've set myself a reminder for the day it should renew (expiry - 30 days) and will do a TLS test then.