The private key files created by certbot are world-readable (mode 0644):
-rw-r--r--. 1 root root 1704 Sep 30 00:53 /etc/letsencrypt/archive/colmena.biz/privkey1.pem
umask must be set appropriately (0066, so that new files are created 0600) before the private key files are written, so that they cannot be read by unauthorized local users. Keys that already exist need their mode corrected with chmod 600.
The lrwxrwxrwx mode shown on the symlink in /etc/letsencrypt/live/ refers to the permissions of the symlink itself, not the target in /etc/letsencrypt/archive/, which is still world-readable.
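The following script is an added example, not part of the original report and not certbot's own code. It rebuilds the live/ and archive/ layout in a scratch directory (the domain name example.test and the paths under $ROOT are constructed), creates a key file under the default umask 022 to reproduce the 0644 result, shows that stat -L on the live/ symlink reports the target's real mode rather than the lrwxrwxrwx of the link, and then demonstrates both fixes: chmod 600 on an existing key and umask 0066 before creating a new one.

```shell
#!/bin/sh
# Added example (not certbot code): reproduce the world-readable key problem
# in a scratch directory and show the umask / chmod fixes. Nothing here
# touches /etc/letsencrypt; all paths under $ROOT are constructed.
set -eu

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
DOMAIN=example.test   # assumed domain name, not from the report
mkdir -p "$ROOT/archive/$DOMAIN" "$ROOT/live/$DOMAIN"

# Octal mode of a path, following symlinks (-L) so that the target's
# permissions are reported, not the symlink's own lrwxrwxrwx.
# GNU stat first, BSD/macOS stat as a fallback.
mode_of() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Create an empty file under the given umask (in a subshell, so the umask
# change does not leak into the caller) and return its resulting mode.
create_key_with_umask() {
    (umask "$1"; : > "$2")
    mode_of "$2"
}

# True when the "other" class has the read bit: last octal digit has bit 4.
is_world_readable() {
    m=$(mode_of "$1")
    last=$(printf '%s' "$m" | tail -c 1)
    [ $((last & 4)) -ne 0 ]
}

# Remediation for keys that already exist: strip all group/other bits.
fix_key() {
    chmod 600 "$1"
    mode_of "$1"
}

KEY="$ROOT/archive/$DOMAIN/privkey1.pem"
LINK="$ROOT/live/$DOMAIN/privkey.pem"

# 1. Default umask 022 (typical for a root shell): 0666 & ~022 = 0644.
BAD_MODE=$(create_key_with_umask 022 "$KEY")
ln -s "../../archive/$DOMAIN/privkey1.pem" "$LINK"

# 2. ls -l "$LINK" prints lrwxrwxrwx; the target is what actually matters.
LINK_MODE=$(mode_of "$LINK")

# 3a. Existing key: chmod 600.
FIXED_MODE=$(fix_key "$KEY")
# 3b. New key created after umask 0066: 0666 & ~066 = 0600 from the start.
GOOD_MODE=$(create_key_with_umask 0066 "$ROOT/archive/$DOMAIN/privkey2.pem")

echo "umask 022 -> $BAD_MODE (seen through live/ symlink: $LINK_MODE)"
echo "after chmod 600 -> $FIXED_MODE; created under umask 0066 -> $GOOD_MODE"
```

A quick audit of a real installation is the same check run over the archive directory, e.g. `find /etc/letsencrypt/archive -name 'privkey*.pem' -perm /o+r`, since `ls -l` on the live/ symlinks will never reveal the problem.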