In /etc/letsencrypt/, the archive/, keys/ and live/ directories are all 700, so non-root users can’t actually access any of the files inside them, and the private keys aren’t at risk. It’s weird but not actually harmful.
There’s an open bug about this, but it hasn’t been prioritized.
Hi, thank you for your response. I understand that the parent directories are set to 700; however, I want to configure an ACL on the “live” directory to allow specific users access to read files within the directory, but still keep the private keys protected.
Since the files are already 644, it would be simple to change certbot so that just the keys are 600 while the directory ACLs are not touched.
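The setup the last two posts are asking for, as an added example that is not from any participant in this thread and not certbot's own code: tighten the archived private keys to 0600, then grant one non-root user traversal of live/ and archive/ plus read access to the public cert, chain and fullchain files only. The directory layout (live/ symlinks into archive/, privkeyN.pem naming) matches what certbot creates; the function names, the `--demo` fixture and the reader user are assumptions, and `setfacl` is assumed to be installed from the acl package.

```shell
#!/bin/sh
# Added example, not certbot's code. Assumes certbot's standard layout under
# $LE_ROOT (default /etc/letsencrypt):
#   live/<name>/{cert,chain,fullchain,privkey}.pem -> symlinks into
#   archive/<name>/{cert,chain,fullchain,privkey}N.pem (the real files).
# Function names and the fixture are assumptions made for this example.

# Real private-key files whose mode is anything other than 0600.
find_loose_keys() {
    find "$1/archive" -type f -name 'privkey*.pem' ! -perm 600
}

# Force every archived private key to 0600. The symlinks in live/ resolve to
# these files, so an ACL on the directories can no longer expose a key.
harden_keys() {
    find "$1/archive" -type f -name 'privkey*.pem' ! -perm 600 -exec chmod 600 {} +
}

# Give one user traversal (rx) of live/, archive/ and each lineage directory,
# and read on the public material only; privkey is deliberately left out.
grant_cert_read() {
    root=$1; user=$2
    setfacl -m "u:$user:rx" "$root/live" "$root/archive" || return 1
    for d in "$root"/live/*/ "$root"/archive/*/; do
        [ -d "$d" ] || continue
        setfacl -m "u:$user:rx" "$d" || return 1
    done
    for f in "$root"/archive/*/cert*.pem "$root"/archive/*/chain*.pem \
             "$root"/archive/*/fullchain*.pem; do
        [ -f "$f" ] || continue
        setfacl -m "u:$user:r" "$f" || return 1
    done
}

# Constructed fixture (not real certificate material): a throwaway tree in the
# certbot layout, with every file left 644 as the thread describes, so the
# checks above have a loose key to find.
make_fixture() {
    root=$1
    mkdir -p "$root/archive/example.com" "$root/live/example.com"
    for f in cert chain fullchain privkey; do
        echo "placeholder $f" > "$root/archive/example.com/${f}1.pem"
        ln -s "../../archive/example.com/${f}1.pem" "$root/live/example.com/$f.pem"
    done
    chmod 644 "$root"/archive/example.com/*.pem
    chmod 700 "$root/archive" "$root/live"
}

main() {
    root="${LE_ROOT:-/etc/letsencrypt}"
    if [ "$1" = "--demo" ]; then
        root=$(mktemp -d)
        make_fixture "$root"
    fi
    echo "private keys not 0600 under $root:"
    find_loose_keys "$root"
    harden_keys "$root"
    # READER=alice ./script.sh --apply   grants alice read on public files
    [ -n "${READER:-}" ] && grant_cert_read "$root" "$READER"
    echo "remaining loose keys: $(find_loose_keys "$root" | wc -l | tr -d ' ')"
}

case "${1:-}" in
    --demo|--apply) main "$1" ;;
esac
```

Run with `--demo` to exercise the checks on the constructed tree, or as root with `--apply` (and `READER=<user>`) against the real /etc/letsencrypt. Because `setfacl` follows symlink arguments by default, the ACLs are set on the archive/ files and the live/ symlinks simply resolve to them; renewals that create privkey2.pem and so on will need `harden_keys` run again, for example from a `--deploy-hook`.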