I use certbot version 0.31.0-1+ubuntu18.04.1+certbot+1 on Ubuntu 18.04, and have problem with generating acme-challenge file for some of domains, because nginx got "403 Access denined" error.
For most of domains certbot creates .well-known/acme-challenge/* files well with right permissons (-rw-r--r-- owned by root/root) and this file is readable via nginx well.
But for some domains on same system certbot creates files with -rw-rw---- permission, so nginx can't read it and shows "403 Access denined" error!
The command for generate certificate is same:
certbot certonly --webroot -d test1.example.com --webroot-path=/srv/test1.example.com/public_html
certbot certonly --webroot -d test2.example.com --webroot-path=/srv/test2.example.com/public_html
Differs only owner of webroot path directory (different owner - test1:test1 and test2:test2), nginx configs for both domains are similar, directory permissions are same too. Users have same group membership (own group and www-data) and umask (0002).
And for test1.example.com user all works well, but for test2.example.com - not, because of described file permission problem!
Can anybody please describe which user settings (or directory permissions) can affect to acme-challenge files permissions? And maybe exists some way to manually force some permissions via command line argument?