exim + user domain letsencrypt + bad key permissions

meliux

Not sure what has changed, but this week I've found the following error appearing in the exim log:
(SSL_CTX_use_PrivateKey_file file=/usr/local/directadmin/data/users/admin/domains/domain.com.key): error:0200100D:system library:fopen:Permission denied
This is causing some remote MTAs such as Gmail to fail delivery to my server, because the exim process, owned by the 'mail' user, can't read the key file.

Exim is set to use the admin's main domain name letsencrypt certificate that auto renews every 3 months (mail.domain.com is one of the SANs). This has been working very nicely for ages.
It achieves this with the following in /etc/exim.variables.conf:
/etc/exim.variables.conf:tls_privatekey=${if exists{/etc/virtual/snidomains}{${lookup{$tls_in_sni}nwildlsearch{/etc/virtual/snidomains}{${if exists{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/usr/local/directadmin/data/users/${extract{1}{:}{$value}}/domains/${extract{2}{:}{$value}}.key}{/etc/exim.key}}}{/etc/exim.key}}}{/etc/exim.key}}

However, it looks like something is changing the permissions of the key file... for some reason the key is being set to:
-rw------- 1 root root 288 Apr 22 13:36 domain.com.key
Yesterday I fixed the issue by renewing the letsencrypt certificate via the DA web interface. The renewal process reset the group to "access" with 640 permissions. The 'mail' user is a member of the 'access' group.
Today something seems to have automatically set it back to root:root and 600 again. I've now simply manually reset the ownership/permission to get the mail flowing.

Thoughts?
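The lookup quoted above resolves each SNI name to a per-user key file, so one way to catch this kind of permission regression before remote MTAs do is to walk /etc/virtual/snidomains and check every resolved key against the exim user's ownership and mode. The script below is an added example, not code from this thread or from DirectAdmin; it assumes Linux (GNU stat), that the exim user is 'mail' in group 'access' as the post states, and that snidomains lines have the form "sni-name: user:domain" (an assumption inferred from the extract{1}/extract{2} parts of the lookup).

```shell
# Added example, not from the thread or DirectAdmin: audit the per-user key
# files that the tls_privatekey lookup resolves from /etc/virtual/snidomains
# and flag any that the exim user could not open. Assumes Linux (GNU stat) and
# snidomains lines "sni-name: user:domain" (assumed from the exim lookup).
# Exact matches only; the wildcard entries nwildlsearch accepts are skipped.

# key_path SNIFILE SNI USERSROOT -> prints the key path the lookup would use
key_path() {
    val=$(awk -v k="$2" '{ i = index($0, ":")
        if (i && substr($0, 1, i - 1) == k) { v = substr($0, i + 1)
            sub(/^[ \t]+/, "", v); print v; exit } }' "$1")
    [ -n "$val" ] || return 1
    printf '%s/%s/domains/%s.key\n' "$3" "${val%%:*}" "${val#*:}"
}

# key_readable PATH USER GROUP -> 0 if USER (member of GROUP) can read PATH
key_readable() {
    path=$1 user=$2 grp=$3
    set -- $(stat -c '%A %U %G' "$path")   # symbolic mode, owner, group
    ok=0
    case $1 in ???????r*) ok=1 ;; esac                        # world-readable
    [ "$3" = "$grp" ] && case $1 in ????r*) ok=1 ;; esac      # group-readable
    [ "$2" = "$user" ] && case $1 in ?r*) ok=1 ;; esac        # owner-readable
    if [ "$ok" = 1 ]; then printf 'OK   %s %s:%s %s\n' "$1" "$2" "$3" "$path"; return 0; fi
    printf 'BAD  %s %s:%s %s (unreadable by %s)\n' "$1" "$2" "$3" "$path" "$user"
    return 1
}

# audit_snidomains SNIFILE USERSROOT USER GROUP -> exit status = number of
# unreadable keys. Domains without their own key are only noted (exim falls back).
audit_snidomains() {
    bad=0
    while IFS= read -r line; do
        sni=${line%%:*}
        case $sni in ''|'#'*|'*'*) continue ;; esac
        path=$(key_path "$1" "$sni" "$2") || continue
        if [ ! -f "$path" ]; then
            printf 'NOTE %s has no user key, exim falls back to /etc/exim.key\n' "$sni"
            continue
        fi
        key_readable "$path" "$3" "$4" || bad=$((bad + 1))
    done < "$1"
    return "$bad"
}

if [ -r /etc/virtual/snidomains ]; then   # on the real box, run this as root
    audit_snidomains /etc/virtual/snidomains /usr/local/directadmin/data/users mail access
fi
```

A non-zero exit status means at least one per-user key would trigger the fopen "Permission denied" seen in the log, so the check can be run from cron after the certificate renewal and any set_permissions run.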
 
Did not encounter this problem, but try to reset all the permissions:

Code:
cd /usr/local/directadmin/scripts
./set_permissions.sh all
 