
How can I grant read permission for HTTPS certificates?

0 votes
1 answer
491 views
I'm enabling Gitea HTTPS access. On my server I got certificates using Certbot. The certificates are installed into:

    Certificate Path: /etc/letsencrypt/live/mydomain/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/mydomain/privkey.pem

and here are their default permissions:

    $ ls -lh /etc/letsencrypt/live/mydomain/*.pem
    lrwxrwxrwx 1 root root 36 May 5 11:34 /etc/letsencrypt/live/mydomain/cert.pem -> ../../archive/mydomain/cert1.pem
    lrwxrwxrwx 1 root root 37 May 5 11:34 /etc/letsencrypt/live/mydomain/chain.pem -> ../../archive/mydomain/chain1.pem
    lrwxrwxrwx 1 root root 41 May 5 11:34 /etc/letsencrypt/live/mydomain/fullchain.pem -> ../../archive/mydomain/fullchain1.pem
    lrwxrwxrwx 1 root root 39 May 5 11:34 /etc/letsencrypt/live/mydomain/privkey.pem -> ../../archive/mydomain/privkey1.pem

Here are the actual files:

    $ ls -lh /etc/letsencrypt/archive/mydomain/*.pem
    -rw-r--r-- 1 root root 1.5K May 5 11:34 /etc/letsencrypt/archive/mydomain/cert1.pem
    -rw-r--r-- 1 root root 1.8K May 5 11:34 /etc/letsencrypt/archive/mydomain/chain1.pem
    -rw-r--r-- 1 root root 3.3K May 5 11:34 /etc/letsencrypt/archive/mydomain/fullchain1.pem
    -rw------- 1 root root 241 May 5 11:34 /etc/letsencrypt/archive/mydomain/privkey1.pem

    $ ls -lh /etc/letsencrypt/archive/
    total 4.0K
    drwxr-xr-x 2 root root 4.0K May 5 11:34 mydomain

    $ ls -lh /etc/letsencrypt/
    total 28K
    drwx------ 3 root root 4.0K May 5 11:11 accounts
    drwx------ 3 root root 4.0K May 5 11:34 archive
    drwx------ 3 root root 4.0K May 5 11:34 live
    -rw-r--r-- 1 root root 774 May 5 11:11 options-ssl-nginx.conf
    drwxr-xr-x 2 root root 4.0K May 5 11:34 renewal
    drwxr-xr-x 5 root root 4.0K May 5 11:11 renewal-hooks
    -rw-r--r-- 1 root root 424 May 5 11:11 ssl-dhparams.pem

They all seem readable by other users, even the parent directories, up to live, which is readable only by root.

When I run the Gitea service I get the following error:

    May 05 11:47:53 vps gitea: 2024/05/05 11:47:53 cmd/web_https.go:170:runHTTPS() [E] Failed to load https cert file /etc/letsencrypt/live/mydomain/fullchain.pem for tcp:0.0.0>
    May 05 11:47:53 vps gitea: 2024/05/05 11:47:53 cmd/web.go:353:listen() [E] Failed to start server: open /etc/letsencrypt/live/mydomain/fullchain.pem: permission denied

Gitea has its own user gitea. How can I allow it to read the certificates? I'm concerned about just making the directory 755.

Asked by Mark (815 rep)
May 5, 2024, 10:05 AM
Last activity: May 5, 2024, 12:31 PM
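
A way to pinpoint which entries deny access before changing any modes, as an added example that is not part of the original post: it walks both the configured path and the symlink target and lists every directory without the "other" search bit, plus the final file if it lacks "other" read. It assumes the service account is neither owner nor in the owning group (as with gitea against root:root), that `readlink -f` is available, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the post). Lists what blocks a service account that
# is neither owner nor in the owning group from opening a certificate file.
# Only classic mode bits are examined; ACLs are ignored. Needs readlink -f.

# other_bits PATH: the "other" triplet from ls -ld, e.g. "r-x" or "---".
other_bits() { ls -ld "$1" | cut -c8-10; }

# check_dirs PATH: print, top-down, every ancestor directory of PATH that
# lacks the other-execute (search) bit needed to traverse it.
check_dirs() {
    case "$(dirname "$1")" in
        /|.) ;;                              # reached the top, stop recursing
        *) check_dirs "$(dirname "$1")" ;;
    esac
    d=$(dirname "$1")
    case "$(other_bits "$d")" in
        ??x|??t) ;;                          # searchable by "other"
        *) echo "$d" ;;
    esac
}

# blockers FILE: check the path as configured, the path the symlink resolves
# to, and the read bit on the final file.
blockers() {
    target=$(readlink -f "$1") || return 2
    {
        check_dirs "$1"                      # e.g. .../live/mydomain
        check_dirs "$target"                 # e.g. .../archive/mydomain
        case "$(other_bits "$target")" in
            r??) ;;                          # readable by "other"
            *) echo "$target" ;;
        esac
    } | awk '!seen[$0]++'                    # de-duplicate, keep order
}

# Usage (as root): sh script.sh /etc/letsencrypt/live/mydomain/privkey.pem
if [ "$#" -gt 0 ]; then blockers "$1"; fi
```

Against the listing in the question this reports `/etc/letsencrypt/live` and `/etc/letsencrypt/archive` (both mode 700) for fullchain.pem, and additionally `privkey1.pem` (mode 600) for the key. Those are the only entries that need a change, for example group access for a dedicated group, rather than opening the whole tree to 755.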