The nginx must be started as root so it can read certs of root user. Then the nginx will start workers on behalf of www-data user.It's similar too Apache httpdHow does Apache access SSL certs created by root user?Speaking about where to place certs: there is no a clear answer https://serverfault.com/questions/259302/best-location-to-keep-ssl-certificates-and-private-keys-on-ubuntu-servers
↧
Answer by Sergey Ponomarev for Access permissions for SSL certificates acquired with Let's encrypt
↧