diff --git a/CHANGES.d/20240812_122949_sweh_sweh_certificate_acl.md b/CHANGES.d/20240812_122949_sweh_sweh_certificate_acl.md
new file mode 100644
index 0000000..a7e30c0
--- /dev/null
+++ b/CHANGES.d/20240812_122949_sweh_sweh_certificate_acl.md
@@ -0,0 +1 @@
+- Set correct acl for `ssl.Certificates` on certificate renew.
diff --git a/src/batou_ext/resources/cert.sh b/src/batou_ext/resources/cert.sh
index 50d07da..f31aedd 100644
--- a/src/batou_ext/resources/cert.sh
+++ b/src/batou_ext/resources/cert.sh
@@ -17,6 +17,7 @@ source /etc/profile
 --preferred-chain "{{component.letsencrypt_alternative_chain}}" \
 {%- endif %}
 -c "$@"
+setfacl -Rm u:{{component.granted_user}}:rX {{component.workdir}}/"$@"
 {% if component.extracommand %}
 {{component.extracommand}}
 {% endif %}
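Review bot: The added `setfacl` line builds its target from `{{component.workdir}}/"$@"`, so when the script receives more than one argument only the first is prefixed with the workdir and each further argument is handed to `setfacl -R` as a separate path; the two template values are also unquoted and would word-split on whitespace. Quoting the ACL spec and the path and using a single positional parameter avoids both, e.g. `setfacl -Rm "u:{{component.granted_user}}:rX" "{{component.workdir}}/$1"`. If `granted_user` can ever render empty, the spec becomes `u::rX`, which rewrites the owning user's own entry instead of granting access, so a guard such as a surrounding `{% if component.granted_user %}` is worth adding. The recursive grant also covers everything under that path, presumably including the private key, and the line appears to run whether or not the preceding renewal command succeeded; the start of the script is outside the hunk, so confirm whether `set -e` is in effect.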