cluster/services/certificates: setfacl for extra groups doesn't apply properly
Seems like it only applies to full.pem
```
# file: var/lib/acme/internal.privatevoid.net/cert.pem
# owner: acme
# group: nginx
user::rw-
group::r--
other::---

# file: var/lib/acme/internal.privatevoid.net/chain.pem
# owner: acme
# group: nginx
user::rw-
group::r--
other::---

# file: var/lib/acme/internal.privatevoid.net/fullchain.pem
# owner: acme
# group: nginx
user::rw-
group::r--
other::---

# file: var/lib/acme/internal.privatevoid.net/full.pem
# owner: acme
# group: nginx
user::rw-
group::r--
group:nginx:r--
group:kanidm:r--
mask::r--
other::---

# file: var/lib/acme/internal.privatevoid.net/key.pem
# owner: acme
# group: nginx
user::rw-
group::r--
other::---
```
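
A check for the condition reported above, as an added example that is not part of the original issue or the project's code: it parses `getfacl` output and lists, per file, which required groups lack effective read access. The sample input and its `example.test` path are constructed, and the function names are hypothetical.

```python
# Constructed sample in getfacl output format (not from a live system).
SAMPLE = """\
# file: var/lib/acme/example.test/full.pem
# owner: acme
# group: nginx
user::rw-
group::r--
group:nginx:r--
group:kanidm:r--
mask::r--
other::---

# file: var/lib/acme/example.test/key.pem
# owner: acme
# group: nginx
user::rw-
group::r--
other::---
"""

def parse_getfacl(text):
    """Return {path: {"owning": group, "groups": {name: perms}, "mask": perms}}."""
    acls, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file: "):
            cur = acls.setdefault(line[8:], {"owning": None, "groups": {}, "mask": "rwx"})
        elif line.startswith("# group: ") and cur is not None:
            cur["owning"] = line[9:]
        elif cur is not None and line and not line.startswith("#"):
            fields = line.split("#", 1)[0].split()[0].split(":")
            if len(fields) == 3 and fields[0] == "group":
                cur["groups"][fields[1]] = fields[2]  # name "" = owning-group entry
            elif len(fields) == 3 and fields[0] == "mask":
                cur["mask"] = fields[2]
    return acls

def groups_without_read(text, required):
    """Map each file to the required groups that have no effective read access."""
    report = {}
    for path, acl in parse_getfacl(text).items():
        def can_read(group):
            perms = acl["groups"].get(group, "")
            if group == acl["owning"]:
                perms += acl["groups"].get("", "")  # owning group also uses group::
            return "r" in perms and "r" in acl["mask"]  # mask caps group entries
        missing = [g for g in required if not can_read(g)]
        if missing:
            report[path] = missing
    return report
```

Feeding it the output of `getfacl -R` on the certificate directory with the expected group list gives a per-file report that can be asserted on after each renewal.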