What permissions should letsencrypt private keys and bad-bot-blocker config files have?

Posted by audioscavenger 
Nginx cannot load some certificates or files owned by root with permission 0600, even though the master process is root.
Best security practice from Apache is to run the master process as root, while the children are owned by another user: www or www-data.

However, I constantly get these errors for root-owned files with 0600 when I restart nginx:

[emerg] 31246#31246: cannot load certificate "/etc/letsencrypt/live/site/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen('/etc/letsencrypt/live/site/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib)
[emerg] 2742#2742: open() "/etc/nginx/conf.d/globalblacklist.conf" failed (13: Permission denied) in /etc/nginx/nginx.conf:66

and also

[warn] 2742#2742: the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:11

To restart nginx I use 'sudo service nginx restart'.
The master process is owned by root and the children by www-data, as expected:
root 2610 1 - 0.0 01:36 ? 00:00:00 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
www-data 2611 2610 - 0.0 01:36 ? 00:00:00 nginx: worker process
www-data 2612 2610 - 0.0 01:36 ? 00:00:00 nginx: worker process


/etc/nginx is also owned by root. The permissions for Let's Encrypt private keys are handled by certbot and I am wary of changing them.

What am I doing wrong??
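The two conditions the post depends on, as an added check script that is not part of the original post: a certificate or key file is readable only by its owner (root, mode 0600), and the nginx master process actually runs as root, since the master (not the www-data workers) is what opens those files; the `[warn]` about the "user" directive is exactly what nginx prints when the master is not root. The script assumes GNU stat (BSD stat as fallback), a `ps` that accepts `-eo user,pid,ppid,args`, and uses a constructed ps sample only in its self-test.

```shell
#!/bin/sh
# Added diagnostic (not from the forum post). Checks that a private key or
# certificate is locked down the way certbot leaves it (root, 0600) and that
# the nginx master runs as root; only the master opens these files, so a
# non-root master means the "user" directive is ignored and root-only files
# cannot be opened.

# Octal permission bits and owner name of FILE (GNU stat first, BSD stat as fallback).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

# private_file_ok FILE [OWNER]: succeeds when FILE belongs to OWNER (default root)
# and neither group nor others have any permission bit set (0600 or stricter).
private_file_ok() {
    file=$1
    want=${2:-root}
    owner=$(owner_of "$file") || return 1
    mode=$(mode_of "$file") || return 1
    [ "$owner" = "$want" ] || return 1
    case "$mode" in
        *00) return 0 ;;          # e.g. 600 or 400: no group/other access
        *)   return 1 ;;
    esac
}

# master_user PS_TEXT: prints the account owning "nginx: master process" in
# PS_TEXT (first column of `ps -eo user,pid,ppid,args`); fails if none is listed.
master_user() {
    printf '%s\n' "$1" |
        awk '/nginx: master process/ { print $1; found = 1; exit } END { exit !found }'
}

# Live report: who runs the master, and whether each FILE on the command line
# is restricted to root the way certbot leaves private keys.
main() {
    if [ "$(master_user "$(ps -eo user,pid,ppid,args)")" = root ]; then
        echo "nginx master runs as root: root-owned 0600 files are fine"
    else
        echo "nginx master is not root (or not running): root-only files will fail to open"
    fi
    for f in "$@"; do
        if private_file_ok "$f"; then echo "ok    $f"; else echo "LOOSE $f (expected root, mode 0600)"; fi
    done
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it with the paths from the error messages, e.g. `sudo sh check.sh /etc/letsencrypt/live/site/fullchain.pem /etc/nginx/conf.d/globalblacklist.conf`; a LOOSE result on a private key, or a non-root master, is the condition to fix rather than the file mode.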