I'm now using Nginx 1.21.
I've noticed Nginx actually runs with variable in ssl certificate path, but the certificate itself doesn't run.
ssl_certificate /etc/letsencrypt/live/$host/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/$host/privkey.pem; # managed by Certbot

I double checked the $host variable using a special header and curl, to know if $host variable is the exact value of my folder there, and it is correct.

add_header X-Host $host;


Now checking Nginx error.log it indicates maybe it is because file permissions
2021/10/20 17:16:07 [error] 2408#2408: *412 cannot load certificate "/etc/letsencrypt/live/XXXXX/fullchain.pem": BIO_new_file() failed (SSL: error:0200100D:system library:fopen:Permission denied:fopen('/etc/letsencrypt/live/XXXX/fullchain.pem','r') error:2006D002:BIO routines:BIO_new_file:system lib) while SSL handshaking, client: 54.236.1.11, server: 0.0.0.0:443

But strangely enough it runs OK if I don't use the $host variable. I would like to keep permissions so when Certbot updates I don't have any surprises.
Thanks