Like #285, I was getting a 403 during the `dokku letsencrypt:enable` process:

```
$ dokku letsencrypt:enable dog-tags
=====> Enabling letsencrypt for dog-tags
-----> Enabling ACME proxy for dog-tags...
-----> Getting letsencrypt certificate for dog-tags via HTTP-01
       - Domain 'dog-tags.dokku.xxxx.com.au'
2025/09/26 22:30:06 [INFO] [dog-tags.dokku.xxxx.com.au] acme: Obtaining bundled SAN certificate
2025/09/26 22:30:07 [INFO] [dog-tags.dokku.xxxx.com.au] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/26865871/5894123091
2025/09/26 22:30:07 [INFO] [dog-tags.dokku.xxxx.com.au] acme: Could not find solver for: tls-alpn-01
2025/09/26 22:30:07 [INFO] [dog-tags.dokku.xxxx.com.au] acme: use http-01 solver
2025/09/26 22:30:07 [INFO] [dog-tags.dokku.xxxx.com.au] acme: Trying to solve HTTP-01
2025/09/26 22:30:14 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz/26865871/5894123091
2025/09/26 22:30:14 Could not obtain certificates:
error: one or more domains had a problem:
[dog-tags.dokku.xxxx.com.au] invalid authorization: acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: 209.xx.xx.xx: Invalid response from http://dog-tags.dokku.xxxx.com.au/.well-known/acme-challenge/hirs9TAl08dJhihPg2gRaDd2IfLcDXud_5SqY: 403
-----> Certificate retrieval failed!
-----> Disabling ACME proxy for dog-tags...
 !     Failed to setup letsencrypt
 !     Check log output for further information on failure
```
This was due to nginx not being able to read the challenge:

```
2025/09/26 08:06:32 [error] 230808#230808: *1 open() "/var/lib/dokku/data/letsencrypt/dog-tags/.well-known/acme-challenge/hirs9TAl08dJhihPg2gRaDd2IfLcDXud_5SqY" failed (13: Permission denied), client: 23.xx.xx.xx, server: dog-tags.dokku.xxxx.com.au, request: "GET /.well-known/acme-challenge/hirs9TAl08dJhihPg2gRaDd2IfLcDXud_5SqY HTTP/1.1", host: "dog-tags.dokku.xxxx.com.au"
```
The problem was with the `dog-tags` dir:

```
# sudo -u www-data namei /var/lib/dokku/data/letsencrypt/dog-tags/.well-known/acme-challenge/
f: /var/lib/dokku/data/letsencrypt/dog-tags/.well-known/acme-challenge/
 d /
 d var
 d lib
 d dokku
 d data
 d letsencrypt
   dog-tags - Permission denied
# ls -ld /var/lib/dokku/data/letsencrypt
drwxr-x--- 4 dokku dokku 4096 Sep 26 22:13 /var/lib/dokku/data/letsencrypt
```

(Note 1: This was executed as the `root` user - I don't know how sudo is set up on this image, and I don't know any of the passwords.)

(Note 2: How have I never heard of `namei` until today!?)
Solution was just:
```
# chmod -R 755 /var/lib/dokku/data/letsencrypt
```
Maybe dokku-letsencrypt could set the umask differently, or maybe it could create and set the mode of this dir prior to running the letsencrypt docker image.
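The `chmod -R 755` above also makes every file in the tree world-readable, not just the challenge token. As an added example (not dokku or dokku-letsencrypt code), the Python below reproduces the `namei` walk for any uid/gid, so it can be run as root against nginx's uid without a working sudo, and grants only the directory search bit that was missing; the function names, the `top` boundary and the uid/gid handling are assumptions for illustration.

```python
import os
import stat
# Added example, not dokku code: namei-style traversal check for an arbitrary uid/gid.

def _allowed(st, uid, gids, user_bit, group_bit, other_bit):
    """Classic discretionary check: root, then owner bits, then group bits, then other."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def can_search(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def can_read(st, uid, gids):
    return _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)

def _chain(path, top):
    """Every component from `top` down to `path`, in the order namei lists them."""
    path, top = os.path.realpath(path), os.path.realpath(top)
    if path != top and not path.startswith(top.rstrip(os.sep) + os.sep):
        raise ValueError(f"{path} is not under {top}")
    chain = [top]
    if path != top:
        for part in os.path.relpath(path, top).split(os.sep):
            chain.append(os.path.join(chain[-1], part))
    return chain

def first_blocked(path, uid, gids, top="/"):
    """First component uid cannot pass (dirs need x, the final file needs r), or None."""
    for p in _chain(path, top):
        st = os.stat(p)
        need = can_search if stat.S_ISDIR(st.st_mode) else can_read
        if not need(st, uid, gids):
            return p
    return None

def grant_search(path, top):
    """Add o+x only to directories between `top` and `path` that lack it; files untouched."""
    changed = []
    for p in _chain(path, top):
        st = os.stat(p)
        if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_IXOTH:
            os.chmod(p, stat.S_IMODE(st.st_mode) | stat.S_IXOTH)
            changed.append(p)
    return changed
```

With the report's layout, `first_blocked(token_path, www_data_uid, {www_data_gid})` names the `letsencrypt` directory and `grant_search` turns its `750` into `751`, enough for nginx to traverse without listing or reading anything else.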