It's possible that these files being readable by the ubuntu user is by design. The environment is configured here so etcdctl can be run as the ubuntu user: https://github.com/swalladge/layer-etcd/blob/60c755e56867e7c2508c21559193386ea6dc3ec6/reactive/etcd.py#L632-L645

Also with some experimenting today, it seems that something other than the tls-client layer is manipulating the file permissions. After updating the tls-client layer with new permissions and logging the os.stat output (which shows as expected), the files are still the same as before:

```
swalladge@server:~$ juju debug-log -i etcd --replay | grep -i writ
...
unit-etcd-0: 05:51:33 INFO unit.etcd/0.juju-log certificates:70: Writing client certificate to /var/snap/etcd/common/client.crt
unit-etcd-0: 05:51:33 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/client.crt, stat: os.stat_result(st_mode=33056, st_ino=1057374, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1443, st_atime=1674539493, st_mtime=1674539493, st_ctime=1674539493)
unit-etcd-0: 05:51:34 DEBUG unit.etcd/0.juju-log certificates:70: tracer: set flag tls_client.client.certificate.written
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing client key to /var/snap/etcd/common/client.key
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/client.key, stat: os.stat_result(st_mode=33056, st_ino=1057392, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1678, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing CA certificate to /var/snap/etcd/common/ca.crt
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/ca.crt, stat: os.stat_result(st_mode=33056, st_ino=1057393, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1245, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 DEBUG unit.etcd/0.juju-log certificates:70: tracer: set flag tls_client.ca.written
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing CA certificate to /usr/local/share/ca-certificates/etcd.crt
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /usr/local/share/ca-certificates/etcd.crt, stat: os.stat_result(st_mode=33060, st_ino=805100, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1245, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing server certificate to /var/snap/etcd/common/server.crt
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/server.crt, stat: os.stat_result(st_mode=33056, st_ino=1057394, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1496, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
unit-etcd-0: 05:51:34 DEBUG unit.etcd/0.juju-log certificates:70: tracer: set flag tls_client.server.certificate.written
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Writing server key to /var/snap/etcd/common/server.key
unit-etcd-0: 05:51:34 INFO unit.etcd/0.juju-log certificates:70: Written /var/snap/etcd/common/server.key, stat: os.stat_result(st_mode=33056, st_ino=1057395, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1678, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
...
swalladge@server:~$ juju ssh etcd/0 -- ls -hlsa /var/snap/etcd/common/
total 32K
4.0K drwxrwx--- 2 root ubuntu 4.0K Jan 24 05:51 .
4.0K drwxr-xr-x 4 root root 4.0K Jan 24 05:37 ..
4.0K -r--r----- 1 root ubuntu 1.3K Jan 24 05:51 ca.crt
4.0K -r--r----- 1 root ubuntu 1.5K Jan 24 05:51 client.crt
4.0K -r--r----- 1 root ubuntu 1.7K Jan 24 05:51 client.key
4.0K -r--r--r-- 1 root ubuntu 3.9K Jan 24 05:51 etcd.conf.yml
4.0K -r--r----- 1 root ubuntu 1.5K Jan 24 05:51 server.crt
4.0K -r--r----- 1 root ubuntu 1.7K Jan 24 05:51 server.key
Connection to 192.168.151.177 closed.
```
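An added example, not part of the original comment and not the charm's own code: it decodes the `st_mode` integers from the logged `os.stat_result` lines into `ls`-style strings and compares mode, owner and group at write time with the later `ls` listing, so the attribute that actually differs is visible. The sample lines are copied from the session above with the juju-log prefix removed; the mapping of uid/gid 0 to the name `root` and all function names are assumptions of this example.

```python
import re
import stat

# Copied from the session above (juju-log prefix removed).
LOG = """\
Written /var/snap/etcd/common/client.key, stat: os.stat_result(st_mode=33056, st_ino=1057392, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1678, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
Written /usr/local/share/ca-certificates/etcd.crt, stat: os.stat_result(st_mode=33060, st_ino=805100, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1245, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
Written /var/snap/etcd/common/server.key, stat: os.stat_result(st_mode=33056, st_ino=1057395, st_dev=64514, st_nlink=1, st_uid=0, st_gid=0, st_size=1678, st_atime=1674539494, st_mtime=1674539494, st_ctime=1674539494)
"""
LS_DIR = "/var/snap/etcd/common"
LS = """\
total 32K
4.0K drwxrwx--- 2 root ubuntu 4.0K Jan 24 05:51 .
4.0K -r--r----- 1 root ubuntu 1.7K Jan 24 05:51 client.key
4.0K -r--r----- 1 root ubuntu 1.7K Jan 24 05:51 server.key
"""
ID_NAMES = {0: "root"}  # assumption: uid/gid 0 is named "root" on the unit

STAT_RE = re.compile(
    r"Written (\S+), stat: os\.stat_result\(st_mode=(\d+),.*?st_uid=(\d+), st_gid=(\d+)")

def parse_log(text):
    """path -> (mode string, owner, group) as logged right after the write."""
    seen = {}
    for path, mode, uid, gid in STAT_RE.findall(text):
        seen[path] = (stat.filemode(int(mode)),
                      ID_NAMES.get(int(uid), uid), ID_NAMES.get(int(gid), gid))
    return seen

def parse_ls(text, directory):
    """path -> (mode string, owner, group) for regular files in `ls -hlsa` output."""
    seen = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 10 and f[1].startswith("-"):
            seen[f"{directory}/{f[9]}"] = (f[1], f[3], f[4])
    return seen

def drift(log=LOG, ls=LS, directory=LS_DIR):
    """List (path, field, at_write, on_disk) for every attribute that changed."""
    written, listed = parse_log(log), parse_ls(ls, directory)
    changes = []
    for path in sorted(written.keys() & listed.keys()):
        for field, a, b in zip(("mode", "owner", "group"), written[path], listed[path]):
            if a != b:
                changes.append((path, field, a, b))
    return changes

if __name__ == "__main__":
    for row in drift():
        print(*row)
```

On these lines the mode bits agree between the log and the listing (33056 is `-r--r-----`); only the group differs.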