diff --git a/scripts/renew_ssl.sh b/scripts/renew_ssl.sh
index a97ed70..6d95780 100644
--- a/scripts/renew_ssl.sh
+++ b/scripts/renew_ssl.sh
@@ -49,12 +49,14 @@ for conf in /etc/nginx/conf.d/*.conf; do
 if [ -f "$LE_CERT" ]; then
 cp "$LE_CERT" "$CRT_FILE"
+ chmod 644 "$CRT_FILE"
 # Key file assumption: usually same name but .key/privkey.pem
 KEY_FILE=$(grep -E "\s*ssl_certificate_key\s+" "$conf" | sed -r 's/.*ssl_certificate_key\s+(.*);/\1/' | head -n 1)
 if [ -f "$KEY_FILE" ]; then
 # If key path is found, copy it
 cp "$LE_KEY" "$KEY_FILE"
+ chmod 644 "$KEY_FILE"
 else
 # Fallback: try to derive key path from cert path if variable is empty
 # (This handles edge cases where parsing failed but cert existed)
@@ -89,6 +91,8 @@ for conf in /etc/nginx/conf.d/*.conf; do
 -out "$CRT_FILE" \
 -subj "/C=BR/ST=SP/L=Bootstrap/O=ITGuys/CN=$DOMAIN"
+ chmod 644 "$KEY_FILE" "$CRT_FILE"
+
 echo "[SSL-Renew] Bootstrap Cert created. Nginx should be able to start."
 fi
 done
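Review bot: The added `chmod 644 "$KEY_FILE"` after `cp "$LE_KEY" "$KEY_FILE"` makes the TLS private key readable by every local account, and the bootstrap hunk at -89 does the same with `chmod 644 "$KEY_FILE" "$CRT_FILE"`. Only the certificate needs to be world-readable, so the key should stay owner-only: `chmod 600 "$KEY_FILE"` in both places, with `chmod 644 "$CRT_FILE"` on its own line in the bootstrap branch. If the change was made because a non-root process must read the key (the commit does not say), a dedicated group with mode 640 is narrower than world-read. Since `cp` creates the file before the mode is set, `install -m 600 "$LE_KEY" "$KEY_FILE"` would also avoid the brief window in which the key sits with umask-default permissions. The `else` fallback branch and the enclosing `for` loop continue outside both hunks, so whether the fallback path needs the same treatment cannot be seen here.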