How does Apache access SSL certs created by root user?
Root runs Apache in most situations.
Hence root is the owner of the main "parent" process.
When Apache starts, it (normally) should have been started using root (partly why you have to use sudo with the system service manager to start it correctly). Further, the parent process (running as the root user) then reads the configuration(s) in, binds to the given system ports (usually 80 and 443), and performs other tasks. These ports are also considered privileged (anything under 1024). Once completed, it spawns child processes (which can also use "workers" via the core modules).
Since the parent process is root and the children/workers are run under 'www-data' (or another non-privileged user), Apache can still bind to system ports and deal with root privilege files such as private SSL keys/etc in this manner.
"While the parent process is usually started as root under Unix in order to bind to port 80, the child processes and threads are launched by the server as a less-privileged user. The User and Group directives are used to set the privileges of the Apache HTTP Server child processes. The child processes must be able to read all the content that will be served, but should have as few privileges beyond that as possible. In addition, unless suexec is used, these directives also set the privileges which will be inherited by CGI scripts."
From: https://httpd.apache.org/docs/2.4/mod/prefork.html#how-it-works
Only the private key is protected, as the certificate is publicly available in the /etc/ssl/certs directory. The /etc/ssl/private directory is readable only by root, but the ssl-cert user group is granted execute (ssl-cert group X rights). This system group is perhaps the one involved in the SSL authentication method.
Could you try:
sudo chown root:ssl-cert /etc/ssl/private/your-private.key
Then reload Apache and check again?
I have purged all Apache2 installations on my servers so I can't test this anymore.
Hope that helps, regards
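The two answers above can be checked together with a small permission audit, added here as an example that is not code from either answer or from Apache: it walks the path to a key file and reports whether the root parent process and the unprivileged worker identity can each reach and read it. It evaluates classic mode bits only (no ACLs, SELinux or AppArmor); the function names, the `start` parameter and the `www-data` default are assumptions for illustration.

```python
import os

def _allowed(st, uid, gids, want):
    """Classic Unix mode check: owner bits, else group bits, else other bits."""
    if uid == 0:
        return True  # root bypasses read and directory-search checks
    if st.st_uid == uid:
        bits = st.st_mode >> 6
    elif st.st_gid in gids:
        bits = st.st_mode >> 3
    else:
        bits = st.st_mode
    return bool(bits & want)

def can_read(path, uid, gids, start=os.sep):
    """Return (ok, reason) for uid/gids reading path, walking down from start."""
    path, current = os.path.abspath(path), os.path.abspath(start)
    for name in os.path.relpath(path, current).split(os.sep):
        # Every directory on the way needs the search (x) bit for this identity.
        if not _allowed(os.stat(current), uid, gids, 0o1):
            return False, "no search (x) permission on " + current
        current = os.path.join(current, name)
    if not _allowed(os.stat(current), uid, gids, 0o4):
        return False, "no read (r) permission on " + current
    return True, "readable"

def audit_key(path, worker_uid, worker_gids, start=os.sep):
    """Compare the root parent process with the unprivileged worker identity."""
    parent_ok, _ = can_read(path, 0, set(), start)
    worker_ok, detail = can_read(path, worker_uid, worker_gids, start)
    return {"parent_can_read": parent_ok, "worker_can_read": worker_ok,
            "worker_detail": detail}

if __name__ == "__main__":
    import grp, pwd, sys
    # Assumed defaults: Debian-style worker user and the placeholder key path
    # from the answer above. Run as root so os.stat can see inside the directory.
    key = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/private/your-private.key"
    user = sys.argv[2] if len(sys.argv) > 2 else "www-data"
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    print(audit_key(key, pw.pw_uid, gids))
```

A result with `parent_can_read` true and `worker_can_read` false is the expected state for a private key: the parent loads it at startup as root, and the child processes never need to open the file themselves.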