Type: Question
Resolution: Done
Priority: Major - P3
Affects Version/s: None
Component/s: Security
For some reason I can't get the mongod user to access the key/cert file when starting from systemctl. I get the following error:
2019-07-07T18:12:16.706+0000 E NETWORK [main] cannot read certificate file: /var/lib/mongo/cert/ssl.pem error:0200100D:system library:fopen:Permission denied
2019-07-07T18:12:16.707+0000 F CONTROL [main] Failed global initialization: InvalidSSLConfiguration: Can not set up PEM key file.
I'm using a fresh CentOS 7 (updated) x86 server, and have installed MongoDB using the instructions here: https://docs.mongodb.com/manual/tutorial/install-mongodb-on-red-hat/
When I run the mongod process as root it works fine, so it's not a configuration issue. The problem occurs when I try and use the following command:
systemctl start mongod
Config is this:
systemLog:
  destination: file
  logAppend: true
  path: /var/log/mongodb/mongod.log

storage:
  dbPath: /var/lib/mongo
  journal:
    enabled: true

processManagement:
  fork: true  # fork and run in background
  pidFilePath: /var/run/mongodb/mongod.pid  # location of pidfile
  timeZoneInfo: /usr/share/zoneinfo

# network interfaces
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /var/lib/mongo/cert/ssl.pem
  port: 27017
  bindIp: 127.0.0.1  # Enter 0.0.0.0,:: to bind to all IPv4 and IPv6 addresses or, alternatively, use the net.bindIpAll setting.
Permissions on the ssl.pem keyfile are as follows (it's in /var/lib/mongo):
File owned by mongod and group mongod with read only access to the owner (400)
Directory is owned by mongod and group mongod with rw for owner only (600)
I have also run chcon system_u:object_r:mongod_var_lib_t:s0 ssl.pem on the PEM file.
However I still get the following error
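A diagnostic added here (not part of the ticket or of MongoDB's own tooling) that walks every path component of the PEM file and checks, from owner, group and mode bits alone, whether the service user can traverse each directory and read the file; the path /var/lib/mongo/cert/ssl.pem and the user mongod are taken from the ticket, and GNU coreutils (stat -c, id -Gn, ls -Z) as shipped with CentOS 7 are assumed. The SELinux label is only printed, because mode bits cannot tell whether the policy permits the access.

```shell
#!/bin/sh
# Added diagnostic, not from the ticket: report whether USER can reach a PEM file,
# judging by owner/group/mode bits of every path component (GNU coreutils assumed).

# has_bit PATH USER BIT: true if USER holds BIT (4=read, 1=search/execute) on PATH
# by mode bits alone (owner digit, else group digit, else the "other" digit).
has_bit() {
    owner=$(stat -c '%U' "$1"); group=$(stat -c '%G' "$1")
    mode=$(printf '%03d' "$(stat -c '%a' "$1")")
    mode=${mode#"${mode%???}"}          # drop any setuid/setgid/sticky digit
    if [ "$owner" = "$2" ]; then
        digit=${mode%??}
    elif id -Gn "$2" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        digit=${mode#?}; digit=${digit%?}
    else
        digit=${mode#??}
    fi
    [ $(( $digit & $3 )) -ne 0 ]
}

# check_pem_access FILE USER: every ancestor directory needs the search (x) bit
# and the file itself needs the read bit. Prints one line per component and
# returns 1 at the first component that blocks USER, which is what fopen reports
# as "Permission denied" in the ticket's log.
check_pem_access() {
    file=$1; user=$2; dirs=""; d=$(dirname "$file")
    while [ "$d" != "/" ] && [ "$d" != "." ]; do
        dirs="$d $dirs"; d=$(dirname "$d")
    done
    for p in $dirs; do
        printf 'dir  %-40s %s\n' "$p" "$(stat -c '%a %U:%G' "$p")"
        has_bit "$p" "$user" 1 || { echo "BLOCKED: $user lacks search (x) on $p"; return 1; }
    done
    printf 'file %-40s %s\n' "$file" "$(stat -c '%a %U:%G' "$file")"
    ls -Zd "$file" 2>/dev/null || true   # SELinux label, e.g. mongod_var_lib_t
    has_bit "$file" "$user" 4 || { echo "BLOCKED: $user lacks read on $file"; return 1; }
    echo "OK: mode bits allow $user to read $file"
}

# Usage with the ticket's path and service user:
#   check_pem_access /var/lib/mongo/cert/ssl.pem mongod
```

A directory with mode 600 has no search bit, so the check stops there even when the file itself is 400 and owned by the service user.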