diff --git a/nixos/modules/security/acme/mk-cert-ownership-assertion.nix b/nixos/modules/security/acme/mk-cert-ownership-assertion.nix
index 0339d7920ad9..64a783331656 100644
--- a/nixos/modules/security/acme/mk-cert-ownership-assertion.nix
+++ b/nixos/modules/security/acme/mk-cert-ownership-assertion.nix
@@ -4,18 +4,19 @@ lib:
 let
   catSep = builtins.concatStringsSep;
 
+  svcUser = svc: svc.serviceConfig.User or "root";
   svcGroups = svc:
     (lib.optional (svc.serviceConfig ? Group) svc.serviceConfig.Group)
     ++ lib.toList (svc.serviceConfig.SupplementaryGroups or [ ]);
 in
 {
   assertion = builtins.all (svc:
-    svc.serviceConfig.User or "root" == "root"
-    || builtins.elem svc.serviceConfig.User groups.${cert.group}.members
+    svcUser svc == "root"
+    || builtins.elem (svcUser svc) groups.${cert.group}.members
     || builtins.elem cert.group (svcGroups svc)
   ) services;
 
   message = "Certificate ${cert.domain} (group=${cert.group}) must be readable by service(s) ${
-    catSep ", " (map (svc: "${svc.name} (user=${svc.serviceConfig.User} groups=${catSep " " (svcGroups svc)})") services)
+    catSep ", " (map (svc: "${svc.name} (user=${svcUser svc} groups=${catSep "," (svcGroups svc)})") services)
   }";
 }