The proper proper way is probably writing an Installer plugin to letsencrypt
for Prosody.
Meanwhile (while one is not written) you should use the described option of creating group, etc. You could also write a simple script for key rotation so letsencrypt
writes its keys to whereever, then you copy them to canonical location on your OS with ACLs you want. (Just FYI: canonical location for certs in RH/CentOS is /etc/pki/tls/certs
).