The proper proper way is probably writing an Installer plugin to letsencrypt for Prosody.
Meanwhile (while one is not written) you should use the described option of creating group, etc. You could also write a simple script for key rotation so letsencrypt writes its keys to whereever, then you copy them to canonical location on your OS with ACLs you want. (Just FYI: canonical location for certs in RH/CentOS is /etc/pki/tls/certs).