Sorry for reviving this thread, but for future searchers having this issue, if you are using the certbot client, a post-renew script to copy certs to the correct places (and make any modifications necessary for the target servers) works very well. The script can be set up so that it does not change the permissions of the target files. For example:
#!/bin/bash
# certbot deploy hook; certbot sets RENEWED_DOMAINS (space-separated list)
# and RENEWED_LINEAGE (the live/<name> directory) before running it.
# bash rather than sh: the "<<<" here-strings below are not POSIX sh.
echo "Letsencrypt renewal hook running..."
echo "RENEWED_DOMAINS=$RENEWED_DOMAINS"
echo "RENEWED_LINEAGE=$RENEWED_LINEAGE"
if grep --quiet "my.jabber.domain" <<< "$RENEWED_DOMAINS"; then
    # jabberd requires the private key and cert chain together.
    # Truncating with ">" keeps the target file's existing owner and mode.
    > /etc/jabberd/server.pem
    cat \
        "$RENEWED_LINEAGE/privkey.pem" \
        "$RENEWED_LINEAGE/fullchain.pem" > /etc/jabberd/server.pem
    systemctl restart jabberd
    echo "jabberd server.pem updated and jabberd restarted"
fi
if grep --quiet "my.postfix.domain" <<< "$RENEWED_DOMAINS"; then
    # postfix takes key and chain as separate files
    > /etc/pki/postfix/my.postfix.domain-key.pem
    > /etc/pki/postfix/my.postfix.domain.pem
    cat "$RENEWED_LINEAGE/privkey.pem" > /etc/pki/postfix/my.postfix.domain-key.pem
    cat "$RENEWED_LINEAGE/fullchain.pem" > /etc/pki/postfix/my.postfix.domain.pem
    systemctl restart postfix
    echo "postfix key and cert chain updated and postfix restarted"
fi
This approach does not require any permissions machinations on the letsencrypt directories.
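A tightened version of the same kind of deploy hook, as an added example (not the poster's script): it matches renewed domains exactly rather than by substring, replaces each target atomically while keeping its existing owner and mode, and only restarts a service once its files were written. It assumes GNU coreutils and reuses the placeholder paths from the post above.

```bash
#!/bin/bash
# Added example: certbot deploy hook. certbot sets RENEWED_DOMAINS (space-
# separated) and RENEWED_LINEAGE; target paths below are placeholders.
set -euo pipefail

# True when "$1" is exactly one of the renewed domains. A plain substring grep
# would also fire for e.g. "notmy.jabber.domain".
renewed() {
    local d
    for d in ${RENEWED_DOMAINS:-}; do
        [ "$d" = "$1" ] && return 0
    done
    return 1
}

# Write stdin to "$1" atomically: stage in a 0600 temp file next to the target
# (same filesystem, so mv is a rename), copy the target's owner/mode onto it
# if the target already exists, then swap it in. Readers never see a partial
# file, and no world-readable intermediate is ever created.
install_secret() {
    local dest="$1" tmp
    tmp="$(mktemp "${dest}.XXXXXX")"
    cat > "$tmp"
    if [ -e "$dest" ]; then
        chown --reference="$dest" "$tmp"
        chmod --reference="$dest" "$tmp"
    else
        chmod 0600 "$tmp"
    fi
    mv -f "$tmp" "$dest"
}

deploy_hook() {
    if renewed "my.jabber.domain"; then
        # jabberd wants key and chain in one file
        cat "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" \
            | install_secret /etc/jabberd/server.pem
        systemctl restart jabberd   # only reached if the install succeeded (set -e)
    fi
    if renewed "my.postfix.domain"; then
        install_secret /etc/pki/postfix/my.postfix.domain-key.pem < "$RENEWED_LINEAGE/privkey.pem"
        install_secret /etc/pki/postfix/my.postfix.domain.pem < "$RENEWED_LINEAGE/fullchain.pem"
        systemctl restart postfix
    fi
}

# certbot always sets RENEWED_LINEAGE; when sourced elsewhere, do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```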