I have a service (ejabberd, though this question isn't specific to ejabberd) that runs as a non-root user. I want it to use a letsencrypt-provided certificate.
Ideally I would like letsencrypt to put/update a cert into the service's configuration dir. I haven't been able to find a way to do that; there is a --cert-path option, but it either doesn't work or doesn't do what I think it does.
Alternately, I could adjust permissions on /etc/letsencrypt; if that's my only option, what are the minimum necessary permissions? I'd prefer not to have a single letsencrypt group for the purpose, because I might have multiple services that shouldn't have access to each other's keys. But the directory structure makes it awkward to give a user access to just a single key set.
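
Added example, not part of the original post: one way to get per-service key isolation without loosening /etc/letsencrypt is a certbot deploy hook that copies only the renewed lineage into the service's own directory, owned by the service account. The certificate name `xmpp.example.org`, the destination `/etc/ejabberd/certs`, the `ejabberd:ejabberd` account and the systemd unit name are assumptions; `RENEWED_LINEAGE` is the variable certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: certbot deploy hook that copies one renewed certificate into a
# service's private directory. Paths, account and unit names are assumptions.

# deploy_cert LINEAGE_DIR DEST_DIR [OWNER[:GROUP]]
# Copies fullchain.pem and privkey.pem into DEST_DIR with mode 0600.
# The body is a subshell, so umask and exit stay local to the call.
deploy_cert() (
    lineage=$1 dest=$2 owner=${3:-}
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || {
        echo "deploy_cert: no cert/key in $lineage" >&2; exit 1; }
    [ -d "$dest" ] || { echo "deploy_cert: $dest missing" >&2; exit 1; }
    umask 077
    for f in fullchain.pem privkey.pem; do
        tmp="$dest/.$f.new"
        # install(1) copies the file behind the live/ symlink; umask 077 and
        # -m 0600 keep the copy unreadable to other users.
        install -m 0600 "$lineage/$f" "$tmp" || exit 1
        if [ -n "$owner" ]; then
            # Needs root, which is how certbot runs its hooks.
            chown "$owner" "$tmp" || { rm -f "$tmp"; exit 1; }
        fi
        mv -f "$tmp" "$dest/$f" || exit 1   # rename: replaces the old file in one step
    done
)

# Hook entry point: act only on the lineage that belongs to this service, so
# other services' keys are never copied here.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    case "$RENEWED_LINEAGE" in
        */xmpp.example.org)   # constructed certificate name
            deploy_cert "$RENEWED_LINEAGE" /etc/ejabberd/certs ejabberd:ejabberd \
                && systemctl restart ejabberd   # assumed unit name
            ;;
    esac
fi
```

Placed in /etc/letsencrypt/renewal-hooks/deploy/ or passed with `--deploy-hook`, the script runs after each successful renewal; each service gets its own hook and destination, and /etc/letsencrypt itself stays readable by root only.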