diff --git a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
index 0b84f2ac4d..e6b74f515d 100644
--- a/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
+++ b/playbooks/roles/letsencrypt-acme-sh-install/files/driver.sh
@@ -12,6 +12,9 @@ if [[ ${LETSENCRYPT_STAGING} != 0 ]]; then
     STAGING="--staging"
 fi
 
+# Ensure we don't write out files as world-readable
+umask 027
+
 echo -e "\n--- start --- ${1} --- $(date -u '+%Y-%m-%dT%k:%M:%S%z') ---" >> ${LOG_FILE}
 
 if [[ ${1} == "issue" ]]; then
diff --git a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
index cc4ef4ccf1..46878127e7 100644
--- a/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
+++ b/playbooks/roles/letsencrypt-acme-sh-install/tasks/main.yaml
@@ -4,6 +4,11 @@
     dest: /opt/acme.sh
     version: dev
 
+- name: Install letsencrypt group
+  group:
+    name: letsencrypt
+    state: present
+
 - name: Install driver script
   copy:
     src: driver.sh
@@ -20,4 +25,12 @@
   include_role:
     name: logrotate
   vars:
-    logrotate_file_name: /var/log/acme.sh/acme.sh.log
\ No newline at end of file
+    logrotate_file_name: /var/log/acme.sh/acme.sh.log
+
+- name: Setup top level cert directory
+  file:
+    path: /etc/letsencrypt-certs
+    state: directory
+    owner: root
+    group: letsencrypt
+    mode: u=rwx,g=rx,o=,g+s
diff --git a/testinfra/test_letsencrypt.py b/testinfra/test_letsencrypt.py
index 841a5c3da4..0a4f2bd323 100644
--- a/testinfra/test_letsencrypt.py
+++ b/testinfra/test_letsencrypt.py
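Review bot: `umask 027` only governs files created after this point in a run, so keys and certs written by earlier runs keep whatever mode they currently have and are not tightened by this change; the added comment should say so, e.g. `# Ensure we don't write out files as world-readable (applies only to files created from here on; pre-existing files keep their mode)`. The umask also does not decide group ownership: the driver runs as root, so files become group-readable by `letsencrypt` only because /etc/letsencrypt-certs gets the setgid bit in tasks/main.yaml, and a second comment line naming that dependency would stop someone from dropping `g+s` later. The unquoted `${LOG_FILE}` on the following echo line predates this change. The script continues outside the hunk.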
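Review bot: The new `letsencrypt` group is a service principal, not a login group, so it should be created as a system group with `system: yes` under `group:` so its GID comes from the system range rather than colliding with user GIDs. The task is correctly placed before the directory task later in the file that references the group by name.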
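Review bot: The `file` task sets owner, group and setgid on /etc/letsencrypt-certs itself only; per-domain subdirectories and key files that acme.sh already created on hosts deployed before this change keep their existing ownership and mode, so the root:letsencrypt 0640 result the testinfra hunk asserts is only guaranteed for files created after both this task and the driver's `umask 027` are in place. Either document this limitation on the task, e.g. `# Only the top-level dir is managed here; existing per-domain dirs and keys are not re-permissioned`, or add a one-shot task that fixes up existing contents. A short comment on why `g+s` is in `mode: u=rwx,g=rx,o=,g+s` (new subdirectories and files inherit the letsencrypt group, which is what makes them readable by that group) would also help the next reader.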
@@ -45,16 +45,26 @@ def test_certs_created(host): '/etc/letsencrypt-certs/' 'letsencrypt01.opendev.org/letsencrypt01.opendev.org.key') assert domain_one.exists + assert domain_one.user == "root" + assert domain_one.group == "letsencrypt" + assert domain_one.mode == 0o640 + domain_two = host.file( '/etc/letsencrypt-certs/' 'someotherservice.opendev.org/someotherservice.opendev.org.key') assert domain_two.exists + assert domain_two.user == "root" + assert domain_two.group == "letsencrypt" + assert domain_two.mode == 0o640 elif host.backend.get_hostname() == 'letsencrypt02.opendev.org': domain_one = host.file( '/etc/letsencrypt-certs/' 'letsencrypt02.opendev.org/letsencrypt02.opendev.org.key') assert domain_one.exists + assert domain_one.user == "root" + assert domain_one.group == "letsencrypt" + assert domain_one.mode == 0o640 else: pytest.skip()