diff --git a/tasks/certbot/install.yml b/tasks/certbot/install.yml
index a6d3060..f188595 100644
--- a/tasks/certbot/install.yml
+++ b/tasks/certbot/install.yml
@@ -1,15 +1,26 @@
 ---
+- name: Create Let's Encrypt system group
+  group:
+    name: '{{ common__certbot__group }}'
+    system: true
+
 - name: Install Certbot
   apt:
     name: certbot
 
-- name: Create directory for Let's Encrypt configuration
+- name: Create directories for Let's Encrypt configuration
   file:
     state: directory
-    path: '{{ common__certbot__conf_dir }}'
+    path: '{{ item }}'
     mode: 'u=rwx,g=rx,o=rx'
     owner: root
     group: root
+  with_items:
+    - '{{ common__certbot__conf_dir }}'
+    - '{{ common__certbot__archive_dir }}'
+    - '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}'
+    - '{{ common__certbot__live_dir }}'
+    - '{{ common__certbot__live_dir }}/{{ common__certbot__cert_name }}'
 
 - name: Install Let's Encrypt config
   template:
@@ -34,3 +45,42 @@
   changed_when: >-
     common__certbot__result.stdout is
     not search('Certificate not yet due for renewal; no action taken.')
+
+- name: Find Let's Encrypt certificates and chains
+  register: certs_and_chains
+  find:
+    paths: '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}'
+    patterns:
+      - 'cert*.pem'
+      - 'chain*.pem'
+      - 'fullchain*.pem'
+
+- name: Find Let's Encrypt private keys
+  register: privkeys
+  find:
+    paths: '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}'
+    patterns: 'privkey*.pem'
+
+- name: Display Let's Encrypt certificates and chains
+  debug:
+    msg: "{{ certs_and_chains.files | map(attribute='path') | list }}"
+
+- name: Display Let's Encrypt private keys
+  debug:
+    msg: "{{ privkeys.files | map(attribute='path') | list }}"
+
+- name: Change group of Let's Encrypt certificates and chains
+  file:
+    path: '{{ item }}'
+    mode: 'u=rw,g=r,o=r'
+    owner: root
+    group: root
+  with_items: "{{ certs_and_chains.files | map(attribute='path') | list }}"
+
+- name: Change group of Let's Encrypt private keys
+  file:
+    path: '{{ item }}'
+    mode: 'u=rw,g=r,o='
+    owner: root
+    group: '{{ common__certbot__group }}'
+  with_items: "{{ privkeys.files | map(attribute='path') | list }}"
diff --git a/vars/main.yml b/vars/main.yml
index 958e977..1c697f7 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,7 +1,10 @@
 ---
+common__certbot__group: 'letsencrypt'
 common__certbot__conf_dir: '/etc/letsencrypt'
 common__certbot__conf_cli: '{{ common__certbot__conf_dir }}/cli.ini'
 common__certbot__conf_nginx: '{{ common__certbot__conf_dir }}/options-ssl-nginx.conf'
+common__certbot__archive_dir: '{{ common__certbot__conf_dir }}/archive'
+common__certbot__live_dir: '{{ common__certbot__conf_dir }}/live'
 
 common__iptables__conf_dir: '/etc/iptables'
 common__iptables__conf_ipv4: '{{ common__iptables__conf_dir }}/rules.v4'