Folders in /etc/letsencrypt/ are owned by root, with permissions 700. At least that is how certbot makes them.
I think that when apache is spinning up and loading its config, it's acting as root at that early stage, and so it can see the cert files down inside the appropriate folder with 700 permission. Later apache drops its root access and the www-data or apache user is running apache or httpd, but it already has the certificate files to work with. So while the www-data or apache user cannot see into those 700 files, it doesn't matter anymore.
By contrast, I think hypnotoad is not running as root at any time, or at least not when it wants to access the certificate files. So it cannot get to them. Currently we have to adjust permissions/ownership so that whoever the hypnotoad user is can get to them. It's just a bother when certbot renews, and resets the permissions/ownership.
Is there anything we can do with the mojolicious configuration to briefly give it root access to read certificate files the same way apache/httpd works?