Node-RED normally runs as a 'user', and Letsencrypt creates the certificates in etc/letsencrypt/live/
with root ownership, and therefore without changing the ownership of the certificates to pi
, node_RED would not be able to read them.
So... rather than start altering files that sit within the Letsencrypt directory, I prefer to copy the certificates to the node-RED user directory and then use chown to make them readable (it's all done by the script).
That then keeps the two services independent, and for me has the advantage that when I back-up node-RED, it also backs up the node-RED certificates in the NR user dir. If I ever needed to quickly restore the backup, I could be back online, complete with https in minutes without having to worry about Letsencrypt/Certbot.