I do not want my private keys to be readable by the user that runs Caddy. Apache, for example, handles this by loading the TLS certs as root and then running the servers as the www user.
Caddy doesn’t have privilege de-escalation, because it runs as a single process.
That requirement also doesn’t make sense with how Caddy is designed, with config reloading at its core. Caddy needs to reload the certs/keys on config reload because it’s swapping out the entire config in-memory.
Why aren’t you letting Caddy issue your certs automatically, since you seem to be using a cert from Let’s Encrypt? That’s one of Caddy’s biggest strengths. Caddy has the most robust ACME client implementation out there.
At the moment I am not only using Caddy, but also other services and tools with Let’s Encrypt. So I prefer, for now, to manage all of them in another stand-alone tool.
I suppose the easiest way is to provide a copy of the certs that are readable by Caddy usergroup.
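One way to do what the post above proposes, as an added example that is not part of the original thread and not Caddy's or any ACME tool's own code: a POSIX shell script that installs copies of the cert and key with group ownership and mode 0640, so the Caddy process can read them through group membership while other users on the box cannot, and then checks that the key really is not world-readable before Caddy is reloaded. The group name `caddy`, the source and destination paths, the function names and the deploy-hook usage are assumptions; the cert/key contents in the demo are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the thread): install a copy of a cert/key pair so that
# the Caddy process can read it via group membership while other users cannot.
# Assumptions: Caddy runs as a user in the "caddy" group, the cert/key come from
# a stand-alone ACME tool, and this script runs as root from that tool's deploy hook.
set -eu

# install_for_caddy SRC_CERT SRC_KEY DEST_DIR GROUP
# Copies SRC_CERT and SRC_KEY into DEST_DIR as fullchain.pem / privkey.pem,
# owned by the invoking user, group GROUP, mode 0640 (rw owner, r group, nothing
# for others). install(1) sets the mode explicitly, so the umask cannot widen it.
# The directory itself is 0750 so non-members cannot even list it.
install_for_caddy() {
    src_cert=$1; src_key=$2; dest_dir=$3; group=$4
    mkdir -p "$dest_dir"
    chgrp "$group" "$dest_dir"
    chmod 0750 "$dest_dir"
    install -m 0640 -g "$group" "$src_cert" "$dest_dir/fullchain.pem"
    install -m 0640 -g "$group" "$src_key"  "$dest_dir/privkey.pem"
}

# verify_not_world_readable FILE
# Succeeds only if FILE has no "other" read bit. find -perm -004 prints the path
# only when that bit is set, so an empty result means the key is not world-readable.
# Run it after installing so a wrong umask or a botched chmod is caught early.
verify_not_world_readable() {
    [ -z "$(find "$1" -perm -004 -print)" ]
}

# Demo with constructed placeholder files (not real key material) in a temp dir,
# using the caller's own primary group so it runs without root. In production the
# ACME tool's deploy hook would do something like (paths and group are assumptions):
#   install_for_caddy /etc/acme/live/example.com/fullchain.pem \
#                     /etc/acme/live/example.com/privkey.pem \
#                     /etc/caddy/certs/example.com caddy
#   verify_not_world_readable /etc/caddy/certs/example.com/privkey.pem
#   caddy reload --config /etc/caddy/Caddyfile
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$demo_dir/src.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' > "$demo_dir/src.key"
install_for_caddy "$demo_dir/src.crt" "$demo_dir/src.key" "$demo_dir/caddy-certs" "$(id -gn)"
if verify_not_world_readable "$demo_dir/caddy-certs/privkey.pem"; then
    echo "key installed for the Caddy group and is not world-readable"
else
    echo "refusing to continue: installed key is world-readable" >&2
    exit 1
fi
ls -l "$demo_dir/caddy-certs"
rm -rf "$demo_dir"
```

Because Caddy swaps its whole config in memory on reload (as noted earlier in the thread), the hook has to end with a reload after the new files are in place; copying the files alone does not make Caddy pick them up. Keep the owner as root so the Caddy user can read but never modify or replace the key.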
That’s not necessary. Caddy will issue new ones immediately. It’s much more effort than it’s worth to try to move the certs/keys into the exact storage locations Caddy would expect.
There’s no actual reason to keep the certs/accounts the same between deployments. As long as the certificates are signed by a publicly trusted CA, and your private keys are kept secret, it’s secure.