What I did was the following:
setfacl -m u:cyrus:r cert.pem
setfacl -m u:cyrus:r privkey.pem
Then you can check whether cyrus can access the key with:
su -s /bin/bash cyrus -c "cat /etc/letsencrypt/live/mail.example.com/privkey.pem"
Today I had the error again.
I updated the server and I rebooted it, and now it works - don't know what's wrong with it ...