What I did was the following:

setfacl -m u:cyrus:r cert.pem
setfacl -m u:cyrus:r privkey.pem

Then you can check whether cyrus can access the key with:

su -s /bin/bash cyrus -c "cat /etc/letsencrypt/live/mail.example.com/privkey.pem"

Today I had the error again.
I updated the server and I rebooted it, and now it works - don't know what's wrong with it ...
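
The access check from the post, as an added example that is not part of the original post: it tests readability as the service user without printing the private key, and it also checks every parent directory, because the files under live/ are symlinks into archive/. The function names as_user and first_blocker are hypothetical, and the script assumes it is run as root with runuser from util-linux and GNU readlink available.

```shell
#!/bin/sh
# Added example. Helper names are hypothetical; run as root so that
# runuser can switch to the service account.

# as_user USER CMD...: run CMD as USER (directly if we already are USER).
as_user() {
    _u=$1; shift
    if [ "$(id -un)" = "$_u" ]; then "$@"; else runuser -u "$_u" -- "$@"; fi
}

# first_blocker USER PATH: print the first thing that stops USER from
# reading PATH (a directory without search permission, or the file
# itself) and return non-zero. Print nothing and return 0 when USER
# can read PATH. The file content is never read or printed.
first_blocker() {
    fb_user=$1; fb_path=$2
    # Resolve the symlink; the target's directories need checking too.
    fb_target=$(readlink -f -- "$fb_path") || { echo "$fb_path"; return 2; }
    for fb_p in "$fb_path" "$fb_target"; do
        fb_hit=
        fb_d=$(dirname -- "$fb_p")
        # Walk upward; the last failure recorded is the one nearest to /.
        while [ "$fb_d" != / ] && [ "$fb_d" != . ]; do
            as_user "$fb_user" test -x "$fb_d" || fb_hit=$fb_d
            fb_d=$(dirname -- "$fb_d")
        done
        [ -z "$fb_hit" ] || { echo "$fb_hit"; return 1; }
    done
    as_user "$fb_user" test -r "$fb_target" || { echo "$fb_target"; return 1; }
}

# Usage with the path from the post (uncomment to run):
# first_blocker cyrus /etc/letsencrypt/live/mail.example.com/privkey.pem \
#     && echo "cyrus can read the key"
```

If a path is printed, that directory or file is where the ACL is missing. Running the check again after each certificate renewal shows whether the newly written key file still carries the ACL.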