diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index e08c7e965eef..71ba03b88a38 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -210,6 +210,12 @@ in
                   environment.REQUESTS_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt";
                   serviceConfig = {
                     Type = "oneshot";
+                    # With RemainAfterExit the service is considered active even
+                    # after the main process having exited, which means when it
+                    # gets changed, the activation phase restarts it, meaning
+                    # the permissions of the StateDirectory get adjusted
+                    # according to the specified group
+                    RemainAfterExit = true;
                     SuccessExitStatus = [ "0" "1" ];
                     User = data.user;
                     Group = data.group;