Could not start Cowboy2 adapter, SSL's :keyfile not accessible

Hi all, my Phoenix server is failing to start on my EC2 instance because the server says it cannot access my SSL’s keyfile. I see this error:

***(ArgumentError) could not start Cowboy2 adapter, the file /etc/letsencrypt/live/ required by SSL's :keyfile either does not exist, or the application does not have permission to access it***

The key file is accurately specified and exists. When I ls the folder with the symlinks (/etc/letsencrypt/live/) I get:

[ec2-user@ip-10-0-1-32 ~]$ sudo ls -l /etc/letsencrypt/live/
total 4
lrwxrwxrwx 1 root root 39 Jul 19 00:18 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root 40 Jul 19 00:18 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root 44 Jul 19 00:18 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root 42 Jul 19 00:18 privkey.pem -> ../../archive/
-rw-r--r-- 1 root root 692 Jul 19 00:18 README

Those symlink to these files:

[ec2-user@ip-10-0-1-32 ~]$ sudo ls -l /etc/letsencrypt/archive/
total 20
-rw-r--r-- 1 root root 2208 Jul 19 00:18 cert1.pem
-rw-r--r-- 1 root root 3749 Jul 19 00:18 chain1.pem
-rw-r--r-- 1 root root 5957 Jul 19 00:18 fullchain1.pem
-rw------- 1 root root 3272 Jul 19 00:18 privkey1.pem

What am I missing? Why is this not working? Any help is appreciated.

-rw------- 1 root root 3272 Jul 19 00:18 privkey1.pem

It looks like privkey1.pem is owned by root and can only be read by the owner. Maybe your app is running with a different user, which is not permitted to read the file? If so, you might need to chown or chmod the file to give the right permissions.


Thanks! Your answer pointed me on the right path to at least get the server working. It turns out that was one of a few permissions issues I needed to fix. To get it working I needed to:

sudo chmod 644 /etc/letsencrypt/archive/
sudo chmod 777 /etc/letsencrypt/archive
sudo chmod 777 /etc/letsencrypt/live

I know setting 777 for the parent folders is very poor security and the developers of Certbot do not recommend doing this: see and

Researching this has me wondering what the proper way to do permissioning for my letsencrypt files is. What is the recommended approach for setting up SSL with Phoenix/Cowboy? I read that nginx will load those files as root (so the aforementioned chmodding is not needed) and then will drop privileges after loading the files. Does Phoenix have a way of doing the same thing? Ideally I’d like to not touch any of the perms or ownership in the letsencrypt directory.

It has been a long time since I used Let’s Encrypt, but I think the standard way was to keep the original permissions on the archive folder, and rather copy and chown the key to a directory in the correct user home tree.

This reply to the post on the Let’s Encrypt forum that you linked above seems to confirm that.
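
The copy-and-chown approach described in the reply above, sketched as a certbot deploy hook that leaves /etc/letsencrypt untouched. This is an added example, not part of the original thread: `APP_USER`, `DEST_DIR` and the function name `deploy_certs` are assumptions, while `RENEWED_LINEAGE` is the variable certbot sets when it runs deploy hooks.

```shell
#!/bin/sh
# Constructed example: certbot deploy hook, e.g. installed under
# /etc/letsencrypt/renewal-hooks/deploy/. It gives the app user a private
# copy of the key and chain instead of loosening permissions on live/ or archive/.
APP_USER=${APP_USER:-phoenix}               # assumption: account the app runs as
DEST_DIR=${DEST_DIR:-/home/$APP_USER/tls}   # assumption: app-owned directory

# deploy_certs LINEAGE_DIR DEST_DIR [OWNER]
deploy_certs() {
    src=$1; dest=$2; owner=${3:-}
    [ -r "$src/privkey.pem" ] && [ -r "$src/fullchain.pem" ] || {
        echo "deploy_certs: cannot read key/cert in $src" >&2
        return 1
    }
    (
        umask 077                            # nothing created here is group/world accessible
        mkdir -p "$dest" && chmod 700 "$dest" || exit 1
        for f in privkey.pem fullchain.pem; do
            tmp=$(mktemp "$dest/.$f.XXXXXX") || exit 1
            # cat follows the live/ -> archive/ symlink, so the copy is a
            # regular file and never a link back into /etc/letsencrypt
            cat "$src/$f" > "$tmp" || { rm -f "$tmp"; exit 1; }
            chmod 600 "$tmp"                 # owner read/write only, never world-readable
            # hand over ownership before the rename so the app never sees
            # a file in place that it cannot read
            if [ -n "$owner" ]; then chown "$owner" "$tmp" || exit 1; fi
            mv -f "$tmp" "$dest/$f" || exit 1   # atomic replace on renewal
        done
        if [ -n "$owner" ]; then chown "$owner" "$dest" || exit 1; fi
    )
}

# certbot runs hooks as root and exports RENEWED_LINEAGE (the live/<name> dir).
# Outside of a hook run the variable is unset and nothing is copied.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_certs "$RENEWED_LINEAGE" "$DEST_DIR" "$APP_USER"
fi
```

The endpoint's `:keyfile` and `:certfile` would then point at the copies in `DEST_DIR`, and the app needs a restart after each renewal to pick up the new files.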


Got it, yeah that confirms what’s on that linked post. Thanks again.


Absolutely never make key files writeable! There are ways to handle your current predicament as @lucaong said.