Websocket problems; Letsencrypt / Certbot config for Plug with Phoenix 1.4 (non proxy)?

I am trying to simplify my life and only use Cowboy, Plug and Phoenix 1.4, i.e. no Nginx or other proxy for now.

Websockets are connecting; they crash in production.

HTML pages are served up OK:

wget https://phxmono.domain.com
--2018-05-28 20:10:51--  https://phxmono.domain.com/
Resolving phxmono.domain.com (phxmono.domain.com)... 45.33.96.32
Connecting to phxmono.domain.com (phxmono.domain.com)|45.33.96.32|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19035 (19K) [text/html]
Saving to: ‘index.html’

index.html                                         100%[================================================================================================================>]  18.59K  --.-KB/s    in 0s      

2018-05-28 20:10:51 (171 MB/s) - ‘index.html’ saved [19035/19035]

My config/prod.exs:

config :www_domain_com_web, WwwDomainCom.Web.Endpoint,
  url: [host: "my.domain.com", port: 443, scheme: "https"],
  https: [
    port: 443,
    otp_app: :www_domain_com_web,
    keyfile: "/etc/letsencrypt/live/my.domain.com/privkey.pem",
    cacertfile: "/etc/letsencrypt/live/my.domain.com/chain.pem",
    certfile: "/etc/letsencrypt/live/my.domain.com/cert.pem",
    secure_renegotiate: true,
    reuse_sessions: true
  ],
  force_ssl: [hsts: true],
  code_reloader: false,
  check_origin: true,
  cache_static_manifest: "priv/static/cache_manifest.json",
  debug_errors: true,
  server: true,
  root: ".",
  version: 1,
  load_from_system_env: false

I am getting an error:

> 19:42:54.521 [info]  Child {:acceptor, #PID<0.2955.0>, 99} of Supervisor #PID<0.2955.0> (:ranch_acceptors_sup) started
> Pid: #PID<0.3054.0>
> Start Call: :ranch_acceptor.start_link(#Port<0.26503>, :ranch_tcp, #PID<0.2954.0>)
> Restart: :permanent
> Shutdown: :brutal_kill
> Type: :worker
> 
> 19:42:54.521 [info]  Child {:acceptor, #PID<0.2955.0>, 100} of Supervisor #PID<0.2955.0> (:ranch_acceptors_sup) started
> Pid: #PID<0.3055.0>
> 19:42:54.625 [info] ['TLS', 32, 'server', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'connection', 32, 'received CLIENT ALERT: Fatal - Bad Certificate', 10]

The channel crashes and restarts:

> ==> error.log <==
> 19:43:14.128 [error] Ranch protocol #PID<0.3059.0> of listener WwwDomainCom.Web.Endpoint.HTTPS (cowboy_protocol) terminated
> ** (exit) exited in: Phoenix.Endpoint.CowboyWebSocket.resume()
>     ** (EXIT) an exception was raised:
>         ** (ArgumentError) argument error
>             :erlang.phash2({#PID<0.3059.0>, #Reference<0.2100111952.431489025.212712>}, 0)
>             (phoenix) lib/phoenix/socket/pool_supervisor.ex:11: Phoenix.Socket.PoolSupervisor.start_child/3
>             (phoenix) lib/phoenix/channel/server.ex:45: anonymous fn/3 in Phoenix.Channel.Server.join/4
>             (www_domain_com_web) lib/www_domain_com_web/endpoint.ex:1: WwwFolkbotCom.Web.Endpoint.instrument/4
>             (phoenix) lib/phoenix/socket.ex:590: Phoenix.Socket.handle_in/4
>             (phoenix) lib/phoenix/endpoint/cowboy_websocket.ex:84: Phoenix.Endpoint.CowboyWebSocket.websocket_handle/3
>             (cowboy) /var/www/www_domain_com_umbrella/deps/cowboy/src/cowboy_websocket.erl:588: :cowboy_websocket.handler_call/7
>             (phoenix) lib/phoenix/endpoint/cowboy_websocket.ex:54: Phoenix.Endpoint.CowboyWebSocket.resume/3
>             (cowboy) /var/www/www_domain_com_umbrella/deps/cowboy/src/cowboy_protocol.erl:442: :cowboy_protocol.execute/4

mix.exs

defmodule WwwDomainCom.Web.Mixfile do
  use Mix.Project

  def project do
    [app: :www_domain_com_web,
     version: "0.0.1",
     build_path: "../../_build",
     config_path: "../../config/config.exs",
     deps_path: "../../deps",
     lockfile: "../../mix.lock",
     elixir: "~> 1.4",
     elixirc_paths: elixirc_paths(Mix.env),
     compilers: [:phoenix, :gettext] ++ Mix.compilers,
     start_permanent: Mix.env == :prod,
     aliases: aliases(),
     deps: deps()]
  end

  def application do
    [mod: {WwwDomainCom.Web.Application, []},
     applications: [:www_domain_com, :phoenix, :phoenix_html, :cowboy, :logger, :gettext,
                    :phoenix_ecto, :postgrex, :comeonin, :runtime_tools, :logger_file_backend, :phoenix_html_simplified_helpers]]
  end

  defp elixirc_paths(:test), do: ["lib", "test/support"]
  defp elixirc_paths(:ci),   do: ["lib", "web", "test/support"]
  defp elixirc_paths(_),     do: ["lib"]

  defp deps do
    [{:arc, "~> 0.8.0"},
     {:arc_ecto, "~> 0.7.0"},
     {:bamboo, "~> 0.7"},
     {:burnex, "~> 1.0"},
     {:bcrypt_elixir, "~> 1.0"},
     {:cloak, "~> 0.6.2"},
     {:comeonin, "~> 4.1"},
     {:cowboy, "~> 1.0"},
     {:ex_money, "~> 1.0"},
     {:gettext, "~> 0.11"},
     {:poison, "~> 2.2"},
     {:jose, "~> 1.4"},
     {:logger_file_backend, "~> 0.0.10"},
     {:phoenix, github: "phoenixframework/phoenix", override: true},
     {:phoenix_active_link, "~> 0.2.0"},
     {:phoenix_pubsub, "~> 1.0.2"},
     {:phoenix_ecto, "~> 3.3"},
     {:phoenix_html, "~> 2.10.2"},
     {:phoenix_live_reload, "~> 1.1.5"},
     {:phoenix_html_simplified_helpers, "~> 1.3"},
     {:phoenix_markdown, "~> 1.0"},
     {:phoenix_integration, "~> 0.5.0"},
     {:timex, "~> 3.1"},
     {:www_domain_com, in_umbrella: true}]
  end

  defp aliases do
    ["ecto.setup": ["ecto.create", "ecto.migrate", "run priv/repo/seeds.exs"],
     "ecto.reset": ["ecto.drop", "ecto.setup"],
     "db.archive": ["ecto.dump"],
     "db.migrate": ["ecto.migrate", "ecto.dump"],
     "db.rollback": ["ecto.rollback", "ecto.dump"],
     "test": ["ecto.drop", "ecto.create", "ecto.migrate", "test"]]
  end
end

more

$ iex --app ssl
Erlang/OTP 20 [erts-9.2] [source] [64-bit] [smp:1:1] [ds:1:1:10] [async-threads:10] [kernel-poll:false]

Interactive Elixir (1.6.5) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> :ssl.cipher_suites
[
  {:ecdhe_ecdsa, :aes_256_gcm, :null, :sha384},
  {:ecdhe_rsa, :aes_256_gcm, :null, :sha384},
  {:ecdhe_ecdsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdhe_rsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdh_ecdsa, :aes_256_gcm, :null, :sha384},
  {:ecdh_rsa, :aes_256_gcm, :null, :sha384},
  {:ecdh_ecdsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdh_rsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdhe_ecdsa, :chacha20_poly1305, :null, :sha256},
  {:ecdhe_rsa, :chacha20_poly1305, :null, :sha256},
  {:dhe_rsa, :chacha20_poly1305, :null, :sha256},
  {:dhe_rsa, :aes_256_gcm, :null, :sha384},
  {:dhe_dss, :aes_256_gcm, :null, :sha384},
  {:dhe_rsa, :aes_256_cbc, :sha256},
  {:dhe_dss, :aes_256_cbc, :sha256},
  {:rsa, :aes_256_gcm, :null, :sha384},
  {:rsa, :aes_256_cbc, :sha256},
  {:ecdhe_ecdsa, :aes_128_gcm, :null, :sha256},
  {:ecdhe_rsa, :aes_128_gcm, :null, :sha256},
  {:ecdhe_ecdsa, :aes_128_cbc, :sha256, :sha256},
  {:ecdhe_rsa, :aes_128_cbc, :sha256, :sha256},
  {:ecdh_ecdsa, :aes_128_gcm, :null, :sha256},
  {:ecdh_rsa, :aes_128_gcm, :null, :sha256},
  {:ecdh_ecdsa, :aes_128_cbc, :sha256, :sha256},
  {:ecdh_rsa, :aes_128_cbc, :sha256, :sha256},
  {:dhe_rsa, :aes_128_gcm, :null, :sha256},
  {:dhe_dss, :aes_128_gcm, :null, :sha256},
  {:dhe_rsa, :aes_128_cbc, :sha256},
  {:dhe_dss, :aes_128_cbc, :sha256},
  {:rsa, :aes_128_gcm, :null, :sha256},
  {:rsa, :aes_128_cbc, :sha256},
  {:ecdhe_ecdsa, :aes_256_cbc, :sha},
  {:ecdhe_rsa, :aes_256_cbc, :sha},
  {:dhe_rsa, :aes_256_cbc, :sha},
  {:dhe_dss, :aes_256_cbc, :sha},
  {:ecdh_ecdsa, :aes_256_cbc, :sha},
  {:ecdh_rsa, :aes_256_cbc, :sha},
  {:rsa, :aes_256_cbc, :sha},
  {:ecdhe_ecdsa, :aes_128_cbc, :sha},
  {:ecdhe_rsa, :aes_128_cbc, :sha},
  {:dhe_rsa, :aes_128_cbc, :sha},
  {:dhe_dss, :aes_128_cbc, :sha},
  {:ecdh_ecdsa, :aes_128_cbc, :sha},
  {:ecdh_rsa, :aes_128_cbc, :sha},
  {:rsa, :aes_128_cbc, :sha},
  {:ecdhe_ecdsa, :"3des_ede_cbc", :sha},
  {:ecdhe_rsa, :"3des_ede_cbc", :sha},
  {:dhe_rsa, :"3des_ede_cbc", ...},
  {:dhe_dss, ...},
  {...},
  ...
]

Seems like the front-facing Letsencrypt works OK:

root@phxmono:~# openssl s_client -connect phxmono.domain.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = phxmono.domain.com
verify return:1
---
Certificate chain
 0 s:/CN=phxmono.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=phxmono.domain.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3265 bytes and written 302 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A665C2AF3D3A3REDACTED5E6849FFF
    Session-ID-ctx: 
    Master-Key: 3D876REDACTED3DF3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1527537943
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
closed