Websocket problems; Letsencrypt / Certbot config for Plug with Phoenix 1.4 (non proxy)?

I am trying to simplify my life and try to only use Cowboy, Plug and Phoenix 1.4, i.e. no Nginx or other proxy for now.

Websockets are connecting; they crash in production.

HTML pages are served up OK:

wget https://phxmono.domain.com
--2018-05-28 20:10:51--  https://phxmono.domain.com/
Resolving phxmono.domain.com (phxmono.domain.com)...
Connecting to phxmono.domain.com (phxmono.domain.com)||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19035 (19K) [text/html]
Saving to: ‘index.html’

index.html                                         100%[================================================================================================================>]  18.59K  --.-KB/s    in 0s      

2018-05-28 20:10:51 (171 MB/s) - ‘index.html’ saved [19035/19035]

My config/prod.exs:

config :www_domain_com_web, WwwDomainCom.Web.Endpoint,
  url: [host: "my.domain.com", port: 443, scheme: "https"],
  # TLS is terminated by Cowboy itself (no reverse proxy in front)
  https: [
    port: 443,
    otp_app: :www_domain_com_web,
    # Key and certificate files as written by Certbot
    keyfile: "/etc/letsencrypt/live/my.domain.com/privkey.pem",
    cacertfile: "/etc/letsencrypt/live/my.domain.com/chain.pem",
    certfile: "/etc/letsencrypt/live/my.domain.com/cert.pem",
    secure_renegotiate: true,
    reuse_sessions: true
  ],
  force_ssl: [hsts: true],
  code_reloader: false,
  check_origin: true,
  cache_static_manifest: "priv/static/cache_manifest.json",
  debug_errors: true,
  server: true,
  root: ".",
  version: 1,
  load_from_system_env: false

I am getting an error:

> 19:42:54.521 [info]  Child {:acceptor, #PID<0.2955.0>, 99} of Supervisor #PID<0.2955.0> (:ranch_acceptors_sup) started
> Pid: #PID<0.3054.0>
> Start Call: :ranch_acceptor.start_link(#Port<0.26503>, :ranch_tcp, #PID<0.2954.0>)
> Restart: :permanent
> Shutdown: :brutal_kill
> Type: :worker
> 19:42:54.521 [info]  Child {:acceptor, #PID<0.2955.0>, 100} of Supervisor #PID<0.2955.0> (:ranch_acceptors_sup) started
> Pid: #PID<0.3055.0>
> 19:42:54.625 [info] ['TLS', 32, 'server', 58, 32, 73, 110, 32, 115, 116, 97, 116, 101, 32, 'connection', 32, 'received CLIENT ALERT: Fatal - Bad Certificate', 10]

The channel crashes and restarts:

> ==> error.log <==
> 19:43:14.128 [error] Ranch protocol #PID<0.3059.0> of listener WwwDomainCom.Web.Endpoint.HTTPS (cowboy_protocol) terminated
> ** (exit) exited in: Phoenix.Endpoint.CowboyWebSocket.resume()
>     ** (EXIT) an exception was raised:
>         ** (ArgumentError) argument error
>             :erlang.phash2({#PID<0.3059.0>, #Reference<0.2100111952.431489025.212712>}, 0)
>             (phoenix) lib/phoenix/socket/pool_supervisor.ex:11: Phoenix.Socket.PoolSupervisor.start_child/3
>             (phoenix) lib/phoenix/channel/server.ex:45: anonymous fn/3 in Phoenix.Channel.Server.join/4
>             (www_domain_com_web) lib/www_domain_com_web/endpoint.ex:1: WwwFolkbotCom.Web.Endpoint.instrument/4
>             (phoenix) lib/phoenix/socket.ex:590: Phoenix.Socket.handle_in/4
>             (phoenix) lib/phoenix/endpoint/cowboy_websocket.ex:84: Phoenix.Endpoint.CowboyWebSocket.websocket_handle/3
>             (cowboy) /var/www/www_domain_com_umbrella/deps/cowboy/src/cowboy_websocket.erl:588: :cowboy_websocket.handler_call/7
>             (phoenix) lib/phoenix/endpoint/cowboy_websocket.ex:54: Phoenix.Endpoint.CowboyWebSocket.resume/3
>             (cowboy) /var/www/www_domain_com_umbrella/deps/cowboy/src/cowboy_protocol.erl:442: :cowboy_protocol.execute/4


defmodule WwwDomainCom.Web.Mixfile do
  use Mix.Project

  def project do
    [app: :www_domain_com_web,
     version: "0.0.1",
     build_path: "../../_build",
     config_path: "../../config/config.exs",
     deps_path: "../../deps",
     lockfile: "../../mix.lock",
     elixir: "~> 1.4",
     elixirc_paths: elixirc_paths(Mix.env),
     compilers: [:phoenix, :gettext] ++ Mix.compilers,
     start_permanent: Mix.env == :prod,
     aliases: aliases(),
     deps: deps()]
  end

  # OTP applications started together with this app
  def application do
    [mod: {WwwDomainCom.Web.Application, []},
     applications: [:www_domain_com, :phoenix, :phoenix_html, :cowboy, :logger, :gettext,
                    :phoenix_ecto, :postgrex, :comeonin, :runtime_tools, :logger_file_backend, :phoenix_html_simplified_helpers]]
  end

  # Compile paths per Mix environment
  defp elixirc_paths(:test), do: ["lib", "test/support"]
  defp elixirc_paths(:ci),   do: ["lib", "web", "test/support"]
  defp elixirc_paths(_),     do: ["lib"]

  defp deps do
    [{:arc, "~> 0.8.0"},
     {:arc_ecto, "~> 0.7.0"},
     {:bamboo, "~> 0.7"},
     {:burnex, "~> 1.0"},
     {:bcrypt_elixir, "~> 1.0"},
     {:cloak, "~> 0.6.2"},
     {:comeonin, "~> 4.1"},
     {:cowboy, "~> 1.0"},
     {:ex_money, "~> 1.0"},
     {:gettext, "~> 0.11"},
     {:poison, "~> 2.2"},
     {:jose, "~> 1.4"},
     {:logger_file_backend, "~> 0.0.10"},
     # Phoenix is pulled from the GitHub repository, not from a Hex release
     {:phoenix, github: "phoenixframework/phoenix", override: true},
     {:phoenix_active_link, "~> 0.2.0"},
     {:phoenix_pubsub, "~> 1.0.2"},
     {:phoenix_ecto, "~> 3.3"},
     {:phoenix_html, "~> 2.10.2"},
     {:phoenix_live_reload, "~> 1.1.5"},
     {:phoenix_html_simplified_helpers, "~> 1.3"},
     {:phoenix_markdown, "~> 1.0"},
     {:phoenix_integration, "~> 0.5.0"},
     {:timex, "~> 3.1"},
     {:www_domain_com, in_umbrella: true}]
  end

  defp aliases do
    ["ecto.setup": ["ecto.create", "ecto.migrate", "run priv/repo/seeds.exs"],
     "ecto.reset": ["ecto.drop", "ecto.setup"],
     "db.archive": ["ecto.dump"],
     "db.migrate": ["ecto.migrate", "ecto.dump"],
     "db.rollback": ["ecto.rollback", "ecto.dump"],
     "test": ["ecto.drop", "ecto.create", "ecto.migrate", "test"]]
  end
end


$ iex --app ssl
Erlang/OTP 20 [erts-9.2] [source] [64-bit] [smp:1:1] [ds:1:1:10] [async-threads:10] [kernel-poll:false]

Interactive Elixir (1.6.5) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> :ssl.cipher_suites
  {:ecdhe_ecdsa, :aes_256_gcm, :null, :sha384},
  {:ecdhe_rsa, :aes_256_gcm, :null, :sha384},
  {:ecdhe_ecdsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdhe_rsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdh_ecdsa, :aes_256_gcm, :null, :sha384},
  {:ecdh_rsa, :aes_256_gcm, :null, :sha384},
  {:ecdh_ecdsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdh_rsa, :aes_256_cbc, :sha384, :sha384},
  {:ecdhe_ecdsa, :chacha20_poly1305, :null, :sha256},
  {:ecdhe_rsa, :chacha20_poly1305, :null, :sha256},
  {:dhe_rsa, :chacha20_poly1305, :null, :sha256},
  {:dhe_rsa, :aes_256_gcm, :null, :sha384},
  {:dhe_dss, :aes_256_gcm, :null, :sha384},
  {:dhe_rsa, :aes_256_cbc, :sha256},
  {:dhe_dss, :aes_256_cbc, :sha256},
  {:rsa, :aes_256_gcm, :null, :sha384},
  {:rsa, :aes_256_cbc, :sha256},
  {:ecdhe_ecdsa, :aes_128_gcm, :null, :sha256},
  {:ecdhe_rsa, :aes_128_gcm, :null, :sha256},
  {:ecdhe_ecdsa, :aes_128_cbc, :sha256, :sha256},
  {:ecdhe_rsa, :aes_128_cbc, :sha256, :sha256},
  {:ecdh_ecdsa, :aes_128_gcm, :null, :sha256},
  {:ecdh_rsa, :aes_128_gcm, :null, :sha256},
  {:ecdh_ecdsa, :aes_128_cbc, :sha256, :sha256},
  {:ecdh_rsa, :aes_128_cbc, :sha256, :sha256},
  {:dhe_rsa, :aes_128_gcm, :null, :sha256},
  {:dhe_dss, :aes_128_gcm, :null, :sha256},
  {:dhe_rsa, :aes_128_cbc, :sha256},
  {:dhe_dss, :aes_128_cbc, :sha256},
  {:rsa, :aes_128_gcm, :null, :sha256},
  {:rsa, :aes_128_cbc, :sha256},
  {:ecdhe_ecdsa, :aes_256_cbc, :sha},
  {:ecdhe_rsa, :aes_256_cbc, :sha},
  {:dhe_rsa, :aes_256_cbc, :sha},
  {:dhe_dss, :aes_256_cbc, :sha},
  {:ecdh_ecdsa, :aes_256_cbc, :sha},
  {:ecdh_rsa, :aes_256_cbc, :sha},
  {:rsa, :aes_256_cbc, :sha},
  {:ecdhe_ecdsa, :aes_128_cbc, :sha},
  {:ecdhe_rsa, :aes_128_cbc, :sha},
  {:dhe_rsa, :aes_128_cbc, :sha},
  {:dhe_dss, :aes_128_cbc, :sha},
  {:ecdh_ecdsa, :aes_128_cbc, :sha},
  {:ecdh_rsa, :aes_128_cbc, :sha},
  {:rsa, :aes_128_cbc, :sha},
  {:ecdhe_ecdsa, :"3des_ede_cbc", :sha},
  {:ecdhe_rsa, :"3des_ede_cbc", :sha},
  {:dhe_rsa, :"3des_ede_cbc", ...},
  {:dhe_dss, ...},

Seems like the front-facing Letsencrypt works OK:

root@phxmono:~# openssl s_client -connect phxmono.domain.com:443
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = phxmono.domain.com
verify return:1
Certificate chain
 0 s:/CN=phxmono.domain.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Server certificate


issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 3265 bytes and written 302 bytes
Verification: OK
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: A665C2AF3D3A3REDACTED5E6849FFF
    Master-Key: 3D876REDACTED3DF3
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1527537943
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no