If you're using a service like Let's Encrypt, then your certificates are all in a directory structure somewhere and owned by root. You don’t want to run Phoebe as root, and therefore Phoebe has no access to the certificates. What do you do? You could make copies and change the permissions of the copies… or you could use groups!
All the certs are going to belong to a certain group, and then we start Phoebe via systemd using that group.
First, let’s check if you already have an appropriate group:
grep cert /etc/group
Chances are, there’s a group called “ssl-cert”. If there is not, create the group, as root:
sudo addgroup ssl-cert
Add the directory and all its files to the group, as root:
sudo chgrp -R ssl-cert /var/lib/dehydrated/certs/
Make the certs readable for everybody in the group; and make all the directories executable for everybody in the group. As root:
sudo chmod -R g+r /var/lib/dehydrated/certs/
sudo find /var/lib/dehydrated/certs -type d \
  -exec chmod g+x '{}' ';'
Now, start Phoebe with the “ssl-cert” group in your phoebe.systemd service file that you have linked from “/etc/systemd/system”. Just change the Group line:
[Unit]
Description=Phoebe
After=network.target

[Service]
Type=simple
WorkingDirectory=/home/alex/farm
ExecStart=/home/alex/farm/phoebe
Restart=always
User=alex
Group=ssl-cert

[Install]
WantedBy=multi-user.target
Reload systemd, restart Phoebe, and check the log:
sudo systemctl daemon-reload
sudo systemctl restart phoebe
sudo journalctl --unit phoebe -f
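If the log shows Phoebe still cannot read its certificates, the following added script (not part of the original page) audits a certificate tree for the permissions the steps above are meant to produce. The function names and the `privkey*.pem` key pattern are assumptions made for this example; symlinks are skipped and only regular files and directories are checked.

```shell
#!/bin/sh
# Added example: audit a certificate tree against the group setup above.
# Assumption: private keys match KEY_PATTERN; adjust it to your client.
KEY_PATTERN=${KEY_PATTERN:-privkey*.pem}

# audit_cert_perms DIR GROUP
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_cert_perms() {
    dir=$1
    grp=$2
    # Fail loudly if DIR is missing or find does not know GROUP.
    find "$dir" -prune -group "$grp" >/dev/null 2>&1 || {
        echo "error: cannot check $dir against group $grp" >&2
        return 2
    }
    findings=$(
        # Regular files and directories outside the expected group.
        find "$dir" \( -type f -o -type d \) ! -group "$grp" | sed 's/^/wrong-group /'
        # Files the group cannot read, so chmod g+r did not reach them.
        find "$dir" -type f ! -perm -040 | sed 's/^/not-group-readable /'
        # Directories the group cannot list and enter: both g+r and g+x needed.
        find "$dir" -type d ! -perm -050 | sed 's/^/dir-not-group-accessible /'
        # Private keys readable by every local user, which bypasses the group.
        find "$dir" -type f -name "$KEY_PATTERN" -perm -004 | sed 's/^/key-world-readable /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree for a dry run without root; prints its path.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/example.org" "$t/locked.example"
    : > "$t/example.org/fullchain.pem";  chmod 640 "$t/example.org/fullchain.pem"
    : > "$t/example.org/privkey.pem";    chmod 644 "$t/example.org/privkey.pem"
    : > "$t/locked.example/privkey.pem"; chmod 600 "$t/locked.example/privkey.pem"
    chmod 750 "$t" "$t/example.org"
    chmod 700 "$t/locked.example"
    echo "$t"
}

# Run directly as: sh audit.sh /var/lib/dehydrated/certs ssl-cert
if [ "$#" -eq 2 ]; then audit_cert_perms "$1" "$2"; fi
```

A `key-world-readable` finding means any local account can read the private key regardless of group membership, so remove the "other" read bit on that file.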
Good luck! 🥳🚀