tlwebaccess and tlwebadm have a security check that the private key isn't world readable. When this triggers we get:

> 2017-11-20 10:41:22 ERROR tlwebaccess[14211]: [::ffff:83.233.150.227] File is read and writeable by others than file owner.
> 2017-11-20 10:41:22 ERROR tlwebaccess[14211]: [::ffff:83.233.150.227] Failed to reliable read the certificate key from file, exiting.

Unfortunately it only checks the file itself, rather than the entire path leading to the file. This breaks certbot/letsencrypt as they secure the files via the directory:

> drwx------. 3 root root 34 Nov 20 10:38 /etc/letsencrypt/archive/

and not the files:

> -rw-r--r--. 1 root root 1704 Nov 20 10:38 /etc/letsencrypt/archive/certdemo.thinlinc.com/privkey1.pem

This means we cannot use these files directly without some modification.
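A check that considers the whole path rather than only the key file could look like the following. This is an added example, not ThinLinc's code: `key_exposed` and its `top` parameter are hypothetical names, the tree in `demo()` is constructed, and only mode bits and ownership are consulted.

```python
import os
import stat
import tempfile

OTHERS_RW = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH
OTHERS_X = stat.S_IXGRP | stat.S_IXOTH

def key_exposed(path, top="/"):
    """Hypothetical helper: True if a user other than the key's owner (or
    root) can reach and read/write the key, judged from mode bits along the
    whole path. ACLs and SELinux policy are not consulted. Directories at
    or above `top` are skipped (assumption, used to scope the walk)."""
    real = os.path.realpath(path)   # follow symlinks, e.g. live/ -> archive/
    top = os.path.realpath(top)
    st = os.stat(real)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("not a regular file: %s" % real)
    if not st.st_mode & OTHERS_RW:
        return False                # the file itself is owner-only
    trusted = {0, st.st_uid}        # a closed directory only helps if these own it
    parent = os.path.dirname(real)
    while parent != top and parent != os.path.dirname(parent):
        d = os.stat(parent)
        if d.st_uid in trusted and not d.st_mode & OTHERS_X:
            return False            # nobody else can traverse this directory
        parent = os.path.dirname(parent)
    return True                     # loose file mode and an open path

def demo():
    """Build a constructed tree with certbot-style modes and check it."""
    base = tempfile.mkdtemp()
    site = os.path.join(base, "archive", "example.test")
    os.makedirs(site)
    key = os.path.join(site, "privkey1.pem")
    with open(key, "w") as f:
        f.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o644)
    os.chmod(site, 0o755)
    os.chmod(os.path.join(base, "archive"), 0o700)
    shielded = key_exposed(key, top=base)        # directory protects the key
    os.chmod(os.path.join(base, "archive"), 0o755)
    return shielded, key_exposed(key, top=base)  # now genuinely exposed

if __name__ == "__main__":
    print(demo())
```

A closed directory owned by someone other than root or the key's owner is deliberately not counted as protection, since that owner could still traverse it and read a 0644 key.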
This might not be true any more. Since Certbot v0.29.0 they changed default key permissions from 0644 to 0660.

https://community.letsencrypt.org/t/certbot-0-29-0-release/79306