diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index 73a5e02d..acb853f3 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -240,6 +240,7 @@ function add_cert_letsencrypt {
 echo $"Failed to install letsencrypt for domain $LETSENCRYPT_HOSTNAME"
 echo $'Also see https://letsencrypt.status.io to check for any service outages'
 chgrp -R ssl-cert /etc/letsencrypt
+ chmod -R 600 /etc/letsencrypt
 chmod -R g=rX /etc/letsencrypt
 systemctl start nginx
 exit 63216
@@ -288,6 +289,7 @@ function add_cert_letsencrypt {
 # this group can be used to assign read permissions for
 # application user accounts
 chgrp -R ssl-cert /etc/letsencrypt
+ chmod -R 600 /etc/letsencrypt
 chmod -R g=rX /etc/letsencrypt
 nginx_ensite ${LETSENCRYPT_HOSTNAME}
diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index 0e0966ac..c0dae843 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -560,6 +560,10 @@ function lockdown_permissions {
 if [ -d /var/lib/prosody ]; then
 chown -R prosody /var/lib/prosody
 fi
+ if [ -d /etc/letsencrypt ]; then
+ chmod -R 600 /etc/letsencrypt
+ chmod -R g=rX /etc/letsencrypt
+ fi
 }
 function disable_core_dumps {
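Review bot: The added `chmod -R 600` in the failure path of add_cert_letsencrypt applies to directories as well as files, so after the following `chmod -R g=rX` every directory under /etc/letsencrypt ends up 0650 (owner without the search bit) and every file has lost its execute bits, including any scripts under certbot's renewal-hooks directories, which would then stop running on renewal if this installation uses them. Root can still traverse the tree, which hides the odd directory mode, and between the two commands the ssl-cert group has no access at all. A single symbolic call reaches the intended state in one pass and keeps existing execute bits: `chmod -R u=rwX,g=rX,o= /etc/letsencrypt`. The same pair of lines appears in the second hunk of this file and in `lockdown_permissions` in src/freedombone-utils-setup; add_cert_letsencrypt starts and ends outside the hunk.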
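Review bot: The recursive `g=rX` added to `lockdown_permissions` also makes certbot's `accounts/` subtree group-readable, and on a standard certbot layout that is where the ACME account private key is kept; application accounts that need a certificate and its key do not need that one. Unlike add_cert_letsencrypt, this block has no `chgrp`, so the group that receives the read bit is whatever currently owns the tree, presumably ssl-cert, but nothing in the hunk ensures it. I would follow the two chmod lines with `if [ -d /etc/letsencrypt/accounts ]; then chmod -R go= /etc/letsencrypt/accounts; fi` and add a comment such as `# certs and keys are readable by the ssl-cert group; ACME account keys stay root-only`. The function begins before the hunk.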