This will give root execute permission, and read/execute permissions to all other users. For some reason permissions are very restrictive - only read/write to root and none to other users when files are generated by DuckDNS/Let’s Encrypt plugin.
Worked for me and for a number of people on the epic topic mentioned by @tom_l
I had the same issue but i noticed the files that @thermseekr mentioned were symbolic links and the files they linked to did not have the same permissions as the symbolic links. So i ran the code for the other generated files and I was good to go. Seems homeassistant can’t read the cert files.
Maybe it is not the same on your setup but that is what resolved the same error for me. I followed this post minus the nginx setup because cox blocks port 80 and I have to do a 443 only call.