core: Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']

I’ve read about this, and i thought I’m not new to this. Running 0.104.3 on a RPi 3B with Raspbian 10. Install HASS in a virtual environment under /home/pi. The docs say I could use /etc/letsencrypt/live/… which are symlinks. User pi can read the cert and key (see below). But as long as they are symlinks then hass refuses to start and gives the error in subj. Otherwise works. What gives? The docs clearly show the symlinks.

$ whoami
pi

$ cat /etc/letsencrypt/live/domain.com/privkey.pem
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDJlH5F4/Ab5QVR
...

$ cat /etc/letsencrypt/live/domain.com/fullchain.pem
-----BEGIN CERTIFICATE-----
MIIFWjCCBEKgAwIBAgISA0ooJwGGznIlGs6ekXdS+8KwMA0GCSqGSIb3DQEBCwUA
...

$ hass
...
2020-02-06 01:32:33 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/etc/letsencrypt/live/domain.com/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/etc/letsencrypt/live/domain.com/privkey.pem'. (See /home/pi/.homeassistant/configuration.yaml, line 10). Please check the docs at https://www.home-assistant.io/integrations/http
...

configuration.yaml has

http:
  base_url: box.domain.com:8123
  ssl_certificate: /etc/letsencrypt/live/domain.com/fullchain.pem
  ssl_key: /etc/letsencrypt/live/domain.com/privkey.pem

If I copy the actual .pem files (from letsencrypt/archive) as files into /home/pi/.homeassistant/{fullchain,privkey}.pem and update the .yaml accordingly then it works. if I copy them as symlinks then it fails again with the same error.

What gives?