I am running Mosquitto v1.6.8-0 (Buster) on Ubuntu (Bionic 18.04.4 LTS) Linux (4.15.0-46), and after the service has been running a while, I notice an entry in the mosquitto logs that says:
Error loading dhparamfile /path/to/my/dh.pem
After I get that in the log, clients cannot connect and throw an SSLV3 alert handshake failure (or similar errors with SSL communication, depending on the client application's error reporting messages). The dh.pem file is still there, still readable, and hasn't been changed, but the service seems to be unable to locate it, and afterwards SSL communications aren't possible until a restart of the service. After issuing a service mosquitto restart, clients can connect fine with no changes to their configuration, which leads me to believe this is a server-side issue, and not actually a client-side issue.
I know this is a pretty vague report, but I'll try capturing more logs to determine a frequency of occurrence and/or other factors that might be causing this issue.
Here's my mosquitto.conf (with a few personal bits redacted):
allow_anonymous false
#log_type all
#log_dest /var/log/mosquitto.log
log_timestamp_format %Y-%m-%d_%H:%M:%S
#Effectively block non-ssl connections, except for those coming from localhost
#listener 1883
listener 8883
protocol mqtt
#Verbose debugging for now. YOU PROBABLY SHOULD NOT ENABLE THIS IN A PRODUCTION ENVIRONMENT!
log_type all debug
# --> works!!
#This is what we want for client verification
# Any client certs that are signed by this private CA certificate will be allowed to connect to our instance
#cafile /etc/easyRSA/myCA/ca.crt
cafile /etc/easyRSA/myCA/ca.chain.crt
#cafile /etc/easyRSA/intermediateCA/ca.crt
#This CA file is *NOT* for SSL/TLS communication, but for client certificate authentication!!
#cafile /etc/letsencrypt/live/mqtt.mydomain.com/chain.pem
#This cert revocation list file invalidates certs to disable their access in the future.
crlfile /etc/easyRSA/myCA/crl.pem
#This is your SSL communication certificate issued by Let's Encrypt (or other big name CA)
certfile /etc/letsencrypt/live/mqtt.mydomain.com/cert.pem
keyfile /etc/letsencrypt/live/mqtt.mydomain.com/privkey.pem
# To allow the use of ephemeral DH key exchange, which provides forward
# secrecy, the listener must load DH parameters. This can be specified with
# the dhparamfile option. The dhparamfile can be generated with the command
# e.g. "openssl dhparam -out dhparam.pem 2048"
dhparamfile /etc/easyRSA/myCA/dh.pem
require_certificate true
use_identity_as_username true
# https://github.com/eclipse/mosquitto/blob/master/mosquitto.conf
# If you wish to control which encryption ciphers are used, use the ciphers
# option. The list of available ciphers can be obtained using the "openssl
# ciphers" command and should be provided in the same format as the output of
# that command.
#Explicitly use only the modern "hardened" ciphers per this page:
# https://www.acunetix.com/blog/articles/tls-ssl-cipher-hardening/
# Note: only the DHE-RSA-* suites below use the DH parameters loaded above; the
# trailing CAMELLIA*-SHA and AES*-SHA suites use static RSA key exchange and
# therefore give no forward secrecy.
ciphers DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
# This option defines the version of the TLS protocol to use for this listener.
# The default value allows all of v1.3, v1.2 and v1.1. The valid values are
# tlsv1.3 tlsv1.2 and tlsv1.1.
#tls_version tlsv1.2 tlsv1.3
#tls_version tlsv1.3
tls_version tlsv1.2
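Two things are worth separating when a listener reports that it cannot load its dhparamfile: whether OpenSSL can parse the file at all, and whether the account the broker runs as can still open it. Mosquitto starts as root, loads the listener's TLS files, and then drops to the account named by the user option (which defaults to mosquitto), so a file that is only readable by root loads fine at start-up but is out of reach if the broker re-reads it later, for example on a configuration reload. The script below is an added example written for this issue, not code from the reporter or from the Mosquitto project. It hands the file to the same OpenSSL DH-parameter loader the broker uses (via Python's stdlib ssl module), reports the prime size, and emulates the POSIX permission check for a given uid/gid set, resolving symlinks so Let's Encrypt live/ links are checked at their archive/ targets. The broker account name "mosquitto" and the default path are assumptions taken from the configuration above; the embedded RFC 3526 group 14 prime is constructed sample input so the checks can run offline, not a recommendation to reuse a published group in place of freshly generated parameters.

```python
"""Offline checks for a Mosquitto listener's dhparamfile (added example, not project code)."""
import base64
import grp
import os
import pwd
import ssl
import stat
import sys

# Constructed sample input: the 2048-bit MODP prime from RFC 3526 (group 14), generator 2.
# Used only so the example runs without generating parameters; assumed, not from the issue.
RFC3526_GROUP14_P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace("\n", "").replace(" ", ""), 16)


def _der_len(n):
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v):
    """DER INTEGER; a leading zero keeps a high-bit first byte positive."""
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def dhparams_pem(p, g):
    """PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured."""
    inner = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(inner)) + inner
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # 64-char lines like openssl
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def load_check(path):
    """Feed the file to OpenSSL's DH-parameter loader, as the broker does. Returns (ok, error)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_dh_params(path)  # PEM_read_DHparams + SSL_CTX_set_tmp_dh under the hood
    except OSError as exc:  # ssl.SSLError is an OSError; so are ENOENT and EACCES
        return False, str(exc)
    return True, ""


def _der_read(buf, pos):
    """Read one TLV at pos; returns (tag, contents, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def dh_prime_bits(path):
    """Size of the prime in a DH PARAMETERS PEM, for the 'too small' class of failures."""
    with open(path) as f:
        body = "".join(line.strip() for line in f if not line.startswith("-----"))
    tag, seq, _ = _der_read(base64.b64decode(body), 0)
    if tag != 0x30:
        raise ValueError("not a DH parameter SEQUENCE")
    tag, prime, _ = _der_read(seq, 0)
    if tag != 0x02:
        raise ValueError("first element is not an INTEGER")
    return int.from_bytes(prime, "big").bit_length()


def _mode_allows(st, uid, gids, bits):
    """POSIX rule: owner bit if owner, else group bit if member, else other bit."""
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])


def readable_by(path, uid, gids):
    """Could an unprivileged process with this uid/gid set open the file for reading?
    Follows symlinks and needs the search bit on every ancestor directory."""
    if uid == 0:
        return True
    target = os.path.realpath(path)
    if not _mode_allows(os.stat(target), uid, gids, (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)):
        return False
    d = os.path.dirname(target)
    while True:
        if not _mode_allows(os.stat(d), uid, gids, (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)):
            return False
        parent = os.path.dirname(d)
        if parent == d:
            return True
        d = parent


def check_dhparam(path, uid, gids):
    """Combine the loader result with the permission emulation for the broker's account."""
    ok, err = load_check(path)
    return {
        "loads": ok,
        "error": err,
        "prime_bits": dh_prime_bits(path) if ok else 0,
        "readable_by_uid": readable_by(path, uid, gids),
    }


if __name__ == "__main__":
    dh_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/easyRSA/myCA/dh.pem"  # from the config above
    account = sys.argv[2] if len(sys.argv) > 2 else "mosquitto"  # assumed broker 'user' option
    pw = pwd.getpwnam(account)
    groups = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if account in g.gr_mem}
    print(check_dhparam(dh_path, pw.pw_uid, groups))
```

Run it as root on the broker host with the dhparamfile path and the broker account. A result of loads True with readable_by_uid False is the combination to rule out first: the file is valid and root can read it, so the listener comes up, but the dropped-privilege process could not open it again later. readable_by can be pointed at the certfile and keyfile paths too, since the same ownership question applies to the Let's Encrypt symlinks.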