diff --git a/pkg/acme/acme.go b/pkg/acme/acme.go
index 21724dded..b1d139e60 100644
--- a/pkg/acme/acme.go
+++ b/pkg/acme/acme.go
@@ -77,7 +77,7 @@ func (c *certManager) IssueOrRenewCert(cfg *CertConfig, renewUnder int, verbose
 }
 log.Printf("Checking certificate [%s]", cfg.CertName)
- if err := os.MkdirAll(filepath.Dir(c.certFile(cfg.CertName, "json")), perms); err != nil {
+ if err := os.MkdirAll(filepath.Dir(c.certFile(cfg.CertName, "json")), dirPerms); err != nil {
 return false, err
 }
 existing, err := c.readCertificate(cfg.CertName)
diff --git a/pkg/acme/registration.go b/pkg/acme/registration.go
index 08a41c462..8650a927c 100644
--- a/pkg/acme/registration.go
+++ b/pkg/acme/registration.go
@@ -61,10 +61,12 @@ func (c *certManager) accountKeyFile() string {
 return filepath.Join(c.accountDirectory(), "account.key")
 }
-const perms os.FileMode = 0644 // TODO: probably lock this down more
+// TODO: probably lock these down more
+const perms os.FileMode = 0644
+const dirPerms os.FileMode = 0700
 func (c *certManager) createAccount() error {
- if err := os.MkdirAll(c.accountDirectory(), perms); err != nil {
+ if err := os.MkdirAll(c.accountDirectory(), dirPerms); err != nil {
 return err
 }
 privateKey, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
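Review bot: Passing dirPerms to os.MkdirAll in IssueOrRenewCert only tightens directories that do not exist yet; MkdirAll leaves the mode of an already-present directory untouched and the requested mode is still masked by the process umask, so installations whose certificate directory was created under the old 0644 constant keep that mode after this change. The same applies to the createAccount hunk in registration.go. If the intent is to guarantee an owner-only directory for the certificate JSON, follow the MkdirAll with an explicit chmod, e.g. `dir := filepath.Dir(c.certFile(cfg.CertName, "json"))` / `if err := os.MkdirAll(dir, dirPerms); err != nil { return false, err }` / `if err := os.Chmod(dir, dirPerms); err != nil { return false, err }`. IssueOrRenewCert starts before and continues after this hunk.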
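Review bot: The new dirPerms constant carries no doc comment and the shared TODO still does not say which mode is the weak one: perms stays at 0644, and if account.key (the private key path returned by accountKeyFile just above) is written with perms, that key file is world-readable; the write itself is outside this hunk, so worth confirming. Group the two constants into one `const (...)` block with a comment per entry, e.g. `// perms is the mode for non-secret files written by the manager.` and `// dirPerms is the mode for the account and certificate directories, which hold private keys and so are owner-only.`, and consider a separate `keyPerms os.FileMode = 0600` for private-key files so the TODO can be closed rather than carried forward. createAccount's body continues past the end of the hunk.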