diff --git a/src/error.rs b/src/error.rs
index 2c57b021..bf09b836 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -48,7 +48,7 @@ pub(crate) enum Main {
     DatabaseError(#[source] crate::utils::error::Error),
 
     #[error("failed to serve requests")]
-    Serve(#[source] std::io::Error),
+    Serve(#[from] Serve),
 }
 
 /// Observability initialization errors
@@ -97,3 +97,21 @@ pub(crate) enum ConfigSearch {
     #[error("no relevant configuration files found in XDG Base Directories")]
     NotFound,
 }
+
+/// Errors serving traffic
+// Missing docs are allowed here since that kind of information should be
+// encoded in the error messages themselves anyway.
+#[allow(missing_docs)]
+#[derive(Error, Debug)]
+pub(crate) enum Serve {
+    #[error("failed to read TLS cert and key files at {certs:?} and {key:?}")]
+    LoadCerts {
+        certs: String,
+        key: String,
+        #[source]
+        err: std::io::Error,
+    },
+
+    #[error("failed to run request listener")]
+    Listen(#[source] std::io::Error),
+}
diff --git a/src/main.rs b/src/main.rs
index bc318479..96fdbeef 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,6 +1,5 @@
 use std::{
     future::Future,
-    io,
     net::SocketAddr,
     process::ExitCode,
     sync::{atomic, RwLock},
@@ -127,12 +126,14 @@ async fn try_main() -> Result<(), error::Main> {
         .map_err(Error::DatabaseError)?;
 
     info!("Starting server");
-    run_server().await.map_err(Error::Serve)?;
+    run_server().await?;
 
     Ok(())
 }
 
-async fn run_server() -> io::Result<()> {
+async fn run_server() -> Result<(), error::Serve> {
+    use error::Serve as Error;
+
     let config = &services().globals.config;
     let addr = SocketAddr::from((config.address, config.port));
 
@@ -189,15 +190,20 @@ async fn run_server() -> io::Result<()> {
 
     match &config.tls {
         Some(tls) => {
-            let conf =
-                RustlsConfig::from_pem_file(&tls.certs, &tls.key).await?;
+            let conf = RustlsConfig::from_pem_file(&tls.certs, &tls.key)
+                .await
+                .map_err(|err| Error::LoadCerts {
+                    certs: tls.certs.clone(),
+                    key: tls.key.clone(),
+                    err,
+                })?;
             let server = bind_rustls(addr, conf).handle(handle).serve(app);
 
             #[cfg(feature = "systemd")]
             sd_notify::notify(true, &[sd_notify::NotifyState::Ready])
                 .expect("should be able to notify systemd");
 
-            server.await?;
+            server.await.map_err(Error::Listen)?;
         }
         None => {
             let server = bind(addr).handle(handle).serve(app);
@@ -206,7 +212,7 @@ async fn run_server() -> io::Result<()> {
             sd_notify::notify(true, &[sd_notify::NotifyState::Ready])
                 .expect("should be able to notify systemd");
 
-            server.await?;
+            server.await.map_err(Error::Listen)?;
         }
     }