Certbot uses Mozilla’s “intermediate compatibility” TLS configuration.
It does enable weak settings, but it puts them at the bottom of the list. Modern clients will use more secure settings.
TLS settings can be debated, and there are a number of tradeoffs, but it’s not an egregiously terrible configuration.
Still, you might prefer other settings, like Mozilla’s “modern” configuration or something else.
If you want to change things, I’m unfortunately not sure what the best option is. If you edit
/etc/letsencrypt/options-ssl-nginx.conf I don’t know if Certbot will overwrite it later.
I believe it would work to remove “include /etc/letsencrypt/options-ssl-nginx.conf;” from the Nginx configuration and paste in equivalent settings, but I don’t know if it’s the best strategy.
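As an added illustration, not taken from the post above and not Certbot’s own file, this is what the swap described looks like in an Nginx server block: the Certbot include line is removed and explicit settings in the spirit of Mozilla’s “modern” profile are written inline. The certificate paths follow Certbot’s usual layout, “example.com” and the resolver address are placeholders, and the exact directives Mozilla’s generator emits change over time, so the values here are an assumption to check against the current generator output.

```nginx
# Added example (not Certbot's own file): an HTTPS server block with the
# Certbot include removed and explicit TLS settings written inline.
# "example.com" and the resolver address are placeholders.
server {
    listen 443 ssl;
    server_name example.com;

    # Certificate paths in Certbot's usual layout (assumed for the example).
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Previously here, now removed:
    # include /etc/letsencrypt/options-ssl-nginx.conf;

    # Inline settings modelled on Mozilla's "modern" profile: TLS 1.3 only,
    # and the client's cipher preference is honoured. Verify these against
    # the current Mozilla generator before relying on them.
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Session handling as in the Mozilla profiles.
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    # OCSP stapling; Nginx needs a resolver to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.53;

    # HSTS: only add this once every host under the domain serves HTTPS,
    # because browsers remember it for max-age seconds.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        root /var/www/html;
    }
}
```

Run `nginx -t` before reloading so a typo does not take the site down. TLS 1.3 only is the tradeoff the post mentions: clients without TLS 1.3 cannot connect at all, so if you need wider reach use `ssl_protocols TLSv1.2 TLSv1.3;` together with a cipher list from the “intermediate” profile instead. Since the post leaves open whether Certbot might later re-add or overwrite these lines, keeping the server block under version control (or comparing it against a saved copy after each renewal) makes any unexpected change visible.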