Simple question, but I think it’s a good one to ask: Does the LE client also create DH keys when it automatically configures a server?
At least here it did not do so.
As we know it is bad to use DH keys < 2048bit, so if the keys are smaller the LE client should possibly fix it - especially as it would be bad if LE users (webadmins) use the automatic mode of the client and think everything is done, when someone tells them they are attackable (Logjam) and need to (manually) generate some keys.
This would probably impair the “one command and everything is fine” approach by LE.
Possibly related: [SOLVED] Unverified SSL (Nginx)