Does the LE client also care for the Diffie Hellman keys?


Simple question, but I think it’s a good one to ask: Does the LE client also create DH keys when it automatically configures a server?
At least here it did not do so.

As we know it is bad to use DH keys < 2048bit, so if the keys are smaller the LE client should possibly fix it - especially as it would be bad if LE users (webadmins) use the automatic mode of the client and think everything is done, when someone tells them they are attackable (Logjam) and need to (manually) generate some keys.
This would probably impair the “one command and everything is fine” approach by LE.

Possibly related: [SOLVED] Unverified SSL (Nginx)

HOWTO: A+ with all 100%'s on SSL Labs test using apache2.4 (READ WARNINGS)
How does Let's Encrypt create the private key?

Found a GitHub issue tracking this:

Still a human-friendly explanation here would be nice. :wink:


Hi Simple howto is under


My question is not how to generate a DH key - my question is whether (and how) this can be automatised in the LE client.