I have my own server (no panel) and use Nginx + dhparam etc.
I got my new .pem:
Congratulations! Your certificate has been saved at
/xxx/xxx/cert.pem and will expire
on 2016-01-21. To obtain a new version of the certificate in the
future, simply run Let’s Encrypt again.
But I can't figure out how to use it with dhparam. Here's my actual ssl.conf
###
# SSL Settings
###
ssl_protocols TLSv1.2;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256$
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:3m; # a 1 MB cache can hold about 4000 sessions, so 3m can hold about 12000 sessions
ssl_session_timeout 12h;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
ssl_certificate /etc/nginx/ssl/ssl.crt;
ssl_certificate_key /etc/nginx/ssl/ssl.key;
The Diffie-Hellman parameters should be entirely independent of the certificate; if you have an existing dhparam.pem that is valid, you shouldn’t need to change it. You should only need to change the ssl_certificate and ssl_certificate_key lines to refer to the location of the certificate and key that were provided by the Let’s Encrypt software.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
(Error code: sec_error_unknown_issuer)
Yes, there is the HSTS part I'll have to manage too, but I also think FF (41.0.2 Linux) doesn't trust the issuer.
Did you change those values? Should be something like /etc/letsencrypt/live/www.example.com/fullchain.pem and /etc/letsencrypt/live/www.example.com/privkey.pem.
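An added example, not part of the original thread or of the Let's Encrypt software: a small Python check that reads the ssl_certificate directives from an nginx config and reports whether each file holds a single certificate (as cert.pem does) or a chain (as fullchain.pem does), which is the condition Firefox's "might not be sending the appropriate intermediate certificates" message points at. The PEM blocks and temporary paths in demo() are constructed placeholders, and the verdict labels are this example's own naming.

```python
import re
import tempfile
from pathlib import Path

# One PEM-encoded certificate block; a chain file holds several back to back.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)
# Matches ssl_certificate but not ssl_certificate_key or commented-out lines.
DIRECTIVE = re.compile(r"^\s*ssl_certificate\s+([^;]+);", re.M)


def cert_paths(nginx_conf: str) -> list[str]:
    """Return every ssl_certificate path found in the config text."""
    return [p.strip().strip("'\"") for p in DIRECTIVE.findall(nginx_conf)]


def audit(nginx_conf: str) -> dict[str, str]:
    """Classify each ssl_certificate file by how many certificates it holds."""
    findings = {}
    for path in cert_paths(nginx_conf):
        if not Path(path).is_file():
            findings[path] = "missing"
            continue
        n = len(PEM_CERT.findall(Path(path).read_text()))
        findings[path] = {0: "no certificate", 1: "leaf only"}.get(n, "chain")
    return findings


def demo() -> dict[str, str]:
    """Run the audit against constructed stand-ins for cert.pem and fullchain.pem."""
    # Constructed placeholder block: the body is not a real certificate.
    block = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
             "-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as d:
        live = Path(d)
        (live / "cert.pem").write_text(block)           # leaf only
        (live / "fullchain.pem").write_text(block * 2)  # leaf + intermediate
        conf = (f"ssl_certificate {live}/cert.pem;\n"
                f"ssl_certificate_key {live}/privkey.pem;\n"
                f"ssl_certificate {live}/fullchain.pem;\n")
        return {Path(p).name: v for p, v in audit(conf).items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

A "leaf only" result is a hint rather than proof of a problem: it only counts PEM blocks and does not validate the chain itself.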