Continuing the discussion from
I believe that 2048-bit dhparams are too weak. I was the guy who introduced this PR – to make it more secure.
I think we should make this a configuration option that is passed to the ssl template. Let’s open a discussion about how this could be done. 4096 bits is the right way to go.
If none of this works for the majority – nginx will work fine without dhparams. You can boot Discourse, and then generate dhparams while it is running by entering the web container. It’d add a manual step, but you can get your site up and go and grab a cup of coffee or tea while it does its magic.