Installing a SSL Certificate manually

So, what actually worked for me was this:
Out of a lark I pressed “re-obtain” and lo and behold: plinth and dashboard now work with the cert that corresponds to the hostname! So I did not try your suggestion.
For me the important thing is this:
If creating letsencrypt certificates (with certbot) using e.g. the DNS challenge (I used [1]), then it looks like certbot (and thereby freedombox) is able to renew and install the certificate after the initial issuing. Just hit “re-obtain”. I’m pretty sure that your suggestion (replacing the self-signed certs with the manually installed ones) would have worked as well. But I guess in that case one would have to move/copy it with each renewal?
Thanks for your help!
[1] certbot-plugin-gandi from github, link in first post.

PS: The wiki can only be edited after writing an email to wiki@debian.org. My suggestion would be to add this to the manual (can somebody please double-check, and maybe post this if it is ok)?

8.4. Obtaining Letsencrypt certificates by modifying DNS

Currently freedombox automates getting certificates for systems that expose port 80 to the internet. If you do not want to do that but have full control over a domain name, you can use certbot directly with one of the DNS plugins. Please refer to https://certbot.eff.org/docs/using.html#getting-certificates-and-choosing-plugins and following.
Once you get your certificate, go to system -> letsencrypt in plinth. You should see that you have a valid certificate, but “Web Security” will show “Disabled”. If you press the “Re-obtain” button, certbot and freedombox will work together to update and install the certificate for you! If all works as expected, it should even renew automatically from now on.
