With the default nginx config, Internet.nl is now complaining in the "Hashfunctie voor sleuteluitwisseling" (hash function for key exchange) section. Specifically, SHA-224 is supported (only for TLS 1.2; TLS 1.3 only uses safe default values).
This can be fixed by updating the conf.d/ssl.conf file and adding:
ssl_conf_command SignatureAlgorithms "ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ed25519";
Now the Internet.nl tests pass because only SHA-256, SHA-384 and SHA-512 are supported. Something to update by default?
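A config-side check for the change described above, as an added example that is not part of the original post or the project's code: it extracts the active `SignatureAlgorithms` list from an nginx config file and reports entries whose hash is not SHA-256, SHA-384 or SHA-512. The function names are hypothetical and both sample configs are constructed, the first from the list in the post.

```shell
#!/bin/sh
# Added example: flag signature algorithms whose hash is weaker than SHA-256.
# Function names are hypothetical; the sample configs below are constructed.

# Print the active SignatureAlgorithms entries of an nginx config, one per line.
# Commented-out directives are ignored because the match is anchored at line start.
list_sigalgs() {
    sed -n 's/^[[:space:]]*ssl_conf_command[[:space:]]\{1,\}SignatureAlgorithms[[:space:]]\{1,\}"\{0,1\}\([^";]*\)"\{0,1\}[[:space:]]*;.*$/\1/p' "$1" |
        tr ':' '\n'
}

# Print entries that do not end in SHA-256/384/512 (EdDSA has a fixed hash).
weak_sigalgs() {
    list_sigalgs "$1" | while IFS= read -r alg; do
        [ -n "$alg" ] || continue
        case "$(printf '%s' "$alg" | tr '[:upper:]' '[:lower:]')" in
            ed25519|ed448) ;;
            *sha256|*sha384|*sha512) ;;
            *) printf '%s\n' "$alg" ;;
        esac
    done
}

# Succeed only if the directive is present and lists no weak entry.
audit_conf() {
    [ -n "$(list_sigalgs "$1")" ] || { echo "$1: no SignatureAlgorithms directive, OpenSSL defaults apply" >&2; return 1; }
    weak=$(weak_sigalgs "$1")
    [ -z "$weak" ] || { echo "$1: weak entries: $(echo $weak)" >&2; return 1; }
}

SAMPLE_DIR=$(mktemp -d)
# Constructed config using the list from the post.
cat > "$SAMPLE_DIR/fixed.conf" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_conf_command SignatureAlgorithms "ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:rsa_pss_pss_sha256:rsa_pss_pss_sha384:rsa_pss_pss_sha512:rsa_pss_rsae_sha256:rsa_pss_rsae_sha384:rsa_pss_rsae_sha512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ed25519";
EOF
# Constructed config that still offers SHA-224.
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# ssl_conf_command SignatureAlgorithms "RSA+SHA1";
ssl_conf_command SignatureAlgorithms "ECDSA+SHA256:ECDSA+SHA224:RSA+SHA224:RSA+SHA256";
EOF

for f in fixed weak; do
    if audit_conf "$SAMPLE_DIR/$f.conf"; then echo "$f.conf: ok"; fi
done
```

To confirm against a running server, `openssl s_client -connect HOST:443 -tls1_2 -sigalgs 'RSA+SHA224:ECDSA+SHA224'` (HOST is a placeholder) offers only SHA-224 signature algorithms, so the handshake should fail once the directive is active.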