All my servers (including this site) are reachable via TLS and show certificates issued by CAcert since a few months ago, instead of the self-signed certificates of a custom CA I had before.
CAcert.org is a community-driven Certificate Authority that issues free class 3 certificates after a first-hand verification through the community.
For others running servers: I am a CAcert assurer now, so I can assure you in case we meet in person, but you'll need other assures as well.
To contact this site or my servers via https without warnings, you can either store the certificate as before or import the CAcert certificates:
Bonus: If everything worked out, you now can visit e.g. the Chaos Computer Club via https without a warning, too.
DNSSEC / DANE
I'd love to enable DNSSEC and DANE, but my domain registrar only supports DNSSEC in case you run your own authoritative DNS server instead of theirs. :/ (See the knowledge base of inwx, Can I use DNSSEC?). But I'll try to set one up when I find the time.