SSL certificates are not fun. A few years ago, I found StartSSL; they issue free SSL certificates. They had a terrible interface. The process involved saving certificates to your browser. After a year I had to go and manually renew the certificate. Accessing their system from any other browser or computer involved making a request for certificate re-issuance that involved someone answering your request, which was very annoying.

Then came the configuration of Apache. At first it took me a few hours to make sense of the cryptic commands and different steps and filenames. Now that I just wrote down the procedure, it is much faster but still not fun.

Besides, I got a bit suspicious of StartSSL. Offering certificates for free, when the procedure involves human interaction (so someone has to be paid a salary), is strange. After reading up on them on Wikipedia, I found out that they are an Israeli company secretly acquired by a Chinese company. After uncovering the secret acquisition, Mozilla, Google and Apple announced (late 2016) that they will stop trusting certificates from this company.

https://en.wikipedia.org/wiki/StartCom

Yet the good news is that I found the following site which promotes free certificates and easy configuration, and it looks much more legit. I thought fellow web-geekers would be interested:

https://letsencrypt.org/getting-started/
So what happened was that when StartSSL got purchased by WoSign (a Chinese company), their certificates became revoked because of some bad handling by WoSign. This started with Chrome and will come into effect in Edge & Safari soon enough; last I checked, Safari was still accepting this certificate on mobile devices.

I found this out the hard way when one of the apps I made became unusable on Android devices and I had no idea why initially. Anyway, there are other good free solutions for SSL. The one I use now is by Cloudflare, which handles that and so much more, as some of you already know; it's easy to verify and get running, and scaling up if needed is just a plan change.
Not bad handling; they played smart ass. As they merged, they should have voted as one entity as I remember, but they did so as two and didn't notify about the merge properly, so it is a violation of the rules. Plus, WoSign made big mistakes with certificates: it issued rogue certificates for someone else for google.com etc., which made the large companies angry.
Automated certificate issuance is the normal case.
beezer wrote:
I found this out the hard way when one of the apps I made became unusable on Android devices and I had no idea why initially. Anyways, there are other good free solutions for SSL, the one I use now is by CloudFlare which handles that and so much more as some of you already know and it's easy to verify and get running and the ability to scale up if needed is just a plan change.
As far as I know, Cloudflare does not do "proper" SSL, as in "all the way". It offers a quick encryption solution between the client and their CDN. The packets will still be decrypted by Cloudflare, and if you don't have HTTPS on your server then the connection to your server will be unencrypted as well.
I mentioned letsencrypt a while back in here when it was in beta, and everyone seemed suspicious (https://lebgeeks.com/forums/viewtopic.php?id=16846).

I have been using letsencrypt on all my sites and it's been working flawlessly, plus it's super easy to set up for auto renewal. I blogged about it a while back. And nowadays all shared hosts offer free SSL with letsencrypt; there's a good plugin for it on cPanel.

As for Cloudflare SSL, using it for sensitive data like e-commerce websites would be considered a suicide attempt; just google the recent "cloudbleed".

And on a side note, since we're talking about SSL, if you guys haven't heard, Google is gonna make Symantec cry soon by removing their root certs from Chrome (https://arstechnica.com/security/2017/03/google-takes-symantec-to-the-woodshed-for-mis-issuing-30000-https-certs/).
I personally use Amazon services for SSL. The problem is they only work with Amazon servers, but the idea is that you just install a load balancer and ask AWS to attach a certificate for the domain to it, and that is it: just a couple of clicks, no configuration or complex payments necessary. The load balancer costs like $5 a month.
Cloudflare lets you install an SSL cert on your server. And exploits happen: OpenSSL with Heartbleed a few years back, Mongo recently, WordPress. The big guys get their stuff exploited. In the end, if you want something free, you have no right to complain, hehe.
a month later
Just an update: I have been using this (on Debian) and like it.
Basically, whenever I want to issue a certificate for a domain, I run something like:
sudo certbot certonly -d mydomain.com,www.mydomain.com --cert-name mydomain.com
It runs through a few steps, prompting me for a few choices, and in the end saves the certificates in /etc/letsencrypt/live/mydomain.com/
Using nginx, I would just have to find the configuration for my virtual host (in /etc/nginx/sites-enabled) and add this in the server block:
  # listen for SSL connections
  listen 443 ssl;
  listen [::]:443 ssl;

  # point nginx to certificates
  ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
Certbot will also make sure that the certificates are automatically renewed. I can list all certificates like this:
sudo certbot certificates

There should be an nginx module which would automate the process of updating the nginx configuration, I guess, but it does not seem to be included in my build, for some reason.

It's OK; the process is still much better than the manual procedure with Apache and OpenSSL.
Just a side note:
Certbot stores all the certificates (expired and current) in
/etc/letsencrypt/archive/mysite.com
and it creates a symlink to the latest generated certificate in
/etc/letsencrypt/live/mysite.com


I wrote a blog post a while back on supporting HTTP/2 and getting an A+ grade on SSL Labs. If you're interested, this is how to do it.

Generate a 2048- or 4096-bit Diffie-Hellman Symmetric Key:
sudo mkdir /etc/nginx/ssl
sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096

And in the nginx configuration file:
    # Listen on SSL (http2 requires nginx >= 1.9.5)
    listen 443 ssl http2 default_server;

    # ssl on;
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;

    # From cipherli.st
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ## If you're not aware of how preload works, keep it disabled for now
    ## More info on preload can be found in
    ## blog.mozilla.org/security/2012/11/01/preloading-hsts
    ## &
    ## hstspreload.org/
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # Add the Diffie-Hellman parameters that we have previously generated
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
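An added example, not from the post above: a small audit script that reads the TLS directives of an nginx server block (the posted snippet is embedded as the sample) and flags settings that would cost an A+ today, such as the TLSv1/TLSv1.1 entries in ssl_protocols (deprecated by RFC 8996), session tickets left on, missing OCSP stapling, a missing ssl_dhparam, or an HSTS max-age under one year. The parser is deliberately minimal (one directive per line, commented-out lines skipped); it is an assumption that your config follows that layout.

```python
import re

# Constructed sample: the TLS directives from the nginx server block posted above.
SAMPLE_CONF = """
    listen 443 ssl http2 default_server;
    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on;
    ssl_stapling_verify on;
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
"""

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 8996 and older broken versions

def parse_directives(conf):
    """Map directive name -> list of argument strings; commented-out lines are skipped."""
    found = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments (no '#' in values here)
        if not line.endswith(";"):
            continue
        name, _, args = line[:-1].partition(" ")
        found.setdefault(name, []).append(args.strip())
    return found

def audit_tls(conf):
    """Return a list of findings; an empty list means the block passes these checks."""
    d = parse_directives(conf)
    findings = []
    if not any("ssl" in v.split() for v in d.get("listen", [])):
        findings.append("no 'listen ... ssl' directive")
    weak = set(" ".join(d.get("ssl_protocols", [])).split()) & DEPRECATED
    if weak:
        findings.append("ssl_protocols enables deprecated versions: " + " ".join(sorted(weak)))
    if d.get("ssl_session_tickets", ["on"])[0] != "off":
        findings.append("ssl_session_tickets on: the ticket key only changes on restart")
    if d.get("ssl_stapling", ["off"])[0] != "on":
        findings.append("ssl_stapling off")
    if "ssl_dhparam" not in d:
        findings.append("no ssl_dhparam (DHE suites fall back to nginx defaults)")
    hsts = [v for v in d.get("add_header", []) if v.startswith("Strict-Transport-Security")]
    age = re.search(r"max-age=(\d+)", hsts[0]) if hsts else None
    if age is None or int(age.group(1)) < 31536000:
        findings.append("HSTS missing or max-age shorter than one year")
    return findings
```

Run `audit_tls(open("/etc/nginx/sites-enabled/mysite").read())` against your own server block; on the sample it reports only the deprecated protocol versions.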