Image: Let's Encrypt
Thanks to: Santoshsrinivas

Find a directory suitable, say, home directory cd ~/ and install letsencrypt

git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help


Obtain Certificate

Problem 1 I encountered: The server could not connect to the client for DV. This is caused by my DNS service provider which is DNSPod -- A Chinese firm. Don't really know what happened but seems like Google can't get DNS reply either. So if you see pops out, switch to another DNS provider.

Also, you need to shut downs Nginx temporarily so that port 80 can be used.

sudo service nginx stop


Manual from Let's Encrypt

Then you can generate certificate, following the instructions that will appear in terminal as you proceed.
Note: Domain name is the website address, for me, it would be blog.moelf.xyz instead of moelf.xyz

./letsencrypt-auto --agree-dev-preview --server  https://acme-v01.api.letsencrypt.org/directory auth


Then you will be greeted as the following according to santoshsrinivas which I actually saw a shorter version for no obvious reason:

IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to MYEMAIL@MYDOMAIN.COM.
- Congratulations! Your certificate and chain have been saved at
will expire on 2016-03-03. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le
language-nginx

#### Setup Nginx for 443 ssl
You can find your Nginx config file at /etc/nginx/site-available/ghost.conf.
My version of it:


erver {
listen [::]:80;
listen 80;
server_name moelf.xyz blog.moelf.xyz;
return 301 https://blog.moelf.xyz$request_uri; location / { proxy_set_header X-Real-IP$remote_addr;
proxy_set_header Host $http_host; proxy_pass http://127.0.0.1:{YOUR GHOST PORT}; } } server { server_name blog.moelf.xyz; # Replace with your domain access_log /var/log/nginx/www_ss.log; listen [::]:443 ssl spdy; listen 443 ssl spdy; server_name moelf.xyz; ssl_certificate /etc/letsencrypt/live/blog.moelf.xyz/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/blog.moelf.xyz/privkey.pem; include /etc/nginx/h5bp/h5bp/directive-only/ssl.conf; include /etc/nginx/h5bp/h5bp/directive-only/ssl-stapling.conf; include /etc/nginx/h5bp/h5bp/directive-only/spdy.conf; location / { proxy_pass http://localhost:{YOUR GHOST PORT}; proxy_set_header X-Forwarded-For$proxy_add_x_forwarded_for;
proxy_set_header Host $http_host; proxy_set_header X-Forwarded-Proto$scheme;
proxy_buffering off;
}
}

Three lines of include was confusing for me as well. What you can do is clone this [h5bp repo](https://github.com/h5bp/server-configs-nginx) and place files inside /etc/nginx/ filder as I did. santoshsrinivas used something like include h5bp/directive-only/ssl.conf; which I can't figure our where should I put the folder at so I instead use the absolute path.

#### Restart Nginx
sudo service nginx restart and your Ghost Blog should be running with HTTPS.`