Image: Let's Encrypt
Thanks to: Santoshsrinivas

Prepare Your VPS' Environment

Find a directory suitable, say, home directory cd ~/ and install letsencrypt

git clone  
cd letsencrypt  
./letsencrypt-auto --help

Obtain Certificate

Problem 1 I encountered: The server could not connect to the client for DV. This is caused by my DNS service provider which is DNSPod -- A Chinese firm. Don't really know what happened but seems like Google can't get DNS reply either. So if you see pops out, switch to another DNS provider.

Also, you need to shut downs Nginx temporarily so that port 80 can be used.

sudo service nginx stop

Manual from Let's Encrypt

Then you can generate certificate, following the instructions that will appear in terminal as you proceed.
Note: Domain name is the website address, for me, it would be instead of

./letsencrypt-auto --agree-dev-preview --server auth

Then you will be greeted as the following according to santoshsrinivas which I actually saw a shorter version for no obvious reason:

 - If you lose your account credentials, you can recover through
   e-mails sent to MYEMAIL@MYDOMAIN.COM.
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ Your cert
   will expire on 2016-03-03. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If like Let's Encrypt, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:
   Donating to EFF:          

#### Setup Nginx for 443 ssl
You can find your Nginx config file at `/etc/nginx/site-available/ghost.conf`.  
My version of it:

erver {
listen [::]:80;
listen 80;
return 301$request_uri;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $http_host;
proxy_pass{YOUR GHOST PORT};
server {
server_name; # Replace with your domain
access_log /var/log/nginx/www_ss.log;
listen [::]:443 ssl spdy;
listen 443 ssl spdy;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;
include /etc/nginx/h5bp/h5bp/directive-only/ssl.conf;
include /etc/nginx/h5bp/h5bp/directive-only/ssl-stapling.conf;
include /etc/nginx/h5bp/h5bp/directive-only/spdy.conf;
location / {
proxy_pass http://localhost:{YOUR GHOST PORT};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_buffering off;

Three lines of `include` was confusing for me as well. What you can do is clone this [h5bp repo]( and place files inside `/etc/nginx/` filder as I did. `santoshsrinivas` used something like `include h5bp/directive-only/ssl.conf;` which I can't figure our where should I put the folder at so I instead use the absolute path.

#### Restart Nginx
`sudo service nginx restart` and your Ghost Blog should be running with HTTPS.