
Let’s Encrypt Revisited – nginx Support

Let’s Encrypt certificates work just as well on the nginx web server. Here is the SSL configuration I used:

ssl_certificate /etc/letsencrypt/live/www.{{domain-name}}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.{{domain-name}}/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=7890000;

Note the Strict-Transport-Security header at the end of the list. That tells browsers they should only connect to this site securely for the next 180 days (15552000 seconds). The presence of this header boosts your Qualys SSL Labs rating from A to A+. I need to add this to my Apache configurations too.
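A small audit over the nginx directives above, added here as an example and not part of the original post: it parses the block one directive per line, flags the pre-TLS 1.2 protocols and the 3DES suite the cipher list still offers, and compares the HSTS max-age against the 180-day figure. The two sample configurations inside it are constructed, with the cipher list shortened.

```python
import re

# Constructed samples (not from the post): the first mirrors the nginx block
# above with its cipher list shortened; the second is a hardened counterpart.
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!aNULL:!MD5:!EDH-RSA-DES-CBC3-SHA';
add_header Strict-Transport-Security max-age=7890000;
"""
HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains";
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 15552000  # 180 days, the figure the post quotes

def parse_directives(conf):
    """One directive per line, as in the post: strip comments and the trailing ';'."""
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        if line:
            name, _, value = line.partition(" ")
            out.append((name, value.strip().strip("'\"")))
    return out

def hsts_max_age(directives):
    """HSTS max-age in seconds; 0 if the header is malformed, None if absent."""
    for name, value in directives:
        if name == "add_header" and value.startswith("Strict-Transport-Security"):
            m = re.search(r"max-age=(\d+)", value)
            return int(m.group(1)) if m else 0
    return None

def audit_nginx_tls(conf):
    """Return a list of findings; an empty list means every check passed."""
    directives = parse_directives(conf)
    vals = dict(directives)  # last occurrence wins; fine for single-valued directives
    findings = []
    weak = sorted(set(vals.get("ssl_protocols", "").split()) & WEAK_PROTOCOLS)
    if weak:
        findings.append("weak protocols enabled: " + " ".join(weak))
    offered = [c for c in vals.get("ssl_ciphers", "").split(":") if not c.startswith("!")]
    if any("3DES" in c or "DES-CBC3" in c for c in offered):
        findings.append("3DES cipher suites offered")
    age = hsts_max_age(directives)
    if age is None:
        findings.append("no Strict-Transport-Security header")
    elif age < MIN_HSTS_AGE:
        findings.append(f"HSTS max-age {age}s is below {MIN_HSTS_AGE}s")
    return findings
```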

Let’s Encrypt

Let’s Encrypt is a new Certificate Authority: it’s free, automated, and open.
https://letsencrypt.org/

I used the following commands to install the letsencrypt tools on my server and generate a certificate:

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt
./letsencrypt-auto -a webroot \
-d www.{{domain-name}} -d {{domain-name}} \
--webroot-path ~{{domain-owner}}/htdocs/ certonly

I enabled the Apache SSL module (a2enmod ssl) and added NameVirtualHost *:443 to ports.conf, then added the following lines to the server configuration for my site:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.{{domain-name}}/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.{{domain-name}}/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.{{domain-name}}/privkey.pem
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

The certificate expires after 90 days, so I installed a script to renew it automatically and called it at regular intervals from /etc/crontab:

#!/bin/sh
# from https://letsencrypt.org/howitworks/
if ! /root/letsencrypt/letsencrypt-auto renew > /var/log/letsencrypt/renew.log 2>&1 ; then
    echo Automated renewal failed:
    cat /var/log/letsencrypt/renew.log
    exit 1
fi
service apache2 reload

The site now scores an A on the Qualys SSL Labs SSL Server Test.

Update: Images were being blocked by Firefox until I updated my WordPress configuration (wp-config.php) to change the protocol to https in the following settings:

define('WP_SITEURL', 'https://' . $_SERVER['SERVER_NAME'] . '{{home-path}}');
define('WP_HOME', 'https://' . $_SERVER['SERVER_NAME'] . '/');
define('WP_CONTENT_URL', 'https://' . $_SERVER['SERVER_NAME'] . '{{content-path}}');

If these are not configured in wp-config.php you will need to update the settings in your WordPress Control Panel under Settings / General / WordPress Address and Settings / General / Site Address.

Tested on Debian Wheezy with Apache 2.2.22 and Debian Jessie with Apache 2.4.10.