Install free SSL certificates

One time only:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Creating a new certificate:

./certbot-auto certonly -w /var/www/pydocs/example.com/staging/ -d staging.example.com

This will create new certificates here:
/etc/letsencrypt/live/staging.example.com

In here are 4 files:

cert.pem chain.pem fullchain.pem privkey.pem

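To use the certificate in Nginx, add this to the site's server block:

listen 443 ssl;
server_name staging.example.com;
# Strict-Transport-Security tells browsers to use HTTPS only for this host,
# which helps prevent man-in-the-middle attacks
add_header Strict-Transport-Security "max-age=31536000";
# "ssl on;" is omitted: "listen 443 ssl;" already enables TLS, and the
# directive is deprecated since nginx 1.15.0
ssl_certificate /etc/letsencrypt/live/staging.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/staging.example.com/privkey.pem;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.3 needs nginx 1.13.0+
# built against OpenSSL 1.1.1+
ssl_protocols TLSv1.2 TLSv1.3;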

Also make sure that you can prove that you're the owner of staging.example.com by making this path available:

http://staging.example.com/.well-known/acme-challenge/

Like so:

location ^~ /.well-known/acme-challenge/ {
    alias /var/www/pydocs/example.com/staging/.well-known/acme-challenge/;
}

To make sure SSL certificates are automatically renewed, add this to your
crontab:

30 2 * * 1 /home/michael/certbot-auto renew >> /var/log/le-renew.log
35 2 * * 1 /etc/init.d/nginx reload
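
The two cron lines above reload nginx every week whether or not the renewal worked. As an added example (not part of the original page), this wrapper reloads only after a successful renew that actually replaced a certificate, and only if the nginx configuration still parses. The STAMP path, the "run" argument and the function names are assumptions made for this example.

```bash
#!/bin/sh
# Added example, not from the original page.
CERTBOT=/home/michael/certbot-auto   # path from the page's crontab
LIVE=/etc/letsencrypt/live
LOG=/var/log/le-renew.log
STAMP=/var/lib/le-renew.stamp        # assumed marker file, touched after each good run

# Print each lineage under $1 whose fullchain.pem is newer than marker $2.
# With no marker yet, every lineage counts as changed.
changed_certs() {
    for pem in "$1"/*/fullchain.pem; do
        [ -e "$pem" ] || continue    # glob matched nothing
        if [ ! -e "$2" ] || [ "$pem" -nt "$2" ]; then
            basename "$(dirname "$pem")"
        fi
    done
}

renew_and_reload() {
    # Log stderr as well, so a failed renewal leaves a trace.
    if ! "$CERTBOT" renew >>"$LOG" 2>&1; then
        echo "$(date): renew failed, nginx not reloaded" >>"$LOG"
        return 1
    fi
    changed=$(changed_certs "$LIVE" "$STAMP")
    if [ -n "$changed" ]; then
        # Refuse to reload a configuration that does not parse.
        if ! nginx -t >>"$LOG" 2>&1; then
            echo "$(date): nginx -t failed, reload skipped" >>"$LOG"
            return 1
        fi
        /etc/init.d/nginx reload >>"$LOG" 2>&1 || return 1
        echo "$(date): reloaded nginx for:" $changed >>"$LOG"
    fi
    touch "$STAMP"
}

# Only act when called as "<script> run" (hypothetical argument), e.g. from cron.
if [ "${1:-}" = "run" ]; then
    renew_and_reload
fi
```

With this in place a single weekly cron entry that calls the script with "run" takes the place of the separate renew and reload entries.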

To expand a certificate to more than one domain, repeat -d:

sudo ./certbot-auto certonly -w /var/www/pydocs/example.com/production -d example.com -d www.example.com

To remove an old one:

./certbot-auto revoke --cert-path /etc/letsencrypt/live/example.com/fullchain.pem