Buy
Buy an SSL cert; I'm getting a PositiveSSL Wildcard for 5 years ($39 USD/yr): https://www.ssls.com/
- Let them generate the key and CSR; it's easier (note the private key is then created on their side rather than yours)
Get the domain ownership verification email sent to admin@thighhighs.top and follow the steps to enter the verification code
- Wait for domain validation to happen on their backend
- Download the archive containing the cert and CA chain bundle
Install
Concatenate the cert and the chain/bundle, in that order. This is a general-purpose cert file now (apps that only want the leaf cert will just read the first cert in the file):
cat STAR_thighhighs_top.crt STAR.thighhighs.top.ca-bundle > STAR_thighhighs_top.combined.pem
Dump files in directory, like /etc/ssl/
- Don't forget the private key as well
- Do the various configs
Pihole with lighttpd: servers/calico#TLS_support
nginx support
server {
    listen 80;
    listen 443 ssl;
    server_name thighhighs.top;
    ...
    # "ssl on;" dropped: it would force TLS on the port 80 listener as well; the ssl parameter on "listen 443" is enough
    ssl_certificate /etc/ssl/STAR_thighhighs_top.combined.pem;
    ssl_certificate_key /etc/ssl/STAR_thighhighs_top.key;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4;
    include /etc/nginx/fragment/gzip;
}
Restart nginx, add session caching and whatnot if you want: http://nginx.org/en/docs/http/configuring_https_servers.html#optimization
Fix up the Unifi controller; these notes are a bit stale as it's not containerised, but they're basically correct: UnifiController#A_real_signed_SSL_cert_for_the_controller
- The Synology NAS uses individual key/cert/chain files; instead of Action-Renew just use Add-Replace; set it as the default system cert
- Test:
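A pre-deployment check on the files themselves, added here as an example (not part of the original notes): it confirms the first cert in the combined file is the leaf for the private key, that the chain verifies up to a trusted root, and that the wildcard covers the hostnames you expect. It uses Ruby's stdlib openssl and builds a constructed throwaway root/intermediate/leaf as a stand-in for the real PositiveSSL chain, so it runs offline; point check_bundle at the real STAR_thighhighs_top.combined.pem and .key contents (with the system roots) for the live check.

```ruby
require "openssl"

# Checks a "leaf first, then chain" PEM file like the one the cat command above
# produces: cert #1 must match the private key and must verify for host through
# the remaining certs up to one of trusted_roots. Returns :ok or a reason string.
def check_bundle(combined_pem, key_pem, trusted_roots, host)
  certs = combined_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
                      .map { |pem| OpenSSL::X509::Certificate.new(pem) }
  return "no certificates in bundle" if certs.empty?
  leaf, chain = certs[0], certs[1..]
  return "first cert does not match the key: the leaf must precede the ca-bundle" \
    unless leaf.check_private_key(OpenSSL::PKey.read(key_pem))
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  return "chain does not verify: #{store.error_string}" unless store.verify(leaf, chain)
  return "cert not valid for #{host}" unless OpenSSL::SSL.verify_certificate_identity(leaf, host)
  :ok
end

# Constructed stand-in for the real CA chain: issues a cert for subject,
# self-signed when issuer_cert is nil, otherwise signed by issuer_key.
def issue(subject, issuer_cert, key, issuer_key, ca:, sans: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{subject}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 3600, Time.now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(nil, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectAltName", sans)) if sans
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Constructed test PKI (not the real PositiveSSL chain): root -> intermediate -> wildcard leaf.
root_key, inter_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT  = issue("Constructed Root", nil, root_key, nil, ca: true)
INTER = issue("Constructed Intermediate", ROOT, inter_key, root_key, ca: true)
LEAF  = issue("*.thighhighs.top", INTER, leaf_key, inter_key, ca: false,
              sans: "DNS:*.thighhighs.top,DNS:thighhighs.top")
KEY_PEM      = leaf_key.to_pem
COMBINED_PEM = LEAF.to_pem + INTER.to_pem # what the cat command produces
REVERSED_PEM = INTER.to_pem + LEAF.to_pem # the same files in the wrong order

puts "combined:  #{check_bundle(COMBINED_PEM, KEY_PEM, [ROOT], 'pihole.thighhighs.top')}"
puts "reversed:  #{check_bundle(REVERSED_PEM, KEY_PEM, [ROOT], 'pihole.thighhighs.top')}"
puts "two-level: #{check_bundle(COMBINED_PEM, KEY_PEM, [ROOT], 'a.b.thighhighs.top')}"
```

The last line shows the wildcard limit that bites with nested hostnames: `*.thighhighs.top` covers one label only, so a two-level name fails the identity check even though the chain is fine.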
Improvements
Useful site: https://timtaubert.de/blog/2014/10/deploying-tls-the-hard-way/
Now figured out what to make of...
OCSP stapling
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
Exactly which certs need to be where is unclear. Per the linked docs, the intermediate in the combined file is enough for nginx to find the OCSP responder, but ssl_stapling_verify additionally needs the issuer and root certs supplied via ssl_trusted_certificate to verify the response.
HSTS
Should be as easy as adding a header; best to split your http and https server blocks in the config and always redirect to HTTPS.