First step, you'll want to add your domains to your app in Hatchbox on the Domains tab. This helps NGINX sort requests that come to your server to the correct app and it gives us a list of domains to register with Let's Encrypt.
You can enable SSL in one of three ways:
Let's Encrypt with wildcard support
Yep! Wildcard certificates require a DNS validation, so you must have your domain managed by one of the DNS providers supported.
Absolutely. You'll want to upload your certificate chain and key after selecting "Custom SSL" option. Your certificate chain is your SSL certificate, plus any intermediate certificates appended into the same file. Combine the intermediate certificates and your SSL certificate into one and then paste it into the certificate box. Paste your SSL key file's contents into the key box and then click update.
These files will be uploaded to your server and NGINX will be reconfigured to use SSL pointing to those certificates.