Let’s Encrypt is a free, automated, and open certificate authority (CA), run for the public’s benefit. Let’s Encrypt is a service provided by the Internet Security Research Group (ISRG).

Install the certbot client:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

If you don't have any app server running on port 80:

./path/to/certbot-auto certonly --standalone -d example.com -d www.example.com

If you have an existing web server running on port 80:

./path/to/certbot-auto certonly --webroot -w /path/to/public -d example.com -d www.example.com

Make sure you enter a valid email for recovery and agree to the terms. Then you should see a "cert is successfully generated" message. Example:

 - Congratulations! Your certificate and chain have been saved at
   Your cert will expire on YYYY-MM-DD. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now edit your nginx server block to use the generated certs and restart your server.

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; 
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

Note that a Let's Encrypt cert expires every 3 months, but you can use a scheduled job, such as a crontab entry, to renew it automatically.

crontab -e

Edit the crontab and add the pair of lines that matches your release:

# Ubuntu 14.04
# 2>&1 sends error output to the log as well, so failed renewals are recorded
1 2 * * * /path/to/certbot-auto renew --no-self-upgrade >> /path/to/letsencrypt_crontab.log 2>&1
2 2 * * * sudo /etc/init.d/nginx restart >> /path/to/letsencrypt_crontab.log 2>&1
# Ubuntu 16.04
1 2 * * * /usr/bin/letsencrypt renew >> /path/to/letsencrypt_crontab.log 2>&1
2 2 * * * /etc/init.d/nginx restart >> /path/to/letsencrypt_crontab.log 2>&1

You should use a random minute, and invoke this job not more than twice a day.
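
A cron renewal that stops working gives no sign until the certificate expires, so it is worth checking the live certificate's remaining lifetime separately. The script below is an added example, not part of the original page: it reads the expiry date with openssl and reports whether renewal is overdue. The function names and the 20-day threshold are assumptions (certbot renews once fewer than 30 days remain, so a lower figure means renewals have been failing), and it needs GNU date.

```shell
#!/bin/sh
# Added example: detect a cron renewal that has silently stopped working.
# Function names and the default 20-day threshold are illustrative assumptions.

# Seconds between a given epoch time ($2) and an openssl-style notAfter
# date ($1), e.g. "Mar 10 12:00:00 2025 GMT". Requires GNU date for -d.
seconds_left() {
    end_epoch=$(date -u -d "$1" +%s) || return 2
    echo $(( end_epoch - $2 ))
}

# Classify a certificate from its notAfter date ($1), the current epoch
# time ($2) and a threshold in days ($3).
# Prints "expired", "overdue <days>" or "ok <days>".
cert_state() {
    secs=$(seconds_left "$1" "$2") || return 2
    days=$(( secs / 86400 ))
    if [ "$secs" -le 0 ]; then
        echo "expired"
    elif [ "$days" -lt "$3" ]; then
        echo "overdue $days"
    else
        echo "ok $days"
    fi
}

# Read the expiry date from a PEM certificate file ($1) and classify it
# against the current time. The first certificate in fullchain.pem is
# the server certificate, which is the one openssl reports on.
check_cert() {
    line=$(openssl x509 -in "$1" -noout -enddate) || {
        echo "cannot read certificate: $1" >&2
        return 2
    }
    cert_state "${line#notAfter=}" "$(date -u +%s)" "${2:-20}"
}

# When called with a certificate path, print the state and exit non-zero
# unless the certificate is ok, so cron or a monitoring agent can alert on it.
if [ -n "${1:-}" ]; then
    state=$(check_cert "$1" "${2:-20}") || exit 2
    echo "$1: $state"
    case $state in
        ok*) exit 0 ;;
        *)   exit 1 ;;
    esac
fi
```

Saved under a name of your choice, it can be run against /etc/letsencrypt/live/example.com/fullchain.pem from a second cron entry or a monitoring check.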