Requesting the Certificate
First generate a new key and certificate request file using openssl.
openssl req -new -newkey rsa:2048 -nodes -keyout talk.vanhack.ca.key -out talk.vanhack.ca.csr
Get your request (the .csr file) signed by someone. At the time of this writing I picked namecheap.com and ordered the PositiveSSL at ~$9/year.
The site might ask you to verify ownership of the domain, in my case it was in the form of an e-mail to email@example.com.
Installing the Certificate
If your certificate comes in several parts this will have to be concatinated in to one certificate. With namecheap this is how it was done:
cat talk_hackspace_ca.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl.crt
Order matters here, it starts with your cert, then your providers certs all the way up to the added trust for root.
Upload the ssl.crt file and talk.vanhack.ca.key to the host(s) and rename talk.vanhack.ca.key to ssl.key. Move both of these files to /var/discourse/shared/standalone/
Reloading nginx config
SSH in to the docker container:
/var/discourse/launcher ssh app
service nginx reload
Note this only applies for renowing the SSL certs, if this is the first install the container app.yml needs to be updated to include web.ssl.template and ports 443 need to be forwarded.