HTTPS-ing

2025-01-18 · 4 min read

I don't really need HTTPS: this site is purely a collection of static HTML pages, so there are no client sessions whose contents need protecting. However, most browsers kick up a terrible fuss about questionable certs, never mind bare HTTP, so setting up HTTPS is a necessity today.

Certbot makes it dead easy to secure an HTTPS resource. I was able to use this great article to install and run certbot, which is literally just installing it; there is no work to do here. Let's Encrypt seems to be a one-click solution now (or I'm getting smarter, which is unlikely).

There are a few things to consider after securing web-facing content.

  1. As the article suggests, go to Qualys's SSL Labs test site and verify the certificate and the basic HTTPS security checks. There are actually lots of interesting things in there about the certificate itself, its upstream verification (the chain), supported TLS versions, etc. There's a ton of neat HTTPS stuff to read in this report, it's free and yields pretty fast results. You should be seeing an A grade as a result. Anything less needs updating or a re-examination of configs.
  2. You should also head to HostedScan.com and run a vulnerability scan there. They've got a nice bunch of tools for testing HTTPS compliance and standards, vulnerabilities and more, and the tools there are very good: you get a standard Nmap vuln scan, an OWASP ZAP report and an OpenVAS vuln scan on a free HTTPS evaluation. These are automated tools, so they're no replacement for a real-life pentest, but they can help a ton.
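As an added example (not from the post or any of the tools it mentions), here is a small Python script that reproduces a few of the basic checks an SSL Labs report makes: what protocol and cipher a browser-like client negotiates, whether the server still accepts legacy TLS 1.0/1.1, and how close the certificate is to expiry. The hostname is a placeholder you supply; `assess()` works on a captured report, so it can be checked offline.

```python
"""Local version of a few basic SSL Labs checks: negotiated protocol, legacy
protocol support and certificate expiry. Added example, not the post's code."""
import socket
import ssl
from datetime import datetime, timezone

# Protocol versions a modern site should refuse (SSL Labs caps the grade if accepted).
LEGACY = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}


def parse_not_after(not_after):
    """Parse the 'notAfter' string ssl.getpeercert() returns, e.g. 'Jan 18 00:00:00 2026 GMT'."""
    return datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    return (parse_not_after(not_after) - (now or datetime.now(timezone.utc))).days


def accepts_legacy(host, port=443, timeout=5):
    """Names of legacy protocol versions the server is willing to negotiate.
    A failed handshake counts as refused, so a client built without TLS 1.0/1.1
    support gives a false negative; treat an empty list as 'not observed'."""
    accepted = []
    for name, version in LEGACY.items():
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # only probing the handshake
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted.append(name)
        except (ssl.SSLError, ValueError, OSError):
            pass  # refused (or unsupported client-side): nothing to report
    return accepted


def probe(host, port=443, timeout=5):
    """Connect with browser-like defaults (chain + hostname verified) and record the result."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "not_after": tls.getpeercert()["notAfter"],
                    "legacy_accepted": accepts_legacy(host, port, timeout)}


def assess(report, now=None):
    """Turn a probe report into findings; an empty list means the basic checks pass."""
    findings = []
    if report["version"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {report['version']}, expected TLS 1.2 or 1.3")
    findings += [f"server still accepts {name}" for name in report["legacy_accepted"]]
    days = days_until_expiry(report["not_after"], now)
    if days < 30:  # certbot renews at 30 days; less than that means renewal is not happening
        findings.append(f"certificate expires in {days} days")
    return findings
```

Run it against your own host with `assess(probe("example.invalid"))` (placeholder hostname); an empty list corresponds to the protocol and certificate parts of an A grade, not the whole report.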

Bonus points: if you want to really get a butcher's look at what a TLS handshake looks like, go to testssl.sh. This script is fully open and you can go check the contents on GitHub before running it (as you should). It will show you more than you ever wanted to know about HTTPS. You will also see some checks for vulnerabilities you won't find in a fancy automated package anywhere else.

Jules