tlsgatling.
So. After much too long I've gotten off my butt and managed to enable https on this here very webserver. The software in use is gatling by fefe. Still using a CAcert certificate, I'm afraid, but at this point I'm just waiting until let's encrypt is operational.
I've used gatling since for-fucking-ever but never really looked at the tlsgatling part because I was too lazy. Turns out, the instructions on how to build it aren't actually part of gatling because you need to start earlier, you need to have openssl built with dietlibc in order for this to work. If you have that, the instructions in the README.tls of gatling do work.
Now I just need to figure out a policy on http vs https and whether to redirect all http connects to https or not. Probably better to do that when I'm no longer on CAcert, though.