This is mostly for myself, but maybe the googlebot will pick it up and help some others.
Basically, patch-tag encourages https: browsing post log in because, well, it’s the right thing to do. (IMHO, https should be the default option for web browsing, and there is a school of thought about that, but I’m in too much of a hurry to track it down. Comments welcome.)
So, I bought my ssl cert from godaddy to make it possible. And it expired, and I couldn’t remember how to make it work again.
After a bit of mucking around, I chose “renew ssl cert” in godaddy, and paid their pound of flesh. Downloaded a little zipped bundle patch-tag.com.zip from godaddy. Contained 2 .crt files, patch-tag.com.crt and gd_bundle.crt.
To get things using the new cert, I edited
/etc/stunnel/stunnel.pem
leaving the top portion (pk) unchanged, and swapping out the bottom portion (cert) with the contents of patch-tag.com.crt file from godaddy.
I then did /etc/init.d/stunnel4 restart
afaict, good to go.
Not sure what that other cert file (gd_bundle.crt) is for.
That’s all folks.
Happy tagging!
PS This page was also helpful for configuring stunnel with a godaddy ssl certificate
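The renewal step described in the post, as an added example that is not part of the original post: it only swaps the certificate into the combined PEM if the renewed certificate was issued for the private key already in the file and has not expired. It assumes the `openssl` command-line tool is installed; the function names and argument order are hypothetical.

```shell
#!/bin/sh
# Added example: rebuild a combined stunnel PEM (private key on top,
# certificate below) from a renewed certificate.
# Function names and argument order are assumptions of this example.

# Succeeds only if the private key in OLD_PEM and the certificate in NEW_CRT
# carry the same public key. Empty output counts as a failure, so two
# unreadable files can never "match".
pem_matches_cert() {   # usage: pem_matches_cert OLD_PEM NEW_CRT
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Writes OUT_PEM = private key block from OLD_PEM + certificate from NEW_CRT.
# Returns 1 on key/cert mismatch, 2 if the certificate is already expired,
# 3 if the output file could not be written.
renew_pem() {          # usage: renew_pem OLD_PEM NEW_CRT OUT_PEM
    old=$1 crt=$2 out=$3
    pem_matches_cert "$old" "$crt" || {
        echo "certificate was not issued for the key in $old" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || {
        echo "certificate in $crt has already expired" >&2; return 2; }
    # Build the new file next to the target with owner-only permissions,
    # then rename it into place so a half-written PEM is never left behind.
    tmp=$(umask 077; mktemp "$out.XXXXXX") || return 3
    {
        sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$old"
        openssl x509 -in "$crt"
    } > "$tmp" && mv "$tmp" "$out" || { rm -f "$tmp"; return 3; }
}

# Stand-alone use: script.sh OLD_PEM NEW_CRT OUT_PEM
if [ "$#" -eq 3 ]; then
    renew_pem "$@"
fi
```

Writing to a separate output file and inspecting it before replacing /etc/stunnel/stunnel.pem keeps the working key file untouched if the check fails.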
If you want a decent CA I’d suggest you have a look at StartCom.
They provide free SSL certificates and have their Root CA available in Windows, Mac, Linux and the major browsers.
As an added bonus you can request as many free certificates as you want as long as you can prove ownership of the domain.
Depending on the level of payment a few verification levels allow for extra functionality such as wildcard certificates or EV. For about 60$ you get a Class 2 Verification which gives you the wildcards and your new certificates then are valid for two years.
Even SSL Extended Validation (the green address bar in IE and Fx) is very affordable through them compared to any other certificate provider around.