Hey, that’s why I’m here.
HTTPS certificates operate using the concept of a chain of trust. For example, Facebook talks to an entity called a Certificate Authority (CA). Specifically, they talk to DigiCert, but there are lots of CAs. CAs are responsible for verifying that a particular entity actually controls a given domain. So DigiCert goes through a process to verify that Facebook actually owns facebook.com, and then hands them a certificate that they signed (we’re talking cryptographic signatures here, not something that can be faked). When you visit facebook.com, your browser looks at who signed the certificate, and says “Okay yeah, I trust DigiCert to actually verify that Facebook owns facebook.com and everything is on the up and up.” Then you don’t see a warning.
This is good, because consider the following scenario. I’m on the same network as you. I fool your computer into thinking that I’m the gateway instead of the ACTUAL gateway (this is called a man-in-the-middle attack). You then try to visit facebook.com, but you’re actually talking to me, and I’m talking to facebook.com for you. I create a certificate of my own for facebook.com and hand it to you, which means your traffic will still be encrypted, but I can decrypt it before sending it on to facebook.com for you, thereby allowing me to read all your passwords. There’s one big flaw in this attack: I won’t be able to convince any legit CAs (i.e. CAs that are trusted by Firefox) that I actually own facebook.com, so I’m going to have to hand you a certificate that is signed by someone else (probably just me, i.e. a “self-signed” certificate). Well, Firefox doesn’t trust me, so it shows you the big “HEY, this is untrusted, you sure you want to do this?” You don’t typically see that when visiting facebook.com, so you should definitely click the “get me the heck outta here” button. In some cases, due to other security features, you may not even have the option to continue anyway, but that’s not important for this discussion.
For that type of scenario, browsers do a good job of terrifying people away from self-signed certificates, and I think you’ll agree it’s for good reason. If you think you’re visiting a legit website and you see a certificate warning, you should run the other way.
That all said, there’s nothing inherently wrong or unsafe with self-signed certificates. They can be abused, yes, but it’s all about the chain of trust. If you’re using a self-signed certificate (or any certificate for that matter that is not signed by a trusted CA), you trust yourself. Tell your browser “Hey, I trust this CA.” And voila, no security downside. Everything is encrypted properly, it’s just about trust.
Does that clear things up a little?
Your DigitalOcean droplet will probably only have one IP address. However, you can create as many domain names as you want pointing to that same IP address, and you can proxy by domain name to as many backends as you want.
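As an added example (not part of the original reply), here is the chain-of-trust check described above, reproduced with the openssl command-line tool: a throwaway CA stands in for DigiCert, and every name, file and hostname is constructed for the demo. It assumes openssl 1.1.1 or newer is installed.

```shell
#!/bin/sh
# Added demo: a private CA signs a server cert; the cert is only "trusted"
# once the verifier has been told to trust that CA (all values constructed).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A homegrown CA that plays the DigiCert role. Nobody trusts it but us.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Demo Home CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# 2. A server certificate for app.example.test, signed by the demo CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=app.example.test" \
  -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
printf 'subjectAltName=DNS:app.example.test\n' > "$WORK/srv.ext"
openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 30 -extfile "$WORK/srv.ext" -out "$WORK/srv.crt" 2>/dev/null

# verify_cert CERT HOSTNAME [CAFILE]: prints "trusted" or "untrusted".
# Without CAFILE the system store is ignored as well, which mimics a browser
# that has never been told about our CA. The hostname check is the "is this
# cert really for facebook.com?" part of what a browser does.
verify_cert() {
  cert=$1; host=$2; cafile=${3:-}
  if [ -n "$cafile" ]; then
    openssl verify -CAfile "$cafile" -verify_hostname "$host" "$cert" >/dev/null 2>&1
  else
    openssl verify -no-CAfile -no-CApath -verify_hostname "$host" "$cert" >/dev/null 2>&1
  fi && echo trusted || echo untrusted
}

echo "CA-signed, verifier knows nothing of the CA: $(verify_cert "$WORK/srv.crt" app.example.test)"
echo "CA-signed, after trusting the CA:            $(verify_cert "$WORK/srv.crt" app.example.test "$WORK/ca.crt")"
echo "CA-signed, but presented for another name:   $(verify_cert "$WORK/srv.crt" other.example.test "$WORK/ca.crt")"
```

The third line is the case the reply warns about: a perfectly valid signature does not help if the certificate was not issued for the name you are visiting.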