Configuring CouchDB 1.6.1 with LetsEncrypt free SSL certificate on Debian 8 (jessie)

February 17, 2017
  1. Enable jessie-backports, if not already enabled on your system. As described here:

    echo deb http://ftp.debian.org/debian jessie-backports main | sudo tee /etc/apt/sources.list.d/backports.list > /dev/null
    sudo aptitude update
    
  2. Install certbot as described here:

    sudo aptitude install certbot -t jessie-backports
    
  3. Configure a web server, so certbot can communicate with the outside world. I use lighttpd.

    sudo aptitude install lighttpd
    
  4. Configure the web server to allow the couchdb user write access to the root directory.

    sudo chown root:couchdb /var/www/html
    sudo chmod g+rxw /var/www/html
    
  5. Set up a directory to store your certificates:

    sudo mkdir /etc/couchdb/letsencrypt
    sudo chown couchdb:couchdb /etc/couchdb/letsencrypt
    sudo chmod g+rwx /etc/couchdb/letsencrypt
    
  6. Generate your initial SSL certificate:

    sudo -u couchdb certbot certonly --webroot -w /var/www/html --config-dir /etc/couchdb/letsencrypt --logs-dir /var/log/couchdb -d <hostname>
    

    Follow the prompts to configure certbot.

  7. Configure CouchDB as described here. Edit /etc/couchdb/local.ini to match:

    [daemons]
    httpsd = {couch_httpd, start_link, [https]}
    
    [ssl]
    ; certbot keeps the current certificate under <config-dir>/live/<hostname>/,
    ; i.e. the --config-dir passed in step 6, not the default /etc/letsencrypt
    cert_file = /etc/couchdb/letsencrypt/live/<hostname>/cert.pem
    key_file = /etc/couchdb/letsencrypt/live/<hostname>/privkey.pem
    cacert_file = /etc/couchdb/letsencrypt/live/<hostname>/chain.pem
    

    You will probably also want to disable plain HTTP, by editing /etc/couchdb/default.ini and commenting out the httpd line in the [daemons] section so that it reads:

    ;httpd={couch_httpd, start_link, []}
    
  8. Test!

    Visit https://<hostname>:6984/_utils, and verify that http://<hostname>:5984/_utils does not work.
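    Before restarting CouchDB it is worth checking that the paths in local.ini point at files the couchdb user can actually read: certbot writes the current certificate under the --config-dir given in step 6 (here /etc/couchdb/letsencrypt/live/<hostname>/), not under the default /etc/letsencrypt, and a wrong or unreadable path only shows up as a failed HTTPS listener. The script below is an added example, not part of the original post nor of CouchDB or certbot. It parses a CouchDB 1.x ini file, confirms that the httpsd daemon is enabled and httpd is not, checks that each [ssl] file exists, is readable by the user running the check and that the private key is not group- or world-readable, and optionally flags paths that do not sit under the certbot config directory. The hostname example.test, the temporary directory and the placeholder PEM files in build_demo() are constructed for the demonstration.

```python
"""Pre-flight check for a CouchDB 1.x [ssl] configuration (added example)."""
import configparser
import os
import stat
import sys
import tempfile

SSL_KEYS = ("cert_file", "key_file", "cacert_file")


def load_ini(path):
    # CouchDB ini files use ';' for comments, which configparser accepts by default.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    with open(path, encoding="utf-8") as fh:
        cp.read_file(fh)
    return cp


def check_couchdb_ssl(ini_path, certbot_config_dir=None):
    """Return a list of findings; an empty list means the config looks usable."""
    findings = []
    cp = load_ini(ini_path)
    daemons = cp["daemons"] if cp.has_section("daemons") else {}
    if "httpsd" not in daemons:
        findings.append("[daemons] has no httpsd entry: HTTPS listener is not enabled")
    if "httpd" in daemons:
        findings.append("[daemons] still defines httpd: plain HTTP listener is enabled")
    if not cp.has_section("ssl"):
        findings.append("no [ssl] section")
        return findings
    ssl_section = cp["ssl"]
    live_prefix = None
    if certbot_config_dir:
        # certbot places the current certificate under <config-dir>/live/<hostname>/
        live_prefix = os.path.join(certbot_config_dir, "live") + os.sep
    for key in SSL_KEYS:
        if key not in ssl_section:
            findings.append(f"[ssl] {key} is not set")
            continue
        path = ssl_section[key]
        if live_prefix and not path.startswith(live_prefix):
            findings.append(f"[ssl] {key}={path} is not under {live_prefix} (certbot --config-dir)")
        if not os.path.isfile(path):
            findings.append(f"[ssl] {key}={path} does not exist")
            continue
        if not os.access(path, os.R_OK):
            findings.append(f"[ssl] {key}={path} is not readable by the current user")
        # live/ entries are symlinks into archive/; os.stat follows them.
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if key == "key_file" and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"[ssl] key_file {path} is readable by group or others")
    return findings


# Constructed sample configs; @LIVE@ is replaced with the demo live/ directory.
GOOD_INI = """[daemons]
httpsd = {couch_httpd, start_link, [https]}

[ssl]
cert_file = @LIVE@/cert.pem
key_file = @LIVE@/privkey.pem
cacert_file = @LIVE@/chain.pem
"""
BAD_INI = "[daemons]\nhttpd = {couch_httpd, start_link, []}\n" + GOOD_INI[len("[daemons]\n"):]


def build_demo():
    """Constructed fixture: placeholder PEM files in a temp dir plus a good and a bad local.ini."""
    root = tempfile.mkdtemp(prefix="couchdb-ssl-demo-")
    config_dir = os.path.join(root, "letsencrypt")           # stands in for /etc/couchdb/letsencrypt
    live = os.path.join(config_dir, "live", "example.test")  # example.test is a placeholder hostname
    os.makedirs(live)
    for name in ("cert.pem", "privkey.pem", "chain.pem"):
        with open(os.path.join(live, name), "w") as fh:
            fh.write("-----BEGIN PLACEHOLDER-----\n")
    good_ini, bad_ini = (os.path.join(root, n) for n in ("good-local.ini", "bad-local.ini"))
    with open(good_ini, "w") as fh:
        fh.write(GOOD_INI.replace("@LIVE@", live))
    with open(bad_ini, "w") as fh:
        fh.write(BAD_INI.replace("@LIVE@", live))
    key = os.path.join(live, "privkey.pem")
    os.chmod(key, 0o600)
    good = check_couchdb_ssl(good_ini, certbot_config_dir=config_dir)
    # Bad case: httpd still on, key readable by others, and the checker is told the
    # certs should live under a different config dir (the default-path mistake).
    os.chmod(key, 0o644)
    bad = check_couchdb_ssl(bad_ini, certbot_config_dir="/etc/couchdb/letsencrypt")
    return good, bad


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # Usage: sudo -u couchdb python3 check_couchdb_ssl.py /etc/couchdb/local.ini /etc/couchdb/letsencrypt
        problems = check_couchdb_ssl(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None)
    else:
        good, bad = build_demo()
        print("constructed good config:", good or "OK")
        problems = bad
    for line in problems:
        print("FINDING:", line)
```

Run it as the couchdb user (sudo -u couchdb), because the readability check uses the permissions of whoever runs it, and the point is whether CouchDB, not root, can open the files. Run without arguments it exercises the constructed fixture only.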
