/etc/nginx/sites-enabled/site-name.conf

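# Plain-HTTP entry point for site-name. It serves no site content of its own:
# everything it does comes from letsencrypt.conf (ACME HTTP-01 challenge files
# plus a redirect of every other request to HTTPS).
server {
    listen 80;
    # Also accept IPv6 on port 80, matching the [::]:443 listener of the HTTPS
    # server for this site. Without it, IPv6 clients cannot reach the redirect
    # and an HTTP-01 validation made over IPv6 cannot reach the challenge files.
    listen [::]:80;
    server_name site-name;
    include letsencrypt.conf;
}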
# HTTPS server for site-name (IPv4 and IPv6, HTTP/2 enabled on both listeners).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name site-name;
    # Certificate chain and private key are read straight out of acme.sh's
    # working directory under /root.
    # NOTE(review): the acme.sh documentation describes ~/.acme.sh as internal
    # and subject to layout changes. Its --install-cert command (with
    # --key-file, --fullchain-file and --reloadcmd) copies the files to a
    # stable path and reloads nginx after each renewal; consider pointing these
    # two directives at such a path, with the key readable by root only.
    ssl_certificate /root/.acme.sh/site-name/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/site-name/site-name.key;
    # Shared TLS settings: session cache, protocols, ciphers, HSTS, OCSP stapling.
    include ssl.conf;
    ...
}

/etc/nginx/letsencrypt.conf

# Serve ACME HTTP-01 challenge files over plain HTTP. "^~" makes this prefix
# match win without any regex location being consulted. With root /var/www the
# files are read from /var/www/.well-known/acme-challenge/, the same webroot
# that is passed to acme.sh with -w /var/www.
# NOTE(review): the prefix has no trailing slash, so it also matches sibling
# paths that merely start with the same characters (constructed example:
# /.well-known/acme-challenge-old). Confirm nothing under /var/www/.well-known
# is exposed over HTTP unintentionally.
location ^~ /.well-known/acme-challenge {
    root /var/www;
}
# Every other request on port 80 is permanently redirected to the same host and
# URI over HTTPS.
# NOTE(review): $host can come from the client-supplied Host header. If the
# including server block is (or becomes) the default server for port 80, the
# redirect target is chosen by the client; a fixed host name or $server_name
# keeps the target under the operator's control.
location / {
    return 301 https://$host$request_uri;
}

/etc/nginx/ssl.conf

# TLS session resumption.
# Sessions stay resumable for one day; the cache is a 50 MB shared-memory zone
# named "SSL".
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
# Session tickets are enabled and encrypted with a key read from a file rather
# than a key nginx generates itself at start-up.
# NOTE(review): a ticket key that is never replaced weakens forward secrecy for
# resumed TLS 1.2 sessions: whoever obtains the file can decrypt tickets taken
# from recorded connections. Rotate the file on a schedule and reload nginx,
# keep it readable by root only, or switch tickets off if no rotation is in
# place. nginx expects 48 or 80 bytes of random data in this file; the relative
# path is presumably resolved against the nginx configuration directory -
# confirm.
ssl_session_tickets on;
ssl_session_ticket_key tls_session_ticket.key;

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
# NOTE(review): the ssl_ciphers list in this file names only ECDHE suites, so
# this parameter file looks unused unless DHE suites are added later - confirm.
# If it is kept, generate it locally rather than reusing a published file; the
# relative path is presumably resolved against the nginx configuration
# directory.
ssl_dhparam dhparam.pem;

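# intermediate configuration. tweak to your needs.
# Only TLS 1.2 and TLS 1.3 are offered.
ssl_protocols TLSv1.2 TLSv1.3;
# Explicit, ordered suite list: AEAD suites (AES-GCM, ChaCha20-Poly1305) first,
# CBC suites with SHA-2 MACs last as a fallback. !COMPLEMENTOFDEFAULT drops any
# suite that is not part of OpenSSL's DEFAULT set.
# Do not put the bare "ECDHE" keyword in this list. It expands to every ECDHE
# suite the OpenSSL build enables, including CBC suites with SHA-1 MACs, and
# suites it has already added are not re-ordered by the names that follow, so
# the explicit preference order below would be ignored.
# NOTE(review): the TLS13-* names date from pre-release OpenSSL 1.1.1 builds;
# released OpenSSL versions configure TLS 1.3 suites separately and presumably
# ignore these entries - confirm against the installed OpenSSL.
ssl_ciphers 'TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!COMPLEMENTOFDEFAULT';
# The server's order above, not the client's, decides which suite is used.
ssl_prefer_server_ciphers on;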

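# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
# "always" makes nginx send the header on error responses as well; without it
# the header is only added to a fixed set of success and redirect status codes.
# NOTE(review): includeSubDomains commits every subdomain of this host to HTTPS
# for the whole max-age, and "preload" signals consent to be hard-coded into
# browser preload lists, which is slow to undo. The public preload list asks
# for a max-age of at least one year (31536000), so the 6-month value here
# would not qualify; either raise max-age or drop "preload" to match intent.
# add_header is inherited by a location only when that location defines no
# add_header of its own, so repeat this line wherever other headers are added.
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;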

# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
# NOTE(review): stapling only works when the served certificate carries an OCSP
# responder URL; confirm the issuing CA still publishes one, otherwise these
# directives have no effect beyond a warning in the error log.
ssl_stapling on;
# Check the fetched OCSP response against ssl_trusted_certificate before it is
# stapled to handshakes.
ssl_stapling_verify on;

## verify chain of trust of OCSP response using Root CA and Intermediate certs
# NOTE(review): this file must contain the issuer chain of the certificate that
# is actually served. If certificates for different sites are issued by
# different intermediates, one shared ca.cer will make verification fail for
# some of them - confirm per site. The path also points into acme.sh's working
# directory, which acme.sh documents as internal; a copy at a stable path is
# safer.
ssl_trusted_certificate /root/.acme.sh/site-name/ca.cer;

# DNS server nginx uses to resolve the OCSP responder's host name.
# NOTE(review): these lookups go unauthenticated to a public resolver outside
# the host's network. The nginx documentation recommends a resolver on a
# trusted local network to limit DNS spoofing; consider a local caching
# resolver here.
resolver 8.8.8.8;

site-name は各自の環境に合わせて置換してください。CA は全ホスト共通のはずなので、複数サイトを運営する場合はいずれかのサイトの ca.cer を参照させれば OK。
`acme.sh --issue -d site-name -w /var/www` で証明書が発行された後は、acme.sh の cron が更新してくれるはず。ただし nginx は起動時と reload 時にしか証明書ファイルを読み込まないので、更新された証明書を反映させるために時々 nginx を reload すればいいはず。