• create a server with servername on nginx.conf

certbot --nginx

• choose the domain
• get privkey.pem and fullchain.pem from the directory
• remove domain from nginx.conf