Install Certbot
Generate certificate for a domain
Certbot automatically edits the matching Nginx server block (the one with the matching server_name) to add the SSL config and redirect HTTP → HTTPS.
Make sure the domain’s DNS A record already points to this VPS’s IP, and that Nginx is already serving that server_name on port 80, before running Certbot — otherwise the HTTP-01 challenge will fail.
Auto-renewal
Certbot installs a systemd timer automatically. Verify it:
Multiple domains
Repeat per subdomain/app:
Useful checks
After Certbot edits the Nginx config, run sudo nginx -t to confirm syntax is valid, then sudo systemctl reload nginx if you made any further manual changes.