Most everything makes use of ACME.sh, with auto-renewing certificates from LetsEncrypt and Cloudflare domain verification.

1. Set environment variables

export CF_Token="pybhqsynervfirelpbby"
export CF_Account_ID="pybhqsynervfirelpbby"
export CF_Zone_ID="pybhqsynervfirelpbby"

2. Generate cert

acme.sh --issue --dns dns_cf -d example.com

acme.sh --issue -d example.com -w /var/www/example.com/

export DOMAIN=example.com
 
# 1. Create Certificate Path
mkdir -p /etc/nginx/acme.sh/${DOMAIN}/
 
# 2. Tell acme.sh about it
acme.sh --install-cert -d ${DOMAIN} \
--cert-file /etc/nginx/acme.sh/${DOMAIN}/cert \
--key-file /etc/nginx/acme.sh/${DOMAIN}/key \
--fullchain-file /etc/nginx/acme.sh/${DOMAIN}/fullchain \
--reloadcmd "systemctl reload nginx.service"

Then in NGINX config…

ssl_certificate /etc/nginx/acme.sh/example.com/fullchain;
ssl_certificate_key /etc/nginx/acme.sh/example.com/key;