acme.sh --issue -d example.com -d *.example.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-pleaseacme.sh --renew -d example.com -d *.example.com --yes-I-know-dns-manual-mode-enough-go-ahead-pleaselisten 443 ssl http2 default_server;
server_name domain.com www.domain.com;
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_certificate /path/to/fullchain.cer;
ssl_trusted_certificate /path/to/fullchain.cer;
ssl_certificate_key /path/to/cert.key;
ssl_dhparam /path/to/dhparam.pem;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
ssl_ecdh_curve secp384r1:secp521r1;
ssl_stapling on;
ssl_stapling_verify on;
ssl_verify_depth 3;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 10s;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
add_header X-Farme-Options "DENY";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
charset utf-8;
server_tokens off;
root /path/to/root;