More info here. Ensure you have server blocks for example.com and www.example.com, and that the port 443 is allowed through the firewall.
sudo add-apt-repository ppa:certbot/certbot
sudo apt install python-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com
sudo certbot renew --dry-run # to check that the auto-renewal works well