Nginx
Roman Rakzin, 2017-06-13 23:26:29

Setting up https on nginx?

Please give me a specific example of how to set up https on nginx.
With a description: do this -> get that. Oddly enough, I did not find one; everything is very confusing. What to do with certificates, and can they be made for free?
In general, tell me in parts, as for a beginner in encryption.
Thanks


2 answer(s)
Nazar Mokrinsky, 2017-06-13
@nazarpc

The following is sufficient:

server {
    listen              443 ssl http2;
    server_name         your_domain_here;
    ssl_certificate     /path/to/certificate;
    ssl_certificate_key /path/to/key;

    # your location {} blocks go here
}

If you redirect from HTTP to HTTPS, then add this above:

server {
    listen      80;
    server_name your_domain_here;
    return      301 https://$server_name$request_uri;
}

I also recommend looking at https://mozilla.github.io/server-side-tls/ssl-conf... - depending on the version of Nginx and OpenSSL, as well as your preferences, it allows you to choose the latest ciphers to maintain the highest possible level of security.
In /etc/nginx/conf.d/tls.conf I put quite strict settings for myself, without old protocols and weak ciphers, which are as secure as possible but only work in current versions of browsers (IE9-10, ancient Firefox, Chrome and Safari may not work at all):

ssl_session_timeout       1d;
ssl_session_cache         shared:SSL:50m;
ssl_session_tickets       off;

ssl_dhparam               /etc/ssl/dhparam.pem;

ssl_protocols             TLSv1.2;
ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;

add_header                Strict-Transport-Security "max-age=31536000;";

ssl_stapling              on;
ssl_stapling_verify       on;

This is a fairly minimalistic config without tinsel and without editing native Nginx configuration files (which simplifies updating). You will have to generate dhparam.pem; I recommend 4096 bit, and how to do it is very easy to find.
These options are more than enough, just look for what each of the options means and adjust to taste.
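
A small checker for the settings in Nazar Mokrinsky's answer above, added here as an illustration and not part of either answer: it parses one-line nginx directives and reports legacy protocols, weak cipher names, session tickets left on, and a missing HSTS header. The function names, the weak-cipher substring list and the LEGACY_CONF sample are assumptions made for this example.

```python
import re

# Constructed input: directives copied from the answer's tls.conf.
STRICT_CONF = """
ssl_session_tickets       off;
ssl_protocols             TLSv1.2;
ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
add_header                Strict-Transport-Security "max-age=31536000;";
"""

# Constructed input: a legacy-style config, for comparison (not from the page).
LEGACY_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # old protocols still enabled
ssl_ciphers   HIGH:RC4-SHA:DES-CBC3-SHA:!aNULL;
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings that mark a weak suite name (assumed list for this example).
WEAK_CIPHER_PARTS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXP")

def parse_directives(conf):
    """Return {name: [args, ...]} for one-line 'name args;' directives."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"(\w+)\s+(.*);\s*$", line.split("#", 1)[0].strip())
        if m:
            found.setdefault(m.group(1), []).append(m.group(2))
    return found

def audit(conf):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(conf)
    findings = []
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    for proto in sorted(protocols & LEGACY_PROTOCOLS):
        findings.append(f"legacy protocol enabled: {proto}")
    for suite in ":".join(d.get("ssl_ciphers", [])).split(":"):
        # Skip empty tokens and exclusions such as !aNULL or -RC4.
        if suite[:1] not in ("", "!", "-") and any(w in suite.upper() for w in WEAK_CIPHER_PARTS):
            findings.append(f"weak cipher allowed: {suite}")
    if "off" not in d.get("ssl_session_tickets", []):
        findings.append("ssl_session_tickets is not off")
    if not any("Strict-Transport-Security" in v for v in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header")
    return findings

if __name__ == "__main__":
    for name, conf in (("strict", STRICT_CONF), ("legacy", LEGACY_CONF)):
        print(name, audit(conf) or "OK")
```

The parser only understands directives written on a single line, so run it on the TLS include file itself rather than on a full nginx.conf with nested blocks.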

planc, 2017-06-13
@planc

> make them free to
letsencrypt
https://serversforhackers.com/series/ssl-certificates
https://serversforhackers.com/video/letsencrypt-fo...
