@daemonhorn
Last active September 7, 2024 16:35
Unifi Network Controller and NGINX Configuration

Create a dedicated folder for the certificates and give the push user write access to it through the www-data group

mkdir /etc/nginx/certs
chmod 770 /etc/nginx/certs                  # root and the www-data group can write; nobody else can even list it
chown root:www-data /etc/nginx/certs
groupmod -a -U dhorn www-data               # add user dhorn to www-data (usermod -aG www-data dhorn on older shadow-utils)

Add the www-data group to sudoers so its members can run the service command without a password (used for sudo service nginx restart)

echo "%www-data ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service" >/etc/sudoers.d/20_nginx
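The rule above permits any `service` invocation, so every www-data member (including the nginx worker user) can start or stop any service on the controller. The following added example, which is not part of the gist, installs a drop-in that allows only the two nginx actions the certificate push needs, pins the run-as user to root, and writes the file with the mode sudo expects. It assumes the drop-in directory is passed as the first argument (`/etc/sudoers.d` on a real host) and keeps the gist's file name `20_nginx`:

```shell
#!/bin/sh
# Added example, not from the gist: narrower replacement for
#   %www-data ALL=(ALL:ALL) NOPASSWD:/usr/sbin/service
# Only "service nginx reload" and "service nginx restart" are allowed, run as root.

NGINX_SUDO_RULE='%www-data ALL=(root) NOPASSWD: /usr/sbin/service nginx reload, /usr/sbin/service nginx restart'

# install_sudoers_rule DIR: write DIR/20_nginx atomically with mode 0440.
# The temporary name contains a dot, and sudo ignores drop-ins with a dot in
# their name, so a half-written file can never be parsed as policy.
install_sudoers_rule() {
    dir="$1"
    target="$dir/20_nginx"
    tmp="$target.tmp.$$"
    # umask in a subshell: the file is unreadable to others from the first byte
    # without changing the caller's umask; then set the conventional 0440.
    (umask 077; printf '%s\n' "$NGINX_SUDO_RULE" > "$tmp") || return 1
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$target"
}

# check_sudoers_syntax FILE: a syntax error in /etc/sudoers.d breaks sudo for
# every user on the host, so validate before trusting the file (run as root).
check_sudoers_syntax() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 1; }
    visudo -cf "$1" >/dev/null
}

# perm_string FILE: mode column of ls -l, e.g. "-r--r-----" (portable across
# GNU and BSD, unlike stat's flags).
perm_string() {
    ls -l "$1" | cut -c1-10
}

# Real installation, only when invoked as: sh install_nginx_sudoers.sh --install
if [ "${1:-}" = "--install" ]; then
    install_sudoers_rule /etc/sudoers.d \
        && check_sudoers_syntax /etc/sudoers.d/20_nginx \
        || { rm -f /etc/sudoers.d/20_nginx; exit 1; }
fi
```

With this rule in place, the push script below must call `sudo /usr/sbin/service nginx restart` (or `reload`) with exactly those arguments; anything else is refused by sudo and shows up in the auth log as a denied command.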

Shell snippet that lets the acme service push renewed certificates to nginx

#!/bin/sh
# Runs on the ACME host after a renewal: copy the new key and full chain to the
# controller over scp (authenticated with the push user's SSH key), then restart
# nginx there through the sudo rule above.
HOST=unifi
dest_name=dhorn                     # user on the controller, member of www-data
dest_folder="/etc/nginx/certs/"
dest_basename=${HOST}
date 1>&2                           # all output goes to stderr so the acme log captures it
scp /conf/acme/${HOST}.key ${dest_name}@${HOST}:${dest_folder}${dest_basename}.key 1>&2
scp /conf/acme/${HOST}.fullchain ${dest_name}@${HOST}:${dest_folder}${dest_basename}.crt 1>&2
ssh ${dest_name}@${HOST} "sudo /usr/sbin/service nginx restart && echo Completed" 1>&2
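The snippet above copies a private key across the network and bounces nginx without checking what it is copying. The added example below (mine, not the gist's) does the same push with pre-flight checks: the key must be a PEM private key that no other local user can read, the chain must actually contain a leaf and an issuer, `scp -p` preserves the key's 0600 mode on the controller, and nginx is reloaded rather than restarted so established sessions survive. Host name, user name `dhorn` and the `/conf/acme` and `/etc/nginx/certs` paths are taken from the gist; `check_key_file`, `check_chain_file` and `push_certs` are names introduced here:

```shell
#!/bin/sh
# Added example, not from the gist: certificate push with pre-flight checks.
set -u

# check_key_file FILE: exists, non-empty, PEM private key, no group/other bits.
check_key_file() {
    f="$1"
    [ -s "$f" ] || { echo "key missing or empty: $f" >&2; return 1; }
    head -n 1 "$f" | grep -q -e '-----BEGIN .*PRIVATE KEY-----' \
        || { echo "not a PEM private key: $f" >&2; return 1; }
    # ls -l mode column looks like -rw-------; columns 5-10 are group and other.
    others=$(ls -l "$f" | cut -c5-10)
    case "$others" in
        ------) ;;
        *) echo "private key readable by group/other ($others): $f" >&2; return 1 ;;
    esac
}

# check_chain_file FILE: exists, non-empty, and holds at least two certificates
# (leaf plus issuer), which is what a "fullchain" file promises.
check_chain_file() {
    f="$1"
    [ -s "$f" ] || { echo "chain missing or empty: $f" >&2; return 1; }
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$n" -ge 2 ] || { echo "expected leaf+issuer in $f, found $n certificate(s)" >&2; return 1; }
}

# push_certs HOST USER SRC_DIR DEST_DIR: copy <HOST>.key/.fullchain from SRC_DIR
# to DEST_DIR on HOST and reload nginx there. Refuses to copy anything on a
# failed check, so a bad renewal never replaces a working key pair.
push_certs() {
    host="$1"; user="$2"; src_dir="$3"; dest_dir="$4"
    check_key_file "$src_dir/$host.key" && check_chain_file "$src_dir/$host.fullchain" || return 1
    date >&2
    # -p keeps the source mode (0600 for the key) on the controller side.
    scp -p "$src_dir/$host.key" "$user@$host:$dest_dir/$host.key" >&2 || return 1
    scp -p "$src_dir/$host.fullchain" "$user@$host:$dest_dir/$host.crt" >&2 || return 1
    # reload: nginx re-reads the key pair without dropping open connections.
    ssh "$user@$host" "sudo /usr/sbin/service nginx reload && echo Completed" >&2
}

# Real push, only when invoked as: sh push_certs.sh --push
if [ "${1:-}" = "--push" ]; then
    push_certs unifi dhorn /conf/acme /etc/nginx/certs
fi
```

On the controller the key lands in the 770 root:www-data directory owned by `dhorn` with mode 0600; the nginx master process runs as root and reads it at reload, while the www-data worker processes cannot open it, which is the split you want between the user that writes the key and the workers that terminate TLS.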

Snippet of /etc/nginx/nginx.conf (this server block sits inside the http context)

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name unifi.mydomain.com;
    ssl_certificate     /etc/nginx/certs/unifi.crt;
    ssl_certificate_key /etc/nginx/certs/unifi.key;

    # WebSocket endpoint the controller UI uses for live updates.
    location /wss {
        proxy_pass https://localhost:8443;
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 86400;      # keep idle sockets open for 24h
        proxy_set_header Host $host;
    }

    location / {
        proxy_pass https://localhost:8443;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Standard header name is X-Forwarded-For; the controller logs the
        # original client address from it instead of 127.0.0.1.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}