HOWTO: A+ with all 100%'s on SSL Labs test using Nginx mainline & stable

This is... inadvisable, since certs obtained with certbot --csr are not auto-renewable (unless smart usage of hooks and shell magic can generate the CSR... haven't tried).

When I did this, I switched the machine to using acme.sh, and I am still bitter its documentation is not even close to being as good as certbot's.

I had my config on here; this is the upgraded version:

(This will not get you 100-100-100-100 A+, but only 100-100-100-90 A+. Read the linked thread to know why :smiley:)

# Only TLS 1.2 and 1.3; no TLS 1.0/1.1
ssl_protocols TLSv1.3 TLSv1.2;
# Let the client pick its preferred suite from the list below
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE+AESGCM:DHE+AESGCM:ECDHE+ECDSA+AES+SHA256;

ssl_ecdh_curve secp521r1:X448:secp384r1:secp256k1;

# Required for the DHE+AESGCM suites above; nginx has no built-in DH params
ssl_dhparam dhparams.pem;

# OCSP stapling (nginx also needs a resolver directive for this to work)
ssl_stapling on;

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "upgrade-insecure-requests" always;

# RSA certificate
ssl_certificate acme.sh/quake/fullchain.pem;
ssl_certificate_key acme.sh/quake/key.pem;

# ECC certificate, served alongside the RSA one (dual-certificate setup)
ssl_certificate acme.sh/quake/fullchain-ecc.pem;
ssl_certificate_key acme.sh/quake/key-ecc.pem;

(It includes one cipher that SSL Labs marks as weak; it's on purpose, for client compatibility.)
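To see which suites that ssl_ciphers string actually expands to, and which of them SSL Labs will flag as weak, here is an added example (not the poster's config or code) that asks the local OpenSSL through Python's ssl module, mirroring the ssl_protocols line by pinning TLS 1.2 as the minimum. Suite names and counts depend on the OpenSSL build the script runs against.

```python
"""Offline review of the nginx ssl_ciphers string from this post.

Added example, not the post author's code. It expands the cipher string
with the same OpenSSL syntax nginx uses and separates AEAD suites from the
CBC/HMAC suites that SSL Labs marks as weak.
"""
import ssl

# Cipher string exactly as in the post's ssl_ciphers line.
NGINX_CIPHERS = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+ECDSA+AES+SHA256"


def expand_ciphers(cipher_string: str = NGINX_CIPHERS) -> dict:
    """Return the AEAD and weak (non-AEAD) suite names plus the minimum version.

    Mirrors `ssl_protocols TLSv1.3 TLSv1.2` by pinning the minimum version.
    TLS 1.3 suites are fixed by OpenSSL and always appear; they are all AEAD.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    aead, weak = [], []
    for suite in ctx.get_ciphers():
        # SSL Labs flags non-AEAD (CBC + HMAC) suites as WEAK; the post keeps
        # one such suite on purpose for older clients.
        (aead if suite["aead"] else weak).append(suite["name"])
    return {
        "aead": aead,
        "weak": weak,
        "min_version": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    report = expand_ciphers()
    print("minimum version:", report["min_version"])
    print("AEAD suites:    ", ", ".join(report["aead"]))
    print("weak suites:    ", ", ".join(report["weak"]))
```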