:host: 0.0.0.0
:port: 80
↓
:host: 127.0.0.1
:port: 9869

:vnc_proxy_port: 29876
:vnc_proxy_support_wss: no
:vnc_proxy_cert:
:vnc_proxy_key:
:vnc_proxy_ipv6: false
:vnc_request_password: false
↓
:vnc_proxy_port: 29876
:vnc_proxy_support_wss: yes
:vnc_proxy_cert: /etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem
:vnc_proxy_key: /etc/letsencrypt/live/hoge.hogehoge.com/privkey.pem
:vnc_proxy_ipv6: false
:vnc_request_password: false

#### OpenNebula Sunstone upstream
upstream sunstone {
    server 127.0.0.1:9869;
}

upstream websocketproxy {
    server 127.0.0.1:29876;
}

#### cloudserver.org HTTP virtual host
server {
        listen 80;
        server_name hoge.hogehoge.com;
	root /usr/share/nginx/html;
        ### Permanent redirect to HTTPS (optional)
        #return 301 https://$server_name:8443;
}

#### cloudserver.org HTTPS virtual host
server {
    listen 443;
    server_name hoge.hogehoge.com;

    ### SSL Parameters
    ssl on;
    ssl_session_timeout 24h;
    ssl_certificate /etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hoge.hogehoge.com/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
    client_max_body_size 10G;

    ### Proxy requests to upstream
    location / {
        proxy_pass http://sunstone;
    }

    location /websockify {
        proxy_pass http://websocketproxy;
}

oneadminでアクセスできないと、下記のエラーになります。

xxx.xx.xxx.xxx: SSL connection but '/etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem' not found
xxx.xx.xxx.xxx: SSL connection but '/etc/letsencrypt/live/hoge.hogehoge.com/fullchain.pem' not found

# chmod 755 /etc/letsencrypt/live /etc/letsencrypt/archive
# chmod 644 /etc/letsencrypt/archive/hoge.hogehoge.com/privkey*

certbot-auto renew --force-renew --post-hook "service opennebula-sunstone restart"