./acme.sh --issue -d noty.im -d '.noty.im' --dns
It then told me to add TXT record, which I just manually do because I used RackSpace cloudns which has no built-in support.
I manually verify DNS with dig, when it's ready I just do:
./acme.sh --renew -d noty.im -d '.noty.im'
then the cert(private key and full chain) are stored in ~/.acme/noty.im/
These privateky and fullchain can be used directly with nginx without any modification.