Install Let's Encrypt SSL on OpenBSD 6.8

First we will configure our DNS to permit Let's Encrypt to sign certificates for our host. The CAA record limits which certificate authorities are permitted to issue certificates for our domain, and it is recommended for enhanced security. (For example, if we permit only Let's Encrypt to sign, then CA XYZ cannot sign certs for our host.) This reduces the chances of an unauthorized third party impersonating our domain (e.g. via SSL Bump on a transparent proxy).

We add a CAA record to our DNS zone to permit Let's Encrypt to sign our certs.
For example, in our zone file /var/nsd/etc/, add this line for host dvi:

div	IN CAA	0 issue ""

(We can also add records for * and www if we want to generate certs for those hosts.)
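As an added example (not part of the original article), the following Python evaluates a CAA record set the way an issuing CA must under RFC 8659, so you can check that the record you publish really forbids every CA other than the one you intend. The zone data, the placeholder domain example.org and the CA identifier letsencrypt.org are constructed here in place of the values elided above; a real check would feed it the records returned by a DNS lookup.

```python
"""Evaluate CAA restrictions the way an issuing CA must (RFC 8659).
Added example, not from the original article; ZONE, 'example.org' and the CA
identifier 'letsencrypt.org' are constructed placeholders for elided values."""
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]          # (flags, tag, value)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone: the apex permits only Let's Encrypt; a sub-zone uses the
# empty issuer ';' to forbid issuance by anyone.
ZONE: Dict[str, List[CAARecord]] = {
    "example.org.": [(0, "issue", "letsencrypt.org")],
    "nocert.example.org.": [(0, "issue", ";")],
}


def relevant_caa(fqdn: str, zone: Dict[str, List[CAARecord]] = ZONE) -> List[CAARecord]:
    """Climb from fqdn toward the root; the first label holding CAA records wins."""
    name = fqdn.rstrip(".").lower() + "."
    if name.startswith("*."):             # wildcard request: begin at the parent label
        name = name[2:]
    while name:
        if zone.get(name):
            return zone[name]
        name = name.partition(".")[2]     # drop the leftmost label
    return []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, fqdn: str, zone: Dict[str, List[CAARecord]] = ZONE) -> bool:
    """True if the CA identified by 'ca' may issue a certificate for fqdn."""
    records = relevant_caa(fqdn, zone)
    if not records:
        return True                        # no CAA anywhere up the tree: unrestricted
    # A critical record (flag bit 128) with an unknown tag forbids issuance outright.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    tags = {tag for _, tag, _ in records}
    # issuewild governs wildcard requests when present; otherwise issue applies.
    tag = "issuewild" if fqdn.startswith("*.") and "issuewild" in tags else "issue"
    if tag not in tags:
        return True                        # applicable property absent: unrestricted
    allowed = {issuer_domain(v) for _, t, v in records if t == tag}
    return ca.lower() in allowed
```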

Configure /etc/acme-client.conf

We can add one or more alternative names inside the domain block (separated by spaces or commas):

ex: alternative names { }

authority letsencrypt {
  api url ""
  account key "/etc/ssl/private/letsencrypt.key"
}

domain {
  domain key "/etc/ssl/private/"
  domain certificate "/etc/ssl/"
  domain full chain certificate "/etc/ssl/"
  sign with letsencrypt
}

Configure /etc/httpd.conf

server "" {
        listen on * port 80
        log access "access.log"
        log error "error.log"
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
}

Enable and start httpd:

# rcctl enable httpd
# rcctl start httpd

Create directories:

# mkdir -p -m 700 /etc/ssl/private
# mkdir -p -m 755 /var/www/acme

Request the certificate:

# acme-client -v

You can look at the details of the certificate:

# openssl x509 -text -noout -in /etc/ssl/

Create a 4096-bit dhparam file (if you have not done so already).

# cd /etc/ssl
# openssl dhparam -out dhparam.pem 4096