Install Let's Encrypt SSL on OpenBSD 6.8

First we configure our DNS so that only Let's Encrypt is permitted to issue certificates for our host. A CAA record (RFC 8659) lists the CAs that are authorized to sign for a name, and every publicly trusted CA is required to look it up before issuing. It is recommended for enhanced security: if we permit only Let's Encrypt, then CA XYZ must refuse to sign a certificate for our host, which reduces the chance of a mis-issued certificate being used to impersonate our domain. Note what CAA does not cover: it is checked by the public CA at issuance time, so it does nothing against an intercepting proxy ("SSL Bump" on a transparent proxy) whose own root CA has been installed in the client's trust store. That is a client-side trust problem, not an issuance one.

We add a CAA record to our DNS zone to permit letsencrypt.org to sign our certs.
For example, in our zone file /var/nsd/etc/bionkey.com.zone, add this line for host dvi (a relative owner name, which expands to dvi.bionkey.com. under the zone's $ORIGIN; bump the SOA serial and reload nsd afterwards so the record is actually served):

dvi	IN CAA	0 issue "letsencrypt.org"

(A CAA record at the zone apex covers every name below it that has no CAA record of its own, so one record for bionkey.com is usually enough for www and the other hosts. Wildcard certificates are governed by the separate issuewild tag: add issuewild "letsencrypt.org" if you intend to request a certificate for *.bionkey.com, and issuewild ";" if you never want one.)
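To see exactly what a CA concludes from these records, here is a small evaluator written for this page (added example; it is not part of the original page, of OpenBSD, or of any CA's code). It applies the RFC 8659 rules: climb from the requested name toward the root until an ancestor with CAA records is found, use issuewild instead of issue for wildcard names only when at least one issuewild record exists, refuse on any unknown property flagged critical, and treat an empty issuer (";") as "nobody". The records are constructed for the bionkey.com zone used above and are embedded so nothing is looked up over the network; real data can be pasted in from "dig +noall +answer CAA name" (both the with-TTL and without-TTL layouts are accepted).

```shell
#!/bin/sh
# caa_check.sh - decide, the way a CA must (RFC 8659), whether an issuer may
# sign for a name given the zone's CAA records.  Added example for this page,
# not code from the page, from OpenBSD or from any CA.  The records below are
# constructed for the bionkey.com zone used in the page; lines from
# "dig +noall +answer CAA <name>" (owner, optional TTL, IN, CAA, flags, tag,
# value) can be substituted.
CAA_RECORDS='
bionkey.com.      IN CAA 0 issue "letsencrypt.org"
bionkey.com.      IN CAA 0 issuewild ";"
dvi.bionkey.com.  IN CAA 0 issue "letsencrypt.org; validationmethods=http-01"
www.bionkey.com.  IN CAA 0 issue ";"
'

# records_for NAME: the CAA records whose owner is NAME (fully qualified).
records_for() {
    printf '%s\n' "$CAA_RECORDS" | awk -v n="$1." '$1 == n'
}

# relevant_set NAME: climb toward the root until some ancestor has CAA
# records; that RRset governs NAME.  Returns 1 if no ancestor has any.
relevant_set() {
    name=$1
    while [ -n "$name" ]; do
        rrset=$(records_for "$name")
        if [ -n "$rrset" ]; then printf '%s\n' "$rrset"; return 0; fi
        case $name in
            *.*) name=${name#*.} ;;
            *)   name= ;;
        esac
    done
    return 1
}

# caa_permits ISSUER NAME: exit 0 if ISSUER may sign for NAME, 1 otherwise.
# A leading "*." selects the issuewild rules: issuewild records are ignored
# for ordinary names and, for wildcards, replace the issue records only when
# at least one issuewild record is present in the relevant set.
caa_permits() {
    issuer=$1 name=$2 tag=issue
    case $name in
        '*.'*) name=${name#\*.}; tag=issuewild ;;
    esac
    rrset=$(relevant_set "$name") || return 0    # no CAA anywhere: unrestricted
    if [ "$tag" = issuewild ] && ! printf '%s\n' "$rrset" | awk '
            { for (i = 1; i <= NF; i++) if ($i == "CAA" && $(i+2) == "issuewild") f = 1 }
            END { exit (f ? 0 : 1) }'; then
        tag=issue
    fi
    printf '%s\n' "$rrset" | awk -v issuer="$issuer" -v tag="$tag" '
        {
            for (i = 1; i <= NF; i++) if ($i == "CAA") break
            flags = $(i+1) + 0; prop = $(i+2)
            # value: the text inside the quotes up to the first ";" (parameters)
            v = $0; sub(/^[^"]*"/, "", v); sub(/["; ].*/, "", v)
            if (flags >= 128 && prop != "issue" && prop != "issuewild" && prop != "iodef")
                critical = 1            # unknown critical property: must refuse
            if (prop == tag) { seen = 1; if (v == issuer) ok = 1 }
        }
        # no property with the governing tag at all: CAA places no restriction
        END { exit ((critical || (seen && !ok)) ? 1 : 0) }'
}

if [ $# -eq 2 ]; then
    caa_permits "$1" "$2" && echo "$1 may issue for $2" || echo "$1 must NOT issue for $2"
fi
```

Run it as "sh caa_check.sh letsencrypt.org dvi.bionkey.com". With the constructed records, letsencrypt.org is allowed for dvi.bionkey.com and for mail.bionkey.com (inherited from the apex), refused for www.bionkey.com (";") and for *.bionkey.com (the apex issuewild ";"), while a name with no CAA anywhere in its ancestry is unrestricted, which is why the apex record matters more than per-host ones.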

Configure /etc/acme-client.conf

The handle after "domain" is the name we pass to acme-client(1) and becomes the certificate's common name. Extra hostnames that should go into the same certificate (subject alternative names) are listed inside the domain block, separated by spaces or commas, for example:

  alternative names { d1.bionkey.com d2.bionkey.com d3.bionkey.com }

Every name listed is validated separately, so each must resolve to this host and be permitted by CAA. While testing, point "api url" at the staging directory (https://acme-staging-v02.api.letsencrypt.org/directory) to stay clear of the production rate limits; certificates from staging are not trusted by browsers.

authority letsencrypt {
  api url "https://acme-v02.api.letsencrypt.org/directory"
  account key "/etc/ssl/private/letsencrypt.key"
}
domain dvi.bionkey.com {
  domain key "/etc/ssl/private/dvi.bionkey.com.key"
  domain certificate "/etc/ssl/dvi.bionkey.com.crt"
  domain full chain certificate "/etc/ssl/dvi.bionkey.com.pem"
  sign with letsencrypt
}

The account key identifies us to Let's Encrypt and the domain key is the certificate's private key; acme-client generates both on its first run if the files do not exist yet (older releases needed the -A and -D flags for this, see acme-client(1) for your release). Both belong under /etc/ssl/private, where only root can read them.
Configure /etc/httpd.conf

httpd(8) runs chrooted in /var/www, so root "/acme" below means /var/www/acme, the directory acme-client writes its challenge responses into. "request strip 2" drops the first two path components (.well-known and acme-challenge), so a request for /.well-known/acme-challenge/TOKEN is served from /var/www/acme/TOKEN. The http-01 challenge is fetched over plain HTTP, so port 80 must stay open to the Internet (pf included) even once the site itself is HTTPS only.

server "dvi.bionkey.com" {
        listen on * port 80
        log access "access.log"
        log error "error.log"
        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
}
Enable and start httpd:

# rcctl enable httpd
# rcctl start httpd

Make sure the key and challenge directories exist. Both are part of a standard OpenBSD install, so these are no-ops there; what matters is that the private key directory stays readable by root only:

# mkdir -p -m 700 /etc/ssl/private
# mkdir -p -m 755 /var/www/acme

Request the certificate, naming the handle from acme-client.conf. The name must already resolve to this host, because Let's Encrypt validates it by fetching the challenge from port 80:

# acme-client -v dvi.bionkey.com

On success the key, certificate and full chain appear at the paths given in the domain block. Let's Encrypt certificates are valid for 90 days; run the same command from cron, it renews only when fewer than 30 days of validity remain and exits 2 when there was nothing to do.
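A failed challenge costs a rate-limited attempt, so it is worth checking that the path really is served before the first request. The script below is an added example for this page, not code from the page or from OpenBSD; it assumes the layout configured above (httpd chrooted in /var/www, challenge root "/acme", "request strip 2") and uses only base-system tools: httpd -n and acme-client -n to syntax-check the two config files, stat to confirm the mode of /etc/ssl/private, openssl for a random token and ftp(1) to fetch it over HTTP. challenge_file reproduces httpd's strip-and-lookup mapping so the token lands exactly where acme-client will later put the real response.

```shell
#!/bin/sh
# preflight.sh - confirm this host will pass the http-01 challenge before
# asking Let's Encrypt for a certificate.  Added example for this page, not
# code from the page or from OpenBSD.  Assumes the page's layout: httpd(8)
# chrooted in /var/www, challenge root "/acme", "request strip 2".  Every
# tool used (httpd, acme-client, ftp, openssl, stat) ships in OpenBSD base.

# challenge_file URLPATH STRIP ROOT CHROOT
#   Reproduce httpd's lookup: "request strip N" removes the first N path
#   components and the remainder is looked up under ROOT inside the chroot.
challenge_file() {
    path=${1#/} n=$2 root=$3 chroot_dir=$4
    while [ "$n" -gt 0 ] && [ -n "$path" ]; do
        case $path in
            */*) path=${path#*/} ;;
            *)   path= ;;
        esac
        n=$((n - 1))
    done
    printf '%s%s/%s\n' "$chroot_dir" "$root" "$path"
}

# acme_selftest HOST
#   Write a random token where acme-client would write its challenge response
#   and fetch it over plain HTTP on port 80, the way the ACME server will.
acme_selftest() {
    host=$1
    token=$(openssl rand -hex 16)
    file=$(challenge_file "/.well-known/acme-challenge/$token" 2 /acme /var/www)
    printf '%s\n' "$token" > "$file" || { echo "cannot write $file"; return 1; }
    got=$(ftp -o - "http://$host/.well-known/acme-challenge/$token" 2>/dev/null)
    rm -f "$file"
    if [ "$got" = "$token" ]; then
        echo "OK: $host serves the challenge directory"
    else
        echo "FAIL: expected $token, got '$got' (check the location block, DNS and pf)"
        return 1
    fi
}

# preflight HANDLE: syntax-check both config files, confirm the private key
# directory is root-only, then run the challenge self-test for HANDLE.
preflight() {
    httpd -n >/dev/null || { echo "httpd.conf does not parse"; return 1; }
    acme-client -n "$1" || { echo "acme-client.conf does not parse"; return 1; }
    [ "$(stat -f %Lp /etc/ssl/private)" = 700 ] ||
        { echo "/etc/ssl/private should be mode 700"; return 1; }
    acme_selftest "$1"
}

if [ $# -eq 1 ]; then
    preflight "$1"
fi
```

Run it as root with the same handle you will give acme-client: "sh preflight.sh dvi.bionkey.com". A FAIL with an empty response usually means the name does not resolve to this host or port 80 is filtered; a FAIL that returns an HTML page means the location block is not matching, typically because the root or the strip count differs from what the challenge path needs.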

You can look at the details of the certificate (issuer, subject alternative names, validity dates). The .pem file holds the full chain, but openssl x509 only prints the first certificate in it, which is our own leaf, so either the .crt or the .pem works here:

# openssl x509 -text -noout -in /etc/ssl/dvi.bionkey.com.pem

Create 4096-bit DH parameters if you have not done so already. This is only needed for a TLS server on this host that takes a dhparam file (nginx's ssl_dhparam, for instance); OpenBSD's httpd(8) does not read one, its DHE behaviour is chosen with the "dhe" option of its tls block. Generating 4096-bit parameters can take many minutes.

# cd /etc/ssl
# openssl dhparam -out dhparam.pem 4096