“acme-client is an Automatic Certificate Management Environment (ACME) client: it looks in its configuration for a domain section corresponding to the domain given as command line argument and uses that configuration to retrieve an X.509 certificate which can be used to provide domain name validation”

## first set up the httpd well-known ACME challenge location in "/etc/httpd.conf"
server "www.example.com" {
    alias "example.com"
    listen on * port 80
    root "/htdocs/www.example.com"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
}
## test the "httpd.conf" file for syntax errors before starting httpd
> httpd -nf /etc/httpd.conf

## start httpd even though it is not enabled yet (-f forces the start)
> rcctl -f start httpd

## enable httpd
> rcctl enable httpd
## create /etc/acme-client.conf
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

authority letsencrypt-staging {
	api url "https://acme-staging-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-staging-privkey.pem"
}

domain example.com {
	alternative names { secure.example.com }
	domain key "/etc/ssl/private/example.com.key"
	domain full chain certificate "/etc/ssl/example.com.fullchain.pem"
	sign with letsencrypt
}

## create the acme certificate (the argument must match a `domain` section in acme-client.conf; alternative names come from that section)
> acme-client -v www.example.com

Note: by default httpd loads its key and certificate from
/etc/ssl/private/server.key
/etc/ssl/server.crt

to use the acme certificates we need to tell httpd where they are stored; the `tls key` and `tls certificate` paths must match the `domain key` and `domain full chain certificate` paths in acme-client.conf

## configure "/etc/httpd.conf"
server "www.example.com" {
    alias "example.com"
    listen on * port 80
    listen on * tls port 443
    root "/htdocs/www.example.com"
    tls certificate "/etc/ssl/acme/fullchain.pem"
    tls key "/etc/ssl/acme/private/privkey.pem"
    location "/.well-known/acme-challenge/*" {
        root "/acme"
        request strip 2
    }
    # redirects every request not matched by a location above to https; because this server also listens on tls port 443 the redirect applies to https requests as well, so in practice the port 80 listener (with the redirect) and the tls port 443 listener (with the certificate) belong in separate server blocks, as in httpd.conf(5)
    block return 301 "https://$SERVER_NAME$REQUEST_URI"
}
## reload the httpd configuration
> rcctl reload httpd

if relayd sits in front of httpd, we also want to make sure that all traffic is routed over https through relayd

## add to /etc/relayd.conf
relay "proxyssl" {
         listen on $gateway  port https
         protocol "httpproxy"

         forward to <new-webserver>  port https
}

to renew our certificates automatically we need to schedule acme-client from cron, see daily(8) and crontab(5) (openbsd crontab)

## renew acme certificate every night
## edit crontab(8) to automate
~	*	*	*	*	acme-client example.com && rcctl reload httpd

or as a script (only reloads httpd when acme-client reports success, so an unchanged or failed renewal leaves httpd alone):

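#!/bin/sh
# Renew the certificate for the "example.com" domain section of
# /etc/acme-client.conf and reload httpd only when the renewal
# succeeded (exit status 0). acme-client(1) exits non-zero on error
# and also when the certificate did not need to change, so httpd is
# not reloaded needlessly.
#
# The handle must match a `domain` section in acme-client.conf; the
# alternative names (e.g. www.example.com) are listed in that section,
# not given on the command line — this matches the crontab entry above.
if acme-client example.com; then
        rcctl reload httpd
fi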