Contributed by Peter N. M. Hansteen on from the intermediate solutions for intermediate problems dept.
However, your syspatch may fail if your local mirror uses a Let's Encrypt certificate. Patch-22! In that case, the best advice may be to try a mirror that does not use a Let's Encrypt certificate just to get past this speed bump.
From the latter:
[…] Try fetching it normally first, as a number of mirrors are either unaffected, or have a workaround on the server side, but if that fails you have two options: - edit /etc/installurl to allow you to fetch the syspatches. Either switch https to http (the updates are signed and verified anyway), or use another mirror (including ftp.usa.openbsd.org, ftp.hostserver.de, cdn.openbsd.org). - locate the expired certificate in /etc/ssl/cert.pem and remove it, it is the one with this in the header above: === /O=Digital Signature Trust Co./CN=DST Root CA X3 […]