The ESP32 HTTPS over the air update mechanism requires you to know the SSL certificate used by the web server. This is problematic in a letsencrypt, fast expiring certificate world, but also for devices which will be deployed for long time frames.
It is possible to disable the SSL using the CONFIG_OTA_ALLOW_HTTP option. The SDK will tell you this should only be used for development, but if you also used signed firmware it is safe for deployed use.
Rather than protect the pipe the firmware traverses and blindly accepting anything coming down that pipe, you will instead not trust the pipe and validate the firmware as it arrives.
See the Secure OTA Updates Without Secure boot section. In a nutshell, you will make a private signing key and the OTA updates will be checked against that key.
Notes Thee Well!
If your firmware itself is sensitive, then don't do this. It can be snooped in transit. On the other hand, in the regular HTTPS scheme there is a URL which provides a copy of your firmware, so you are probably already working on something for that.