I discovered that that the upgrade in at least ISPConfig3.1.4, probably an earlier version, changed the way Let's Encrypt certificates were aquired. ISPConfig would first try to test the DNS entry for the hosted site and fail if you were running NAT without route reflection enabled. It only took all day of trying to find the right log combined with just the right google search to find that issue. After enabling NAT rout reflection in pfsense, ISPConfig can now determine the domain/DNS entry is correct and request the certificate from Let's Encrypt (verified in the logs). I was hoping that would fix the issue, but alas, I still can not get a secure connection to my test site, https://www.sternnenterprises.com. I will have to delve into the logs some more and hopefully figure it out.