Problem resolved!
I cannot say what really fixed it but here is what I did:
- For ACME, I only had my production account key. I added a staging account key.
- Under my certificate configuration, I only had my wildcard entry for the domain. I added an entry under the wildcard for the root of the domain so that it is in the list as well.
- In pfSense under Cert Manager, I deleted all the CA certs produced from ACME. This includes the two staging CA certs and the two production certs. [ALSO NOTE: I had a 5th cert here that looked like the one from DST Root CA X3 that expired 3 days ago! Deleted that as well.]
- I went back to ACME and issued a new cert using the staging account. I still had the same issue when I checked the cert from my Android device, but at least now it showed the new staging CA root in the cert info.
- I switched the cert to use the production account key and reissued. Now it works! It shows the chain to be R3 -> ISRG Root X1.
Again, not sure what change I made here that mattered, but it is now working like it should. Interested to see if this will change and have issues again in 90 days.