pfSense invalid chains after Y generation cert

Just remember that the files in /tmp/acme/ are volatile and will vanish when pfSense is rebooted/restarted.

As for the scripts... I had to completely retool my scripts to NOT modify fullchain, using the E series chain.

grep -c "BEGIN CERTIFICATE" /tmp/acme/example.com/example.com/fullchain.cer

It will show 4 certs in the chain if you get it right.

Open a new help thread if you need help.

Good Luck

Thank god I found this thread. On renewal yesterday I got this issue also, and specifically it broke docker mailserver, which automatically gets the new certs upon renewal. I ended up on YR1, and got it sorted like this:

Download ISRG Root X1:
curl -o isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem

Build the correct fullchain:
cat example.com.cer ca.cer isrgrootx1.pem > fullchain-fixed.pem

Verify:
openssl verify -CAfile isrgrootx1.pem -untrusted ca.cer example.com.cer

fullchain-fixed.pem is the file that, in my case, becomes public.crt in the custom-certs folder of docker mailserver, by moving/copying or editing.

Most TLS servers don't need or use the ISRG Root X1 in their chain. TLS clients use the cert chain sent by the server to match it to the trusted root that already exists on their system. That's how they know it is trusted.

But if yours does, how is what you did any different from what you did before? The X1 root has not changed, nor was it ever in the intermediate from Let's Encrypt that is getting "truncated" in the pfSense /conf/acme directory.
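Added example, not code from this thread, from acme.sh or from pfSense: a small Python 3 script that does offline the two things the posts above are arguing about. It splits a PEM bundle such as fullchain.cer into its certificates, reads each one's issuer and subject straight out of the DER, flags every position where a certificate is not followed by its issuer (the "truncated chain" symptom), and reports whether the last certificate is self-signed, i.e. whether a root such as ISRG Root X1 was appended as in the fullchain-fixed.pem recipe. That last flag is reported neutrally, since the final reply points out that servers generally do not need the root in the chain. Assumptions: the three PEM certificates built at the bottom (CNs example.com, E6, ISRG Root X1) are constructed test data with dummy keys and signatures so the script runs without network access, and the fullchain.cer path in the docstring is copied from the grep command earlier in the thread. It checks linkage only, not signatures, expiry or trust, so it complements rather than replaces openssl verify.

```python
"""Order/completeness check for a PEM bundle such as acme.sh's fullchain.cer.

Added example (not from the thread). Splits the bundle into certificates,
walks each one's DER just far enough to read the issuer and subject Names,
flags every position where a certificate's issuer is not the next
certificate's subject, and reports whether the last certificate is
self-signed (i.e. whether a root such as ISRG Root X1 was appended).

    python3 chaincheck.py /tmp/acme/example.com/example.com/fullchain.cer
"""
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)


def _tlv(buf, pos):
    """Decode one DER tag/length header at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Headers of the elements packed inside a constructed value [start, end)."""
    out, pos = [], start
    while pos < end:
        tag, vs, ve = _tlv(buf, pos)
        out.append((tag, vs, ve))
        pos = ve
    return out


def common_name(name):
    """CN from a DER Name value: SEQUENCE OF (SET OF SEQUENCE {OID, value})."""
    for _, rs, re_ in _children(name, 0, len(name)):
        for _, as_, ae in _children(name, rs, re_):
            oid, val = _children(name, as_, ae)
            if name[oid[1]:oid[2]] == OID_CN:
                return name[val[1]:val[2]].decode("utf-8", "replace")
    return "?"


def names(der):
    """(issuer, subject) Name values of one X.509 certificate, as raw DER bytes."""
    _, cs, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, ts, te = _tlv(der, cs)          # tbsCertificate SEQUENCE
    fields = _children(der, ts, te)
    if fields[0][0] == 0xA0:           # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]   # serial, sigAlg, issuer, validity, subject, ...
    return der[issuer[1]:issuer[2]], der[subject[1]:subject[2]]


def check_chain(pem):
    """Summarise a bundle: CNs in file order, broken links, whether the root is present."""
    certs = [names(base64.b64decode("".join(m.split()))) for m in PEM_RE.findall(pem)]
    return {
        "count": len(certs),
        "cns": [common_name(subject) for _, subject in certs],
        "breaks": [i for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]],
        "root_included": bool(certs) and certs[-1][0] == certs[-1][1],
    }


# ---- constructed sample data: structurally valid X.509 v3 DER with dummy key/signature ----
def _der(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    atv = _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """CONSTRUCTED test certificate (not issued by any CA): only its Names are meaningful."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-with-SHA256
    spki = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                + _der(0x03, b"\x00\x04" + bytes(64)))                  # id-ecPublicKey, zero point
    validity = _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    b64 = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, bytes(9)))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert_pem("example.com", "E6")             # CNs mimic a Let's Encrypt E-series chain
INTERMEDIATE = fake_cert_pem("E6", "ISRG Root X1")
ROOT = fake_cert_pem("ISRG Root X1", "ISRG Root X1")

FULL = LEAF + INTERMEDIATE + ROOT      # leaf -> intermediate -> root, root appended
NO_ROOT = LEAF + INTERMEDIATE          # still links correctly; root simply not included
MISSING_INTERMEDIATE = LEAF + ROOT     # the link from the leaf is broken at position 0

if __name__ == "__main__":
    bundle = open(sys.argv[1]).read() if len(sys.argv) > 1 else FULL
    print(check_chain(bundle))
```

Run it against the real bundle with the path as its argument; a non-empty "breaks" list means some certificate is not followed by its issuer, which is the condition that makes clients reject the chain regardless of whether the root was appended.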