Foreman with letsencrypt

I think the problem is that our report and ENC scripts do not trust the CA from the system store. I think in many places we hardcode the CA file. When you pass the specific CA file to the openssh library, it does not look at the system truststore. You can try adding the Let's Encrypt CA cert to /etc/foreman-proxy/foreman_ssl_ca.pem (or the files listed in /etc/puppetlabs/puppet/foreman.yaml); that could help.

There was another user trying to do something similar with another CA, see [Katello] Setting Up New SSL Certificates and this guide

2 Likes
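The behaviour described in the post above, as an added example that is not part of the original post or of Foreman's code: a certificate store built from one pinned CA file trusts only the CAs in that file, and appending the missing CA certificate fixes verification. It assumes Ruby's OpenSSL bindings are the library in question; the CA names, the host name `foreman.example.test` and the temporary file are constructed for the demo.

```ruby
require 'openssl'
require 'tempfile'

# Build a certificate for the demo. With no issuer it is a self-signed CA.
# All names and keys here are constructed samples.
def make_cert(cn, issuer_cert = nil, issuer_key = nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer_cert ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless issuer_cert
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Verify a certificate against ONLY the given CA file, the way a client with
# a hardcoded CA file does: set_default_paths is never called, so CAs in the
# system trust store play no part.
def trusted_by_file?(ca_file, cert)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file)
  store.verify(cert)
end

# Returns [trusted_before, trusted_after] for a server certificate issued by
# a CA that is missing from the pinned file, then appended to it.
def demo
  internal_ca, = make_cert('Constructed Internal CA')
  public_ca, public_ca_key = make_cert('Constructed Public CA')
  server, = make_cert('foreman.example.test', public_ca, public_ca_key)
  Tempfile.create('foreman_ssl_ca') do |f|
    f.write(internal_ca.to_pem)
    f.flush
    before = trusted_by_file?(f.path, server)
    f.write(public_ca.to_pem) # the fix from the post: append the CA cert
    f.flush
    [before, trusted_by_file?(f.path, server)]
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```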