OK, finally managed to solve it. Currently Puppet can’t handle accessing standard Let’s Encrypt certificates. This I think is the underlying issue: https://github.com/jruby/jruby-openssl/issues/236
I tried deleting the expired cert from Puppet’s keystore but that made no difference. In the end I had to add an option to how the Let’s Encrypt cert for Foreman is generated: --preferred-chain="ISRG Root X1". Annoyingly this option is not available in python3-certbot-apache on Ubuntu 18.04 so I had to install the certbot snap which you can’t manage through Puppet… blah blah sob story.
Not how I wanted to spend half of my Saturday.