I knew my issues were all related to CA, and I ran into some not just on the fact/report upload side, but also related to smart_proxy. So I dug into things a bit more and found a post by @ekohl a couple of years back (but more recent than the advice to edit the config files) with an example of using the foreman-installer to do this.
So I took that and pointed it at my letsencrypt files, changed ca-bundle.crt to ca-certificates.crt and let fly.
This seems to have resolved all of my SSL related issues, but I believe the ce portions may not be what I should be doing for security (–puppet-server-foreman-ssl-ca /etc/ssl/certs/ca-certificates.crt --foreman-proxy-foreman-ssl-ca /etc/ssl/certs/ca-certificates.crt).
Is that essentially saying that any SSL usable on a browser on my system would be able to authenticate to foreman to upload facts, interact with the smart-proxy, etc? And if so, conceptually what should those ca files be that limits access appropriately?