@jerrm Thanks for your reply.
If DNS and firewall forwarding/loopback are properly configured, it should “just work.”
www.fqdn.com is working for remote IP phones in numerous locations across the internet and with other LE certs on my network, so I don’t think DNS is the problem.
There are three rules in pfSense (for the WordPress LE cert, the pfSense, and for the FreePBX LE cert) to forward TCP port 80 for LE certs, identical except for the destination NAT IP on the LAN. All are normally disabled (i.e., port 80 is closed). When I need to update the LE cert, I open up port 80 for that specific rule. The WordPress LE cert “just works” each and every time with certbot. The FreePBX LE certs not so much.
I am surprised that this is an issue because with literally millions of FreePBX installs, I expect there are more than a few who are using ACME clients, and there also must be lots of these folks with expertise in how to make this work. Right now this is my number one complaint with FreePBX. Otherwise I’m quite happy.