Thank you sir, that appears to have done the trick.
You already know what was happening, but I'd like to document it for the next guy. :)
Keywords: FreeIPA LDAP pfSense Authentication Server OpenVPN
Scenario: When using an LDAP server, either standalone or as part of FreeIPA, and that LDAP server is using a "real cert" such as a Let's Encrypt cert, you should use the Global Root CA when defining the Authentication Server in pfSense. Then log in to the pfSense system via ssh, issue a restart command for PHP-FPM via option 16, followed by a Restart webConfigurator command via option 11 before testing via Diag->Auth or requesting a list of containers via the Select Containers button.
If you are using a custom self-signed cert in your LDAP server as part of FreeIPA, then you should insert the Root CA cert for the FreeIPA PKI into the CA section of pfSense, then select that CA cert when defining the Authentication Server in pfSense, followed by the option 16, option 11 commands mentioned previously.
I followed the instructions at the link below, which work except for the use of a "real" cert, for which you should use my modified instructions above.
https://fattylewis.com/2018/01/19/using-freeipa-to-authenticate-openvpn-users-on-pfsense/
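
A pre-check for the CA choice described in the post above, added here as an example and not part of the original post: it reads the `Verify return code` that `openssl s_client` reports for the LDAPS listener and maps it to one of the two cases. Assumptions: `openssl` is installed on the machine running it, that machine's trust store stands in for pfSense's global root list, and the function names and the sample output line are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide which CA to select for a pfSense LDAP Authentication
# Server from the chain the LDAP server actually presents.

# Constructed sample of the relevant s_client output line (private FreeIPA CA).
SAMPLE_PRIVATE='    Verify return code: 19 (self-signed certificate in certificate chain)'

# Read `openssl s_client` output on stdin and print the numeric verify code.
# TLS 1.3 sessions can print the line more than once, so keep the first.
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Map an OpenSSL verify code to the two cases from the post.
#   0          chain validates against the public trust store
#   18/19/20/21 self-signed leaf, self-signed root in chain, or issuer not
#              found locally: the usual result for a FreeIPA-internal CA
ca_choice() {
    case "$1" in
        0)           echo "public-ca: select the Global Root CA" ;;
        18|19|20|21) echo "private-ca: import the FreeIPA root CA and select it" ;;
        "")          echo "unknown: no verify result (connection or TLS failure)" ;;
        *)           echo "invalid: fix the server certificate first (code $1)" ;;
    esac
}

# Live check against an LDAPS listener (port 636 unless given).
check_ldaps() {
    host=$1
    port=${2:-636}
    code=$(openssl s_client -connect "$host:$port" -servername "$host" \
               </dev/null 2>/dev/null | verify_code)
    ca_choice "$code"
}

# Runs only when LDAP_HOST is set, e.g. LDAP_HOST=ipa.example.test sh check.sh
if [ -n "${LDAP_HOST:-}" ]; then
    check_ldaps "$LDAP_HOST" "${LDAP_PORT:-636}"
fi
```

Any other code, such as 10 for an expired certificate, means the bind will fail regardless of which CA is selected in pfSense.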