Hi Jeff,
I think what you had in your initial email of July 6th was mostly correct. I was able to use letsencrypt by manually getting a certificate, concatenating the full chain and key into a single file, and starting mongod with that file as the sslPEMKeyFile:
$ cat privkey.pem fullchain.pem > mongo.pem
$ mongod --sslMode=requireSSL --sslPEMKeyFile=/path/to/mongo.pem
The --sslCAFile option to mongod is somewhat tricky. Technically, if the certificate/key file contains the entire chain (and it does in this case), the --sslCAFile option is not required. The --sslCAFile option has a double meaning: "use the certificates in this file to negotiate a connection" and "require all clients to have a client certificate signed by this CA". That's why it worked as long as the client also had mongo.pem. You could use the --sslCAFile option with letsencrypt by doing:
$ cat privkey.pem cert.pem > mongo.pem
$ mongod --sslMode=requireSSL \
--sslPEMKeyFile=/path/to/mongo.pem \
--sslCAFile=/path/to/chain.pem \
--sslAllowConnectionsWithoutCertificates
The difference between these two configurations is that the latter will allow client certificates and the former won't. You probably don't want to set up client certificates, so the first configuration is probably what you want. When you renew the certificate, you'll have to restart mongod with the new key/cert, but you shouldn't have to do anything else. On the client side, you may have to specify --sslCAFile=/path/to/chain.pem (a file containing just the CA certs) so that the client can verify the server's certificate, but since letsencrypt is trusted by most browsers you shouldn't have to even do that. I was able to connect just by running mongo --ssl hostname.
Hope this helps, and let me know if you have any more questions.
Jonathan
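The steps Jonathan describes (concatenate privkey.pem and fullchain.pem into one sslPEMKeyFile, then restart mongod after every renewal) are easy to automate and easy to get subtly wrong, for example by shipping a file that is missing the key or the intermediate certificate, or one that is world-readable. The following POSIX shell helper is an added example written for this note; it is not code from the original message, from MongoDB, or from certbot. It assembles the combined file with owner-only permissions, checks that it holds exactly one private key and at least two certificates (leaf plus intermediate), and restarts mongod only if the check passes. It assumes certbot's deploy-hook convention of exporting RENEWED_LINEAGE (the live directory for the renewed certificate); the output path /etc/mongodb/mongo.pem and the MONGO_PEM override variable are assumptions for illustration.

```shell
#!/bin/sh
# Build mongod's combined key+chain PEM from a Let's Encrypt lineage
# directory, sanity-check it, and restart mongod. Hypothetical helper
# written for this note; not part of MongoDB or certbot.

# Count PEM blocks whose BEGIN line matches an extended regex.
# Prints 0 (instead of failing) when there are no matches.
pem_block_count() {
    # $1 = file, $2 = regex for the BEGIN line
    grep -Ec "$2" "$1" 2>/dev/null || true
}

# Concatenate privkey.pem and fullchain.pem (key first, as in the message)
# into a single file readable only by its owner; write via a temp file so
# mongod never sees a half-written PEM.
build_mongo_pem() {
    lineage="$1"   # e.g. /etc/letsencrypt/live/example.com (assumed path)
    out="$2"
    ( umask 077 && cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$out.tmp" ) || return 1
    mv "$out.tmp" "$out"
}

# The combined file must contain exactly one private key and at least two
# certificates (leaf + intermediate); that is what "full chain" means here
# and is why no separate --sslCAFile is needed on the server.
check_mongo_pem() {
    f="$1"
    keys=$(pem_block_count "$f" '^-----BEGIN [A-Z ]*PRIVATE KEY-----$')
    certs=$(pem_block_count "$f" '^-----BEGIN CERTIFICATE-----$')
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys" >&2; return 1; }
    [ "$certs" -ge 2 ] || { echo "expected leaf+chain, found $certs cert(s)" >&2; return 1; }
    return 0
}

# Rebuild the PEM and restart mongod only when the new file checks out,
# so a bad renewal leaves the running server (and its old file) alone.
deploy() {
    lineage="$1"
    out="$2"
    build_mongo_pem "$lineage" "$out" || exit 1
    check_mongo_pem "$out" || exit 1
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart mongod
    fi
}

# certbot exports RENEWED_LINEAGE to --deploy-hook scripts. When run that
# way, rebuild and restart; otherwise only define the functions above.
# MONGO_PEM and its default location are assumptions for this example.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE" "${MONGO_PEM:-/etc/mongodb/mongo.pem}"
fi
```

Installed as a certbot deploy hook (for example `certbot renew --deploy-hook /path/to/this-script.sh`), this replaces the manual "cat and restart" step after each renewal; the temp-file-then-rename write and the block-count check are what keep a broken or partial renewal from taking the server down.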