One way to do it is through a reverse proxy so the connection would kind of go like:
client ----encrypted----> ssl reverse terminating proxy ----unencrypted----> freenas
or you could just install the LE cert directly on FreeNAS and just skip the reverse proxy altogether so it would be:
The tutorial on how to install LE certs on FreeNAS is here (and I’ve verified it actually works) https://www.ixsystems.com/community/resources/lets-encrypt-with-freenas-11-1-and-later.82/
The only issue with obtaining LE certs is that the cert provider (Let’s Encrypt in this case) has to verify that you “own” the domain, or in other words needs some mechanism of proof of identity. Let’s Encrypt validation boils down, in a nutshell, to either placing a file on your local server (either through a web page or directly on the computer) or being able to write a temporary DNS record into your DNS host. Personally I believe the DNS method is far easier and “possibly safer — use that term loosely” since nothing is being written to your computer. In order to use DNS validation, however, your domain name must be serviced by one of the providers supported by Let’s Encrypt (there are about 20 of them). Personally I use Cloudflare (I’m not sponsored by Cloudflare). For basic usage it’s free, and it’s easy to configure DNS records and obtain LE certs.
The FreeNAS tutorial with Let’s Encrypt specifically talks about Cloudflare validation; however, just be aware this isn’t the only mechanism that could be utilized.
If you are accessing your FreeNAS box from inside your LAN (which it sounds like you are since you are using the 192.168.3.x address block), the only other thing I’d probably recommend is adding a DNS Host Override at the bottom of the pfSense Server/Resolver section. You basically would add an entry that would say pfsense.domain.com-->(IP address of FreeNAS box). This alone would allow you to access your pfSense box by hostname rather than IP address.
The pfSense tutorial on Let’s Encrypt uses the acme.sh client for obtaining new certificates and for certificate renewal. The other popular client you’ll hear a lot about is certbot, which I think is written by the people at Let’s Encrypt. I use both clients on various machines; however, in my humble opinion I really like the acme client. The syntax is a tad more challenging if you’ve never used it before, but what I like about it is that it initially sets up a crontab entry for automatic renewal. I think with certbot you have to set this up manually; however, even that isn’t that difficult.
If you need more instructions, let me know. There are many ways to answer the question you are proposing.