To clarify things: on step 4 you are either issuing a new self-signed cerficate, or create a CSR file which you then can upload to some CA and get a proper singed, universally trusted certificate from them. In your case I suppose you need to check LetsEncrypt docs about the proper procedures.
>I went through and changed the idp-signing and idp-encryption certs to my new cert and unfortunately that did not change anything either
Those have nothing to do with OIDC flows, they only matter if you use SAML flows.
>One thing to note is that I only received .key and .crt files from my CA
That's all you need.
>What role does .csr pay?
It's a certificate request usually needed to get a signed certificate from CA. Procedures may differ on per CA basis, though. We don't cover such specifics under community support.
Let's put it this way: if when you try to access your Gluu Server's own pages you see in your browser that SSL/TLS connection is established using your updated certificate, then you succeeded with updating Apache's certificate, at least.
If you still see "x509: certificate signed by unknown authority" error in your app, you may need to start investigating issue from its side, as I don't see what else could be wrong here, OIDC RPs don't deal with other certificates usually. We don't usually cover troubleshooting of products either than our own under Community support, unfortunately. You may need to ask in groups dedicated to your application instead. Apparently, it still doesn't trust your new certificate for some reason. You need to find out why.