So, some experimentation and reading later. Here are some updates and simplifications.
For the Mosquitto configuration, you need to add/change `/etc/mosquitto/conf.d/custom.conf` (you can call the file anything). You also seem to have to add the default port as well if you want to retain that. Mosquitto uses default settings which include the standard port but they seem to be turned off once you add your own custom settings. Note the bits in angle brackets that you need to change:
```
# Default Listener: 1883
port 1883
# Bind the default listener to localhost only if you want to force external connections to be TLS only
#bind_address localhost

# Secure listener
listener 8883
# TLS
## This is standard and should always be this
cafile /etc/ssl/certs/DST_Root_CA_X3.pem
## These are from your installation of LE
certfile /<path-to-LE-cert-files>/fullchain.cer
keyfile /<path-to-LE-cert-files>/<private-key-name>.key
## Forces use of modern version of TLS to avoid security issues
tls_version tlsv1.2
## Forces ALL CLIENTs to provide a valid certificate - change the node config to allow this from NR
#require_certificate true
```
You then need to restart the Mosquitto broker with `sudo systemctl restart mosquitto`. You can check whether it has started the correct ports with `sudo netstat -lptu | grep mosquitto`, which should give you 4 entries:
```
tcp   0  0 0.0.0.0:8883  0.0.0.0:*  LISTEN  17697/mosquitto
tcp   0  0 0.0.0.0:1883  0.0.0.0:*  LISTEN  17697/mosquitto
tcp6  0  0 [::]:8883     [::]:*     LISTEN  17697/mosquitto
tcp6  0  0 [::]:1883     [::]:*     LISTEN  17697/mosquitto
```
Note that you do not have to make any firewall changes on the Pi, the OS does that for you and will open both ports. You can check that from another Linux/Mac device (or Windows using WSL) with `telnet <IP-NAME> 1883` and `telnet <IP-NAME> 8883`.
To connect securely from Node-RED, you need to configure the MQTT connection to use the TLS connection not the standard one. You also need to use the IP name rather than the IP address because otherwise, the certificate won't be valid.

Note that you need to set the URL and the port but you don't need to set the "Enable secure connection" flag. That lets you authenticate the Node-RED client connection to the broker (if you set `require_certificate` to true, for example).
Many thanks to Paul for giving me both the clues and the motivation to get this done. 
To monitor what is going on with Mosquitto, you can use the command `sudo tail /var/log/mosquitto/mosquitto.log -f`. This will show you connections and disconnections. If you need more information, you can change the log level in your Mosquitto broker configuration file and restart the broker.
```
# Logging. Defaults to "error, warning, notice, information"
# debug, error, warning, notice, information, subscribe, unsubscribe, websockets, none, all
#log_type all
#log_type error
#log_type warning
#log_type notice
#log_type information
#log_type subscribe
```
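As an added example (not part of the original post), the following check reads a Mosquitto config and reports, per listener, the three hardening options the config comments above mention: plaintext listeners not bound to localhost, a missing `tls_version`, and `require_certificate` not enabled. The function names `parse_listeners` and `audit` are hypothetical, the sample config is constructed from the one in the post, and the default-listener handling assumes the behaviour the post observed.

```python
LOCAL = {"localhost", "127.0.0.1", "::1"}
# Constructed sample: the post's config with its placeholders left as-is.
SAMPLE_CONF = """\
port 1883
#bind_address localhost
listener 8883
certfile /<path-to-LE-cert-files>/fullchain.cer
keyfile /<path-to-LE-cert-files>/<private-key-name>.key
tls_version tlsv1.2
#require_certificate true
"""

def parse_listeners(text):
    """Options before the first `listener` line go to the default listener."""
    default = {"port": "1883", "bind": None, "opts": {}}
    extra, current, default_on = [], default, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # whole-line comments only
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        if key == "listener" and value:
            parts = value.split()
            current = {"port": parts[0], "bind": (parts[1:] or [None])[0], "opts": {}}
            extra.append(current)
        elif key == "port":
            default["port"], default_on = value, True
        elif key == "bind_address":
            default["bind"] = value
        else:
            current["opts"][key] = value
    # Assumption from the post: with custom listeners, 1883 stays only if stated.
    return ([default] if default_on or not extra else []) + extra

def audit(text):
    """Return (port, finding) pairs for the three options discussed above."""
    findings = []
    for lst in parse_listeners(text):
        opts = lst["opts"]
        if not ("certfile" in opts and "keyfile" in opts):
            if lst["bind"] not in LOCAL:
                findings.append((lst["port"], "plaintext, not bound to localhost"))
            continue
        if "tls_version" not in opts:
            findings.append((lst["port"], "tls_version not set"))
        if opts.get("require_certificate") != "true":
            findings.append((lst["port"], "client certificate not required"))
    return findings
```

Calling `audit(SAMPLE_CONF)` flags port 1883 and port 8883; uncommenting `bind_address localhost` and `require_certificate true` clears both findings.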