If you are not able to get a Yealink firmware update that has the ISRG Root installed, then you probably can’t use Let’s Encrypt for your FreePBX SIP TLS config (but you could use it for the web server).
You can get a Comodo cert for $11 for a year at namecheap.com. If you want to keep it free, there is zerossl.com, but you have to manually renew and reimport this every 88 days because the FreePBX certificate manager only works with Let’s Encrypt.
The firmware of this phone is supposed to have the correct root certificate according to Yealink!
In addition there are more than 300 extensions (in TLS) with different phone models that work very well with this certificate.
When I register this phone on a 3CX server in TLS with a Let’s Encrypt certificate: no problem!
So there is a problem with FreePBX.
If there are 300+ extensions of other phone models that work correctly with that FreePBX TLS config, how are you concluding that the problem is with FreePBX?
The client logs (that is, the logs on the Yealink phones) should have more information to help troubleshoot.
When I register this phone on a 3CX server in TLS with a Let’s Encrypt certificate: no problem!
When I register this phone on a FreePBX server: DST Root CA X3 certificate has expired.
In the phone log:
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] verify error:num=10:certificate has expired:depth=3:/O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] X509_V_ERR_CERT_HAS_EXPIRED issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] depth=3:/O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] depth=2:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] depth=1:/C=US/O=Let's Encrypt/CN=R3
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] depth=0:/CN=sbc.xxx.net
<131>Nov 29 07:33:53 sua [1427.1737]: NET <3+error > [255] Failed to verify remote certificate(skip the verification)
<131>Nov 29 07:33:53 sua [1427.1737]: NET <3+error > [255] SSL ERROR ZERO RETURN - SHUTDOWN
This is what I have in the log at the time of the connection, which despite these errors connects correctly:
<131>Nov 30 17:42:21 sua [1435.2098]: NET <3+error > [007] New binding with 185.xxx.xxx.84 5061
<131>Nov 30 17:42:21 sua [1435.2098]: NET <3+error > [255] verify error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Let's Encrypt/CN=R3
<131>Nov 30 17:42:21 sua [1435.2098]: NET <3+error > [255] X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
<131>Nov 30 17:42:21 sua [1435.2098]: NET <3+error > [255] verify error:num=27:certificate not trusted:depth=1:/C=US/O=Let's Encrypt/CN=R3
<131>Nov 30 17:42:21 sua [1435.2098]: NET <3+error > [255] X509_V_ERR_CERT_UNTRUSTED issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
<131>Nov 30 17:42:21 sua [1435.2098]: NET <3+error > [255] depth=0:/CN=xxxxxx.3cx.ch
<131>Nov 30 17:42:22 sua [1435.2098]: NET <3+error > [255] Failed to verify remote certificate(skip the verification)
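Added example, not written by any poster in this thread: a small Python parser that groups the phone log lines quoted above into handshakes and reports, for each one, the first verify error, the chain depth it occurred at, and whether the phone skipped verification. The function names are hypothetical, and reading "(skip the verification)" as "the phone continued without a validated chain" is an assumption.

```python
import re

# Sample input: lines copied from the two phone logs quoted in this thread.
LOG = """\
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] verify error:num=10:certificate has expired:depth=3:/O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] depth=3:/O=Digital Signature Trust Co./CN=DST Root CA X3
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] depth=2:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] depth=1:/C=US/O=Let's Encrypt/CN=R3
<131>Nov 29 07:33:52 sua [1427.1737]: NET <3+error > [255] depth=0:/CN=sbc.xxx.net
<131>Nov 29 07:33:53 sua [1427.1737]: NET <3+error > [255] Failed to verify remote certificate(skip the verification)
<131>Nov 30 17:42:21 sua [1435.2098]: NET <3+error > [255] verify error:num=20:unable to get local issuer certificate:depth=1:/C=US/O=Let's Encrypt/CN=R3
<131>Nov 30 17:42:21 sua [1435.2098]: NET <3+error > [255] verify error:num=27:certificate not trusted:depth=1:/C=US/O=Let's Encrypt/CN=R3
<131>Nov 30 17:42:21 sua [1435.2098]: NET <3+error > [255] depth=0:/CN=xxxxxx.3cx.ch
<131>Nov 30 17:42:22 sua [1435.2098]: NET <3+error > [255] Failed to verify remote certificate(skip the verification)
"""

VERIFY = re.compile(r"verify error:num=(\d+):([^:]+):depth=(\d+):(.+)$")
CHAIN = re.compile(r"\] depth=(\d+):(.+)$")

def parse_handshakes(text):
    """Group log lines into handshakes; each ends at the 'Failed to verify' line."""
    done, cur = [], {"errors": [], "chain": {}}
    for line in text.splitlines():
        if (m := VERIFY.search(line)):
            cur["errors"].append({"num": int(m[1]), "reason": m[2],
                                  "depth": int(m[3]), "subject": m[4].strip()})
        elif (m := CHAIN.search(line)):
            cur["chain"][int(m[1])] = m[2].strip()
        elif "Failed to verify remote certificate" in line:
            # Assumption: this suffix means the peer was accepted unauthenticated.
            cur["skipped"] = "skip the verification" in line
            done.append(cur)
            cur = {"errors": [], "chain": {}}
    return done

def diagnose(hs):
    """One-line finding per handshake, based only on what the log states."""
    first = hs["errors"][0]
    cn = first["subject"].rsplit("/CN=", 1)[-1]
    leaf = hs["chain"].get(0, "?").rsplit("/CN=", 1)[-1]
    what = f"verify error {first['num']}: {first['reason']}"
    if first["num"] == 10:      # X509_V_ERR_CERT_HAS_EXPIRED
        what = f"chain ends at expired '{cn}' (depth {first['depth']})"
    elif first["num"] == 20:    # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
        what = f"issuer of '{cn}' is not in the phone's trust store"
    return f"{leaf}: {what}; verification skipped={hs['skipped']}"

if __name__ == "__main__":
    print("\n".join(diagnose(h) for h in parse_handshakes(LOG)))
```

On the quoted logs, both handshakes report a verification failure followed by "skip the verification", so neither log shows the phone validating the server's chain.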