This is FreePBX causing problems by trying to be smart, but really being dumb.
This happens if the address the outbound request comes from does not match the resolved IP address of the cert dns name.
Common causes are NAT configuration or multi-homed machines where the default route is not using the same IP as the cert dns address.
If possible remove the device from any kind of NAT, configure 1-to-1 NAT for the server, adjust the outbound default route, or at least for any traffic destined for mirror1.freepbx.org.
There is nothing necessarily wrong with your setup, this is 100% a Sangoma/FreePBX self-inflicted problem. There is no requirement for such nonsense by LetsEncrypt or the acme protocol. There are many possible valid configs where the outbound request IP is not going to match dns cert IP.
I opened a ticket here: https://issues.freepbx.org/browse/FREEPBX-21681. Give it some visibility, follow it, vote for it, make a “me too” comment.
If your not opposed to applying a patch, I can send you one that disables the Sangoma phone-home idiocy that causes the problem.