so @dwight you just helped me with something from a couple years ago now.
Since I had the demopbx.domain.com certbot certificate on my PBX, I made it active for apache and changed my desk phone and it worked… So i changed a few other phones and they all worked too.
So, I will now need to schedule taking my system down and actually implementing something like I just described so I can fully use TLS for all the things.