I don’t understand the concept of TLS. Doesn’t the phone need a certificate too? Where does it come from? Security is nice, but it shouldn’t be that complicated. It took me an hour just to activate the Let's Encrypt certificate on the FreePBX server. This is a local machine with a mobile internet connection and a variable IP. Believe me, it was really tricky to find a solution for the port 80 feedback from Let's Encrypt.
Alright, so we gotta work through this because there is a lot of information here.
No, the phone doesn’t need a cert on it too…
Do you have HTTPS configured on your PBX? Do you have an FQDN set up, and does it resolve to your PBX? Do you have a valid Let's Encrypt cert set up and applied?
Do you have HTTPS Phone Apps turned on in the template?
Because of your mobile internet connection with a dynamic IP this is going to be tricky to get HTTPS working… What FQDN did you create your Let's Encrypt cert with? How does that resolve to your PBX with a dynamic IP? Do you have a DDNS with an updater running on the WAN of this mobile internet connection? This is how I do it for PBXes that are on dynamic IPs… But it is a little more tricky and takes more steps than when you just have a static IP, create an FQDN, point the A record to your static WAN IP and port forward 80 to the PBX… I also port forward the HTTPS Provisioning port and the TLS port.
I think it is still the case that neither side needs a certificate, although without one you are vulnerable to man in the middle attacks. However, it is possible that certificate-less key negotiation has been dropped from TLS and/or that Asterisk doesn’t support it.
The most common use of TLS is for web sites, and it is very unusual for both sides to have a certificate, although it is possible; normally the server is the only one with a certificate.
If you don’t have a phone certificate, the phone won’t even send authentication until it is sure that it has an encrypted connection between it and the authenticated server. I think the key negotiation is done in such a way that it depends on something only known to the client, so a man in the middle can’t find the key.
It is calls towards the phone where there is some problem, as the phone never gets authenticated, so a deep fake of the callee could take the call. The real callee can still defend against man in the middle, although I don’t know that phones actually check the identity of the server that well, or just accept anything signed by a trusted CA.
Here is my valid cert, assigned as Default in Admin > Certificate Management. The FQDN on this Let's Encrypt cert resolves to my PBX both internally (locally) and externally to my WAN IP… From there any external requests are forwarded on to the PBX based on port forwarding (HTTPS Provisioning port, TLS port).
Internally, if I ping my FQDN it resolves to my PBX LAN Static IP
It is 22:50h in Austria and I am 50 kilometers away from the freePBX machine in question
Yes, I have a valid LE certificate, and I did it with a DynDNS setup and a Fritzbox router.
I loaded the certificate in Apache too.
I activated the default ports in System Admin > Port Configuration.
Yet every time I activate TLS and encryption in the extension settings, the P370 cannot connect anymore.
I activated TLS in the Asterisk SIP settings…
Let me step back and ask, because it sounds like you are having two issues. First, getting Phone Apps (Call Logs, VM, Parking Calls) working… Second, you are trying to set up the phone to use the TLS protocol?
OK… I see… I didn’t check the LE certificate details once it was confirmed. I will do that. The ping is also a good idea.
Regarding the DPMA server settings: they should be UDP, not TLS, right?
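The checks the last two posts talk about (look at the certificate details, confirm the FQDN on it resolves to the PBX, confirm the forwarded TLS port actually answers with that certificate) are easy to script. The script below is an added example and is not code from this thread or from FreePBX. It assumes `openssl` and a glibc `getent` on the machine you run it from; `pbx.example.com`, port `5061` and `192.168.1.10` are placeholders for your own FQDN, TLS port and PBX LAN address.

```shell
#!/bin/sh
# Added example, not part of the thread or of FreePBX: sanity checks to run
# before enabling TLS on an extension. Host name, port and addresses used in
# the comments are assumptions; substitute the FQDN on your Let's Encrypt
# certificate and the TLS port you forwarded to the PBX.

# Pull the certificate chain the PBX presents on its TLS port. SNI
# (-servername) is sent so a server with several certificates picks the one
# for this name. Output is the PEM chain, leaf first.
fetch_chain() {
    fqdn="$1"; port="$2"
    openssl s_client -connect "$fqdn:$port" -servername "$fqdn" -showcerts \
        </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/'
}

# 0 if the leaf certificate in PEM file $1 lists $2 in its subjectAltName.
# A matching Common Name alone is not enough for modern verifiers.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' \
        | grep -qx "[[:space:]]*DNS:$2"
}

# 0 if the leaf certificate in $1 is still valid $2 seconds from now
# (default 0, i.e. right now). Let's Encrypt certificates last 90 days, so
# an expired or about-to-expire certificate is the first thing to rule out
# when a phone that used to register over TLS suddenly stops.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# 0 if the leaf in $1 chains to a CA in the system trust store, using the
# rest of the file as untrusted intermediates. This is the check a phone
# performs; a self-signed certificate fails it even though a browser will
# accept it after clicking through the warning.
chain_verifies() {
    openssl x509 -in "$1" | openssl verify -untrusted "$1" >/dev/null 2>&1
}

# 0 if the system resolver maps $1 to IPv4 address $2. From the LAN this
# should be the PBX address; from outside it should be the WAN address.
fqdn_resolves_to() {
    getent ahostsv4 "$1" | awk '{print $1}' | grep -qx "$2"
}

# Run all checks against a live PBX and report; returns non-zero on any
# failure. Example: check_pbx_tls pbx.example.com 5061 192.168.1.10
check_pbx_tls() {
    fqdn="$1"; port="$2"; expected_ip="$3"
    chain=$(mktemp) || return 1
    fetch_chain "$fqdn" "$port" >"$chain"
    status=0
    fqdn_resolves_to "$fqdn" "$expected_ip" && echo "ok: $fqdn -> $expected_ip" \
        || { echo "FAIL: $fqdn does not resolve to $expected_ip"; status=1; }
    [ -s "$chain" ] && echo "ok: TLS handshake on $fqdn:$port" \
        || { echo "FAIL: no certificate from $fqdn:$port (port forwarded? TLS enabled?)"; rm -f "$chain"; return 1; }
    cert_covers_name "$chain" "$fqdn" && echo "ok: certificate covers $fqdn" \
        || { echo "FAIL: certificate SAN does not include $fqdn"; status=1; }
    cert_not_expiring "$chain" 604800 && echo "ok: valid for at least 7 days" \
        || { echo "FAIL: certificate expired or expiring within 7 days"; status=1; }
    chain_verifies "$chain" && echo "ok: chain verifies against system CA store" \
        || { echo "FAIL: chain does not verify (self-signed, or intermediate missing)"; status=1; }
    rm -f "$chain"
    return $status
}
```

Run `check_pbx_tls` once from inside the LAN with the PBX's LAN address and once from outside (a phone on mobile data) with the WAN address; if the second run fails at the handshake step, the problem is the DDNS record or the port forward rather than the certificate itself.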
I have the Transport set to Auto in Extension > Advanced… Then in EPM > DPMA Management I have TLS set and my TLS port set, and my discovery address is again my FQDN on my Let's Encrypt cert. And that TLS port is port forwarded to my PBX…
I have been using the above EPM > DPMA Management settings with TLS for quite some time with my D80… I didn’t change any of it when I implemented the P370… I kind of treat the P370 as a D80 when it comes to EPM/setup/settings…
No, I don’t believe it’s working… But I have to say, I haven’t tried in quite a few firmware updates. I’ll try again right now… It works great on my D80 that’s sitting right here next to my P370…
I’m actually not positive SRTP is not working based on what this message says…
"Media Encryption
Determines whether res_pjsip will use and enforce usage of media encryption for this endpoint. Auto will enable SRTP via in-SDP encryption if TLS is enabled in SIP Settings"