Sangoma S500 Lets Encrypt Failing Validation

Certificate chain
 0 s:/CN=ausstellung.telefonanlage.mitterhuemer.at
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIGNjCCBR6gAwIBAgISA4MDRzGgrSG2bp2SCEkTklrvMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMzAxMTM0MDBaFw0x
NzA2MjgxMTM0MDBaMDQxMjAwBgNVBAMTKWF1c3N0ZWxsdW5nLnRlbGVmb25hbmxh
Z2UubWl0dGVyaHVlbWVyLmF0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
AgEA1jrkWz7DJHpypkUdg3xuVaIB16ZEaThb8o6yxtmF2oF383+zAR4VVQmtNfKN
d8g/XDsatSAXdlih0azYIkARxEPlTzmYjHUIABP+Fhzx0vy9f7+9wZwCu0ZMTALl
SKTs4/KLvyuPBwCb8xw3G41tAWEU/SDp6PKgM69NuxUp6r4Qt+t/4uoOFcHPez+N
xm0NzqCR0oUqCLjWoWg7XpqFaBEiku6FB47M/mNXf9nh0SNxm0oCAmr39DVgpj8a
WkSqRbd8NzeDE9iaCxXhrsZP5QwEQykafWFpcWr42SsOPCFhv2m2hMRibTB/+O/h
HvuL13J+8Xxl46gW5zBQsglQ0M3g0FeSNd7/cD2BTWH51sxeNN8AGDimq6GsnVQX
f63lTuLIqRFJeceCSLK8MB8eKdRTlnRqfWU0y5hsfXeNEEw7X0FEpPXUhRZ/CCv8
jgQADaUejkv3DQ08OY0G0ZPsxSmOV4gPCJgW1YCzgN3BBhH64/IJbZU8uwOSJllz
ceQfAjoE3dJvmo0JiBxqR6W4hnNspB6wWpIN8pf6F8m1FyD+gQGkK9DvlpgBkFCS
GpIxWUQjCvZ4hbohSgyougXKClwAfIbBoQHGZn4mgXKQzAlsO1jvA5oravU1GAE6
OSZrK9eIV8vClYStzkoyzRUkjo6K3G44jV2UmulGkz8gilECAwEAAaOCAiowggIm
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUe+yWtle6e58PM6yovs4jZmDLeZwwHwYD
VR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBiMC8G
CCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzAv
BggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8w
NAYDVR0RBC0wK4IpYXVzc3RlbGx1bmcudGVsZWZvbmFubGFnZS5taXR0ZXJodWVt
ZXIuYXQwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB
BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1
cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp
dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl
bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAhLIpauAH
G+UrEfU41J90RFiPaNH10oeFgirYCDKOngRK6Iz/PT87ztTLUAa03hcf6cwcLjkA
+8dN4Ei4vD26un/X8laToU3Kd4fbf/YUeaSvR0JeAaQn8RIBK7QJ4A33IZHb7h7o
sTsPN+bnWlXEP7PoYOIFsj768oWg9qACAcVUY+8CqfvmYNPLh4EcIsfQckVDCJBc
WRHV2YyIvdEFks0A628jMjxxTHcRgpPLFeNm+PJC/a/h58JqHA3jeFNtjCG0oR9V
SO6OBiRAkhFa3YcadcmmJQLrfsfcmBejeopp0VX3y9gqUuPIq0eZlOt9NQgfSSG9
TLItwIi5PcRC5A==
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ausstellung.telefonanlage.mitterhuemer.at
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3904 bytes and written 439 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-GCM-SHA256
    Session-ID: 0C70160BCED9E62712620D96561DF25B6F37E6896072D4A591DD06E5077F48A2
    Session-ID-ctx:
    Master-Key: 037ACE1C13766BD6F8A5B1BAAEC295446FEE54D922A2A14B295DC6702A799AFBB87FBA66AB4610E238D74BEC4B2A4DD1
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 3f a1 cf 69 ee 39 2b 55-31 7a 22 30 5c 56 ea 78   ?..i.9+U1z"0\V.x
    0010 - 69 77 7b 55 75 dd ba f5-b7 ff 13 f7 a1 7c ac bb   iw{Uu........|..
    0020 - 4e b3 95 57 61 b4 2f ea-81 e6 e3 18 fc ed 2d d9   N..Wa./.......-.
    0030 - 68 f8 28 f2 23 4e e7 6b-6a 8b 33 92 fb 64 e4 51   h.(.#N.kj.3..d.Q
    0040 - 3f 94 81 c3 4f df 66 78-05 dd 76 69 cb f5 bf ab   ?...O.fx..vi....
    0050 - ae 44 51 b4 ad bb 57 ba-32 0d 15 49 80 20 dc fb   .DQ...W.2..I. ..
    0060 - 9f 9f 80 5e b4 c6 92 14-b9 b2 96 cd c0 11 9a ff   ...^............
    0070 - 1c 7d 6d 64 de e6 c3 66-59 50 45 1e 7e 23 85 56   .}md...fYPE.~#.V
    0080 - d5 0d 50 12 a8 c5 ba fe-63 6b b2 c8 a6 8d 5f ed   ..P.....ck...._.
    0090 - 2a 0e f5 c7 04 ff 6e cf-ba d1 f1 b7 6d ec 0b 84   *.....n.....m...
    00a0 - 37 a2 bc 9f e1 d0 ff ba-4a 8c b6 55 ae 8d 2b 53   7.......J..U..+S
    00b0 - 9e dd f8 31 84 fc 6d ac-19 e6 9f a5 7c 0f 6e ec   ...1..m.....|.n.

    Start Time: 1492976729
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Verify Return code is 0. The full chain is provided. You should run that same command against your Asterisk TLS port. It’ll work.

Example:

Andrews-MacBook-Pro:~ andrew$ openssl s_client -showcerts -connect asterisk.server:5061
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=asterisk.server
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIGEjCCBPqgAwIBAgISA5x79sNkkCrQadZqsreWPRbzMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA0MTIxNzI2MDBaFw0x
NzA3MTExNzI2MDBaMCIxIDAeBgNVBAMTF2ZyZWVwYnhkZXYxLnNhbmdvbWEubmV0
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAy9dCHULW/dFHY3DgcIm7
oinCMYF6NYjPIwWnJp927L2svLAW0K5nt59u7IVdAN2zgs9qR3HA+u9WRe/zGIfZ
wbzQ0UMNErhUHqlLOTCcC62uJMXxUCij1H7BzTpv67AYqFetpSOfiPTMjsgEHUZq
D471LGYIscGBj0/aT87ksAWHRt9q5HgN9bpiDLdqbiILTun+keb0VTOUMH1SER1O
QJ8IHQHhVW8YxBYHxr3Y2lV3n7CmOT7ncJuFghNlXinnL/cfoACo8rnlkzh3zRQi
W/b93k3Q0RulcUxBavopdCZlTSRaqJHQSjcrARY1OfIrN5wkQjJcFf8YjNGzPuE4
TWVQJ+Z5K+xJmj8UCglIROWkuTu3zASCXJvM8MMz/aataYCCX38VzqLYCgfg2NpR
O+iIM8KaOZsjl5rEehH6V7W1Hz0G9Za3YNb88LCcemv3Feoktif/P3zRW6snd9NF
kfIX/r9kOuKBxbvBLsIwbd29T33S86rOM8R/zvxvYpVFdJMQ7eYSS4L4YU+aZ8oW
JMWutx0WFcONP8qGOHCcS2GPyyC3UmNoUwHNPw4+3l4D8paJy29Xv/HwoFV6s2GC
IaawbZ8alxQn1r1SijDkJIbY0WiJhXNSA5l3ll7+WHgo+7iFSsPReuLwDNx7Obd5
C4lKOm1sQjN55uu3rhKCeD8CAwEAAaOCAhgwggIUMA4GA1UdDwEB/wQEAwIFoDAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV
HQ4EFgQUpZi87voD6NgZJ/y3y9dzdPGOvecwHwYDVR0jBBgwFoAUqEpqYwR93brm
0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBiMC8GCCsGAQUFBzABhiNodHRwOi8v
b2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzAvBggrBgEFBQcwAoYjaHR0cDov
L2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8wIgYDVR0RBBswGYIXZnJlZXBi
eGRldjEuc2FuZ29tYS5uZXQwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysG
AQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0
Lm9yZzCBqwYIKwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5
IGJlIHJlbGllZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBh
Y2NvcmRhbmNlIHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBo
dHRwczovL2xldHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsF
AAOCAQEALuZTuS0/LbZsQHQE/Qk8HOkcdL9FxrCpDI7RZLAwjujUnB/YbkhOMp/6
gUuqQe8kw/iZhXDXmjEuYCPZKT2OgfWGxbk4RX6reEy+HN98XHmj4kyORFtrn4Eg
O8lEbvOmQtrHGbrVyY4OABvehC4PLZZML2I5QOmgwSSm3ImH/oGYgAu0V/BQS0Dy
GNp0e5BZp/ewWJ1J5u/ljGeWmKTbqNNERgthgcOE6BM+jgrXc7f/hjOQhnbH4HwD
JaX+Yks2kV/JF1sWN3DiI3wKizOo+CD0svjsoRhljzMeT/rFAkzTDFMBXPZBHfy4
VNJEPl5ZTFenY0/dCKGgHr8kql76iw==
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=asterisk.server
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 2904 bytes and written 712 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: E794A49BE51C6AE38E525FEDE4C8BB1AD8372CAF806D0346433F517BC93F9D58
    Session-ID-ctx:
    Master-Key: AC5F30C17497F640A918C1D151D4309953C830CF12E6E2B29EB807290BEDFE9B16A24F68FC0085094A65A5C74178C158
    Key-Arg   : None
    Start Time: 1492976979
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Already did this, i get the full chain.Phones do not register. I think that this cert is missing, because with this the phones work:

CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ausstellung.telefonanlage.mitterhuemer.at
verify return:1
---
Certificate chain
 0 s:/CN=ausstellung.telefonanlage.mitterhuemer.at
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIGNjCCBR6gAwIBAgISA4MDRzGgrSG2bp2SCEkTklrvMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMzAxMTM0MDBaFw0x
NzA2MjgxMTM0MDBaMDQxMjAwBgNVBAMTKWF1c3N0ZWxsdW5nLnRlbGVmb25hbmxh
Z2UubWl0dGVyaHVlbWVyLmF0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
AgEA1jrkWz7DJHpypkUdg3xuVaIB16ZEaThb8o6yxtmF2oF383+zAR4VVQmtNfKN
d8g/XDsatSAXdlih0azYIkARxEPlTzmYjHUIABP+Fhzx0vy9f7+9wZwCu0ZMTALl
SKTs4/KLvyuPBwCb8xw3G41tAWEU/SDp6PKgM69NuxUp6r4Qt+t/4uoOFcHPez+N
xm0NzqCR0oUqCLjWoWg7XpqFaBEiku6FB47M/mNXf9nh0SNxm0oCAmr39DVgpj8a
WkSqRbd8NzeDE9iaCxXhrsZP5QwEQykafWFpcWr42SsOPCFhv2m2hMRibTB/+O/h
HvuL13J+8Xxl46gW5zBQsglQ0M3g0FeSNd7/cD2BTWH51sxeNN8AGDimq6GsnVQX
f63lTuLIqRFJeceCSLK8MB8eKdRTlnRqfWU0y5hsfXeNEEw7X0FEpPXUhRZ/CCv8
jgQADaUejkv3DQ08OY0G0ZPsxSmOV4gPCJgW1YCzgN3BBhH64/IJbZU8uwOSJllz
ceQfAjoE3dJvmo0JiBxqR6W4hnNspB6wWpIN8pf6F8m1FyD+gQGkK9DvlpgBkFCS
GpIxWUQjCvZ4hbohSgyougXKClwAfIbBoQHGZn4mgXKQzAlsO1jvA5oravU1GAE6
OSZrK9eIV8vClYStzkoyzRUkjo6K3G44jV2UmulGkz8gilECAwEAAaOCAiowggIm
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUe+yWtle6e58PM6yovs4jZmDLeZwwHwYD
VR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBiMC8G
CCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzAv
BggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8w
NAYDVR0RBC0wK4IpYXVzc3RlbGx1bmcudGVsZWZvbmFubGFnZS5taXR0ZXJodWVt
ZXIuYXQwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB
BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1
cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp
dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl
bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAhLIpauAH
G+UrEfU41J90RFiPaNH10oeFgirYCDKOngRK6Iz/PT87ztTLUAa03hcf6cwcLjkA
+8dN4Ei4vD26un/X8laToU3Kd4fbf/YUeaSvR0JeAaQn8RIBK7QJ4A33IZHb7h7o
sTsPN+bnWlXEP7PoYOIFsj768oWg9qACAcVUY+8CqfvmYNPLh4EcIsfQckVDCJBc
WRHV2YyIvdEFks0A628jMjxxTHcRgpPLFeNm+PJC/a/h58JqHA3jeFNtjCG0oR9V
SO6OBiRAkhFa3YcadcmmJQLrfsfcmBejeopp0VX3y9gqUuPIq0eZlOt9NQgfSSG9
TLItwIi5PcRC5A==
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ausstellung.telefonanlage.mitterhuemer.at
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 3702 bytes and written 395 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: F2F895C553244940F70F9831978EFFD091F9CE9D65B1DFC8F697BFB2208D0871
    Session-ID-ctx:
    Master-Key: 140DBCDF4C8CBC7390B248025CD19322BEC6C48EE26B74609ED15D5589B9457C0DE760FAED600B4ED67686C80CF55237
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 58 0f fa f0 43 da 28 cc-75 74 4c 43 a1 53 8d 21   X...C.(.utLC.S.!
    0010 - d7 01 40 66 c1 d7 c5 dc-9c 47 61 fb 0c ab 5d 16   [email protected]...].
    0020 - d1 a8 5c a7 12 f1 17 da-03 a3 8e c7 3d da 96 83   ..\.........=...
    0030 - db 59 32 04 4a c1 fb 08-17 0f 22 06 3a 15 f6 96   .Y2.J.....".:...
    0040 - 1b e5 ae f8 fa 48 64 2e-e9 d3 cb 5e 68 fa 78 71   .....Hd....^h.xq
    0050 - fb 69 9f 31 63 5d 7b 90-15 70 e6 0d f1 5f 3b 6b   .i.1c]{..p..._;k
    0060 - 7b 6d 5e 8d 93 e5 3d 90-dc 97 e3 93 ad cc 8b de   {m^...=.........
    0070 - 30 42 60 7b 1d 93 7a 45-3b 3c 33 6b 49 6b d5 00   0B`{..zE;<3kIk..
    0080 - be 27 8d f2 bd 24 a9 64-a9 82 64 a1 98 f0 b5 b9   .'...$.d..d.....
    0090 - eb 70 9c e5 49 8f 84 b0-66 09 7f 7e d1 38 df 17   .p..I...f..~.8..

    Start Time: 1492976922
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I got the phones working now without line P20179

For testing i modified the ca-bundle file located in /etc/asterisk/keys

and added this to the end of the file:
Then i restarted Asterisk and the phones got working.
https://identrust.com/certificates/trustid/root-download-x3.html

-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----

openssl s_client -showcerts -connect server:TLSPORT_SIP

[root@ausstellung ~]# openssl s_client -showcerts -connect ausstellung.telefonan                                                                                                                                                             lage.mitterhuemer.at:5161
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = ausstellung.telefonanlage.mitterhuemer.at
verify return:1
---
Certificate chain
 0 s:/CN=ausstellung.telefonanlage.mitterhuemer.at
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIGNjCCBR6gAwIBAgISA4MDRzGgrSG2bp2SCEkTklrvMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzAzMzAxMTM0MDBaFw0x
NzA2MjgxMTM0MDBaMDQxMjAwBgNVBAMTKWF1c3N0ZWxsdW5nLnRlbGVmb25hbmxh
Z2UubWl0dGVyaHVlbWVyLmF0MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKC
AgEA1jrkWz7DJHpypkUdg3xuVaIB16ZEaThb8o6yxtmF2oF383+zAR4VVQmtNfKN
d8g/XDsatSAXdlih0azYIkARxEPlTzmYjHUIABP+Fhzx0vy9f7+9wZwCu0ZMTALl
SKTs4/KLvyuPBwCb8xw3G41tAWEU/SDp6PKgM69NuxUp6r4Qt+t/4uoOFcHPez+N
xm0NzqCR0oUqCLjWoWg7XpqFaBEiku6FB47M/mNXf9nh0SNxm0oCAmr39DVgpj8a
WkSqRbd8NzeDE9iaCxXhrsZP5QwEQykafWFpcWr42SsOPCFhv2m2hMRibTB/+O/h
HvuL13J+8Xxl46gW5zBQsglQ0M3g0FeSNd7/cD2BTWH51sxeNN8AGDimq6GsnVQX
f63lTuLIqRFJeceCSLK8MB8eKdRTlnRqfWU0y5hsfXeNEEw7X0FEpPXUhRZ/CCv8
jgQADaUejkv3DQ08OY0G0ZPsxSmOV4gPCJgW1YCzgN3BBhH64/IJbZU8uwOSJllz
ceQfAjoE3dJvmo0JiBxqR6W4hnNspB6wWpIN8pf6F8m1FyD+gQGkK9DvlpgBkFCS
GpIxWUQjCvZ4hbohSgyougXKClwAfIbBoQHGZn4mgXKQzAlsO1jvA5oravU1GAE6
OSZrK9eIV8vClYStzkoyzRUkjo6K3G44jV2UmulGkz8gilECAwEAAaOCAiowggIm
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUe+yWtle6e58PM6yovs4jZmDLeZwwHwYD
VR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwcAYIKwYBBQUHAQEEZDBiMC8G
CCsGAQUFBzABhiNodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzAv
BggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0Lm9yZy8w
NAYDVR0RBC0wK4IpYXVzc3RlbGx1bmcudGVsZWZvbmFubGFnZS5taXR0ZXJodWVt
ZXIuYXQwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB
BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1
cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp
dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl
bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAhLIpauAH
G+UrEfU41J90RFiPaNH10oeFgirYCDKOngRK6Iz/PT87ztTLUAa03hcf6cwcLjkA
+8dN4Ei4vD26un/X8laToU3Kd4fbf/YUeaSvR0JeAaQn8RIBK7QJ4A33IZHb7h7o
sTsPN+bnWlXEP7PoYOIFsj768oWg9qACAcVUY+8CqfvmYNPLh4EcIsfQckVDCJBc
WRHV2YyIvdEFks0A628jMjxxTHcRgpPLFeNm+PJC/a/h58JqHA3jeFNtjCG0oR9V
SO6OBiRAkhFa3YcadcmmJQLrfsfcmBejeopp0VX3y9gqUuPIq0eZlOt9NQgfSSG9
TLItwIi5PcRC5A==
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----
 2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=ausstellung.telefonanlage.mitterhuemer.at
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 4535 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 604548087C3794DED596214F54F9DC74C864B9638B6AA7D94F638266CA4021C1
    Session-ID-ctx:
    Master-Key: 1057DE8BFE30C26FC3F0491F0057A133688362ED360262C576488D9578E84E84                                                                                                                                                             07CC56FE50F536B372A09653F8D4A00C
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e9 a5 08 47 d3 0f a0 db-85 d6 59 ca 6c 58 6b e8   ...G......Y.lXk.
    0010 - 16 a8 97 27 9d fb 09 73-e8 06 f8 d8 21 6b 7a 4b   ...'...s....!kzK
    0020 - dd cd f9 20 b6 ab 77 7a-65 61 f9 44 d6 4a 40 3d   ... ..wzea.D.J@=
    0030 - 5d 4e bd 91 ee 2f 9d bb-61 44 75 8a 26 ab b9 b1   ]N.../..aDu.&...
    0040 - 2e 67 f0 79 c1 ce c3 46-2e 6b 24 75 dc 2f 36 4d   .g.y...F.k$u./6M
    0050 - 02 6c 39 bc 1d 75 b9 87-15 3b 36 64 bf c9 63 3b   .l9..u...;6d..c;
    0060 - ec 62 1a 11 17 fb 26 ed-bf da e6 d7 c3 3e ed d4   .b....&......>..
    0070 - 2b dc 39 db c8 62 c2 5b-16 a0 cb 0c 4e ef 1c 48   +.9..b.[....N..H
    0080 - 82 0d 47 85 9f 3f c7 3f-c3 bc 97 14 9e 51 21 c1   ..G..?.?.....Q!.
    0090 - 51 2a 01 f8 12 c0 94 5e-1f ee de b1 18 1a 9a 1e   Q*.....^........

    Start Time: 1492979838
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The file you modified comes directly from let’s encrypt. Every 90 days you will have to redo your changes and you won’t really know when you need to do this so it’s best to not modify the files you modified as somewhere around 90 days your phones will stop registering

Also you are missing a step or two. You say you added this to the CA-bundle but that file is not referenced anywhere. It’s used to generate the certificate.pem which means the step you have forgotten to state is that you went in and set the default certificate again so that the certificate.pem would be updated.

Seems this is more your issue: https://community.letsencrypt.org/t/root-s-missing-main-cert-chain-not-supported/3191

Which again is the fact that we should just add IdenTrust DST CA X3 to the list of root certificates on the phones. https://groups.google.com/a/letsencrypt.org/forum/#!msg/client-dev/I-iFKihZ4Vo/kyw2EuaNlB0J

Or we can just include the X3 root as part of the certificate.pem chain which certificate manager automatically takes care of. I think this might be a better solution moving forward but I need to confirm that doing it this way won’t break other services.

I talked with @xrobau he confirmed we should just include the root CA (which is cross signed) in our certificate.pem (https://identrust.com/certificates/trustid/root-download-x3.html) through Certificate Manager.

This is a feature that will only exist when using Certificate Manager in FreePBX, it won’t work with any other automatic lets encrypt tools which is why we recommend doing this through FreePBX.

https://issues.freepbx.org/browse/FREEPBX-14631

1 Like