I have a crazy issue where somewhere in 2019 / 2020 all Blink and Zoiper5 Android and Windows softphones would stop registering to pjsip over TLS, claiming Error 924 - cert validation error.
Sysadmin Pro and Certman managed Letsencrypt cert. Worked fine for years until some point.
Thinking it may have to do with CA changes at Letsencrypt I initially pulled certman from edge and used the (new at the time) “Remove DST Root CA X3” feature. This did not help.
Upgraded to FreePBX 16 - no change.
Ran testssl.sh against my.pbx.com:5061 and all checked out OK. SSL23 disabled, TLS1.0+ enabled, no cert problems come up.
Eventually found this thread where someone had a multi-year battle with Yealink phone provisioning that went away when using certbot. There was a solution to modify certman to reduce the key size to 2048
sed -i 's/4096/2048/g' /var/www/html/admin/modules/certman/vendor/analogic/lescript/Lescript.php
I tried this just for kicks and wouldn’t you know… The softphones all register now, albeit complaining that the cert is invalid. When I ask them to show me the cert (“display technical details”) they show me a perfectly valid cert. In Blink it will register now if I disable cert verification. This kind of defeats the purpose of having a “real” cert but at least we are up and running for now.
Now that the certman key length patch has been applied I guess it could be a Zoiper issue. Perhaps they have a trusted CA store hard coded into the app. Android 12 itself has no problem with these new Letsencrypt certs.
Just putting this out here if anyone uses Zoiper 5 with PJSIP over TLS and certman letsencrypt certs getting 924 errors on registration, the key size patch here Yealink T4XG phones will not autoprovision over HTTPS with FreePBX 14 - #77 by sorvani might be a workaround for you.
A productive feature request might be for certman to support other issuers. There are some letsencrypt alternatives that speak ACME. ZeroSSL and buypass.no for example.