Maybe take a look at this discussion: Let’s Encrypt (LE) certificate request and installation / auto-renewal configuration and pay particular attention to responses from @dicko. I’m now on FreePBX 17 / Debian 12, so my approach is a bit different from before. I use the acme.sh script with DNS challenge which I prefer to HTTP challenge, and switched back from ZeroSSL to Let’s Encrypt. I don’t have the certificate renewal (particularly updating/importing/installing on the FreePBX side) process entirely automated, but I think I can get there or very close with the acme.sh Le_RenewHook variable. With my approach, the better I understand acme.sh and fwconsole certificates (certificate manager / certman module), I think the closer I can get to fully automating certificate renewal. I don’t (currently/yet) use HAProxy with FreePBX as @dicko suggests, but that seems like a reasonable approach and could make the certificate renewal process more simple.
Maybe one day we’ll see a robust Let’s Encrypt implementation in FreePBX, including DNS challenge support. Until then, I think using acme.sh is a better option.