Hi @HawkMcDuck,
I don't understand exactly what Yealink means by "rebuild the CAs" either. However, Let's Encrypt (and all publicly-trusted CAs for the web) is no longer allowed to issue certificates using MD5 or SHA-1. This is a strictly-enforced industry-wide policy. So, if the device really requires certificates with SHA-1, you would probably need to create your own private/internal certificate authority (which can then issue certificates using obsolete cryptographic algorithms), and then figure out how to get this device to trust your CA, probably by importing your own root certificate.