As rg305 noted;
The "interesting" part is that it seems that the SIP destination requires the client to present a valid cert.
That said, here is what I tried;
Flagged "DST Root CA X3" as not used in /etc/ca-certificates.conf [it expired]
Replaced "ISG Root X1" with standalone version from LE that does not require "DST Root CA X3"
Still got "certificate expired" failure.
Thanks to a note from a user on OpenSSL.community I found out that certificates are not normally needed at all on a client, as I thought. Therefore Certbot is not needed!
I then commented out the two lines in my config file that specified the certificates. It works!!
A little more sleuthing found a post on Lets Encrypt community that indicates R3 intermediary may have expired and special steps may be needed to update it but since this is a client I'm dropping the matter!
Under normal circumstances, certificates issued by Let’s Encrypt will come from “R3”, an RSA intermediate. Currently, issuance from “E1”, an ECDSA intermediate, is possible only for ECDSA subscriber keys for allowlisted accounts. In the future, issuance from “E1” will be available for everyone.
Our other intermediates (“R4” and “E2”) are reserved for disaster recovery and will only be used should we lose the ability to issue with our primary intermediates. We do not use the X1, X2, X3, and X4 intermediates anymore.
IdenTrust has cross-signed our RSA intermediates for additional compatibility.