In Oct 2021 I renewed the certificate for my Asterisk server. While most SIP clients (like Android softphones) were not affected, Yealink IP phones could no longer authenticate the server using SIPS (TLS). There were no error messages anywhere, just offline phones, and this complicated the situation considerably.
Solution: remove the superfluous cross-certificate from fullchain.pem This third certificate confused the phones. They expect only two certificates: the server certificate and the intermediate certificate.
Background info: The Letsencrypt root is actually installed on W52P, hence the general advice that a missing root certificate be the problem was not helpful. However:not all Yealink phones do have the Letsencrypt roots in their firmware, and in some devices this depends on firmware version.
I am posting this here for documentation and because it may help someone.