I have used Certificate Manager to get a Letsencrypt certificate.
In Asterisk SIP Settings, I enable the PJSIP TLS transport and choose the certificate from the "Certificate Manager" dropdown.
In the pjsip.transports.conf file, these entries are added:
However, the cert_file is invalid - it contains the key, which PJSIP rejects. Incoming connections are rejected with the following warning:
[2019-10-02 12:29:41] WARNING: pjproject: <?>: SSL SSL_ERROR_SSL (Handshake): Level: 0 err: <337092801> <SSL routines-tls_post_process_client_hello-no shared cipher> len: 0
PJSIP requires the certificate and chain here, without the key included, and this combination is found in the /etc/asterisk/keys/MYHOSTNAME/fullchain.pem file
Tested on Asterisk 16.2.1.