Type: Bug
Status: Closed
Priority: Minor
Resolution: Duplicate
Affects Version/s: 16.0.21
Fix Version/s: None
Component/s: Certificate Manager, WebRTC Phone
Labels: None
ToDo:
Asterisk Version: 18.9
Distro Version: 16.0.21.9(18.6.0)
Distro: FreePBX Distro

I have 2 near-identical servers (Server #1 and Server #2). On both, updated with the latest versions, the SHA-256 fingerprint is blank when replying to an `INVITE` request. This causes the SIP clients to fail to authenticate because it's an invalid parameter.
When comparing the same client software with another FreePBX server that has not renewed its certificate recently (Server #3), it works fine. The issue lies with the FreePBX server.
Logs from Server #2:
{noformat}<--- Received SIP request (2761 bytes) from WSS:xxxxx:51645 --->
INVITE sip:*43@unknown SIP/2.0
Via: SIP/2.0/WSS 5di3fd8l7bul.invalid;branch=z9hG4bK8409331
To: <sip:*43@unknown>
From: "xxxxx" <sip:190@xxxxx>;tag=4b0m8ufurh
CSeq: 2 INVITE
Call-ID: sm1foo9bal78hqup6j5h
Max-Forwards: 70
Authorization: Digest algorithm=MD5, username="190", realm="asterisk", nonce="xxxxx", uri="sip:*43@unknown", response="xxxxx", opaque="xxxxx", qop=auth, cnonce="xxxxx", nc=00000001
Contact: <sip:e79gd913@5di3fd8l7bul.invalid;transport=ws;ob>
Allow: ACK,CANCEL,INVITE,MESSAGE,BYE,OPTIONS,INFO,NOTIFY,REFER
Supported: outbound
User-Agent: SIP.js/0.20.0
Content-Type: application/sdp
Content-Length: 2018
v=0
o=- 8629799328462050506 2 IN IP4 127.0.0.1
s=-
t=0 0
a=group:BUNDLE 0
a=extmap-allow-mixed
a=msid-semantic: WMS ec9c01b4-edeb-425d-aef7-e3524a05fcc8
m=audio 62551 UDP/TLS/RTP/SAVPF 111 63 103 104 9 0 8 106 105 13 110 112 113 126
c=IN IP4 xxxxx
a=rtcp:9 IN IP4 0.0.0.0
a=candidate:4252876256 1 udp 2122260223 192.168.0.194 62551 typ host generation 0 network-id 1
a=candidate:3851926045 1 udp 2122194687 172.31.192.1 62552 typ host generation 0 network-id 2
a=candidate:2083896148 1 udp 1686052607 xxxxx 62551 typ srflx raddr 192.168.0.194 rport 62551 generation 0 network-id 1
a=candidate:3019784464 1 tcp 1518280447 192.168.0.194 9 typ host tcptype active generation 0 network-id 1
a=candidate:2870232813 1 tcp 1518214911 172.31.192.1 9 typ host tcptype active generation 0 network-id 2
a=ice-ufrag:YI3c
a=ice-pwd:lVNUZyD0tKYUwFLXEzw/3Lvv
a=ice-options:trickle
a=fingerprint:sha-256 8B:0A:58:A6:D3:4C:D7:F6:2E:C2:82:0E:0F:BF:35:4E:A2:E9:BD:9E:13:23:A3:6D:24:41:BA:9C:22:10:78:E6
a=setup:actpass
a=mid:0
a=extmap:1 urn:ietf:params:rtp-hdrext:ssrc-audio-level
a=extmap:2 http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
a=extmap:3 http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
a=extmap:4 urn:ietf:params:rtp-hdrext:sdes:mid
a=sendrecv
a=msid:ec9c01b4-edeb-425d-aef7-e3524a05fcc8 50cda3f5-06de-425c-b0ef-c1051a9c264d
a=rtcp-mux
a=rtpmap:111 opus/48000/2
a=rtcp-fb:111 transport-cc
a=fmtp:111 minptime=10;useinbandfec=1
a=rtpmap:63 red/48000/2
a=fmtp:63 111/111
a=rtpmap:103 ISAC/16000
a=rtpmap:104 ISAC/32000
a=rtpmap:9 G722/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:106 CN/32000
a=rtpmap:105 CN/16000
a=rtpmap:13 CN/8000
a=rtpmap:110 telephone-event/48000
a=rtpmap:112 telephone-event/32000
a=rtpmap:113 telephone-event/16000
a=rtpmap:126 telephone-event/8000
a=ssrc:3402883931 cname:178tS6W5au4mt0iH
a=ssrc:3402883931 msid:ec9c01b4-edeb-425d-aef7-e3524a05fcc8 50cda3f5-06de-425c-b0ef-c1051a9c264d
<--- Transmitting SIP response (307 bytes) to WSS:xxxxx:51645 --->
SIP/2.0 100 Trying
Via: SIP/2.0/WSS 5di3fd8l7bul.invalid;rport=51645;received=xxxxx;branch=z9hG4bK8409331
Call-ID: sm1foo9bal78hqup6j5h
From: "xxxxx" <sip:190@xxxxx>;tag=4b0m8ufurh
To: <sip:*43@unknown>
CSeq: 2 INVITE
Server: FPBX-16.0.21.9(18.9)
Content-Length: 0
== Using SIP RTP Audio TOS bits 184
== Using SIP RTP Audio CoS mark 5
== DTLS ECDH initialized (automatic), faster PFS enabled
-- Executing [*43@from-internal:1] Set("PJSIP/190-00000001", "CONNECTEDLINE(name-charset,i)=utf8") in new stack
-- Executing [*43@from-internal:2] Set("PJSIP/190-00000001", "CONNECTEDLINE(name,i)=Echo Test") in new stack
-- Executing [*43@from-internal:3] Set("PJSIP/190-00000001", "CONNECTEDLINE(num,i)=*43") in new stack
-- Executing [*43@from-internal:4] Answer("PJSIP/190-00000001", "") in new stack
<--- Transmitting SIP response (1259 bytes) to WSS:xxxxx:51645 --->
SIP/2.0 200 OK
Via: SIP/2.0/WSS 5di3fd8l7bul.invalid;rport=51645;received=xxxxx;branch=z9hG4bK8409331
Call-ID: sm1foo9bal78hqup6j5h
From: "Driver 9999" <sip:190@xxxxx>;tag=4b0m8ufurh
To: <sip:*43@unknown>;tag=b51dac75-3ee5-49e9-9c01-bcdda7a6756c
CSeq: 2 INVITE
Server: FPBX-16.0.21.9(18.9)
Contact: <sip:172.31.37.32:8089;transport=ws>
Allow: OPTIONS, INVITE, ACK, BYE, CANCEL, UPDATE, PRACK, REGISTER, SUBSCRIBE, NOTIFY, PUBLISH, MESSAGE, REFER
Supported: 100rel, timer, replaces, norefersub
P-Asserted-Identity: "Echo Test" <sip:*43@unknown>
Content-Type: application/sdp
Content-Length: 623
v=0
o=- 1071813834 4 IN IP4 172.31.37.32
s=Asterisk
c=IN IP4 172.31.37.32
t=0 0
a=group:BUNDLE 0
m=audio 11472 UDP/TLS/RTP/SAVPF 0 8
a=connection:new
a=setup:active
a=fingerprint:SHA-256
a=ice-ufrag:31bd2610556135cd6ce4f01f00019b57
a=ice-pwd:34a42eda7775318608d28d454d4aeea0
a=candidate:Hac1f2520 1 UDP 2130706431 172.31.37.32 11472 typ host
a=candidate:S12dbda5e 1 UDP 1694498815 18.219.218.94 11472 typ srflx raddr 172.31.37.32 rport 11472
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=ptime:20
a=maxptime:150
a=sendrecv
a=rtcp-mux
a=ssrc:930260978 cname:075d7d96-f80e-4d71-954f-ff0564393e2b
a=mid:0{noformat}
You'll notice the server response has `a=fingerprint:SHA-256` with no data after, meaning it's impossible to verify. I have a third server that hasn't been renewed and, comparing the SIP messages, this is the only meaningful difference. Server #3 on a different domain does report a SHA256 fingerprint hash, whereas Server #1 and #2 do not.
Clients are able to register, and that works fine in those requests because they don't use fingerprinting. The SIP.JS error when dialing is obvious considering the field is blank:
>Failed to execute 'setRemoteDescription' on 'RTCPeerConnection': Failed to parse SessionDescription. a=fingerprint:SHA-256 Failed to create fingerprint from the digest.
The only thing I can remember doing was renewing the LetsEncrypt certificate. Note that the connection to wss://server:8089/ws is fine, meaning the certificate is valid. Also, registration works.
What I've tried:
- Updating FreePBX to latest
- Updating Asterisk 18.9 from 18.6
- Performing an in-place install of Asterisk 18 Certified
- Force reinstalling certificate
I'm flagging this critical since no calls can be made from the system over WebRTC.
duplicates: FREEPBX-23683 FreePBX hooks not exporting endpoint dtls related data (Closed)
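
The blank `a=fingerprint:SHA-256` line in the 200 OK above can be caught mechanically before a browser rejects it. The following is an added example, not code from the report, FreePBX, Asterisk or SIP.js: it checks every `a=fingerprint` attribute in an SDP body against the RFC 8122 syntax and the digest length of the named hash. The function name `checkFingerprints` and both sample SDP bodies are constructed for illustration.

```javascript
// Added example: validate a=fingerprint attributes in an SDP body (RFC 8122 syntax).
// Digest length in bytes for each hash function name.
const DIGEST_BYTES = new Map([
  ["sha-1", 20], ["sha-224", 28], ["sha-256", 32], ["sha-384", 48], ["sha-512", 64],
]);

function checkFingerprints(sdp) {
  const problems = [];
  let section = "session"; // "session" until the first m= line is seen
  let needsDtls = false;   // true once any m= line uses a UDP/TLS/... profile
  let usable = 0;          // number of well-formed fingerprints found
  for (const raw of sdp.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("m=")) {
      section = line.split(" ")[0];
      needsDtls = needsDtls || line.includes(" UDP/TLS/");
      continue;
    }
    if (!line.toLowerCase().startsWith("a=fingerprint:")) continue;
    const [hash, digest = ""] = line.slice("a=fingerprint:".length).split(/\s+/);
    // Assumption: hash name and hex digits are compared case-insensitively.
    const size = DIGEST_BYTES.get(hash.toLowerCase());
    let problem = null;
    if (size === undefined) problem = "unknown hash function";
    else if (digest === "") problem = "empty digest";
    else if (!/^[0-9A-F]{2}(:[0-9A-F]{2})*$/i.test(digest)) problem = "malformed digest";
    else if (digest.split(":").length !== size) problem = "wrong digest length";
    if (problem) problems.push({ section, line, problem });
    else usable++;
  }
  if (needsDtls && usable === 0) {
    problems.push({ section: "session", line: "", problem: "DTLS media without a usable fingerprint" });
  }
  return problems;
}

// Constructed samples modelled on the 200 OK in the trace (192.0.2.10 is a documentation address).
const BROKEN_ANSWER = [
  "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=Asterisk", "c=IN IP4 192.0.2.10", "t=0 0",
  "m=audio 11472 UDP/TLS/RTP/SAVPF 0 8",
  "a=setup:active",
  "a=fingerprint:SHA-256",
  "a=mid:0",
].join("\r\n");
const GOOD_ANSWER = BROKEN_ANSWER.replace(
  "a=fingerprint:SHA-256", "a=fingerprint:SHA-256 " + Array(32).fill("AB").join(":"));

console.log(checkFingerprints(BROKEN_ANSWER).map((p) => `${p.section}: ${p.problem}`));
console.log(checkFingerprints(GOOD_ANSWER).length);
```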