I've been working with @Southparkfan to support central logging on cloud-vps. We can't rely on puppet certs for TLS there since different VMs use different puppetmasters, so I've started to set up acme-chief certs for TLS from the client to the rsyslog receiver.
That is currently blocked by upstream bug https://github.com/rsyslog/rsyslog/issues/2547 which means that rsyslog can't use our acme-chief certs.
A valid fix seems to be to replace use of gtls with ossl. We can either do that fleet-wide (production and cloud-vps) or restrict the change to cloud-vps if there's a reason to avoid the change in production.
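
What the gtls-to-ossl driver swap looks like on a forwarding client, as an added example that is not part of the original task or the Puppet-managed configuration. The receiver hostname, port and CA bundle path are placeholders.

```conf
# Added example: client-side rsyslog forwarding over TLS.
# Hostname, port and CA bundle path are placeholders, not values from this task.

# Before: GnuTLS network stream driver.
# global(
#     DefaultNetstreamDriver="gtls"
#     DefaultNetstreamDriverCAFile="/path/to/ca-bundle.pem"
# )

# After: OpenSSL network stream driver.
# The ossl driver is a separate rsyslog module and must be installed on the host.
global(
    DefaultNetstreamDriver="ossl"
    DefaultNetstreamDriverCAFile="/path/to/ca-bundle.pem"
)

# StreamDriverMode="1" forces TLS on the connection.
# StreamDriverAuthMode="x509/name" makes the client verify the receiver's
# certificate chain and check its name against StreamDriverPermittedPeers,
# so a valid certificate issued for some other host is rejected.
action(
    type="omfwd"
    target="syslog-receiver.example.org"
    port="6514"
    protocol="tcp"
    StreamDriver="ossl"
    StreamDriverMode="1"
    StreamDriverAuthMode="x509/name"
    StreamDriverPermittedPeers="syslog-receiver.example.org"
)
```

Running `rsyslogd -N1` after the change validates the configuration syntax without starting the daemon.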