It seems we have some expired certs around our domain, for example:
Not After
2/5/2021, 10:01:00 AM (Central European Standard Time)
Apparently in some scenarios seems like acme-chief ignores the SIGHUP signal for some obscure reason, thus not refreshing certificates.
This issue was solved by restarting acme-chief by hand + run-puppet-agent on the affected servers (openstack project-proxy VMs)