centrallog2002 was moved to puppet7 and thus new certificates, though end hosts now are failing to validate the new cert, for example:
Nov 14 09:33:26 mw2392 rsyslogd[48013]: not permitted to talk to peer, certificate invalid: signer not found [v8.1901.0] Nov 14 09:33:26 mw2392 rsyslogd[48013]: invalid cert info: peer provided 3 certificate(s). Certificate 1 info: certificate valid from Sun Nov 12 12:37:08 2023 to Sat Nov 11 12:37:08 2028; Certificate public key: RSA; DN: CN=centrallog2002.codfw.wmnet; Issuer DN: C=US,L=San Francisco,O=Wikimedia Foundation\, Inc,OU=SRE Foundations,CN=puppet_rsa; SAN:DNSname: centrallog2002.codfw.wmnet; [v8.1901.0]