This is a well-known issue (e.g. https://puppet.atlassian.net/browse/SERVER-2518) and currently the centrallog certs are affected (golang-side issue, with comments from @jbond too! https://github.com/golang/go/issues/31440)
Opening this task for tracking, if we can bandaid it in the meantime that'd be great I think. The proverbial nail in the coffin is T324623: Switch rsyslog from gtls to ossl though