Ok I solved it. Two issues: 1. the ca.crt file differed on various VMs, possibly due to bitrot
2. the -C option for syslogd to use the ca.crt as distributed to all VMs now (wasn't the case as I would append it's content to /etc/ssl/cert.pem and that was sufficient up till now) allows for normal logging over TLS once again. Thanks Stuart for the suggestion on that.
Not sure why it had to break on moving 7.4 but at least it's working again.
Cheers, Noth
