We use let's encrypt certs for the kafka clusters. These certs have a short expiry period, so we need to update them regularly.
The automatic updates happen (30 days before expiry) but the kafka service must be notified that the update happened. Apparently, it currently doesn't.