I understand your sentiment and I did read that you are not brand-new to the platform - still, the certificate validation is one of the things that actually usually works at Cloudflare.
Are you sure that it’s not your server that might be intermittently presenting an invalid certificate? The custom hostname should actually not really be at play in the context of custom hostnames, but it should rather be a mismatch between the certificate and the configured maindomain.com hostnames.
Also, the 521 would point towards a completely different issue of the server not being reachable at all.
Do you have the possibility to extend your logging to also log which certificate was presented when your server logs the SSL issue?
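One way to act on that suggestion, as an added example that is not part of this reply or of any Cloudflare tooling: a small Python script that opens a TLS connection to the origin with a given SNI name, logs which certificate was presented (issuer, names, expiry) and states whether the names on it cover that hostname. Point it at the origin address directly, not at the proxied hostname, so it is the origin's certificate that gets recorded. `SAMPLE_CERT` is a constructed dict in the shape `ssl.SSLSocket.getpeercert()` returns; `maindomain.com` is the placeholder from the thread, and the origin address passed to `log_origin_cert` is an assumption you supply.

```python
import logging
import socket
import ssl

log = logging.getLogger("origin-cert-check")

# Constructed sample in getpeercert() shape, for the offline part of the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "maindomain.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "maindomain.com"), ("DNS", "*.maindomain.com")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def cert_names(cert):
    """DNS names the certificate claims: SAN entries first, then the subject CN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a wildcard in the leftmost label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]  # e.g. ".maindomain.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # "*.maindomain.com" covers "www.maindomain.com" but not "a.b.maindomain.com"
    # and not the bare "maindomain.com".
    return bool(leftmost) and "." not in leftmost


def cert_covers(cert, hostname):
    """True if any name on the certificate covers the requested hostname."""
    return any(name_matches(name, hostname) for name in cert_names(cert))


def describe_presented_cert(cert, hostname):
    """One log line per handshake: issuer, names, expiry, and an ok/mismatch verdict."""
    issuer = ", ".join(value for rdn in cert.get("issuer", ()) for (_, value) in rdn)
    verdict = "ok" if cert_covers(cert, hostname) else "mismatch"
    return (
        f"sni={hostname} verdict={verdict} issuer={issuer!r} "
        f"names={cert_names(cert)} notAfter={cert.get('notAfter')}"
    )


def log_origin_cert(origin_addr, sni_hostname, port=443, timeout=5.0):
    """Connect to the origin with the given SNI and log what it presented.

    Chain validation stays on (an untrusted certificate is reported as a failed
    handshake); only the hostname check is disabled so that a name mismatch is
    logged as such rather than hidden behind a generic error.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((origin_addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni_hostname) as tls:
                line = describe_presented_cert(tls.getpeercert(), sni_hostname)
    except ssl.SSLError as exc:
        line = f"sni={sni_hostname} handshake failed: {exc}"
    except OSError as exc:
        # Not reachable at all: the kind of condition behind a 521, not a cert problem.
        line = f"sni={sni_hostname} origin unreachable: {exc}"
    log.info(line)
    return line


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(describe_presented_cert(SAMPLE_CERT, "www.maindomain.com"))
    print(describe_presented_cert(SAMPLE_CERT, "customer-site.example"))
    # Live use, origin address and hostname are assumptions you fill in:
    # log_origin_cert("203.0.113.10", "www.maindomain.com")
```

Run it from a host that can reach the origin directly and append the returned line to the same log that records the SSL error; a `verdict=mismatch` entry alongside the error shows the origin served a certificate for the wrong names, while a `handshake failed` or `origin unreachable` entry points at a different problem.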