I recall that there is a short period of time between when the zone is added to the account before a “real” certificate is issued. It is possible that you encountered the error as your Universal SSL certificate was not yet active.
As Sandro has said, if your client does not support SANs you are in trouble. The Common Name (CN) is no longer required, according to the Baseline Requirements it is:
Deprecated (Discouraged, but not prohibited)
Certificates for your zone where issued on 17th June at approx 21:36:30 UTC (according to crt.sh). Does that match the time you saw the error, which is just before you started this thread?
I see on the CRT logs that you had certificates for *.api.legion.work. The Cloudflare issued free certificates only cover one level of your domain, so legion.work or api.legion.work would be fine, example.api.legion.work would cause an error if , so make sure you are not using such subdomains through Cloudflare without a Dedicated Certificate.
Right now the certificates being hosted on Cloudflare for your domain look OK to me:
michael$ openssl s_client -connect cloudflare.net:443 -servername enterprise.legion.work | openssl x509 -noout -text | grep DNS: DNS:ssl953255.cloudflaressl.com, DNS:*.legion.work, DNS:legion.work