I have attached a few screenshots showing my configuration.
For the mail services etc. the “R3” certificate is used, so LetsEncrypt.
The error still occurs though, I’m just wondering how this can happen so abruptly as there was no problem at all yesterday and definitely none of the certificates have expired, no configurations have changed in Cloudflare or on the mail server either.
I would understand the current behavior if any configuration or similar had changed, but that the Cloudflare Cert is simply classified as untrusted from one day to the next, I find strange, especially since on our part definitely no changes were made to the configuration, neither on the server nor in Cloudflare.
The ACME HTTP-01 challenge works by providing a file that you need to make available under http://example.com/.well-known/acme-challenge/<filename>.
LetsEncrypt will then try to download the file. If they find it, that serves as proof that you control that particular (sub)domain and they will issue you a certificate for it.
Cloudflare interferes in that process in many different ways, and you have to basically disable all Cloudflare features for that path. You can do this with a Configuration Rule. I haven’t tried it personally as I use the DNS challenge (certbot with certbot-dns-cloudflare plugin), but that only really works if you have root access to the system or they provide an API to update the certificate.
The Configuration Rule should probably look like this:
Custom filter expression
URI Path starts with /.well-known/acme-challenge/
Then settings are…
Automatic HTTPS Rewrites off
Browser Integrity Check off
Security Level Essentially Off
If you use Caching, you also need to make sure that this path is excluded.
That should probably be enough, though I could give it a try tomorrow. But you should then be able to use the built-in LetsEncrypt auto-renewal of your panel.
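An added worked example of the HTTP-01 mechanics described in the answer above (this is not code from either poster, nor from Cloudflare or Let's Encrypt). It computes the key authorization the CA expects to find under /.well-known/acme-challenge/<token>, which per RFC 8555 is the token followed by the account key's RFC 7638 JWK thumbprint, and then runs a simplified validator against a constructed origin: once directly, and once through a toy proxy that mimics two of the interferences the answer warns about (a stale cached body, and a 403 interstitial page served instead of the file) with and without a pass-through rule for the challenge path. The JWK values, the token, the proxy behaviour, the `demo` runner and the `validate_http01` checker are all constructed assumptions; a real CA additionally follows redirects and validates from several vantage points, which this toy omits.

```python
import base64
import hashlib
import json
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed account key for illustration only (not a real key); just the JWK shape matters here.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "c29tZS1jb25zdHJ1Y3RlZC14",
    "y": "c29tZS1jb25zdHJ1Y3RlZC15",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects at the challenge URL."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_path(token: str) -> str:
    return CHALLENGE_PREFIX + token


def validate_http01(fetch, domain: str, token: str, jwk: dict):
    """Simplified CA-side check (assumption): one GET over plain HTTP, expects 200 and the exact
    key authorization. A real CA also follows redirects and checks from several vantage points."""
    status, _headers, body = fetch(f"http://{domain}{challenge_path(token)}")
    if status != 200:
        return False, f"expected HTTP 200, got {status}"
    if body.strip() != key_authorization(token, jwk):
        return False, "body is not the expected key authorization"
    return True, "ok"


def origin_fetch_factory(files: dict):
    """Constructed origin: serves exactly the files placed in the challenge directory."""
    def fetch(url):
        path = urlsplit(url).path
        if path in files:
            return 200, {"content-type": "text/plain"}, files[path]
        return 404, {}, "Not Found"
    return fetch


def proxy_fetch_factory(origin_fetch, bypass_rule: bool, cache: dict):
    """Toy stand-in for a proxy in front of the origin (constructed behaviour, not Cloudflare's).
    With bypass_rule=True the challenge path is passed straight through, the effect the answer's
    Configuration Rule aims for. Without it, the toy returns a cached body if one exists and
    otherwise a 403 interstitial page to a client it does not recognise as a browser."""
    def fetch(url):
        path = urlsplit(url).path
        if bypass_rule and path.startswith(CHALLENGE_PREFIX):
            return origin_fetch(url)
        if path in cache:
            return 200, {"x-cache": "HIT"}, cache[path]
        return 403, {"content-type": "text/html"}, "<html>Checking your browser before accessing...</html>"
    return fetch


def demo(domain: str = "example.com", token: str = "constructed-token-abc123") -> dict:
    """Runs the validator in four setups and returns {setup_name: (ok, reason)}."""
    path = challenge_path(token)
    origin = origin_fetch_factory({path: key_authorization(token, ACCOUNT_JWK)})
    # A cache entry left over from a previous renewal under the same path (constructed).
    stale_cache = {path: key_authorization("old-token-from-last-renewal", ACCOUNT_JWK)}
    return {
        "direct": validate_http01(origin, domain, token, ACCOUNT_JWK),
        "proxy_no_rule": validate_http01(proxy_fetch_factory(origin, False, {}), domain, token, ACCOUNT_JWK),
        "proxy_stale_cache": validate_http01(proxy_fetch_factory(origin, False, stale_cache), domain, token, ACCOUNT_JWK),
        "proxy_with_rule": validate_http01(proxy_fetch_factory(origin, True, stale_cache), domain, token, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    for setup, (ok, reason) in demo().items():
        print(f"{setup:20s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The two failing setups are the practical reason for the rule in the answer: a 403 page or a cached body under the challenge path means the CA never sees the file the client just wrote, so excluding /.well-known/acme-challenge/ from caching and security features is what lets the origin's answer reach the CA unchanged.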