What is the URL you are checking? The TLS certificate should be installed either at your host or in Cloudflare (but it shouldn’t be an issue in this case).
I wonder if there’s something wrong with the hostname that’s set in the Health Check. Can you post a screenshot of the Health Check? It’s ok to black out the IP address.
Before we switched to Cloudflare, the site used auth.westerncentralny.aaa.com and the SSL certificate in the server is a wildcard for *.westerncentralny.aaa.com.
When we switched to Cloudflare, we couldn’t use a subdomain of aaa.com, so we created a new domain at westerncentralnyaaa.com (no dot before the aaa.com). However some of the site is still using westerncentralny.aaa.com so we couldn’t change the server certificate.
So is that the problem? What I call the SSL certificate (which I guess is technically TLS) is different from the URL.
I presume you are going directly to the origin with the check, with the new “on Cloudflare” hostname, but still using the old cert? Yep, that would be the problem. They both should be on the same cert or use two certs.
You can use a third-level subdomain on Cloudflare with a $10/month paid cert on Cloudflare itself; if the issue is the NS that need to be the root ones, then there is no solution apart from going the CNAME route (Business $200/month plan, not really doable with a wildcard unfortunately).
Ok. That explains why your Health Check has that mismatch, and agrees with the setup you describe. Your server’s certificate doesn’t have the same name as your domain. Full (not strict) will use that certificate, but not care if it’s valid. Full (Strict) needs a valid certificate to work.
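The mismatch discussed in this thread comes down to how a certificate name is matched against a hostname. The following is an added example, not code from the thread or from Cloudflare: it implements the usual wildcard rule (a `*` only as the leftmost label, matching exactly one label) and applies it to a constructed SAN list modelled on the wildcard certificate described above. The `health_check_accepts` helper encodes the Full versus Full (Strict) behaviour as stated in the last reply; its mode names are an assumption for illustration, and it ignores chain and expiry checks that a real validator also performs.

```python
# Added example: hostname matching against certificate names, modelled on the
# wildcard certificate and renamed domain described in the thread above.
# Not code from the thread or from Cloudflare.


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly a wildcard) covers hostname.

    Rule (as in RFC 6125 and common TLS libraries): comparison is
    case-insensitive; a wildcard is only honoured as the entire leftmost
    label and matches exactly one label, never zero and never several.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False  # wildcards elsewhere (e.g. "a*.example.com") are not honoured
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*.westerncentralny.aaa.com" has 4 labels, so it only matches 4-label names.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names: list[str], hostname: str) -> bool:
    """True if any Subject Alternative Name on the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in san_names)


def health_check_accepts(mode: str, san_names: list[str], hostname: str) -> bool:
    """Model of the behaviour described in the thread (mode names are assumed):

    - "full":        TLS is used but the certificate's name is not checked.
    - "full_strict": the certificate must be valid for the hostname.
    Chain, expiry and revocation checks are deliberately left out here.
    """
    if mode == "full":
        return True
    if mode == "full_strict":
        return cert_covers(san_names, hostname)
    raise ValueError(f"unknown mode: {mode}")


# Constructed SAN list: a wildcard certificate for the old domain, as the
# thread describes (wildcard certs commonly also list the bare name).
ORIGIN_SANS = ["westerncentralny.aaa.com", "*.westerncentralny.aaa.com"]

if __name__ == "__main__":
    for host in ["auth.westerncentralny.aaa.com",
                 "westerncentralnyaaa.com",
                 "auth.westerncentralnyaaa.com"]:
        print(f"{host:35} covered={cert_covers(ORIGIN_SANS, host)} "
              f"full={health_check_accepts('full', ORIGIN_SANS, host)} "
              f"strict={health_check_accepts('full_strict', ORIGIN_SANS, host)}")
```

Running it shows the old hostname is covered by the wildcard while both forms of the new domain are not, so a Full (Strict) check against the origin fails until the certificate also lists the new name.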