I raised this as a support ticket and was directed to post it in the community forum. Hopefully this is the correct place.
From RFC 3986:
The rightmost domain label of a fully qualified domain name in DNS may be followed by a single “.” and should be if it is necessary to distinguish between the complete domain name and some local domain.
This is present on all the Cloudflare-hosted sites I’ve tried, including https://cloudflare.com./
The main thing I noticed from the wrong certificate is that it does not list any ciphers.
This openssl command contains more information about the wrong certificate being served:
    openssl s_client -servername jakechampion.name. -connect jakechampion.name.:443 -tlsextdebug
    CONNECTED(00000005)
    4516851308:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:1200:SSL alert number 40
    4516851308:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/ssl/ssl_pkt.c:585:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Start Time: 1621423898
        Timeout : 7200 (sec)
        Verify return code: 0 (ok)
    ---
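One way to triage a transcript like the one above, as an added example that is not part of the original post: it pulls the alert, certificate and cipher facts out of `openssl s_client` output, and derives the SNI name without the trailing dot, as RFC 6066 section 3 specifies. The function names and the abridged sample transcript are constructions for this example.

```python
import re
import sys

# Constructed sample: key lines abridged from the s_client transcript in the post
# (the long LibreSSL source path is shortened to its file name).
SAMPLE = """\
CONNECTED(00000005)
4516851308:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:ssl_pkt.c:1200:SSL alert number 40
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
"""

# TLS alert descriptions commonly seen when a server rejects a ClientHello.
ALERTS = {40: "handshake_failure", 70: "protocol_version",
          80: "internal_error", 112: "unrecognized_name"}

def sni_name(host):
    """Name for the SNI extension: RFC 6066 section 3 specifies no trailing dot."""
    return host[:-1] if host.endswith(".") else host

def summarize(transcript):
    """Reduce an `openssl s_client` transcript to the facts needed for triage."""
    alert = re.search(r"SSL alert number (\d+)", transcript)
    read = re.search(r"has read (\d+) bytes", transcript)
    cipher = re.search(r"Cipher is (\S+)", transcript)
    code = int(alert.group(1)) if alert else None
    nbytes = int(read.group(1)) if read else None
    return {
        "alert": (code, ALERTS.get(code, "other")) if alert else None,
        "no_peer_certificate": "no peer certificate available" in transcript,
        "cipher": None if not cipher or cipher.group(1) == "(NONE)" else cipher.group(1),
        "bytes_read": nbytes,
        # 5-byte record header + 2-byte alert body: the server sent only an alert.
        "alert_only": alert is not None and nbytes == 7,
    }

if __name__ == "__main__":
    # Pass a saved transcript as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(summarize(text))
    print("SNI for jakechampion.name.:", sni_name("jakechampion.name."))
```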