Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
FYI, just contact Cloudflare technical support and request that they reissue your CF edge certificate using Digicert instead of Letsencrypt. CF has stated that is an acceptable request besides the other option which is paid - upgrading to Cloudflare ACM - Advanced Certificate Management product at $10/month where you can reissue your own custom CF edge certificates and choose your CA provider Digicert or Letsencrypt.
I see. If he is using Cloudflare FULL Strict SSL, then there's a validation of origin server side SSL certificate at play. You can try switching from CF Full Strict SSL to CF Full non-strict SSL mode and see if that works. If the origin server is using Letsencrypt SSL with the longer default Letsencrypt chain or if Letsencrypt SSL cert has expired, then you can possibly get a CF 526 error. See: Community Tip - Fixing Error 526: Invalid SSL certificates - Tutorials - Cloudflare Community
@willemo you can also use curl to bypass and check your origin SSL certificate/HTTPS config to see if it's returning a valid SSL certificate.
So in SSH on the command line, populate the domain variable with your domain name and the IP variable, replacing your_origin_real_ip_address with your origin server's real IP address, and then run the curl command and only post the output you get from that curl command.
Note, you won't be able to run this curl resolve command if you have Cloudflare Authenticated Origin Pull certificates configured on your origin server, as that would only allow CF Edge server requests to your origin via a client TLS certificate verification. Nor would the curl command work if you are using CF Argo Tunnel and have configured a cloudflared daemon tunnel to secure your origin server from direct real IP origin access.
Also if you're using Cloudflare, you can use Cloudflare DNS API with a supporting ACME client like acme.sh to use DNS API domain validation instead of web root validation.
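The direct-to-origin check described in the post above, as an added example that is not the poster's original command: `curl --resolve` pins the hostname to the origin IP, so the request skips Cloudflare while still sending the correct SNI and Host header. The function names and result labels are this example's own, and `example.com` / `203.0.113.10` in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example. Usage: sh check_origin.sh example.com 203.0.113.10
# (placeholder domain and origin IP; substitute your own).

# Map a curl exit code to what it says about the origin's TLS setup.
classify_curl_exit() {
  case "$1" in
    0)     echo "valid" ;;                 # chain, hostname and dates verified
    51|60) echo "cert-invalid" ;;          # expired, untrusted chain or name mismatch
    35)    echo "tls-handshake-failed" ;;  # handshake aborted by either side
    7)     echo "connect-failed" ;;        # port closed or firewalled to direct access
    28)    echo "timeout" ;;
    *)     echo "other" ;;
  esac
}

# Request https://<domain>/ straight from the origin IP and report the result.
# Caveat: curl validates against the local public CA bundle. An origin using a
# Cloudflare Origin CA certificate shows "cert-invalid" here even though
# Full (strict) accepts that certificate.
check_origin_cert() {
  domain="$1"
  ip="$2"
  rc=0
  curl -sS -o /dev/null --max-time 10 \
       --resolve "${domain}:443:${ip}" \
       "https://${domain}/" || rc=$?
  echo "$(classify_curl_exit "$rc") (curl exit ${rc})"
  return "$rc"
}

# Run only when a domain and an origin IP are supplied.
if [ "$#" -eq 2 ]; then
  check_origin_cert "$1" "$2"
fi
```

A `cert-invalid` result with a publicly issued origin certificate matches the condition that produces Cloudflare's error 526 under Full (strict); add `-v` to the curl call to see the certificate's subject and expiry date.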
I would suggest trying some of the tips from @eva2000... it seems like your origin server (the one that you run, that is behind Cloudflare) has an expired certificate and you have the "full strict" option turned on, which is enforcing validation of it. If you, for example, turn that option off temporarily, it should be possible to renew your certificate on your origin server—or at least get a different and more useful error message!