For some reason, EFF's Certbot was installed/active again (probably not removed correctly and then restored during a package upgrade process), so the Cloudflare certificates were replaced by Let's Encrypt ones. Those certificates expired after a short period and were not renewed automatically, so Cloudflare rejected the connection to the origin server.
Certbot now has been uninstalled completely and the correct certificate configuration was restored.