I don't really understand this - wouldn't you need a redirect command to make this work correctly? As stated - the browser thinks it's going to careers.domain.com, but that's being redirected via CNAME to joes.website.com, and joe's has a TLS cert.
Wouldn't the correct way be to have a server accept the request for careers.domain.com and execute a redirect to a new URL (joes.website.com) and now the browser will know it's going to joe's site and accept the cert?
Any good proxy will do this. Cloudflare is one of the best.
Create a CNAME entry for careers.domain.com pointing somewhere.
Make sure the orange cloud is on. This makes the actual destination not matter because the IP will return as Cloudflare.
But you want it to be something intelligent in case of problems as the OP found out.
Create a redirect rule in Cloudflare.
This is no different than the redirect 301 that you would use on your nginx proxy or other system.
Well - there's your website I mentioned - the proxy. It's doing the redirect. OK - fine, it's not really a website (at least not likely), but you get the point - and I'm learning... so thanks.
But my general thinking was along the same lines as your setup.
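
The two setups discussed in this thread, modelled as an added example that is not part of any poster's message: a browser checks the certificate against the hostname in the URL, not against the CNAME target, so a bare CNAME fails while a proxy that holds a certificate for careers.domain.com can deliver the 301. The proxy name `proxy.example.net` and the certificate name lists are constructed assumptions.

```python
# Constructed data: which names each server's certificate covers.
# "proxy.example.net" is a hypothetical proxy hostname.
CERTS = {
    "joes.website.com": ["joes.website.com"],
    "proxy.example.net": ["careers.domain.com"],
}

def san_matches(pattern, host):
    """Match a certificate name to a host; '*' may only be the left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def resolve(host, cnames):
    """Follow CNAME records to the server that actually answers."""
    seen = set()
    while host in cnames and host not in seen:
        seen.add(host)
        host = cnames[host]
    return host

def fetch(host, cnames, redirects, certs=CERTS):
    """Return the (url_host, cert_ok) hops a browser would make."""
    hops = []
    while host is not None and len(hops) < 5:
        server = resolve(host, cnames)
        # The name checked is the URL host, whatever DNS resolved it to.
        ok = any(san_matches(s, host) for s in certs.get(server, []))
        hops.append((host, ok))
        # A 301 is only seen if the TLS handshake for this host succeeded.
        host = redirects.get(host) if ok else None
    return hops

# Setup 1: bare CNAME straight to joe's server, no redirect anywhere.
CNAME_ONLY = fetch("careers.domain.com",
                   {"careers.domain.com": "joes.website.com"}, {})
# Setup 2: CNAME to a proxy that answers for careers.domain.com and sends a 301.
VIA_PROXY = fetch("careers.domain.com",
                  {"careers.domain.com": "proxy.example.net"},
                  {"careers.domain.com": "joes.website.com"})

if __name__ == "__main__":
    print("CNAME only:", CNAME_ONLY)
    print("Via proxy :", VIA_PROXY)
```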