Currently, the connection from an Internet client and your domain is encrypted.
But that is not end-to-end encryption - it is only client to CDN encryption.
The last half of that end-to-end connection is from the CDN to your actual server.
To encrypt that, you can either:
use a CDN provided cert [that is usually only trusted by the CDN provider]
use a globally trusted cert (like: LE)
In your specific CDN case, for everything CF, please visit their support site
[they are a for profit business and this forum is unrelated and free help]
For everything LE, you've come to the right place.
Getting an LE cert "through" a CDN requires some specific setting in the CDN and some understanding of how they handle HTTP.
In the case of CF, it means checking (or unchecking - I don't use CF) the "STRICT" https setting.
And understanding that any expected HTTP requests will never reach your server (as they would all likely be redirected to HTTPS by the CDN).
That said, if you are also using "shared hosting" and/or any type of control panel...
Well, then you are adding even more intricacies into the final equation.
That's because I haven't configured WP, as soon as I do, I expect to see an html page on the www.
I will also change the public address of blog.theapothecary for a private one, so that www is the only one the public can access.