Looks like this is a special limitation of using AutoSSL in WHM:
https://forums.cpanel.net/threads/autossl-errors-not-renewing-certificate.630015/
AutoSSL will not work with a forced redirection to https at CloudFlare. The DCV check needs to be able to complete over http.
from November 2017.
Let's Encrypt accepts such redirects, so it's not a Let's Encrypt limitation.