It is helpful to understand that Cloudflare is a reverse proxy service.
When you have a certificate on your origin (the Let’s Encrypt certificate), and also use Cloudflare, there are two separate SSL connections involved:
- Between the Origin and Cloudflare (the Let’s Encrypt certificate is used).
- Between Cloudflare and the visitor (Cloudflare’s SSL certificate is used).
Cloudflare is essentially decrypting, inspecting/modifying, and then re-encrypting the traffic between the visitor and your server. In order to do this, it has to use a different certificate from the one on your Origin, since it does not have access to that certificate's private key.
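One way to see the two legs for yourself is to fetch the leaf certificate from each end and compare who issued it. The script below is an added example, not Cloudflare's own tooling; the hostname `example.com`, the origin address `203.0.113.10`, and the embedded sample certificate dict are placeholders/constructed values you replace with your own.

```python
"""Inspect the two TLS legs of a Cloudflare-fronted site: the edge
certificate visitors see, and the origin certificate Cloudflare sees.
Added example; hostname and origin IP are placeholders."""
import socket
import ssl
import time


def fetch_leaf(hostname: str, connect_to: str, port: int = 443) -> dict:
    """Open a TLS connection to `connect_to` (the edge, or the origin IP
    directly), send `hostname` as SNI, and return the leaf certificate
    in the dict form produced by ssl.SSLSocket.getpeercert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_to, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def describe(cert: dict) -> dict:
    """Reduce a getpeercert() dict to the fields that tell the two legs
    apart: issuing organisation, DNS names covered, and validity."""
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": issuer.get("organizationName", "?"),
        "names": names,
        "expired": not_after < time.time(),
    }


# Constructed sample shaped like getpeercert() output for an origin
# certificate; not a real certificate.
SAMPLE_ORIGIN_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notAfter": "Dec 31 23:59:59 2099 GMT",
}


if __name__ == "__main__":
    host, origin_ip = "example.com", "203.0.113.10"  # placeholders
    # Leg 2: visitor -> Cloudflare edge (resolve the public hostname).
    print("edge  :", describe(fetch_leaf(host, host)))
    # Leg 1: Cloudflare -> origin (connect straight to the origin IP).
    print("origin:", describe(fetch_leaf(host, origin_ip)))
```

If the origin leg reports `expired: True` while the edge leg looks fine, visitors still see a valid Cloudflare certificate, but an origin with an expired certificate will fail under Cloudflare's strict origin validation.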