Certbot renewal dry run error

The tls-sni-01 challenge that the apache plugin uses is not compatible with reverse proxy services such as CloudFlare.

You can find instructions for CloudFlare in this topic. Note that this uses the webroot plugin, which does not provide automatic installation for apache (i.e. it won’t change your apache config). It’s possible to combine the webroot and apache plugin like this:

./certbot-auto --authenticator webroot --installer apache -w /var/www/html --expand -d example.com -d www.example.com

Note that you’ll need to explicitly provide the domains as arguments, and change the value of the -w argument to your DocumentRoot if it’s not /var/www/html. The --expand flag should cause the client to replace the existing certificate and renewal config files rather than create a new lineage (a subdirectory in /etc/letsencrypt/live).

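A way to confirm that the renewal settings took effect before running a renewal dry run: the script below checks that a renewal config names webroot as the authenticator and maps each domain to a webroot directory. It is an added example, not part of the original post or of certbot. It assumes the renewal file layout certbot writes (a `[renewalparams]` section with `authenticator` and `installer` keys and a `[[webroot_map]]` subsection) and the location `/etc/letsencrypt/renewal/example.com.conf`; the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit a certbot renewal config. Sample data is constructed.

# Print KEY's value from the top level of [renewalparams] in FILE.
renewal_param() {
    awk -v key="$2" '
        /^\[\[/ { sec = "sub"; next }
        /^\[/   { sec = $1; next }
        sec == "[renewalparams]" && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# Print the webroot directory mapped to DOMAIN in [[webroot_map]].
webroot_for() {
    awk -v dom="$2" '
        /^\[\[webroot_map\]\]/ { in_map = 1; next }
        /^\[/                  { in_map = 0 }
        in_map && $1 == dom && $2 == "=" { print $3; exit }
    ' "$1"
}

# Succeed only if FILE renews via webroot and each DOMAIN has a mapping.
check_renewal_conf() {
    conf=$1; shift
    auth=$(renewal_param "$conf" authenticator)
    if [ "$auth" != "webroot" ]; then
        echo "FAIL: authenticator is '${auth:-unset}', expected webroot"
        return 1
    fi
    for d in "$@"; do
        path=$(webroot_for "$conf" "$d")
        [ -n "$path" ] || { echo "FAIL: no webroot_map entry for $d"; return 1; }
        echo "ok: $d -> $path"
    done
}

# Constructed sample standing in for /etc/letsencrypt/renewal/example.com.conf
make_sample_conf() {
    cat > "$1" <<'EOF'
cert = /etc/letsencrypt/live/example.com/cert.pem
[renewalparams]
authenticator = webroot
installer = apache
[[webroot_map]]
example.com = /var/www/html
www.example.com = /var/www/html
EOF
}

sample=$(mktemp)
make_sample_conf "$sample"
check_renewal_conf "$sample" example.com www.example.com
```

On a real host, point `check_renewal_conf` at the lineage's own renewal file and pass the same domains given with `-d`.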