Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
Hi @markcarey and welcome to the LE community forum.
Ubuntu 14 is extremely outdated and seems to be suffering from a lack of trust store updates.
This is a known problem and I believe some solutions have been found for it.
You can find help on how to add the new (since 2015) LE root "ISRG Root X1" and also the workaround solution for OpenSSL throughout this site, and also somewhat summarized here: Production Chain Changes - #4 by jillian
If it hasn't been mentioned, nor occurred to you yet, you really should NOT be using such an outdated system connected to the Internet. Please upgrade it ASAP.
Moving just the DNS to Cloudflare does not change where SSL is terminated. Did you mean to say set up a CDN in Cloudflare? That would handle SSL to client and offers options between the CDN edge and your Ubuntu origin server.