Certificate is only for local domain (.home)

Yes, so I was focused on understanding what went wrong with Certbot and I somehow forgot to mention the far more important point that if you're using Cloudflare, a Let's Encrypt certificate is likely to be virtually worthless to you because they provide TLS termination for you, including getting a certificate for you. Instead, you can use a Cloudflare-issued origin certificate.

(That solution doesn't work if you need to be able to access the origin server directly from a normal web browser.)