I just spent the last 2 hours trying to get Let’s Encrypt to work behind Cloudflare.
The easy and kind of obvious answer (once you actually find it) is: you have to activate Authenticated Origin Pull:
After activating this, everything worked as expected with
certbot renew --dry-run.
The command I used to get the certs was:
certbot certonly --rsa-key-size 4096 --webroot --webroot-path /var/www/example.com --renew-by-default --email firstname.lastname@example.org --text --agree-tos -d example.com
Hope this gets into some documentation or something, it’s so simple, yet kinda hard to find if you’re fumbling in the dark.
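For readers who want to see what the setup described above looks like on the origin side, here is an added nginx configuration (not from the original post) that serves certbot’s --webroot challenges from the same directory used in the command above and enforces Cloudflare Authenticated Origin Pulls. The CA path /etc/ssl/cloudflare/origin-pull-ca.pem is an assumed location for Cloudflare’s origin-pull CA certificate; the certificate paths are certbot’s default live/ directory for example.com.

```nginx
# Added example: nginx origin behind Cloudflare with Authenticated Origin Pulls.
# Assumed: /etc/ssl/cloudflare/origin-pull-ca.pem holds Cloudflare's origin-pull
# CA certificate; /etc/letsencrypt/live/example.com/ is certbot's default output.

server {
    listen 80;
    server_name example.com;

    # ACME HTTP-01 challenges must be served from the directory given to
    # certbot via --webroot-path, otherwise renewals fail validation.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/example.com;
        default_type "text/plain";
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Authenticated Origin Pulls: Cloudflare presents a client certificate on
    # every proxied request. Requiring it means the origin only answers
    # requests that actually came through Cloudflare (assumed CA path).
    ssl_client_certificate /etc/ssl/cloudflare/origin-pull-ca.pem;
    ssl_verify_client on;

    # Challenge files are served here too, in case Cloudflare forwards the
    # validation request over HTTPS (e.g. with "Always Use HTTPS" enabled).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/example.com;
        default_type "text/plain";
    }

    location / {
        root /var/www/example.com;
    }
}
```

Check the file with `nginx -t`, reload nginx, and then confirm the setup with `certbot renew --dry-run` as in the post.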