Cloudflare encrypts the data between them & the browser. They offer several options with encrypting the traffic between your server and their edge service:
You can run a self-signed, you can use their Origin Cert, or you can use your own Certificate, like Let’s Encrypt.
I personally use LE Certificates on my server anyway while Cloudflare provides their own Certs for the traffic to their service. Mainly because I like having control over the security of the data transfer from my server to Cloudflare.
Now I could turn their SSL off and bypass to go straight to my server for the HTTPS redirect, but I am also using their caching service, which saves me bandwidth.