Google nags me about the certificate being self-signed?


@jtoelle, see above - a check with non-SNI capable agent may result in receiving a wrong certificate from the default host. However, considering that your domain is sitting behind Cloudflare with Comodo certificates, how exactly that is related to Let’s Encrypt? You should probably try, where such problems have been already discussed many times.