--http-port-01 option not working

I think this thread is OK, even though it’s a slightly different question.

For the domains that go over Cloudflare, does it answer on port 80? If so, you can probably get certificates with the --webroot method, specifying the top of your web content directory with -w.

Cloudflare provides a free cert from a different CA for the client-to-CDN part of the connection. If you do get a Let’s Encrypt cert for a domain name that’s behind Cloudflare, you can only use it for the CDN-to-origin part of the connection. Cloudflare also provides a separate option to get a non-publicly-trusted origin certificate, issued by them, which can be used for that part of the connection, which provides equivalent security.
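A preflight check for the `--webroot` suggestion above, as an added example that is not part of the original post: it drops a throwaway file where the webroot method places its challenge files (`.well-known/acme-challenge/` under the `-w` directory) and fetches it back over plain HTTP, confirming that `-w` points at the directory the domain actually serves on port 80. The function names and the local stand-in server are assumptions for illustration.

```python
import secrets
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler
from pathlib import Path

# Directory, relative to the -w path, where the webroot method writes challenge files.
CHALLENGE_DIR = ".well-known/acme-challenge"

def webroot_preflight(webroot, base_url, timeout=5.0):
    """Return True only if a file written under `webroot` is served back at `base_url`."""
    challenge_dir = Path(webroot) / CHALLENGE_DIR
    challenge_dir.mkdir(parents=True, exist_ok=True)
    # Random name and body so a cached or catch-all response cannot pass by accident.
    name = "preflight-" + secrets.token_urlsafe(16)
    body = secrets.token_urlsafe(32).encode()
    probe = challenge_dir / name
    probe.write_bytes(body)
    try:
        url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
        # urlopen follows redirects, so an HTTP-to-HTTPS redirect is followed too.
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().strip() == body
    except OSError:  # covers URLError/HTTPError: refused, timed out, 404, ...
        return False
    finally:
        probe.unlink(missing_ok=True)  # never leave the probe file in the web root

def serve_directory(directory):
    """Constructed stand-in for the real site: serve `directory` on a free local port."""
    handler = partial(SimpleHTTPRequestHandler, directory=str(directory))
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"

if __name__ == "__main__":
    # Constructed demo: one directory is really served, the other is a wrong -w guess.
    with tempfile.TemporaryDirectory() as right, tempfile.TemporaryDirectory() as wrong:
        server, url = serve_directory(right)
        print("correct -w:", webroot_preflight(right, url))
        print("wrong -w:  ", webroot_preflight(wrong, url))
        server.shutdown()
```

Against a real site, pass the web content directory and `http://` plus the domain name as `base_url`, so the request takes the same port-80 path through the CDN that validation would.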