Problem adding SSL to subdomain

TLS-SNI-01 validation can't be used through Cloudflare's reverse proxy. (TLS-SNI-01 is also deprecated for other reasons.)

You can add "--preferred-challenges http-01" to use HTTP-01 validation.

However, stretch has an older version of Certbot (0.10.2), and that will probably fail.

However however, stretch-backports has a quite recent version of Certbot. You should probably enable it and upgrade Certbot.

Additionally, stretch-backports includes Certbot's Cloudflare DNS plugin in the python3-certbot-dns-cloudflare package, if you want to try it.

Edit:

Additionally additionally, for Cloudflare proxied domains, you might want to skip Certbot and Let's Encrypt and use Cloudflare's Origin CA. (It issues certificates that are trusted by Cloudflare's CDN servers but not by browsers.)

https://support.cloudflare.com/hc/en-us/articles/115000479507-Creating-and-managing-certificates-with-Origin-CA

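The procedure above (enable stretch-backports, upgrade Certbot, then validate with HTTP-01 or with the dns-cloudflare plugin) as an added shell example; this is not code from the original post or from the Certbot project. It assumes a root shell on Debian stretch, placeholder values for the domain (sub.example.com), the webroot (/var/www/html) and the credentials path (/etc/letsencrypt/cloudflare.ini), and a credentials file in the email plus Global API key form; API-token support in the plugin arrived in later releases, so check which form your installed version accepts. The `--dns-cloudflare`, `--dns-cloudflare-credentials` and `--dns-cloudflare-propagation-seconds` flags are the plugin's own; `RUN_SETUP` and `USE_DNS` are this script's own switches.

```shell
#!/bin/sh
# Added example (not from the original post): upgrade Certbot from
# stretch-backports and validate a Cloudflare-proxied subdomain either
# with HTTP-01 or with the dns-cloudflare plugin. Domain, webroot and
# credential values below are assumed placeholders.
set -eu

DOMAIN="sub.example.com"                   # assumed placeholder
WEBROOT="/var/www/html"                    # assumed placeholder
CREDS="/etc/letsencrypt/cloudflare.ini"    # assumed placeholder path

# Enable stretch-backports and pull Certbot and the DNS plugin from it.
enable_backports_and_upgrade() {
    echo 'deb http://deb.debian.org/debian stretch-backports main' \
        > /etc/apt/sources.list.d/stretch-backports.list
    apt-get update
    apt-get install -y -t stretch-backports certbot python3-certbot-dns-cloudflare
}

# HTTP-01 through Cloudflare's proxy: the challenge file is served from the
# webroot and the proxy forwards /.well-known/acme-challenge/ to the origin.
# Returns the command line as a string so it can be inspected before running.
certbot_http01_cmd() {
    printf 'certbot certonly --webroot -w %s -d %s --preferred-challenges http-01' "$2" "$1"
}

# Write the dns-cloudflare credentials file so only root can read it: the
# plugin warns when the file is readable by others, and the Global API key
# grants full control of the Cloudflare account.
write_cloudflare_credentials() {
    file=$1; email=$2; key=$3
    ( umask 077
      printf 'dns_cloudflare_email = %s\ndns_cloudflare_api_key = %s\n' \
          "$email" "$key" > "$file" )
}

# Return 0 if the file mode is exactly 600 (GNU stat, with a BSD stat fallback).
credentials_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# DNS-01 via the Cloudflare API: no inbound HTTP to the origin is needed, so
# it also works when the proxy or a firewall blocks port 80.
certbot_dns_cloudflare_cmd() {
    printf 'certbot certonly --dns-cloudflare --dns-cloudflare-credentials %s --dns-cloudflare-propagation-seconds 30 -d %s' "$2" "$1"
}

main() {
    enable_backports_and_upgrade
    if [ "${USE_DNS:-0}" = "1" ]; then
        write_cloudflare_credentials "$CREDS" "admin@example.com" "REPLACE_WITH_API_KEY"
        credentials_mode_ok "$CREDS" || { echo "refusing to continue: $CREDS is not mode 600" >&2; exit 1; }
        sh -c "$(certbot_dns_cloudflare_cmd "$DOMAIN" "$CREDS")"
    else
        sh -c "$(certbot_http01_cmd "$DOMAIN" "$WEBROOT")"
    fi
}

# Only run the procedure when explicitly asked, so the file can be sourced
# to reuse the helpers without touching apt or certbot.
if [ "${RUN_SETUP:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `RUN_SETUP=1 sh setup-certbot.sh` for HTTP-01, or `RUN_SETUP=1 USE_DNS=1 sh setup-certbot.sh` for the DNS plugin after replacing the placeholder email and key; the mode check is deliberate, since a world-readable Global API key is equivalent to handing out the Cloudflare account.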