So Certbot is using the webroot plugin, but Nginx is redirecting HTTP requests to HTTPS, which would be fine, except HTTPS doesn’t work because Cloudflare considers your origin’s current certificate to be invalid.
You can get certificate renewal to succeed by excluding Let’s Encrypt’s requests from the HTTP to HTTPS redirect, or by fixing HTTPS.
Out of curiosity, could you provide the output of “sudo certbot certificates”?
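The first option above (excluding Let’s Encrypt’s requests from the HTTP to HTTPS redirect) could look like this in Nginx. This is an added example, not configuration from the original thread; the server name `example.com` and the webroot path `/var/www/letsencrypt` are placeholders and must match the webroot Certbot is actually configured to use.

```nginx
# Added example: port-80 server block that answers ACME HTTP-01 challenges
# over plain HTTP and redirects everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # placeholder names

    # Serve challenge files directly from the Certbot webroot.
    # "^~" makes this prefix win over any regex locations, so the
    # request never reaches the redirect below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;              # placeholder; must equal Certbot's webroot path
        default_type text/plain;
        try_files $uri =404;                    # only existing token files, nothing else
    }

    # Everything else still goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# After editing: validate with "nginx -t", reload Nginx, then test
# renewal without issuing a real certificate: "certbot renew --dry-run".
```

Only the challenge path is exempted, so the rest of the site remains HTTPS-only. If Cloudflare itself is rewriting HTTP to HTTPS at the edge, the request will not reach this block over plain HTTP, and that setting needs a matching exception or HTTPS to the origin has to be fixed instead.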
Interesting! You really don’t have DNSSEC enabled at Cloudflare! But it is enabled.
Maybe you just turned it off recently?
Are you sure you’re looking at the correct Cloudflare account? Does the main page say the domain is “Active” without any issues?