Renew Let's Encrypt cert issued with Certbot behind Cloudflare?

I think it’s due to this issue:

Cloudflare is set to redirect HTTP to HTTPS, right? But Certbot currently only configures the HTTP virtual host to pass validation. And Let’s Encrypt follows the redirect to HTTPS, requests the validation file, and gets a 404 Not Found page from WordPress.

One option is to wait and hope they fix it before your certificates expire.

Another is to disable the HTTP to HTTPS redirect on Cloudflare and configure your web servers (for every subdomain) to redirect every path except /.well-known/acme-challenge/.

Another is to use “certbot -a webroot -i apache -w /path/to/document/root -d example.com -d www.example.com” with the HTTPS virtual hosts configured appropriately to serve the files.

(Another is to use Cloudflare Workers to set up a customized HTTP to HTTPS redirect.)

3 Likes
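The second option in the reply above (redirect at the origin for every path except the challenge path), as an added example that is not part of the original post. It assumes Apache with mod_rewrite enabled; example.com and /path/to/document/root are the same placeholders the post uses.

```apache
# Port-80 virtual host: answer ACME HTTP-01 validation requests over plain
# HTTP and redirect every other path to HTTPS.
# Assumptions: mod_rewrite is loaded; ServerName/ServerAlias and DocumentRoot
# are placeholders to replace with the real values for each subdomain.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /path/to/document/root

    RewriteEngine On
    # Skip the redirect for the challenge directory so the validation file
    # is served from this HTTP vhost instead of bouncing to HTTPS.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    # Everything else goes to the same host and path over HTTPS.
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

This only takes effect once the HTTP to HTTPS redirect on Cloudflare is disabled, since otherwise the request is redirected before it reaches the origin.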