Certbot has a --dry-run mode for testing which can be very helpful for this.
As for Cloudflare, there are many options. These are just three:
One option: because Cloudflare is configured to redirect the HTTP Challenge to HTTPS, you need to have your origin server handle the challenge in its HTTPS server block.
Another option is to use a CF page rule so the HTTP challenge is not redirected. See linkp's comment (link here) or the Cloudflare page rule docs (link here).
Another option is to use a Cloudflare Origin CA Cert on your origin server. Then, you don't use a Let's Encrypt cert on your origin at all. The CF Origin CA cert is long-lived. (link here)
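
A sketch of the first option above, added here as an illustration and not part of the original post. It assumes the origin runs nginx and uses Certbot's webroot method; `example.com`, `/var/www/acme`, `/var/www/html` and the certificate paths are placeholders.

```nginx
# Added example (assumed setup: nginx origin, Certbot webroot plugin).
# example.com, /var/www/acme and the certificate paths are placeholders.

server {
    listen 80;
    server_name example.com;

    # Answer the challenge directly if a request does arrive over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    # Everything else is sent to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # placeholder path

    # Same location in the HTTPS server block: a challenge request that was
    # redirected to HTTPS lands here and is served from the same webroot.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
        try_files $uri =404;
    }

    location / {
        root /var/www/html;
    }
}

# Test the setup without issuing a real certificate:
#   certbot certonly --webroot -w /var/www/acme -d example.com --dry-run
```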