Getting it to work the first time was a pain. Basically, you want to disable cloudflare (just untick the box so that it goes directly to your server, you can keep using cloudflare's dns server), then obtain the normal way, and reactivate Cloudflare. But I would highly recommend using cerbot's cloduflare dns plugin[1] instead so that you can (re)create the certificate w/o disabling cloudflare.

1: https://certbot-dns-cloudflare.readthedocs.io/en/latest/