Add new DNS record A sub pointed to your hosting IP and make sure it’s unproxied (DNS-only). This way you bypass Cloudflare cache, performance & security.
Otherwise, if sub-domain is proxied , you can use Configuration Rules or Page Rules to disable SSL for particular sub-domain.
Make sure HSTS is not enabled under the SSL/TLS → Edge certificates.
Hopefully your Web browser wouldn’t cause redirect issues.
If your sub-domain is a deep-level e.g. sub.sub.example.com and want it to be proxied , you’d have to purchase Advanced Certificate Manager feature so Cloudflare’s Universal SSL would cover it.