I have similar issue.
I have website using Let’s Encrypt certificate for last few years. All this time LE certificate was re-issuing automatically every 3 month.
I have signed up Cloudflare’s Free plan for CDN.
I’ve got a message from Lets Encrypt said I cant get new certificate unless I change A-record to IP address of my hosting.
I contact hosting, they said it’s because I’m using Cloudflare’s DNS. They recommended to turn off DNS - DNS Records - A (www and no-www) during LE certificate re-issuing. Unclick orange cloud to grey cloud.
I’ve got new certificate from LE and clicked clouds back to orange.
How to set it up to get new certificate automatically without clicking / unclicking clouds and manually re-issuing certificate on hosting every 3 month?
“For visitors Cloudflare’s, for the origin connection Lets Encrypt.” - this solution looks good for me.