In case where you use cPanel AutoSSL, to renew your SSL certificate at your host, make A records and start the AutoSSL process at your cPanel.
That way, it would figure it out it’s own way to your origin/host IP address and hopefully successfull renew the SSL certificate.
When it finishes successfully, turn back thoose records to and have a “Full SSL” option enabled
Another approach is to add a TXT record “DCV” to the Cloudflare dashboard.
Moreover, this method at least works for me, I just put all the records to , manually trigger autoSSL at cPanel, and when it finishes, I just turn back to
The same applies to the Let’s Encrypt renew process, because on some other domains I use LE so I also need every 3 months to repeat the same process.