When registering a new domain on Cloudflare, you need to keep two things in mind:
- Domains registered through Cloudflare must use Cloudflare's own nameservers, so as long as the domain is registered there, its DNS records have to be hosted there too.
- Even a newly registered domain has its SSL/TLS encryption mode set to Full, so if you are starting out with a fresh server that has no certificate yet, certbot's HTTP challenge will fail because Cloudflare does not let the plain-HTTP request through to your origin.
So we are in a deadlock where neither HTTP nor HTTPS works: HTTP is blocked by Cloudflare, and HTTPS fails because the origin has no valid certificate yet. Since certbot needs to reach the server over HTTP before it can set up HTTPS, you have to temporarily set the zone's SSL/TLS encryption mode to Off after creating the DNS records. Keep in mind that while the mode is Off, traffic between visitors, Cloudflare and your origin is plaintext, so keep this window as short as possible:

Now that HTTP can go through, you can obtain and install a certificate for your Apache web server by running:
sudo certbot --apache
Now reload the Apache configuration to activate the newly installed certificate:
sudo systemctl reload apache2
This will enable HTTPS on your website. Finally, go back to Cloudflare and set the SSL/TLS encryption mode back to Full (or better, Full (strict), which additionally verifies the origin's certificate; now that the origin carries a valid Let's Encrypt certificate, that check will pass):

Now HTTPS traffic should work.
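The whole procedure above, scripted so the zone is never accidentally left in Off mode if certbot fails, as an added example that is not part of the original post. It drives the Cloudflare API endpoint for the zone `ssl` setting (`PATCH /zones/{zone_id}/settings/ssl`) instead of the dashboard; the environment variable names `CF_API_TOKEN`, `CF_ZONE_ID`, `DOMAIN` and `EMAIL` are this script's own assumptions, and the token must be allowed to read and edit zone settings. The sample API response used by the parsing helper is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not the original post's code): wrap a certbot run in a
# Cloudflare SSL/TLS mode change, restoring the previous mode on exit.
# Assumed env vars: CF_API_TOKEN, CF_ZONE_ID, DOMAIN, EMAIL.
set -eu

CF_API="https://api.cloudflare.com/client/v4"

# Constructed sample of the zone settings response, for reference/tests.
SAMPLE_RESPONSE='{"result":{"id":"ssl","value":"full","modified_on":"2024-01-01T00:00:00Z","editable":true},"success":true,"errors":[],"messages":[]}'

# The zone "ssl" setting accepts exactly these four values.
valid_ssl_mode() {
  case "$1" in
    off|flexible|full|strict) return 0 ;;
    *) return 1 ;;
  esac
}

# JSON body for PATCH /zones/{zone_id}/settings/ssl; refuses unknown modes.
ssl_payload() {
  valid_ssl_mode "$1" || { echo "invalid ssl mode: $1" >&2; return 1; }
  printf '{"value":"%s"}' "$1"
}

# Extract "value" from a settings response such as SAMPLE_RESPONSE.
parse_ssl_value() {
  printf '%s' "$1" | sed -n 's/.*"value":"\([a-z_]*\)".*/\1/p'
}

get_ssl_mode() {
  parse_ssl_value "$(curl -sS "$CF_API/zones/$CF_ZONE_ID/settings/ssl" \
    -H "Authorization: Bearer $CF_API_TOKEN")"
}

set_ssl_mode() {
  body=$(ssl_payload "$1")
  curl -sS -X PATCH "$CF_API/zones/$CF_ZONE_ID/settings/ssl" \
    -H "Authorization: Bearer $CF_API_TOKEN" \
    -H "Content-Type: application/json" \
    --data "$body" >/dev/null
}

issue_cert() {
  original=$(get_ssl_mode)
  valid_ssl_mode "$original" || { echo "could not read current ssl mode" >&2; return 1; }
  # Restore the original mode whether certbot succeeds or fails (set -e exits still fire EXIT).
  trap 'set_ssl_mode "$original"' EXIT
  set_ssl_mode off
  sudo certbot --apache -d "$DOMAIN" -m "$EMAIL" --agree-tos --non-interactive
  sudo systemctl reload apache2
}

# Run only when a zone is configured; otherwise the functions are just defined.
if [ -n "${CF_ZONE_ID:-}" ]; then
  issue_cert
fi
```

Run it once the DNS records already point at the server; the plaintext window lasts only for the certbot run, and the `trap` puts the zone back to whatever mode it had before (Full on a new zone) even if certbot aborts.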