Do you have your Cloudflare entries “orange-cloud” or “grey-cloud”?
When they’re orange-cloud, Cloudflare doesn’t actually respond to DNS queries with your IP address - they hide your origin server and direct visitors to themselves. Then, when a client connects to Cloudflare, Cloudflare connects to your origin.
This unfortunately means that when Let’s Encrypt connects to the host indicated by DNS, they don’t actually talk to Caddy, so Caddy can’t solve the TLS-ALPN challenge - which takes place during TLS negotiation - because Cloudflare is actually negotiating TLS with the client.
You can check in your Cloudflare dashboard (for the orange cloud next to the DNS records), or you can `dig` your domain name and check whether Cloudflare returns your actual IP address or a pair of their own IP addresses instead.
Cloudflare is relatively unique in this offering, so I’ve written a bit in the past about the kind of issues that can pop up. See also: Infinite redirection - #5 by Whitestrake