
Any way to make this compatible with domains hosted on cloudflare? #37

Open
ghost opened this issue Feb 4, 2017 · 2 comments

Comments

@ghost

ghost commented Feb 4, 2017

The initial certificate validation method that this container uses will fail for domains hosted on cloudflare:

As a note, the default method used for ACME authentication by the Let's Encrypt client utilizes the DVSNI method. This will fail for a domain which has CloudFlare enabled as we terminate SSL (TLS) at our edge and the ACME server will never see the certificate the client presents at the origin. Using alternate ACME validation methods, such as DNS or HTTP will complete successfully when CloudFlare is enabled.

https://support.cloudflare.com/hc/en-us/articles/214820528-How-to-Validate-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-CloudFlare

But the subsequent certificate renewal method that this container uses will work for cloudflare hosted domains. Because the --standalone parameter for the initial validation is hardcoded in this container and can't be overridden, there's no way to use this container with a cloudflare domain as is.

It would be great if there were a way to make this work on cloudflare proxied domains. For example, by allowing the user to choose auth methods, or by switching to an auth method that works with cloudflare by default.

@jbtrystram
Collaborator

It could be supported, but it would be complicated.
Reading your issue, I understand that we should start nginx with the well-known directory set up first, then retrieve the certificates. After that, we should reconfigure the nginx vhosts to use TLS and the certificates, then restart nginx.
This would add a lot of complexity to the init script.

Maybe you can think of another simpler way? :)
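The two-phase startup described in the comment above, written out as an added example (it is not this container's init script): phase 1 serves only the ACME challenge directory over plain HTTP so HTTP-01 can pass through the CDN proxy, phase 2 switches the vhost to the issued certificate. It assumes certbot is installed, nginx loads `/etc/nginx/conf.d/*.conf`, and uses a placeholder domain and contact address.

```shell
#!/bin/sh
# Added example: two-phase nginx bootstrap for a CDN-proxied domain.
# Assumptions (not from the project): certbot on PATH, conf.d-style nginx,
# /var/www/acme as webroot, placeholder domain/e-mail supplied by the caller.
set -eu

DOMAIN="${1:-example.com}"                 # placeholder domain
WEBROOT="${WEBROOT:-/var/www/acme}"
CONF="${CONF:-/etc/nginx/conf.d/$DOMAIN.conf}"
LIVE="/etc/letsencrypt/live/$DOMAIN"

# Phase 1: plain-HTTP vhost exposing only /.well-known/acme-challenge/.
# The proxy forwards this path to the origin, so HTTP-01 succeeds even though
# TLS is terminated at the edge (the reason TLS-SNI/DVSNI validation fails).
http_conf() {
  cat <<EOF
server {
    listen 80;
    server_name $1;
    location /.well-known/acme-challenge/ { root $2; }
    location / { return 404; }
}
EOF
}

# Phase 2: TLS vhost using the issued certificate. The challenge path stays
# reachable on port 80 so unattended renewals keep working later.
tls_conf() {
  cat <<EOF
server {
    listen 80;
    server_name $1;
    location /.well-known/acme-challenge/ { root $2; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     $3/fullchain.pem;
    ssl_certificate_key $3/privkey.pem;
    location / { root /var/www/html; }
}
EOF
}

bootstrap() {
  mkdir -p "$WEBROOT/.well-known/acme-challenge"
  http_conf "$DOMAIN" "$WEBROOT" > "$CONF"
  nginx                                    # phase 1: challenge-only vhost
  certbot certonly --non-interactive --agree-tos -m "admin@$DOMAIN" \
    --webroot -w "$WEBROOT" -d "$DOMAIN"   # HTTP-01 via the webroot
  tls_conf "$DOMAIN" "$WEBROOT" "$LIVE" > "$CONF"
  nginx -s reload                          # phase 2: switch to TLS
}
```

Run it as `sh bootstrap.sh yourdomain.example && bootstrap` inside the container's entrypoint; the phase 1 config never references certificate files, so nginx starts even before the first issuance.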

@ghost
Author

ghost commented Feb 9, 2017

Yeah I did; I'm now using jwilder/nginx-proxy and jrcs/letsencrypt-nginx-proxy-companion, which use the webroot method. For people who encounter the same problem, a working cloud-config with this setup can be found in my readme.

Note: I've enabled a custom rule in my cloudflare page rules that bypasses cache, ssl, etc. for all paths under /.well-known.
