I was messing with Let's Encrypt a few days ago and realized that with Cloudflare it may be possible to avoid it altogether.
I wrote about it here:
I haven’t actually tried it on my own site, but from Cloudflare’s settings it certainly seems as though you can expose your site as plain HTTP but inaccessible except through the HTTPS “surface” Cloudflare provides.