Using Cloudflare API Token requires version 2.3.1 of the python module cloudflare.
[Note : Ubuntu / Debian packages likely do not support this version. You should uninstall the provided packages (python3-acme python3-certbot certbot python3-certbot-nginx python3-certbot-dns-cloudflare) and use pip3 instead]

Install the required certbot python modules using the pip3 installer

pip3 install --upgrade pip
pip3 install certbot acme certbot-dns-cloudflare certbot-nginx

Confirm certbot is working

Note : you may need to check where it has been installed (which certbot) and call the direct path.

certbot --version

Generate new Cloudlfare API Token with the required Zone:Zone:Read and Zone:DNS:Edit permissions. This must be applied to all zones in your account.

Store your Cloudflare Token in a secure file.

sudo mkdir /root/.cloudlfare

sudo bash -c 'cat <<EOF > /root/.cloudflare/credentials.ini
# Cloudflare API token used by Certbot
dns_cloudflare_api_token = <YOUR_TOKEN_HERE>

sudo chmod 400 /root/.cloudflare/credentials.ini
sudo chmod 600 /root/.cloudflare

Register a new domain registration with Let's Encrypt

certbot certonly --dns-cloudflare --dns-cloudflare-credentials /root/.cloudflare/credentials.ini -n -d *.<YOUR_DOMAIN_HERE> --server --agree-tos --email <YOUR_EMAIL_HERE>

Reload your web service (apache or nginx)

Create a cronjob to automatically renew the let's Encrypt certificates

sudo bash -c 'cat <<EOF > /etc/cron.d/certbot
0 */12 * * * root certbot -q renew --renew-hook 'service nginx reload' >> /var/log/letsencrypt/renew.log