Cloudflare explicitly supports customers placing insecure HTTP only sites behind a cloudflare HTTPS.

It's one of the more controversial parts of the business, it makes the fact that the traffic is unencrypted on public networks invisible to the end user.

You could use a self-signed cert, since cloudflare doesn't care about that.