The interface can use a lot of polishing for this, but this is the key point: you may have the CNAME records setup, but there are TXT records returned by your nameservers that are preventing the CNAME record from taking effect.
Specifically, this is caused by Cloudflare injecting hidden DNS records in their domain, so they can validate your domain against certificate providers to obtain the certificates they use to secure the connection between your visitors and their infrastructure.
As far as I know, there is not much you can do about that, except wait for Cloudflare to finish doing it’s thing.
However, since you are using Cloudflare, you don’t really need the Let’s Encrypt certificate in the first place. You can just use Cloudflare’s Full SSL mode right now, and it will use our default self-signed certificate to secure the connection, which is functionally identical, and almost as secure.