When you buy a Domain Name from a registrar (e.g. GoDaddy) to host a website, there is high probability that you would also use their DNS zone hosting services too. However, a secure website requires an SSL certificate, which is not free. Therefore, some people utilize Cloudflare services to get a free SSL bundled with their DNS services.
You might have many reasons to choose Cloudflare as your preferred DNS service provider, but you realize very soon that it has started posing new challenges due to some inaccurate configurations. In fact, there is nothing wrong at the Cloudflare-side. It's merely due to lack of our understanding and insufficient documentation for novice users.
Imagine a scenario where you subscribed to a web-based application that is hosted by a third-party (e.g. Okta, Zoho). It simply means that you do not have direct access to their web-server instance. You would assume that a simple CNAME record configuration in Cloudflare's DNS setting should be enough to start serving your website. It's not that straight forward.
Firstly, you must understand that the Cloudflare is running an HTTP proxy server (i.e. kind of a web-broker) that has two sides to be managed. Being a web-proxy, the Cloudflare allows two different options to you. First option is a Proxy-mode (i.e. traffic intercepted by the Cloudflare) and another one is a DNS-only mode (i.e. traffic sent directly to web origin servers without changing anything).
On one side, it is accepting web request from your user's web browser (e.g. Chrome, Safari) that expects a secure traffic (i.e. HTTPS) therefore the SSL certificates used by Cloudflare must be compatible and acceptable to your user's web browser. This SSL certificate is a major hurdle many times in the configuration.
On the other side, the Cloudflare must contact the web-application's origin servers that might be expecting a secure traffic (i.e. HTTPS) therefore SSL certificates acceptable to your origin servers must be used by Cloudflare in a proxy-mode else choose DNS-only mode.
Many times people choose to use DNS-only, but the website is not served properly yet. Perhaps, additional configuration is required in Page Rules to route the traffic in right manner to origin servers.
Sometimes the problem is due to type of SSL certificate you are using. Also, have some patience while you migrate from some other DNS provider because DNS settings propagation time could also frustrate sometimes. Typically, it takes approx. 24 ~ 48 hours to get DNS settings working properly after you make changes. Acquire some knowledge related to SSL certificates verification method as well, if you are a novice.
Some companies (e.g. Okta) have simplified configuration of DNS settings using Cloudflare. I enjoy using Cloudflare due to its analytics capabilities and simple to use user interface.