I think if you’re using fly certs create {domain} then it’s best to disable cloudfalre full ssl mode, not sure tho cos i’m not an expert. You can use fly certs show {domain} to see if it’s using cf ssl or fly’s.
You have to disable the proxy so it’s dns only (gray cloud), then use the fly CLI to create the cert. Wait a few minutes and then turn on the proxy (orange cloud)