Force Discourse to use SSL/HTTPS through CloudFlare

When you put a proxy such as Cloudflare into the connection path, said proxy needs to be able to decrypt the HTTPS traffic into plain HTTP so that the proxy can do its business (sending cached responses, filtering out shenanigans, etc.). This means that the HTTPS connection is actually terminating on Cloudflare’s servers, and then another connection is being made to your server (the origin). In order for the connection between Cloudflare and your origin to be similarly secure as the connection between the browser and Cloudflare, you need to set up SSL on the origin server, too.

Personally, I find the fact that Cloudflare allows this misleading setup to be deeply disappointing. They’re making the claim, “yes, your activities can’t be trivially monitored” (to those few users who look for the padlock, anyway), but in actual fact everyone between Cloudflare and your origin can see everything. Worse, because Cloudflare’s DCs are a choke point for a lot of traffic, sitting just outside Cloudflare’s DCs and capturing everything is probably going to get you a lot more interesting stuff than sniffing any but the largest transcontinental links.

9 Likes
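
As an added example (not part of the original post): a Python check that connects straight to the origin, bypassing the proxy, and reports whether that second hop is encrypted and authenticated. The function names, result labels and the local stand-in server are assumptions made for illustration.

```python
import socket
import ssl
import threading

def probe_origin_tls(host, port, timeout=3.0):
    """Connect straight to the origin (bypassing the proxy) and classify it."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"            # nothing listening, or filtered
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls-verified"       # encrypted and authenticated hop
    except ssl.SSLCertVerificationError:
        return "tls-unverified"         # TLS, but cert fails local validation
    except (ssl.SSLError, OSError):
        return "no-tls"                 # origin answered in plaintext or hung up
    finally:
        raw.close()

def start_plaintext_origin():
    """Constructed stand-in for an origin that only speaks plain HTTP."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # any free local port
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                 # the client's TLS ClientHello
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv

if __name__ == "__main__":
    srv = start_plaintext_origin()
    port = srv.getsockname()[1]
    print("plaintext origin:", probe_origin_tls("127.0.0.1", port))
    srv.close()
    print("closed port:", probe_origin_tls("127.0.0.1", port))
```

Run it against the origin's own address rather than the proxied hostname; only "tls-verified" means the proxy-to-origin hop can match what the browser's padlock implies.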