I forget that when I allow cloudflare to proxy a URL for me, then I get SSL for free.

And previously, I turned off the proxying for my git server so that I can connect over SSH. So I ran certbot to get a certificate I can use with that subdomain.

And this morning I noticed that I needed a cert for my photos server too. So converted to a wildcard cert for all top level subdomains