I tested something internally and confirmed that when Cloudflare DNS proxy is ON and “Always Use HTTPS” is OFF, HTTP-01 challenge requests from Let’s Encrypt can reach to Render server and successfully issue a certificate. Therefore when the certificate is going to renew you don’t need to disable DNS proxy.
The certificate issued by Let’s Encrypted will be valid for 90 days. It is recommend to renew it every 60 days. This is why renew happened when 29 days left.