CF is at the mercy of the CAs (DigiCert/Comodo), and at least based on LetsEncrypt's stance [0], they should be OK to issue .ir certificates as long as the customer is not a Gov't entity. The only issue is that these CA's are just playing it safe by not issuing any .ir domains, making CF also unable to issue .ir.

I believe CF is working on LetsEncrypt certificates, at least based on letsencrypt.org being included in the 'automatic' CAA records[1].

0: https://community.letsencrypt.org/t/issuance-criteria-for-ir...

1: https://support.cloudflare.com/hc/en-us/articles/11500031083...