Traefik 2 Setup with Cloudflare/Let's Encrypt issue

Hi there! I am a beginner with Traefik and I seem to have an issue. I am trying to follow a guide, but once everything is set up and I run Traefik...

Traefik generates the certificate, it seems valid, I can see it in the file itself, but I am connecting to my site with the Cloudflare-issued certificate, not the one I generated. Now, if I disable Universal SSL on Cloudflare and proxying, I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH or SSL_ERROR_NO_CYPHER_OVERLAP. So I seem to be unable to get to the Let's Encrypt certificate itself: it's either Cloudflare's (with the Let's Encrypt one generated in the background but not used) or the error. What could I be doing wrong?

Ideally I would use the Cloudflare certificate, but I want to have a backup option set up with a self-signed certificate, which I seem unable to get working.

The setup runs on a Synology NAS on ports 80 and 443, open to the internet; the Synology nginx ports are changed so there is no interference (and I can reach Traefik if SSL is enabled on Cloudflare with proxying on, but with the Cloudflare cert only).

My current traefik2 config:
Secrets, the Docker proxy etc. seem to be working, as in the end I can reach the container and there are no errors in its log. I can see Traefik creating the TXT entry in Cloudflare DNS and succeeding (it fails if the record already exists because I closed the app during setup; I have to delete the record manually then).

version: '3.7'

services:
  traefik:  # service name is not visible in the post; assumed here so the defaultrule label below resolves to traefik.$DOMAINNAME
    container_name: Traefik
    image: 'traefik:latest'
    restart: unless-stopped
    command:
      - --global.checkNewVersion=false
      - --global.sendAnonymousUsage=false
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --entrypoints.https.forwardedHeaders.trustedIPs=,,,,,,,,,,,,,, # the IP range list was stripped from the post; only X-Forwarded-* headers from these ranges are trusted
      - --entryPoints.traefik.address=:8080
      - --api=true
      - --api.insecure=false
      - --serversTransport.insecureSkipVerify=false
      - --log=true
      - --log.level=DEBUG #(Default: ERROR) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/Traefik.log
      - --accessLog.bufferingSize=100
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://socket-proxy:2375 #unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      - --providers.docker.swarmMode=false
      # - --providers.file.filename=/Rules.toml
      - --certificatesResolvers.dns-cloudflare.acme.caServer= #LetsEncrypt Staging Server (uncomment when testing); the server URL was stripped from the post
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=, # resolver addresses were stripped from the post
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    security_opt:
      - no-new-privileges:true
    volumes:
      # - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - '$SHR_DOCKER/Traefik/Rules:/Rules'
      - '$SHR_DOCKER/Traefik/ACME/acme.json:/acme.json'
      - '$SHR_DOCKER/Traefik/Traefik.log:/Traefik.log'
      - '$DIR_SHARED:/Shared'
    environment:
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
    labels:
      - "traefik.enable=true"
      ### HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-default.entrypoints=http"
      - "traefik.http.routers.http-default.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-default.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      ### HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certResolver=dns-cloudflare" #Comment out this line after first run of Traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      ### Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ### Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file"
    secrets:
      - cloudflare_email
      - cloudflare_api_key

# The top-level secrets: block defining cloudflare_email and cloudflare_api_key
# (file: ... entries) was not included in the post.
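The symptoms in the post (a Cloudflare-issued certificate when the record is proxied, a handshake error when it is not) come down to which server terminates TLS for the name. The following probe, added here as an example and not code from the poster or the Traefik project, connects to a hostname twice: once via DNS (which hits the Cloudflare edge if the record is proxied) and once straight to an origin IP with the same SNI, and reports whether the handshake succeeded, whether the certificate chains to a trusted CA, and who issued it. It uses only the standard library; the issuer-name substrings in `classify_issuer` are an assumption based on the names those CAs use, and the script name `probe_cert.py` is hypothetical.

```python
"""Check which certificate a name actually serves, at the origin and through
the proxy edge, and classify the issuer. Standard library only."""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ProbeResult:
    endpoint: str
    status: str                 # "ok" | "untrusted" | "handshake-failed" | "unreachable"
    detail: str = ""            # issuer string on success, error text otherwise
    subject: str = ""
    dns_names: Tuple[str, ...] = ()


def rdn_to_str(rdn_seq) -> str:
    """Flatten getpeercert()'s tuple-of-tuples DN form into 'key=value, ...'."""
    return ", ".join(f"{k}={v}" for rdn in rdn_seq for k, v in rdn)


def classify_issuer(issuer: str) -> str:
    """Name the party that issued the served certificate. The substrings are an
    assumption based on the issuer names these CAs use, not an official list."""
    low = issuer.lower()
    if "cloudflare" in low:
        return "cloudflare-edge"      # edge cert: the proxy terminated TLS, not Traefik
    if "let's encrypt" in low:
        return "lets-encrypt"         # the ACME cert Traefik obtained (staging names match too)
    return "other"


def probe(hostname: str, connect_to: Optional[str] = None, port: int = 443,
          timeout: float = 5.0) -> ProbeResult:
    """TLS-connect to connect_to (default: hostname) sending SNI=hostname, with
    full chain and hostname verification, and report what was served."""
    target = connect_to or hostname
    endpoint = f"{target}:{port} sni={hostname}"
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname against the system store
    try:
        with socket.create_connection((target, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # A certificate was served but the system store does not trust it:
        # self-signed, expired, or a name mismatch (for example a default
        # certificate handed out instead of the ACME one).
        return ProbeResult(endpoint, "untrusted", detail=exc.verify_message or str(exc))
    except ssl.SSLError as exc:
        # The handshake never completed (no shared protocol/cipher, or the
        # server aborted it); browsers show this as
        # ERR_SSL_VERSION_OR_CIPHER_MISMATCH / SSL_ERROR_NO_CYPHER_OVERLAP.
        return ProbeResult(endpoint, "handshake-failed", detail=str(exc))
    except OSError as exc:
        return ProbeResult(endpoint, "unreachable", detail=str(exc))
    issuer = rdn_to_str(cert.get("issuer", ()))
    subject = rdn_to_str(cert.get("subject", ()))
    names = tuple(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return ProbeResult(endpoint, "ok", detail=issuer, subject=subject, dns_names=names)


def report(result: ProbeResult) -> str:
    """One-line human summary of a probe."""
    if result.status == "ok":
        who = classify_issuer(result.detail)
        return (f"{result.endpoint}: ok, issued by {who} ({result.detail}); "
                f"SAN={list(result.dns_names)}")
    return f"{result.endpoint}: {result.status}: {result.detail}"


if __name__ == "__main__":
    # usage: python probe_cert.py traefik.example.com [origin-ip]
    # The first probe follows DNS (the Cloudflare edge if the record is proxied);
    # the second goes straight to the origin IP with the same SNI.
    host = sys.argv[1]
    print(report(probe(host)))
    if len(sys.argv) > 2:
        print(report(probe(host, connect_to=sys.argv[2])))
```

Reading the two lines side by side tells you where the certificate you expect is actually being served: an origin probe that reports a Let's Encrypt issuer while the DNS probe reports a Cloudflare one means Traefik's certificate is fine and the proxy is simply re-terminating TLS in front of it; an origin probe that reports `untrusted` or `handshake-failed` means the problem is at Traefik itself, independent of Cloudflare.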