Hi there! I am a beginner with Traefik and I seem to have an issue. I am trying to follow the https://www.smarthomebeginner.com/traefik-2-docker-tutorial guide, but once everything is set up and I run Traefik...
Traefik generates the certificate, and it seems valid (I can see it in the file itself), but I am connecting to my site with a Cloudflare-issued certificate, not the one I generated. Now, if I disable Universal SSL and proxying on Cloudflare, I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH or SSL_ERROR_NO_CYPHER_OVERLAP. So I seem to be unable to get to the Let's Encrypt certificate itself: it's either Cloudflare's (with the Let's Encrypt certificate generated in the background but not used) or the error. What could I be doing wrong?
Ideally I would use the Cloudflare certificate, but I want to have a backup option set up with a self-signed certificate, which I seem unable to get working.
The setup runs on a Synology NAS on ports 80 and 443, open to the internet; the Synology nginx ports are changed so there is no interference (and Traefik can be reached when SSL on Cloudflare is enabled with proxying on, but only with the Cloudflare certificate).
My current traefik2 config:
Secrets, the docker socket proxy etc. seem to be working, as in the end I can reach the container and there are no errors in its log. I can see Traefik creating the TXT entry in Cloudflare DNS and succeeding (it fails if the record already exists because I closed the app during setup; I then have to delete the record manually).
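# docker-compose service definition for Traefik v2 with ACME via the
# Cloudflare DNS challenge. Indentation was lost in the paste; the structure
# is restored here with 2-space indents and indented sequences.
# The top-level `networks:` and `secrets:` definitions referenced below are
# not part of this snippet.
version: '3.7'

services:
  traefik:
    container_name: Traefik
    # `latest` is a moving target; pinning a version makes upgrades deliberate.
    image: 'traefik:latest'
    restart: unless-stopped
    command:
      - --global.checkNewVersion=false
      - --global.sendAnonymousUsage=false
      # Entrypoints: plain HTTP (redirected below), HTTPS, and an internal one
      # named "traefik" on 8080.
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      # Only X-Forwarded-* headers arriving from these Cloudflare edge ranges
      # are trusted; keep the list in sync with https://www.cloudflare.com/ips/
      # so client IPs in logs/middlewares cannot be spoofed by direct callers.
      - --entrypoints.https.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17  # https://www.cloudflare.com/ips/
      - --entryPoints.traefik.address=:8080
      # API/dashboard enabled but NOT served directly on :8080 (insecure=false);
      # it is only reachable through the traefik-rtr router below (HTTPS +
      # basic auth). If nothing routes on the "traefik" entrypoint, the 8080
      # port publication below can be dropped.
      - --api=true
      - --api.insecure=false
      # Backend TLS certificates are verified (no insecureSkipVerify).
      - --serversTransport.insecureSkipVerify=false
      - --log=true
      # DEBUG is very verbose; lower it once the setup works.
      - --log.level=DEBUG  # (Default: ERROR) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      # Access log: only 4xx responses are written (statusCodes filter).
      - --accessLog=true
      - --accessLog.filePath=/Traefik.log
      - --accessLog.bufferingSize=100
      - --accessLog.filters.statusCodes=400-499
      # Docker provider talks to the socket proxy instead of the raw socket
      # (the direct mount is commented out under volumes:).
      - --providers.docker=true
      - --providers.docker.endpoint=tcp://socket-proxy:2375  # unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      # Containers are only exposed when they carry traefik.enable=true.
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=WEB
      - --providers.docker.swarmMode=false
      # Dynamic config (e.g. middlewares-basic-auth@file) comes from /Rules.
      - --providers.file.directory=/Rules
      # - --providers.file.filename=/Rules.toml
      - --providers.file.watch=true
      # NOTE: this points at the Let's Encrypt STAGING CA. Staging certificates
      # look valid in acme.json but are issued by a test CA that browsers do
      # not trust. Comment this line out for a production certificate (the
      # staging account/certificate stored in /acme.json has to be removed
      # when switching, otherwise the old one is kept).
      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory  # LetsEncrypt Staging Server (uncomment when testing)
      - --certificatesResolvers.dns-cloudflare.acme.email=$EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      # DNS-01 challenge via Cloudflare; resolvers used to verify the TXT
      # record, with a 90s delay before the first check.
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.delayBeforeCheck=90
    networks:
      WEB:
        ipv4_address: 10.11.1.253
      Socket_Proxy:
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      # Only needed if something is served on the "traefik" entrypoint.
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    security_opt:
      # Processes in the container cannot gain additional privileges.
      - no-new-privileges:true
    volumes:
      # Raw Docker socket deliberately not mounted; access goes via socket-proxy.
      # - '/var/run/docker.sock:/var/run/docker.sock:ro'
      - '$SHR_DOCKER/Traefik/Rules:/Rules'
      # ACME storage; Traefik expects an existing file restricted to the
      # owner (mode 0600) — it holds the account key and private keys.
      - '$SHR_DOCKER/Traefik/ACME/acme.json:/acme.json'
      - '$SHR_DOCKER/Traefik/Traefik.log:/Traefik.log'
      - '$DIR_SHARED:/Shared'
    environment:
      # Cloudflare credentials read from Docker secrets (files), not from
      # plain env values. The Global API Key grants full account access; a
      # DNS-scoped API token (CF_DNS_API_TOKEN) is the least-privilege option.
      - CF_API_EMAIL_FILE=/run/secrets/cloudflare_email
      - CF_API_KEY_FILE=/run/secrets/cloudflare_api_key
    labels:
      - "traefik.enable=true"
      ### HTTP-to-HTTPS Redirect
      # Catch-all router on the http entrypoint that redirects to https.
      - "traefik.http.routers.http-default.entrypoints=http"
      - "traefik.http.routers.http-default.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-default.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      ### HTTP Routers
      # Dashboard router: TLS via the dns-cloudflare resolver, requesting a
      # certificate for the apex plus a wildcard SAN.
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.certResolver=dns-cloudflare"  # Comment out this line after first run of Traefik to force the use of wildcard certs
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      ### Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      ### Middlewares
      # Basic-auth middleware defined by the file provider (/Rules); without
      # it the dashboard would be reachable by anyone who can resolve the host.
      - "traefik.http.routers.traefik-rtr.middlewares=middlewares-basic-auth@file"
    secrets:
      - cloudflare_email
      - cloudflare_api_key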