Reputation: 71
I have a VPS with a LiteSpeed server + CyberPanel installed on it. The problem is that it only allows self-signing via the panel, and that's not enough for some apps I use. So I need to do it manually. I need full end-to-end encryption from the host to Cloudflare (Strict). CF gives only two files, .crt and .key. I put them both on the server and point to them via the vhost and httpd cfg files.
But nothing happens: it just breaks with a 521 error, or works only with edge certificates from CF, or, if I turn off the CF proxy, complains something about bad ciphers. It looks like the listener is open correctly, and I touched only those two lines with the paths to the SSL files:
listener SSL {
  address *:443
  secure 1
  keyFile /etc/letsencrypt/live/domain.com/privkey.pem
  certFile /etc/letsencrypt/live/domain.com/fullchain.pem
  certChain 1
  sslProtocol 24
  ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:$
  enableECDHE 1
  renegProtection 1
  sslSessionCache 1
  enableSpdy 15
  enableStapling 1
  ocspRespMaxAge 86400
  map domain.com domain.com
}
I have checked the default self-signed certificates, and they are 3 files, all in PEM format, but I only have two, .crt and .key. What am I missing? Do I have to do something additional in the CF DNS records too, if I choose Full (strict) on CF and create their free origin SSL? Because now it does look something like this:
I've been spending hours in SSH debugging, but it seems like I am missing something stupid, or is it really that complicated?
Upvotes: 1
Views: 69
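A check for the setup described in the question, as an added example that is not part of the original post: it confirms that a .crt/.key pair is PEM encoded and that the key belongs to the certificate before a listener's certFile and keyFile are pointed at them. The function names and file names are assumptions, and the sample certificate and keys are generated locally as constructed input.

```shell
#!/bin/sh
# Added example: sanity checks for a certificate/key pair (names are hypothetical).

# is_pem FILE -> 0 if the file contains a PEM armor line ("-----BEGIN ...-----")
is_pem() {
    grep -q -- '^-----BEGIN [A-Z ]*-----' "$1"
}

# pair_matches CERT KEY -> 0 if the certificate's public key equals the
# public half of the private key (works for RSA and EC keys alike)
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_pair CERT KEY -> prints one verdict: ok | not-pem | mismatch
check_pair() {
    is_pem "$1" && is_pem "$2" || { echo not-pem; return 0; }
    if pair_matches "$1" "$2"; then echo ok; else echo mismatch; fi
}

# Constructed sample input: a throwaway self-signed certificate, an unrelated
# key, and the same certificate re-encoded as DER (binary, not PEM).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=origin.example.test" \
    -keyout "$demo/origin.key" -out "$demo/origin.crt" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo/other.key" 2>/dev/null
openssl x509 -in "$demo/origin.crt" -outform DER -out "$demo/origin.der"

echo "matching pair:   $(check_pair "$demo/origin.crt" "$demo/origin.key")"
echo "unrelated key:   $(check_pair "$demo/origin.crt" "$demo/other.key")"
echo "DER certificate: $(check_pair "$demo/origin.der" "$demo/origin.key")"
```

Run against the real files, `check_pair` takes the two paths that the listener's `certFile` and `keyFile` lines name.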