Acme server for local https - on synology

I solved the problem by abandoning the caddy on the synology and adding some logic in the downstream caddy - i.e. the one that calls the acme_ca in the public facing caddy.

I use the unbound DNS resolver on my pfsense router to create a couple of subdomains on my mediaserver03 web server.

media01.mediaserver03
media02.mediaserver03

Both overrides point to the IP address of mediaserver03 and caddy intelligently treats them as different URLs and forwards them appropriately.

Now I have https on all LAN servers.
In case you are wondering - I would be - some of the URLs you see are from a tailnet and some are from my unbound resolver. Just know that they are pointing to LAN IP addresses.

#BACKEND - on mediaserver03
# Global Option Block
{
	# General Option
	#debug

	# TLS Options
	# reference acme server on fileserver01
	acme_ca https://acme.localserver/acme/local/directory
	# copy of root.crt from the fileserver
	acme_ca_root /etc/ssl/certs/root.crt
}

https://mediaserver03.mooncaptain.pn.net {
	handle /sonarr* {
		reverse_proxy localhost:8989
	}
	handle /emby* {
		reverse_proxy localhost:8096
	}
	handle /nzbget* {
		reverse_proxy localhost:6789
	}
}
https://media01.mediaserver03 {
	reverse_proxy http://192.168.0.218:5000
}
https://media02.mediaserver03 {
	reverse_proxy http://192.168.0.19:5000
}
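An added example, not part of the original post: in the Caddyfile above, TLS ends at Caddy on mediaserver03, and the media01/media02 upstreams are written with `http://`. This Python check lists each site's upstream and marks which proxy hops are plaintext over the network; the function names are hypothetical, it assumes an upstream with no scheme is proxied over plain HTTP, and it only understands the simple block layout used here.

```python
import ipaddress
import re

# Constructed sample: global block and site blocks taken from the post's Caddyfile.
SAMPLE = """\
{
	acme_ca https://acme.localserver/acme/local/directory
}
https://mediaserver03.mooncaptain.pn.net {
	handle /sonarr* {
		reverse_proxy localhost:8989
	}
}
https://media01.mediaserver03 {
	reverse_proxy http://192.168.0.218:5000
}
https://media02.mediaserver03 {
	reverse_proxy http://192.168.0.19:5000
}
"""

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name other than localhost
        return False

def audit_upstreams(caddyfile):
    """Return (site, upstream, verdict) for every reverse_proxy line."""
    findings, site, depth = [], None, 0
    for raw in caddyfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0 and line.endswith("{") and line != "{":
            site = line[:-1].strip()  # top-level block with an address
        m = re.match(r"reverse_proxy\s+(\S+)", line)
        if m and site:
            # Assumption: an upstream with no scheme is proxied over plain HTTP.
            scheme, _, rest = m.group(1).rpartition("://")
            host = rest.rsplit(":", 1)[0].strip("[]")
            verdict = ("tls" if scheme == "https" else
                       "plaintext-loopback" if is_loopback(host) else
                       "plaintext-network")
            findings.append((site, m.group(1), verdict))
        depth += line.count("{") - line.count("}")
    return findings
```

Calling `audit_upstreams(SAMPLE)` returns one row per `reverse_proxy` line; rows marked `plaintext-network` are hops where traffic leaves the Caddy host unencrypted.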