Thanks for the pointers, I didn’t know it would be possible to sign such a certificate.
I was able to get a properly signed certificate using Caddy’s built-in DNS challenge, though this required a custom Caddy binary with a DNS challenge provider (it depends on how you edit your DNS records; in my case I was lucky because I do it in Cloudflare and Caddy supports that).
New config:
```
hidden.example.com {
	tls {
		dns cloudflare {$CF_API_TOKEN}
	}
	bind 10.0.0.1
	reverse_proxy http://127.0.0.1:8080
}
```
Other resources that have been useful, for future reference:
DNS Challenge explained: Automatic HTTPS — Caddy Documentation
How to enable DNS provider modules: How to use DNS provider modules in Caddy 2
Module dns.providers.cloudflare documentation: Modules - Caddy Documentation
How to override Caddy’s systemd unit to define environment variables: Keep Caddy Running — Caddy Documentation
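For anyone curious what the cloudflare module actually publishes on your behalf during the DNS challenge above, here is an added example (not from the post or from Caddy's code) that derives the `_acme-challenge` TXT record per RFC 8555 §8.4 and RFC 7638. The token, the account key coordinates and the hostnames are constructed sample values, not a live account key.

```python
"""Derive the dns-01 TXT record an ACME client such as Caddy must publish.

Added example, not part of the forum post or of Caddy itself. Implements
RFC 8555 section 8.4 (dns-01) and RFC 7638 (JWK thumbprint); all inputs
below are constructed sample values.
"""
import base64
import hashlib
import json
from typing import Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace.

    Extra members such as 'alg' or 'kid' must be ignored, and member order in
    the input must not matter, otherwise the record value will not verify.
    """
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(identifier: str, token: str, account_jwk: dict) -> Tuple[str, str]:
    """Return (record name, TXT value) for a dns-01 challenge.

    value = base64url(SHA-256(token + "." + thumbprint(account key)))
    For a wildcard identifier the leading '*.' is dropped, so the record is
    placed at the base domain (RFC 8555 section 7.1.3 / 8.4).
    """
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}", value


# Constructed sample P-256 public key in JWK form (not a real ACME account key).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token

if __name__ == "__main__":
    name, value = dns01_record("hidden.example.com", SAMPLE_TOKEN, SAMPLE_JWK)
    print(f"{name} TXT {value}")
```

Because the value binds the challenge token to your ACME account key, only the holder of the Cloudflare API token in `{$CF_API_TOKEN}` can publish it, which is why that token deserves the same protection as the private key.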