Caddy can get certificates for my duckdns IP address if I run it from the CLI, but can't when I launch it as a systemd service

1. The problem I’m having:

I have a DNS name from duckdns, which I use for my local resources. I have no public IP address, so that DNS name points to my private one (like 192.168.2.2). When I use caddy from the CLI it works fine, but the systemd service fails to get certificates.

2. Error messages and/or full log output:

Jan 12 16:43:21 lgkl-server caddy[13724]: {"level":"info","ts":1768225401.753989,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"lgkl.duckdns.org"}
Jan 12 16:43:21 lgkl-server caddy[13724]: {"level":"info","ts":1768225401.7540727,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"*.lgkl.duckdns.org"}
Jan 12 16:43:21 lgkl-server caddy[13724]: {"level":"info","ts":1768225401.7547836,"logger":"tls","msg":"waiting on internal rate limiter","identifiers":["lgkl.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Jan 12 16:43:21 lgkl-server caddy[13724]: {"level":"info","ts":1768225401.7548022,"logger":"tls","msg":"done waiting on internal rate limiter","identifiers":["lgkl.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Jan 12 16:43:21 lgkl-server caddy[13724]: {"level":"info","ts":1768225401.7548,"logger":"tls.issuance.acme","msg":"waiting on internal rate limiter","identifiers":["*.lgkl.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Jan 12 16:43:21 lgkl-server caddy[13724]: {"level":"info","ts":1768225401.7548156,"logger":"tls","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/2937047116","account_contact":[]}
Jan 12 16:43:21 lgkl-server caddy[13724]: {"level":"info","ts":1768225401.7548559,"logger":"tls.issuance.acme","msg":"done waiting on internal rate limiter","identifiers":["*.lgkl.duckdns.org"],"ca":"https://acme-v02.api.letsencrypt.org/directory","account":""}
Jan 12 16:43:21 lgkl-server caddy[13724]: {"level":"info","ts":1768225401.7548764,"logger":"tls.issuance.acme","msg":"using ACME account","account_id":"https://acme-v02.api.letsencrypt.org/acme/acct/2937047116","account_contact":[]}
Jan 12 16:43:22 lgkl-server caddy[13724]: {"level":"info","ts":1768225402.9799137,"msg":"trying to solve challenge","identifier":"lgkl.duckdns.org","challenge_type":"http-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Jan 12 16:43:23 lgkl-server caddy[13724]: {"level":"info","ts":1768225403.3746138,"msg":"trying to solve challenge","identifier":"*.lgkl.duckdns.org","challenge_type":"dns-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}
Jan 12 16:43:35 lgkl-server caddy[13724]: {"level":"error","ts":1768225415.26463,"msg":"cleaning up solver","identifier":"*.lgkl.duckdns.org","challenge_type":"dns-01","error":"no memory of presenting a DNS record for \"_acme-challenge.lgkl.duckdns.org\" (usually OK if presenting also failed)","stacktrace":"github.com/mholt/acmez/v3.(*Client).solveChallenges.func1\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:318\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:363\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.24.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.24.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.2/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.24.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.24.0/async.go:73"}
Jan 12 16:43:35 lgkl-server caddy[13724]: {"level":"error","ts":1768225415.4738026,"logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"*.lgkl.duckdns.org","issuer":"acme-v02.api.letsencrypt.org-directory","error":"[*.lgkl.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.lgkl.duckdns.org\": unexpected response code 'SERVFAIL' for _acme-challenge.lgkl.duckdns.org. (order=https://acme-v02.api.letsencrypt.org/acme/order/2937047116/468733362286) (ca=https://acme-v02.api.letsencrypt.org/directory)"}
Jan 12 16:43:35 lgkl-server caddy[13724]: {"level":"error","ts":1768225415.4738839,"logger":"tls.obtain","msg":"will retry","error":"[*.lgkl.duckdns.org] Obtain: [*.lgkl.duckdns.org] solving challenges: presenting for challenge: could not determine zone for domain \"_acme-challenge.lgkl.duckdns.org\": unexpected response code 'SERVFAIL' for _acme-challenge.lgkl.duckdns.org. (order=https://acme-v02.api.letsencrypt.org/acme/order/2937047116/468733362286) (ca=https://acme-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":13.719893127,"max_duration":2592000}
Jan 12 16:43:53 lgkl-server caddy[13724]: {"level":"error","ts":1768225433.5526729,"msg":"challenge failed","identifier":"lgkl.duckdns.org","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: query timed out looking up A for lgkl.duckdns.org; no valid AAAA records found for lgkl.duckdns.org","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.24.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.24.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.2/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.24.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.24.0/async.go:73"}
Jan 12 16:43:53 lgkl-server caddy[13724]: {"level":"error","ts":1768225433.5528336,"msg":"validating authorization","identifier":"lgkl.duckdns.org","problem":{"type":"urn:ietf:params:acme:error:dns","title":"","detail":"DNS problem: query timed out looking up A for lgkl.duckdns.org; no valid AAAA records found for lgkl.duckdns.org","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/2937047116/468733360836","attempt":1,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.24.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.24.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.2/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.24.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.24.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.24.0/async.go:73"}
Jan 12 16:43:54 lgkl-server caddy[13724]: {"level":"info","ts":1768225434.964395,"msg":"trying to solve challenge","identifier":"lgkl.duckdns.org","challenge_type":"tls-alpn-01","ca":"https://acme-v02.api.letsencrypt.org/directory"}

3. Caddy version:

v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=

4. How I installed and ran Caddy:

a. System environment:

Debian 13 (trixie) x86_64
Installed caddy with xcaddy and duckdns plugin

b. Command:

In the case of a manual run:

sudo caddy start --config /etc/caddy/Caddyfile

In the case of systemd:

sudo systemctl start caddy

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

*.lgkl.duckdns.org {
        tls {
                dns duckdns {my-token}
                resolvers 1.1.1.1 8.8.8.8 8.8.4.4
        }
}

adguard.lgkl.duckdns.org {
        reverse_proxy localhost:3000
}

# more reverse proxies in the same fashion

5. Links to relevant resources:

You seem to have different config files when running Caddy from the CLI and via systemd.

Thanks for the reply, that was a typo in my post, I use /etc/caddy/Caddyfile in both cases. One thing to note, however: when I run from the CLI, I use sudo and caddy runs as the root user (I guess), and in the case of systemd it runs with the caddy user and group. Might that be an issue?

It could indeed be the issue.

I am not very familiar with Debian, but you do have ProtectSystem=full in your service file.

Take a look at this, it was kind of a similar problem.

You may need to adjust ReadWritePaths accordingly and add the folders Caddy uses to store its data and logs.

Refer to the following:

or check your Caddy debug log to see where it is trying to store data.

Also, make sure caddy has read/write access to those folders.

Thanks, I’ll look into it

@timelordx I’ve tried adding ReadWritePaths=/var/lib/caddy, but it didn’t change anything. The directory has correct ownership by caddy anyway. It seems to be an error with something else, as the logs show errors from DNS, but I can’t really understand what is wrong, because running from the CLI works, nslookup resolution works and resolvers are specified in my Caddyfile.

Can you check that everything underneath /var/lib/caddy is owned by caddy?

I’m just guessing here, but if you ran your CLI command before you started it as a service, the files underneath /var/lib/caddy are owned by root, and the caddy user cannot now proceed with whatever it needs to do. Just my guess.
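The ownership check the last reply asks for, written out as an added example (not code from the thread or from the Caddy project). It walks a data directory and reports every path not owned by the service user, which is what a root-run `caddy start` followed by a `User=caddy` service would leave behind; the defaults `/var/lib/caddy` and `caddy:caddy` are taken from the unit file above and are assumptions about the poster's host.

```shell
#!/bin/sh
# Added example: find files under a Caddy data directory that the service
# user does not own. Useful after the unit's User=/Group= and the
# ReadWritePaths= tuning discussed in the thread, since a directory that is
# writable by the unit is still useless if its contents belong to root.

# check_owner DIR USER [GROUP]
# Prints (via ls -ld) every path under DIR whose owner, or group when GROUP
# is given, differs. Returns 0 when everything matches, 1 when something
# does not, 2 when DIR does not exist.
check_owner() {
    dir=$1
    user=$2
    group=${3:-}
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    if [ -n "$group" ]; then
        bad=$(find "$dir" \( ! -user "$user" -o ! -group "$group" \) -print)
    else
        bad=$(find "$dir" ! -user "$user" -print)
    fi
    if [ -n "$bad" ]; then
        # ls -ld shows the offending owner:group next to each path
        printf '%s\n' "$bad" | while IFS= read -r p; do
            ls -ld "$p"
        done
        return 1
    fi
    return 0
}

# count_foreign DIR USER
# Number of paths under DIR (DIR itself included) not owned by USER.
count_foreign() {
    find "$1" ! -user "$2" -print | wc -l | tr -d ' '
}

# Usage on the host from the thread; only runs when the directory exists.
# The unit file sets User=caddy and Group=caddy, so both are checked.
if [ -d /var/lib/caddy ]; then
    if check_owner /var/lib/caddy caddy caddy; then
        echo "/var/lib/caddy: every path is owned by caddy:caddy"
    else
        echo "mismatches found; fix with: chown -R caddy:caddy /var/lib/caddy" >&2
    fi
fi
```

Run it as root so `find` can descend into the certificate directories, which Caddy creates without group or world read access.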