Caddy Tailscale Cloudflare issue

I use Caddy with Tailscale in an LXC on Proxmox.
I run Tailscale with --tun=userspace-networking in a screen session.
Homarr resides on another LXC on Proxmox where I also run Tailscale.
Both machines are available in the Tailscale admin panel.

In Cloudflare I registered stfborn.org.
I set up the CNAME hummer and pointed it to homarr.hippocampus-toad.ts.net.
dig hummer.stfborn.org returns the following:
; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> hummer.stfborn.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16477
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hummer.stfborn.org. IN A

;; ANSWER SECTION:
hummer.stfborn.org. 60 IN CNAME homarr.hippocampus-toad.ts.net.

;; AUTHORITY SECTION:
ts.net. 300 IN SOA ns1.dnsimple.com. admin.dnsimple.com. 1617046202 86400 7200 604800 300

Here is my Caddyfile:
hummer.stfborn.org {
	tls {
		get_certificate tailscale
	}
	reverse_proxy 192.168.1.7:3000
}

Here is the caddy log:

root@caddy:/etc/caddy# caddy run --config /etc/caddy/Caddyfile
2024/12/16 09:05:58.467 INFO using config from file {"file": "/etc/caddy/Caddyfile"}
2024/12/16 09:05:58.470 INFO adapted config to JSON {"adapter": "caddyfile"}
2024/12/16 09:05:58.470 WARN Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies {"adapter": "caddyfile", "file": "/etc/caddy/Caddyfile", "line": 3}
2024/12/16 09:05:58.474 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/12/16 09:05:58.475 INFO http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/12/16 09:05:58.475 INFO http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2024/12/16 09:05:58.475 INFO http enabling HTTP/3 listener {"addr": ":443"}
2024/12/16 09:05:58.475 INFO failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2024/12/16 09:05:58.476 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/12/16 09:05:58.476 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/12/16 09:05:58.476 INFO http enabling automatic TLS certificate management {"domains": ["hummer.stfborn.org"]}
2024/12/16 09:05:58.476 INFO autosaved config (load with --resume flag) {"file": "/root/.config/caddy/autosave.json"}
2024/12/16 09:05:58.476 INFO serving initial configuration
2024/12/16 09:05:58.478 INFO tls storage cleaning happened too recently; skipping for now {"storage": "FileStorage:/root/.local/share/caddy", "instance": "28653582-0684-400c-84db-bfae9ae67b7e", "try_again": "2024/12/17 09:05:58.478", "try_again_in": 86399.999999282}
2024/12/16 09:05:58.478 INFO tls finished cleaning storage units
2024/12/16 09:05:58.479 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc0000eb500"}

HTTP redirects to HTTPS, so it seems that the Tailscale certs are being used. But I can't access hummer.stfborn.org in my browser. Am I missing something here?
I haven't set up an API token in Cloudflare, because I use the CNAME setting. Is that correct?

Any help appreciated
stf
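The dig output in the post has status NXDOMAIN while the answer section holds only the CNAME and the authority section holds the ts.net SOA: the resolver followed the CNAME, but the target name has no record in public DNS, so a browser whose resolver is not the tailnet's own DNS cannot get an address for it. The script below is an added example (not part of the post, and not Caddy's or Tailscale's code) that parses dig output in this format and reports whether a CNAME chain ends in an address; the embedded input is the output pasted above, and the `.ts.net.` suffix used to flag Tailscale MagicDNS names is an assumption of the example.

```python
"""Diagnose a dig(1) answer whose CNAME points at a name that public DNS
does not know (for example a Tailscale MagicDNS name)."""
import re
from dataclasses import dataclass, field

# dig output copied from the forum post (constructed offline input).
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16477
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;hummer.stfborn.org.            IN      A

;; ANSWER SECTION:
hummer.stfborn.org.     60      IN      CNAME   homarr.hippocampus-toad.ts.net.

;; AUTHORITY SECTION:
ts.net.                 300     IN      SOA     ns1.dnsimple.com. admin.dnsimple.com. 1617046202 86400 7200 604800 300
"""

# A resource record line: name, TTL, class IN, type, rdata.
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")


@dataclass
class DigResult:
    status: str = "UNKNOWN"
    answers: list = field(default_factory=list)    # (name, ttl, type, rdata)
    authority: list = field(default_factory=list)  # same shape


def parse_dig(text):
    """Extract the response status plus ANSWER and AUTHORITY records."""
    result = DigResult()
    section = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status:\s*(\w+)", line)
            if m:
                result.status = m.group(1)
            continue
        if line.startswith(";; ") and line.rstrip().endswith("SECTION:"):
            section = line.split()[1]  # QUESTION / ANSWER / AUTHORITY / ADDITIONAL
            continue
        m = RR_RE.match(line)
        if m and section in ("ANSWER", "AUTHORITY"):
            rr = (m.group(1), int(m.group(2)), m.group(3), m.group(4).strip())
            (result.answers if section == "ANSWER" else result.authority).append(rr)
    return result


def diagnose(result, private_suffixes=(".ts.net.",)):
    """Return (ok, message); ok is True only when the chain ends in an address."""
    cnames = [rr for rr in result.answers if rr[2] == "CNAME"]
    addrs = [rr for rr in result.answers if rr[2] in ("A", "AAAA")]
    if addrs:
        return True, "resolves to " + ", ".join(rr[3] for rr in addrs)
    if cnames:
        target = cnames[-1][3]
        soa_zone = next((rr[0] for rr in result.authority if rr[2] == "SOA"), None)
        msg = f"CNAME target {target} did not resolve (status {result.status}"
        if soa_zone:
            # A SOA in the authority section is the negative answer from the zone
            # that would hold the target, so the name really is absent there.
            msg += f", zone {soa_zone} answered that it does not exist"
        msg += ")"
        if target.endswith(private_suffixes):  # assumption: MagicDNS suffix
            msg += ("; the target is a Tailscale MagicDNS name, which public DNS "
                    "does not carry, so only resolvers using the tailnet's DNS can follow this CNAME")
        return False, msg
    return False, f"no answer (status {result.status})"


if __name__ == "__main__":
    ok, message = diagnose(parse_dig(DIG_OUTPUT))
    print("OK" if ok else "PROBLEM", "-", message)
```

Run it as-is to see the verdict for the pasted output, or pipe a fresh `dig` result into `parse_dig` to check any other CNAME chain the same way.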

Your post’s formatting is quite messy, so it’s hard to follow the information. Also, you didn’t fill out the help topic template as per the forum rules. Please do so.