Caddy does obtain a lock when it obtains certificates. What is the log output? Run with -log stderr to get log printed to stderr (or you can specify a filename of course).
Stalling there usually means that the ACME server is not able to connect to your site for the domain you’re trying to obtain a certificate for. Check your DNS settings, make sure it’s reachable, etc.
It is/(was 20 minutes ago) reachable & the DNS settings are correct. The server runs fine if I remove that one domain from the Caddyfile, but if the problem isn’t limited to just that host this means that renewing the certificates for the other hosts will probably fail too when they’re due.
I have fixed the issue.
Commenting out CapabilityBoundingSet, AmbientCapabilities and NoNewPrivileges in the systemd unit file has fixed the issue for me.
There is clearly some other reason than the systemd version that is making it fail as I have always had 220+ and it has always failed with the capabilities. Currently running the latest in Arch Linux.