Let’s Encrypt will only attempt to connect to your server on port 80 for the HTTP challenge, and port 443 for the ALPN challenge.
If you can’t make your server accessible on either of these ports, you’ll need to use the DNS challenge, which requires adding a plugin for your DNS provider (you can do this with the builder Docker image variant, see the docs on Docker Hub) and configure Caddy to use the that DNS plugin. There’s more instructions here:
This is all explained in the docs here:
FYI, all of these lines are redundant and unnecessary. Caddy already passes through the headers on its own.
header_up Connection {http.request.header.Connection}
header_up Upgrade {http.request.header.Upgrade}
header_up X-Forwarded-Proto {http.request.scheme}