Client cert auth using trust_pool

Fixed, the problem was user error! The openssl verify in the previous comment was done on my local machine where the CA exists. I scp’d the file across to my VPS the other day but somehow must have flipped the filenames, so my Caddyfile was effectively loading the leaf file into the trust_pool and not the root file. :woman_facepalming: Caddy didn’t pick up on the fact it wasn’t a root file though - but I guess it was a valid PEM so Caddy just ran with it. Thanks for all your tips and pointers, much appreciated.

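A pre-flight check for the mix-up described above, as an added example that is not part of the original post and is not Caddy's own code: it rejects a PEM file that is not a self-signed CA certificate before it is referenced from a trust pool. The helper names `checkTrustAnchor` and `sampleCerts` are hypothetical, the certificates are constructed in memory, and it assumes the trust pool is meant to hold a self-signed root, as in this setup.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkTrustAnchor (hypothetical helper) rejects a PEM that is not a self-signed CA certificate.
func checkTrustAnchor(pemBytes []byte) error {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	if !cert.BasicConstraintsValid || !cert.IsCA {
		return fmt.Errorf("%q is not a CA certificate (leaf file?)", cert.Subject.CommonName)
	}
	return cert.CheckSignatureFrom(cert) // fails unless the certificate is self-signed, i.e. a root
}

// sampleCerts builds a constructed root CA and a leaf signed by it (sample data only).
func sampleCerts() (rootPEM, leafPEM []byte) {
	sign := func(t, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) []byte {
		t.SerialNumber, t.NotBefore, t.NotAfter = big.NewInt(time.Now().UnixNano()), time.Now(), time.Now().Add(time.Hour)
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	root := &x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Root CA"}, IsCA: true, BasicConstraintsValid: true}
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: "constructed-client"}}
	return sign(root, root, rootPub, rootKey), sign(leaf, root, leafPub, rootKey)
}

func main() {
	root, leaf := sampleCerts()
	fmt.Println("root file:", checkTrustAnchor(root), "| leaf file:", checkTrustAnchor(leaf))
}
```

The check also rejects an intermediate CA; drop the self-signature step if the pool is intentionally anchored at an intermediate.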