Minimizing downtime when moving an HTTPS site from one server to another

That makes sense. Reducing the TTL can be easier when moving from a different http server, because of the variety of http servers, versions, and config file structures.

I can also suggest a DNS challenge, but as others have noted, many DNS services don’t provide fine-grained permission API keys - DigitalOcean’s allows for spinning up servers (crypto mining, yay!). However, by using Docker or file permissions, you can carefully guard that key. You also could use a different DNS server that does have fine-grained permissions - you don’t have to use the same DNS server as your host or domain registrar, and it is worth considering using a different DNS service for this reason. Also, if for some reason you don’t want Caddy to be in Docker, you can make just the ACME part in Docker by using acme-dns once it has a driver, or DuckDNS.

There’s a good amount of info that can go into this article, but I want to make it so the typical reader doesn’t have to read much, and that it’s concise.
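As an added illustration (not from the post above or from the Caddy project), this is the shape of a Caddy 2 site block that uses the DNS challenge while keeping the provider token out of the config file, so the token can be guarded by file permissions on the environment file or by Docker alone; it assumes the DigitalOcean DNS module is compiled into the Caddy binary and that the hostname and upstream are placeholders:

```caddyfile
# example.com is a placeholder hostname; replace with the site being moved.
example.com {
    tls {
        # DNS-01 challenge: Caddy proves control of the name through the DNS
        # provider's API, so the new server can obtain a certificate before
        # any traffic is cut over to it. The token is read from the
        # environment, not written here, so the Caddyfile can be world-readable
        # while the env file (or the Docker secret/env) holding DO_AUTH_TOKEN
        # stays restricted to the Caddy user.
        dns digitalocean {env.DO_AUTH_TOKEN}
    }

    # Placeholder upstream for the application running on the new host.
    reverse_proxy localhost:8080
}
```

Because the token still grants whatever the provider's API scopes allow, the file or container that exposes DO_AUTH_TOKEN should be readable only by the process running Caddy.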