mTLS under FreeBSD

Accessing the backend host directly doesn’t work for me either, but this is expected, unless you install the root CA in your browser.

I’ve set up my split-DNS to redirect to the frontend Caddy, i.e. nextcloud.mydomain.com goes straight to 192.168.2.2.

Just an extra warning: I lost a lot of time debugging a working config because my browsers had something in the cache that would prevent a successful connection. I also had very different (cache) behaviour between Chrome and Firefox. I think the best results for me were to clear the browser cache and then close all browser windows before reconnecting again.

I also noticed that Caddy can get into a condition where the certificate renewal doesn’t work correctly:

1. I empty the Caddy storage, i.e. rm -rf /.local/share, on both the frontend and backend
2. I restart Caddy frontend to generate a new root CA for the internal ACME server
3. I copy the new certificate to the backend
4. I start Caddy on the backend
5. New certificates are being issued, but connecting to the services gives me a certificate error similar to

"x509: certificate signed by unknown authority"

but there was an additional message which I lost, and although I could reproduce this 3 times, I can’t anymore…

Restarting Caddy may solve this, but I don’t have solid proof (yet). When I do, I’ll report this in a separate topic.