OPNsense/Caddy/Authentik failed to verify certificate

1. The problem I’m having:

Dear All
I am using the Caddy plugin in OPNsense as a reverse proxy and would like to add forward auth. According to the OPNsense documentation, Authentik is supported. I use the Caddy-internal ACME for certs, and for Authentik I thought I could simply stay with the self-signed cert and somehow make Caddy accept it. When I access the reverse proxy URL, I get the error below. I have searched the documentation for OPNsense, Caddy and Authentik but could not find additional requirements for things like wildcard certificates etc.

2. Error messages and/or full log output:

"error","ts":"2024-12-20T06:09:38Z","logger":"http.log.error.log0","msg":"tls: failed to verify certificate: x509: certificate is valid for *, not s003.beuthen.net","request":{"remote_ip":"10.10.100.100","remote_port":"53841","client_ip":"10.10.100.100","proto":"HTTP/2.0","method":"GET","host":"audiobooks.beuthen.net:1443","uri":"/sw.js","headers":{"Accept-Encoding":["gzip, deflate, br"],"Cookie":["REDACTED"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1.1 Safari/605.1.15"],"Origin":["https://audiobooks.beuthen.net:1443"],"Accept":["*/*"],"Priority":["u=5, i"],"Referer":[""],"Service-Worker":["script"],"Accept-Language":["de-DE,de;q=0.9"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"audiobooks.beuthen.net"}},"duration":0.004089531,"status":502,"err_id":"bqkg1x29n","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

s003: internal hostname with self-signed cert running Authentik on Docker
audiobooks: public DNS domain to expose the service (running on the same internal server as above) with a Let's Encrypt cert

3. Caddy version:

Actually, I do not know. It is OPNsense os-caddy plugin 1.7.6

4. How I installed and ran Caddy:

OPNsense plugin in Proxmox connecting to Authentik in remote NAS on Docker with Portainer

a. System environment:

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=www

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
	}

	http_port 1080
	https_port 1443

	servers {
		protocols h1 h2 h3
	}

	email patric.beuthen@me.com
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


# Reverse Proxy Domain: "95bb2ca6-b136-4ff9-ad4c-0476f39eb1f8"
audiobooks.beuthen.net:1443 {
	log {
		output file /var/log/caddy/access/95bb2ca6-b136-4ff9-ad4c-0476f39eb1f8.log {
			roll_keep_for 10d
		}
	}

	handle {
		reverse_proxy /outpost.goauthentik.io/* https://s003.beuthen.net:9302 {
			header_up Host {http.reverse_proxy.upstream.hostport}
		}
		forward_auth https://s003.beuthen.net:9302 {
			uri /outpost.goauthentik.io/auth/caddy
			copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
		}
		reverse_proxy s003.beuthen.net:13378 {
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf

5. Links to relevant resources:

In Caddy | authentik I see an additional directive trusted_proxies, but I do not know if that would help or where to put it in OPNsense, as OPNsense generates the Caddy file.
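The "certificate is valid for *, not s003.beuthen.net" line in the log comes from Go's crypto/x509 hostname check, which Caddy relies on when it verifies an HTTPS upstream. As an added example (not code from the original post, Caddy or Authentik), the Go program below builds a throwaway self-signed certificate in memory with a chosen SAN list and runs that same check: a bare `*` SAN (what the log reports) is rejected for s003.beuthen.net, while `*.beuthen.net` or the exact hostname is accepted, and a wildcard never spans more than one label. The hostnames are the ones from the post; the certificate itself is constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HostnameError reports what crypto/x509 (the verifier Caddy uses) says when
// a self-signed cert carrying exactly sans is checked against host; "" means accepted.
func HostnameError(host string, sans ...string) string {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err.Error()
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: sans[0]},
		DNSNames:     sans, // e.g. {"*"}: a bare wildcard, as the log reports for the NAS cert
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err.Error()
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err.Error()
	}
	// VerifyHostname is what produces "certificate is valid for X, not Y".
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	host := "s003.beuthen.net"
	for _, sans := range [][]string{{"*"}, {"*.beuthen.net"}, {host}} {
		fmt.Printf("SAN %-18v -> %q\n", sans, HostnameError(host, sans...))
	}
}
```

The fix on the certificate side is therefore a SAN that actually names the upstream (the exact hostname or `*.beuthen.net`), and on the Caddy side trusting that certificate's issuer rather than disabling verification.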

Is it running on the same machine, or in your private network? If so, proxy over HTTP, not HTTPS.

Sorry, that was a mistake. Caddy runs on OPNsense and Authentik on a Synology NAS. But I just found a fantastic guide in your wiki on Authelia and I think I will go for that.