Thank you, thank you, thank you! I was able to figure it out with the debug info.
I wasn’t thinking that the `ask` endpoint would pass through Caddy as well, so it was trying to ask https://www.localhost for domain approval.
I put the `ask` service on another port to get around it. Working config looks more like this:
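```
{
	# Global option: Caddy queries this URL before issuing an on-demand certificate
	on_demand_tls {
		ask http://localhost:7777
	}
}

:80 {
	# Redirect plain HTTP to the www host over HTTPS
	redir https://www.{host}{uri}
}

:443 {
	tls web@example.com {
		on_demand
	}
	reverse_proxy localhost:7777
}
```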
Thanks again!
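
An added example, not part of the original post or the poster's code: a minimal `ask` endpoint that approves on-demand certificates only for allowlisted hostnames. Caddy calls the `ask` URL with a `domain` query parameter and treats a 2xx response as approval; the allowlist contents and the names `normalize` and `decide` are assumptions, and the port matches the `ask` line in the config above.

```python
# Added example: minimal on-demand TLS "ask" endpoint (not the poster's service).
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs

# Constructed allowlist; a real service would look hostnames up in its own data store.
ALLOWED_DOMAINS = {"www.example.com", "www.customer-a.example"}


def normalize(domain: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are exact."""
    return domain.strip().lower().rstrip(".")


def decide(request_target: str) -> int:
    """Return the HTTP status for an ask request such as '/?domain=www.example.com'."""
    values = parse_qs(urlsplit(request_target).query).get("domain", [])
    if len(values) != 1:
        return 400  # missing, empty or repeated parameter: refuse
    domain = normalize(values[0])
    if not domain or domain not in ALLOWED_DOMAINS:
        return 403  # unknown name: no certificate should be requested for it
    return 200      # 2xx approves issuance for this name


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # The default request log records every name that was asked about.
        self.send_response(decide(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()


def serve(host: str = "127.0.0.1", port: int = 7777) -> None:
    # Bind to loopback only so the endpoint is reachable by the local Caddy alone.
    HTTPServer((host, port), AskHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

Denying by default keeps arbitrary hostnames pointed at the server from triggering certificate issuance.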