Reverse_proxy between valid external domain and a made up internal domain

You’re changing too much and deviating from the right path. You’re closer to the solution with the config in this comment than now.

I assume you’ve used the cert.pem file with your upstream server that serves rp-tailscale.esco.ghaar:8443. Use chain.pem.

If you want Caddy to issue certificates to itself, then you’ll need to configure the pki app and/or use the tls directive with the appropriate configuration, which I won’t go into here.

Caddy can also act as a CA because it embeds step-ca. You can configure that with the acme_server directive. That’s also a different path than the original question here.

To summarize, your upstream server should be using chain.pem, and you configure tls_trust_pool inside transport in reverse_proxy to trust the root certificate only.

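An added Caddyfile example of the arrangement the reply describes (not code from the reply or from the Caddy project): the public site keeps its normal automatic certificate, the upstream serves chain.pem (leaf plus intermediate) signed by a private root, and the proxy side is pinned to that root only. The public hostname and the path to the root certificate are placeholders.

```caddyfile
# Public site: Caddy obtains and renews the public certificate for this name by itself.
proxy.example.com {
	# The upstream must present chain.pem (leaf + intermediate), not cert.pem alone,
	# or the chain cannot be built back to the root trusted below.
	reverse_proxy https://rp-tailscale.esco.ghaar:8443 {
		transport http {
			# Trust only the private root CA that signed the upstream's chain.
			# The path is an assumption; point it at your root certificate PEM.
			tls_trust_pool file /etc/caddy/internal-root.pem
			# Verify the upstream certificate against its internal hostname.
			tls_server_name rp-tailscale.esco.ghaar
		}
	}
}
```

Leaving out tls_trust_pool makes Caddy validate the upstream against the system trust store, where a private root is not present, so the proxy would fail TLS verification rather than silently trusting a wrong certificate.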