I’m not exactly sure why you’re getting that TLS error, but there are a couple issues with your Caddyfile.
Path matching is exact-match in Caddy v2, so /loki will only match exactly /loki and not /loki/foo for example. And / will only match /. Also, you said you wanted localhost:3100 to proxy to loki, but you never tell Caddy to serve a site on port 3100.
I think this is closer to what you want:
    {
        debug
    }

    localhost {
        metrics /metrics
        reverse_proxy golang:4200
    }

    localhost:3100 {
        reverse_proxy loki:3100
    }
When Caddy is trying to set up the self-signed CA, it’s trying to install it inside of the container. Caddy isn’t aware of the host machine at all, so it’s not able to install it on the host. You’d need to install it yourself by pulling the CA cert out of the container. It should be stored in /data/pki/authorities/local/root.crt.
Those certutil warnings are harmless; it just means Caddy wasn’t able to install the cert to web browser trust stores inside of the container, because the container doesn’t have web browsers nor the appropriate libs installed. You can ignore those.
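
The exact-match rule described in the reply above, shown as an added example that is not part of the original post: a single-site variant that routes by path, using a trailing `*` so the matcher covers sub-paths. The upstream names golang:4200 and loki:3100 come from the post; the path-based layout itself is an assumption about what the original config was aiming for.

```caddyfile
{
	debug
}

localhost {
	# Exact match: only /metrics itself is served by the metrics handler.
	handle /metrics {
		metrics
	}

	# Prefix match: the trailing * makes this cover /loki, /loki/foo,
	# /loki/api/v1/push and so on. A bare /loki would match only /loki.
	# Note that /loki* also matches /lokifoo; use /loki/* to require the slash.
	handle /loki* {
		reverse_proxy loki:3100
	}

	# No matcher: everything not claimed by a handle block above.
	handle {
		reverse_proxy golang:4200
	}
}
```

The `handle` blocks are mutually exclusive, so a request is sent to exactly one upstream and the catch-all cannot shadow the more specific paths.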