Unwanted Let's Encrypt challenges in logs

Is localhost:9876 configured to reject requests for domains you don’t want certificates for?

  • ask will cause Caddy to make an HTTP request to the given URL, asking whether a domain is allowed to have a certificate issued.
    The request has a query string of ?domain= containing the value of the domain name.
    If the endpoint returns a 2xx status code, Caddy will be authorized to obtain a certificate for that name. Any other status code will result in cancelling issuance of the certificate and erroring the TLS handshake.

https://caddyserver.com/docs/caddyfile/options#on-demand-tls

If the ask endpoint does not properly reject bad domains, anyone across the internet can craft an SNI request for arbitrary hostnames on your server and prompt an ACME challenge from your Caddy instance. This leaves you open to abuse and should be rectified. Upstream ACME providers will have rate limits to mitigate your server abusing theirs, but you may find yourself with cluttered logs and have your renewal attempts rejected later due to said rate limit abuse.

To protect yourself, the listener at localhost:9876 must return non-200 responses for any domain other than the ones you actually want to serve.

3 Likes
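As an added example (not code from the post above or from the Caddy project), here is a minimal `ask` endpoint in Go that behaves the way the reply describes: Caddy calls it with `?domain=<name>`, it answers 2xx only for an allowlist of hostnames you actually serve, and 403 for everything else. The allowlist values (`example.com`, `www.example.com`, the `.apps.example.com` suffix) and the `/ask` path are constructed for this example; substitute your own. Domains are normalized (lowercased, trailing dot stripped) and validated before the lookup so that case variants or malformed SNI names cannot slip past an exact-match table, and every refusal is logged so abuse attempts remain visible even though no certificate is requested.

```go
package main

import (
	"log"
	"net/http"
	"strings"
)

// allowedHosts is the constructed allowlist for this example: exact hostnames
// that are permitted to receive on-demand certificates (hypothetical values).
var allowedHosts = map[string]bool{
	"example.com":     true,
	"www.example.com": true,
}

// allowedSuffixes permits any subdomain beneath a zone (but not the zone itself).
// Also a hypothetical value for this example.
var allowedSuffixes = []string{".apps.example.com"}

// normalizeDomain lowercases the name, strips a trailing dot, and rejects
// anything that is not a plausible DNS hostname (wildcards, empty or
// overlong labels, characters outside [a-z0-9-]).
func normalizeDomain(raw string) (string, bool) {
	d := strings.ToLower(strings.TrimSpace(raw))
	d = strings.TrimSuffix(d, ".")
	if d == "" || len(d) > 253 || strings.Contains(d, "*") {
		return "", false
	}
	for _, label := range strings.Split(d, ".") {
		if label == "" || len(label) > 63 {
			return "", false
		}
		for _, c := range label {
			isAlnum := (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
			if !isAlnum && c != '-' {
				return "", false
			}
		}
	}
	return d, true
}

// Allowed reports whether a certificate may be issued for the given domain.
func Allowed(raw string) bool {
	d, ok := normalizeDomain(raw)
	if !ok {
		return false
	}
	if allowedHosts[d] {
		return true
	}
	for _, s := range allowedSuffixes {
		// Require the name to be strictly longer than the suffix so that the
		// zone apex itself is not implicitly allowed.
		if strings.HasSuffix(d, s) && len(d) > len(s) {
			return true
		}
	}
	return false
}

// AskHandler is the HTTP endpoint Caddy's `ask` option points at.
// 200 authorizes issuance; any other status code denies it.
func AskHandler(w http.ResponseWriter, r *http.Request) {
	domain := r.URL.Query().Get("domain")
	if Allowed(domain) {
		w.WriteHeader(http.StatusOK)
		return
	}
	log.Printf("on-demand TLS denied for domain %q (client %s)", domain, r.RemoteAddr)
	http.Error(w, "domain not allowed", http.StatusForbidden)
}

func main() {
	// Bind only to loopback: this endpoint is meant to be reached by the local
	// Caddy instance, not by the public internet.
	http.HandleFunc("/ask", AskHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:9876", nil))
}
```

With this running, the matching Caddyfile global option would be `on_demand_tls { ask http://localhost:9876/ask }`; the denial log line gives you a single place to watch for unexpected hostnames arriving via SNI.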