DNS
Before Caddy (or any proxy) can obtain a Let’s Encrypt certificate, your hostname must resolve to the VPS. Do this first — ACME fails hard if DNS is wrong.
1. Create an A record
At your DNS provider, create an A record (and optionally an AAAA record for IPv6) for the hostname you want to use. The value is your VPS's public IP. Replace hiveloom.example.com below with your hostname.
2. Wait for propagation
Most providers propagate within seconds; some take minutes. Verify from a machine that is not the VPS:
dig +short hiveloom.example.com
# Must print your VPS's public IP.

If dig returns nothing, wait another minute and try again. If it returns the wrong IP, fix the record before proceeding.
From a different vantage point — useful to rule out local DNS caching:
dig +short hiveloom.example.com @1.1.1.1
dig +short hiveloom.example.com @8.8.8.8

All three should agree.
3. AAAA is optional but recommended
If your VPS has an IPv6 address, add an AAAA record pointing at it. Let's Encrypt will validate whichever family responds first; having both means your site is reachable from IPv6-only clients.
Common failure modes
- Wrong IP: you put the gateway/NAT address instead of the VPS's public address. Running curl ifconfig.me on the VPS prints the right value.
- Proxied by Cloudflare: if the record shows the orange cloud icon in Cloudflare's dashboard, Let's Encrypt will see Cloudflare's IP, not yours, and ACME HTTP-01 will fail. Set the record to "DNS only" (grey cloud) for the initial issuance, or use DNS-01 challenges.
- TTL too high: if you previously pointed the name somewhere else, downstream resolvers may still have the old record cached. Wait for TTL to expire, or lower TTL the day before the change.
Next: Firewall.