Using my own certificates with caddy not working

I would like to have a vaultwarden instance running and am struggling with the certificates for caddy. I would like to have the vaultwarden only available internally (LAN) and have wildcard certificates for my local domain as well as control over local DNS. I also already have an Apache up and running, serving as reverse proxy for other web things (tomcat, …), so if there is an easy way to use this already existing reverse proxy, I'd also be pleased, but I'd also be fine using the suggested caddy docker container.
What happened:
I’ve made a fresh virtual machine (artix 6.7.7) and at first I created a directory for vaultwarden to live in: /vw-data/. Then I used this command to create a docker network:

docker network create vaultwarden_network

and proceeded with:

docker run --rm -it vaultwarden/server /vaultwarden hash

Vaultwarden seemed to do what it was supposed to do and asked for a password. After setting the password, I got the ADMIN Token as described. I created a docker-compose.yaml with the following content at the /vw-data location:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    labels:
      caddy: vaultwarden.2f-leuchten.com
      caddy.reverse_proxy: "{{upstreams}}"
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true
      - SIGNUPS_ALLOWED=true
      - INVITATIONS_ALLOWED=false
      - ADMIN_TOKEN=THE-TOKEN-FROM-EARLIER
      - DOMAIN=https://vaultwarden.2f-leuchten.com
    volumes:
      - vaultwarden_data:/data
    networks:
      - vaultwarden_network
    depends_on:
      - caddy

  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    container_name: reverse-proxy
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=vaultwarden_network
      - DOMAIN=https://vaultwarden.2f-leuchten.com
      - EMAIL=administrator@2f-leuchten.com
    networks:
      - vaultwarden_network
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - caddy_data:/data
    restart: unless-stopped

networks:
  vaultwarden_network:
    external: true
volumes:
  vaultwarden_data: {}
  caddy_data: {}

after starting the whole thing now with:

docker-compose up -d

while standing in the directory with the docker-compose.yaml, I get messages at

docker-compose logs vaultwarden

stating that the automatic certificate generation with Let's Encrypt is not working properly as the required DNS entries are missing (which is correct, as we only want to use our internal DNS for the whole shebang, which is not accessible by Let's Encrypt). I tried to add an entry to the caddy part of docker-compose.yaml (part of "volumes" in the caddy part) as follows:

 - ./Caddyfile:/etc/caddy/Caddyfile:ro

and made a Caddyfile at /etc/caddy on the host in the hopes this would help. The Caddyfile looks like this:

{
    # Causes all certificates to be issued internally by default,
    # rather than through a (public) ACME CA such as Let's Encrypt.
    local_certs
}

vaultwarden.2f-leuchten.com:443, localhost:443 {
    # Or uncomment this if you're providing your own cert. You would also
    # use this option if you're running behind Cloudflare.
    tls /etc/ssl/certs/2f-leuchten.com.pem /etc/ssl/certs/2f-leuchten.com.key
}

I also placed the certificate files at the given path on the host (/etc/ssl/certs/2f-leuchten.com.pem as well as /etc/ssl/certs/2f-leuchten.com.key).
After doing that and restarting the containers via docker-compose down → docker-compose up -d, when I check the log with

docker-compose logs vaultwarden

I only get the following output. No further errors about certificate issuing going wrong:

[vaultwarden vw-data]# docker-compose logs vaultwarden
vaultwarden  | /--------------------------------------------------------------------\
vaultwarden  | |                        Starting Vaultwarden                        |
vaultwarden  | |                           Version 1.30.5                           |
vaultwarden  | |--------------------------------------------------------------------|
vaultwarden  | | This is an *unofficial* Bitwarden implementation, DO NOT use the   |
vaultwarden  | | official channels to report bugs/features, regardless of client.   |
vaultwarden  | | Send usage/configuration questions or feature requests to:         |
vaultwarden  | |   https://github.com/dani-garcia/vaultwarden/discussions or        |
vaultwarden  | |   https://vaultwarden.discourse.group/                             |
vaultwarden  | | Report suspected bugs/issues in the software itself at:            |
vaultwarden  | |   https://github.com/dani-garcia/vaultwarden/issues/new            |
vaultwarden  | \--------------------------------------------------------------------/
vaultwarden  | 
vaultwarden  | [2024-03-05 15:57:13.761][start][INFO] Rocket has launched from http://0.0.0.0:80
vaultwarden  | [2024-03-05 15:57:13.761][vaultwarden::api::notifications][INFO] Starting WebSockets server on 0.0.0.0:3012

But when I browse the URL via browser I get no certificate in the response and an error stating: Error code: SSL_ERROR_INTERNAL_ERROR_ALERT
When I check on the host, what ports are open, I get the following output:

[vaultwarden vw-data]# sudo netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:42177         0.0.0.0:*               LISTEN      2290/containerd     
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      7024/docker-proxy   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3109/sshd: /usr/bin 
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      7004/docker-proxy   
tcp6       0      0 :::80                   :::*                    LISTEN      7028/docker-proxy   
tcp6       0      0 :::22                   :::*                    LISTEN      3109/sshd: /usr/bin 
tcp6       0      0 :::443                  :::*                    LISTEN      7008/docker-proxy

and when I check from outside the host I’ll get the following:

[manoca@lumpy ~]$ nmap vaultwarden.2f-leuchten.com
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-05 17:01 CET
Nmap scan report for vaultwarden.2f-leuchten.com (30.0.99.96)
Host is up (0.00082s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

So the ports seem all open and fine, but Caddy is not serving my certificates.
As you might already have noticed, I have no idea about docker containers, and therefore am struggling quite a bit figuring things out. So every hint on how this is supposed to be set up is highly appreciated :wink:
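The following is an added example and is not part of the original post, nor code from the vaultwarden or caddy-docker-proxy projects. It shows the local checks a practitioner would run before blaming the proxy when a hand-supplied cert/key pair is not served: whether the .pem and .key actually belong together, whether the certificate's subjectAltName list covers the host name (including a one-label wildcard), and what certificate a listener actually presents. It assumes `openssl` is installed; the `*.example.test` pair it builds is constructed for the demonstration, and the file names `demo.pem`/`demo.key` and the function names are mine.

```shell
#!/bin/sh
# Added example: sanity checks for "the proxy is not serving my certificate".
# Assumes the openssl CLI is available. All paths are passed explicitly so the
# checks can first be exercised against a constructed throwaway pair.

# SHA-256 of the public key embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a private key.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Exit 0 when the certificate and key belong together, 1 otherwise.
# A mismatched pair is a classic cause of the server aborting the handshake
# with an internal error instead of presenting a certificate.
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Exit 0 when the certificate's subjectAltName list covers the name, either
# literally or through a single-label wildcard (*.parent.domain).
cert_covers_name() {
    cert=$1
    name=$2
    # Extract the DNS entries from the SAN extension, one per line.
    sans=$(openssl x509 -in "$cert" -noout -text \
           | grep -A1 'Subject Alternative Name' \
           | tr ',' '\n' | sed -n 's/.*DNS://p')
    wild="*.${name#*.}"
    printf '%s\n' "$sans" | grep -qxF -e "$name" -e "$wild"
}

# Show the certificate a live listener actually presents for a given SNI name
# (not run by the self-test; for use against the real host, e.g.
# show_served_cert 30.0.99.96 vaultwarden.2f-leuchten.com).
show_served_cert() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer -dates -text \
        | grep -A1 -e 'Subject:' -e 'Subject Alternative Name'
}

# Build a constructed wildcard cert/key pair in a directory (demo only; a real
# LAN setup would use the pair issued by the internal CA).
make_demo_pair() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/demo.key" -out "$dir/demo.pem" \
        -subj "/CN=*.example.test" \
        -addext "subjectAltName=DNS:*.example.test,DNS:example.test" \
        >/dev/null 2>&1
}
```

Usage against the files from the post would be `cert_matches_key /etc/ssl/certs/2f-leuchten.com.pem /etc/ssl/certs/2f-leuchten.com.key && cert_covers_name /etc/ssl/certs/2f-leuchten.com.pem vaultwarden.2f-leuchten.com`, run on the host and then again inside the caddy container (`docker exec`), since a `tls` directive path refers to the container's filesystem, not the host's. A wildcard only covers one label, so `*.example.test` matches `vaultwarden.example.test` but not `deep.sub.example.test`.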