SØB.ORG

Enabling ACME-CAA for Caddy webserver

TL;DR: Grab this value and jump to the last step:

jq -r '.location' $(sudo -u caddy caddy environ | awk -F'=' '/^caddy.AppDataDir=/{print $2"/acme/acme-v02.api.letsencrypt.org-directory/users/*/caddy.json"}')


Configuring Caddy

In your Caddyfile you should add an email to the Global Options Block:

{
	email demo@example.com
}

domain.tld {
	⋯
}

If you haven't done so, then do it now and restart caddy.


Finding Caddy AppDataDir

If you run caddy as user caddy (e.g. when caddy was installed from apt and runs as a systemd service), then prefix this command with sudo -u caddy:

  • caddy environ | grep caddy.AppDataDir

This should output something like: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy

In this case your (prod) ACME directory for Let's Encrypt is:

  • /var/lib/caddy/.local/share/caddy/acme/acme-v02.api.letsencrypt.org-directory/users/demo@example.com/
    (Note: demo@example.com from Global Options Block in Caddyfile).

In this directory you will find two files:

caddy.json:
{
	"status": "valid",
	"contact": [
		"mailto:demo@example.com"
	],
	"termsOfServiceAgreed": true,
	"orders": "",
	"location": "https://acme-v02.api.letsencrypt.org/acme/acct/1333337"
}

This contains your account URI (the value of location); it is what the accounturi parameter of the CAA record refers to.

caddy.key:
-----BEGIN EC PRIVATE KEY-----
MIGfWW91IHNob3VsZCBvZmMgbm90IGxlYWsgeW91ciBwcml2YXRlIGtleSEgQnV0
IEkgdGhpbmsgaXQgaXMgbmljZSB0byBoYXZlIHNvbWUgZHVtbXkgdGV4dCBvZiBy
b3VnaGx5IHRoZSBzYW1lIHNpemUuIFRoaXMgd2lsbCBwcm9iYWJseSB0cmlnZ2Vy
IGEgYnVuY2ggb2YgZmFsc2UgcG9zaXRpdmVzIGluIHNjYW5uZXJzCg==
-----END EC PRIVATE KEY-----

You should of course keep your .key file private! If you need to set up Caddy on a new server for the same domain, then you need to copy caddy.key and caddy.json to the new server; otherwise Caddy registers a new account with a different URI, and ACME requests from the new server will fail against the CAA record. You should consider taking a backup of these two files.


Setting up DNS

In your DNS panel create a CAA record with:

  flags  tag    value
  128    issue  "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/1333337"

Make sure to replace 1333337 with the value from caddy.json.
You need DNSSEC to be enabled.
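The following script ties the steps above together: it locates caddy.json below the AppDataDir, reads the account URI out of it, prints the CAA record to publish, and checks a CAA record as returned by dig against that URI. It is an added example, not code from the post or from the Caddy project; it assumes the directory layout shown above, uses sed instead of jq so it runs where jq is absent, and the function names and the constructed caddy.json in demo are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: find the account file Caddy
# wrote, read the account URI from it, build the CAA record value, and check a
# published CAA record against it. Assumes the layout shown above
# (<AppDataDir>/acme/<ACME host>-directory/users/<email>/caddy.json).
set -eu

# Locate caddy.json for one ACME directory host below an AppDataDir.
# $1: AppDataDir as printed by `caddy environ`
# $2: ACME host, e.g. acme-v02.api.letsencrypt.org
find_account_json() {
    find "${1}/acme/${2}-directory/users" -name caddy.json 2>/dev/null | head -n 1
}

# Pull the "location" value (the account URI) out of caddy.json.
# Plain sed so it works without jq; `jq -r .location` does the same.
# $1: path to caddy.json
account_uri_from_json() {
    sed -n 's/.*"location":[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Build the CAA "issue" value that pins issuance to one CA and one account.
# $1: CA domain (letsencrypt.org), $2: account URI
caa_issue_value() {
    printf '%s; accounturi=%s' "$1" "$2"
}

# Check whether a published CAA record (one line of `dig +short CAA domain.tld`,
# e.g. 128 issue "letsencrypt.org; accounturi=https://...") pins exactly the
# account URI in $2. Exit status 0 means it matches; a record without an
# accounturi, or with a different one, does not match.
# $1: CAA record text, $2: expected account URI
caa_matches_account() {
    published=$(printf '%s' "$1" | sed -n 's/.*accounturi=\([^";[:space:]]*\).*/\1/p')
    [ -n "$published" ] && [ "$published" = "$2" ]
}

# Demo on a constructed caddy.json (no real account; the acct id is made up).
demo() {
    tmp=$(mktemp -d)
    userdir="$tmp/acme/acme-v02.api.letsencrypt.org-directory/users/demo@example.com"
    mkdir -p "$userdir"
    cat > "$userdir/caddy.json" <<'EOF'
{
	"status": "valid",
	"contact": ["mailto:demo@example.com"],
	"termsOfServiceAgreed": true,
	"orders": "",
	"location": "https://acme-v02.api.letsencrypt.org/acme/acct/1333337"
}
EOF
    json=$(find_account_json "$tmp" acme-v02.api.letsencrypt.org)
    uri=$(account_uri_from_json "$json")
    # The record to create in the DNS panel: flags 128, tag issue, quoted value.
    echo "128 issue \"$(caa_issue_value letsencrypt.org "$uri")\""
    rm -rf "$tmp"
}

demo
```

On a real host, replace the constructed directory with the AppDataDir from `caddy environ` (run as the caddy user) and feed `caa_matches_account` the lines of `dig +short CAA domain.tld` after the record has propagated; a record that names letsencrypt.org without an accounturi still allows any Let's Encrypt account to issue, which the check reports as a mismatch.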