diff --git a/caddyhttp/httpserver/server.go b/caddyhttp/httpserver/server.go
index c435b0a9a..49956ab3f 100644
--- a/caddyhttp/httpserver/server.go
+++ b/caddyhttp/httpserver/server.go
@@ -236,7 +236,7 @@ func (s *Server) serveHTTP(w http.ResponseWriter, r *http.Request) (int, error)
 	if vhost == nil {
 		// check for ACME challenge even if vhost is nil;
 		// could be a new host coming online soon
-		if caddytls.HTTPChallengeHandler(w, r, caddytls.DefaultHTTPAlternatePort) {
+		if caddytls.HTTPChallengeHandler(w, r, "localhost", caddytls.DefaultHTTPAlternatePort) {
 			return 0, nil
 		}
 		// otherwise, log the error and write a message to the client
@@ -297,7 +297,7 @@ func (s *Server) proxyHTTPChallenge(vhost *SiteConfig, w http.ResponseWriter, r
 	if vhost.TLS != nil && vhost.TLS.AltHTTPPort != "" {
 		altPort = vhost.TLS.AltHTTPPort
 	}
-	return caddytls.HTTPChallengeHandler(w, r, altPort)
+	return caddytls.HTTPChallengeHandler(w, r, vhost.ListenHost, altPort)
 }
 
 // Address returns the address s was assigned to listen on.
diff --git a/caddytls/httphandler.go b/caddytls/httphandler.go
index 8b7aebf7c..755d48583 100644
--- a/caddytls/httphandler.go
+++ b/caddytls/httphandler.go
@@ -2,6 +2,7 @@ package caddytls
 
 import (
 	"crypto/tls"
+	"fmt"
 	"log"
 	"net/http"
 	"net/http/httputil"
@@ -15,7 +16,7 @@ const challengeBasePath = "/.well-known/acme-challenge"
 // request path starts with challengeBasePath. It returns true if it
 // handled the request and no more needs to be done; it returns false
 // if this call was a no-op and the request still needs handling.
-func HTTPChallengeHandler(w http.ResponseWriter, r *http.Request, altPort string) bool {
+func HTTPChallengeHandler(w http.ResponseWriter, r *http.Request, listenHost, altPort string) bool {
 	if !strings.HasPrefix(r.URL.Path, challengeBasePath) {
 		return false
 	}
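Review bot: The nil-vhost branch pins the proxy target to the literal "localhost", while proxyHTTPChallenge in the next hunk uses vhost.ListenHost; if the challenge listener is bound to a non-loopback ListenHost, a challenge for a host that has no site configured yet would be proxied to an address nothing listens on. The serveHTTP body continues outside the hunk, so I cannot tell from the diff whether the server's own bound address is reachable here; if it is, it is likely the better source than a literal. At minimum the literal deserves a why-comment, e.g. `// no vhost matched, so no ListenHost is known; assume the challenge listener is local`.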
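Review bot: The new listenHost parameter is not described in the doc comment directly above the changed signature, even though callers in this commit pass both "" (the tests) and "localhost" (server.go) for it. Suggest adding a sentence such as `// listenHost is the host the ACME challenge listener is bound to; it may be empty, in which case the proxy target becomes ":altPort", which the dialer presumably resolves to the local system.` The body of HTTPChallengeHandler continues in the next hunk.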
@@ -28,7 +29,7 @@ func HTTPChallengeHandler(w http.ResponseWriter, r *http.Request, altPort string
 		scheme = "https"
 	}
 
-	upstream, err := url.Parse(scheme + "://localhost:" + altPort)
+	upstream, err := url.Parse(fmt.Sprintf("%s://%s:%s", scheme, listenHost, altPort))
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		log.Printf("[ERROR] ACME proxy handler: %v", err)
diff --git a/caddytls/httphandler_test.go b/caddytls/httphandler_test.go
index 223c31d79..48f4a971b 100644
--- a/caddytls/httphandler_test.go
+++ b/caddytls/httphandler_test.go
@@ -25,7 +25,7 @@ func TestHTTPChallengeHandlerNoOp(t *testing.T) {
 		t.Fatalf("Could not craft request, got error: %v", err)
 	}
 	rw := httptest.NewRecorder()
-	if HTTPChallengeHandler(rw, req, DefaultHTTPAlternatePort) {
+	if HTTPChallengeHandler(rw, req, "", DefaultHTTPAlternatePort) {
 		t.Errorf("Got true with this URL, but shouldn't have: %s", url)
 	}
 }
@@ -62,7 +62,7 @@ func TestHTTPChallengeHandlerSuccess(t *testing.T) {
 	}
 	rw := httptest.NewRecorder()
 
-	HTTPChallengeHandler(rw, req, DefaultHTTPAlternatePort)
+	HTTPChallengeHandler(rw, req, "", DefaultHTTPAlternatePort)
 
 	if !proxySuccess {
 		t.Fatal("Expected request to be proxied, but it wasn't")
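Review bot: Building the upstream with `fmt.Sprintf("%s://%s:%s", ...)` produces an invalid authority when listenHost is an IPv6 literal such as ::1, because a URL requires brackets around it; url.Parse would then fail or split host and port at the wrong colon. If ListenHost can hold an IP literal, prefer `upstream, err := url.Parse(scheme + "://" + net.JoinHostPort(listenHost, altPort))`, which brackets IPv6 addresses and still yields ":<port>" for an empty listenHost, and import "net" in place of the "fmt" import added in the earlier hunk, since that import appears to be used only on this line. HTTPChallengeHandler starts in the previous hunk and continues past this one.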
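Review bot: Both updated call sites in the tests (this hunk and the TestHTTPChallengeHandlerNoOp hunk above it) pass "" for listenHost, so the new host-formatting path in HTTPChallengeHandler is never exercised with a non-empty value. Consider a second success case that passes the address the test listener is bound to (set up outside this hunk), e.g. `HTTPChallengeHandler(rw, req, "127.0.0.1", DefaultHTTPAlternatePort)`, so a regression in how listenHost is spliced into the upstream URL is caught. Both enclosing test functions begin outside their hunks.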