diff --git a/modules/caddyhttp/headers/caddyfile.go b/modules/caddyhttp/headers/caddyfile.go
index c1444d0ea..55ad99178 100644
--- a/modules/caddyhttp/headers/caddyfile.go
+++ b/modules/caddyhttp/headers/caddyfile.go
@@ -105,6 +105,9 @@ func parseReqHdrCaddyfile(h httpcaddyfile.Helper) (caddyhttp.MiddlewareHandler,
 		}
 		if h.NextArg() {
 			replacement = h.Val()
+			if h.NextArg() {
+				return nil, h.ArgErr()
+			}
 		}
 
 		if hdr.Request == nil {
diff --git a/modules/caddytls/acmemanager.go b/modules/caddytls/acmemanager.go
index 31c954ff6..8e6018328 100644
--- a/modules/caddytls/acmemanager.go
+++ b/modules/caddytls/acmemanager.go
@@ -78,7 +78,7 @@ type ACMEManagerMaker struct {
 
 	// Optionally configure a separate storage module associated with this
 	// manager, instead of using Caddy's global/default-configured storage.
-	Storage json.RawMessage `json:"storage,omitempty"`
+	Storage json.RawMessage `json:"storage,omitempty" caddy:"namespace=caddy.storage inline_key=module"`
 
 	// An array of files of CA certificates to accept when connecting to the
 	// ACME CA. Generally, you should only use this if the ACME CA endpoint
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 1b155b0e9..f9beb6f48 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -107,10 +107,10 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 			// special case; these will be loaded in later
 			// using our automation facilities, which we
 			// want to avoid during provisioning
-			var ok bool
-			t.automateNames, ok = modIface.([]string)
-			if !ok {
-				return fmt.Errorf("loading certificates with 'automate' requires []string, got: %#v", modIface)
+			if automateNames, ok := modIface.(*AutomateLoader); ok && automateNames != nil {
+				t.automateNames = []string(*automateNames)
+			} else {
+				return fmt.Errorf("loading certificates with 'automate' requires array of strings, got: %T", modIface)
 			}
 			continue
 		}