diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go
index bbc63ced..6a8ba0bd 100644
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@@ -345,9 +345,34 @@ func parseOptOnDemand(d *caddyfile.Dispenser, _ any) (any, error) {
 if ond == nil {
 ond = new(caddytls.OnDemandConfig)
 }
+ if ond.PermissionRaw != nil {
+ return nil, d.Err("on-demand TLS permission module (or 'ask') already specified")
+ }
 perm := caddytls.PermissionByHTTP{Endpoint: d.Val()}
 ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", "http", nil)
 
+ case "permission":
+ if !d.NextArg() {
+ return nil, d.ArgErr()
+ }
+ if ond == nil {
+ ond = new(caddytls.OnDemandConfig)
+ }
+ if ond.PermissionRaw != nil {
+ return nil, d.Err("on-demand TLS permission module (or 'ask') already specified")
+ }
+ modName := d.Val()
+ modID := "tls.permission." + modName
+ unm, err := caddyfile.UnmarshalModule(d, modID)
+ if err != nil {
+ return nil, err
+ }
+ perm, ok := unm.(caddytls.OnDemandPermission)
+ if !ok {
+ return nil, d.Errf("module %s (%T) is not an on-demand TLS permission module", modID, unm)
+ }
+ ond.PermissionRaw = caddyconfig.JSONModuleObject(perm, "module", modName, nil)
+
 case "interval":
 if !d.NextArg() {
 return nil, d.ArgErr()
diff --git a/caddyconfig/httploader.go b/caddyconfig/httploader.go
index e0ce4ebf..528cea6c 100644
--- a/caddyconfig/httploader.go
+++ b/caddyconfig/httploader.go
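Review bot: The new `permission` case repeats the `ond == nil` initialisation and the `ond.PermissionRaw != nil` duplicate check verbatim from the `ask` case just above it, including the same error string; a small local closure such as `ensurePermSlot := func() error { ... }` called from both cases would keep the init and the one error message in a single place. Because `ask` is now equivalent to `permission http <endpoint>`, the function's doc comment (outside this hunk, if it lists the accepted subdirectives) should mention `permission <module> [...]` and state that only one permission source may be configured. `modName` is spliced straight into the module ID, so a mistyped or unregistered name surfaces only as the lookup error from `caddyfile.UnmarshalModule`; that is acceptable, but a test covering the "ask then permission" conflict path would pin the intended behaviour. parseOptOnDemand starts and ends outside this hunk.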
@@ -181,19 +181,13 @@ func (hl HTTPLoader) makeClient(ctx caddy.Context) (*http.Client, error) {
 if err != nil {
 return nil, fmt.Errorf("getting server identity credentials: %v", err)
 }
- if tlsConfig == nil {
- tlsConfig = new(tls.Config)
- }
- tlsConfig.Certificates = certs
+ tlsConfig = &tls.Config{Certificates: certs}
 } else if hl.TLS.ClientCertificateFile != "" && hl.TLS.ClientCertificateKeyFile != "" {
 cert, err := tls.LoadX509KeyPair(hl.TLS.ClientCertificateFile, hl.TLS.ClientCertificateKeyFile)
 if err != nil {
 return nil, err
 }
- if tlsConfig == nil {
- tlsConfig = new(tls.Config)
- }
- tlsConfig.Certificates = []tls.Certificate{cert}
+ tlsConfig = &tls.Config{Certificates: []tls.Certificate{cert}}
 }
 
 // trusted server certs
diff --git a/modules/caddytls/ondemand.go b/modules/caddytls/ondemand.go
index 31f6ef2d..060a3ac6 100644
--- a/modules/caddytls/ondemand.go
+++ b/modules/caddytls/ondemand.go
@@ -28,6 +28,7 @@ import (
 "go.uber.org/zap"
 
 "github.com/caddyserver/caddy/v2"
+ "github.com/caddyserver/caddy/v2/caddyconfig/caddyfile"
 )
 
 func init() {
@@ -117,6 +118,17 @@ func (PermissionByHTTP) CaddyModule() caddy.ModuleInfo {
 }
 }
 
+// UnmarshalCaddyfile implements caddyfile.Unmarshaler.
+func (p *PermissionByHTTP) UnmarshalCaddyfile(d *caddyfile.Dispenser) error {
+ if !d.Next() {
+ return nil
+ }
+ if !d.AllArgs(&p.Endpoint) {
+ return d.ArgErr()
+ }
+ return nil
+}
+
 func (p *PermissionByHTTP) Provision(ctx caddy.Context) error {
 p.logger = ctx.Logger()
 p.replacer = caddy.NewReplacer()
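Review bot: Dropping the `tlsConfig == nil` guard in both branches turns a field assignment into a wholesale `tlsConfig = &tls.Config{...}`, which discards any field set on `tlsConfig` earlier in makeClient; the removed guard suggests the variable could be non-nil at this point, so either confirm that nothing before this hunk populates it or keep `tlsConfig.Certificates = ...` behind the guard. If it really is always nil here, a one-line comment such as `// tlsConfig is still nil at this point; the trust store is attached below` would stop the next reader from reintroducing the guard. The trusted-server-certs section that follows presumably adds RootCAs to this same config, so the overwrite only matters for fields set before these branches. makeClient starts and ends outside this hunk.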
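Review bot: `UnmarshalCaddyfile` stores whatever single argument follows `permission http` without checking that it is usable, so a blank or non-URL endpoint is only rejected later if Provision parses it (Provision begins at the end of this hunk and continues outside it); since this endpoint decides which hostnames get certificates issued on demand, a parse-time check such as `if p.Endpoint == "" { return d.Err("endpoint is required") }` would make the misconfiguration fail at Caddyfile load rather than at runtime, though it is optional if Provision already validates the URL. The doc comment should also show the expected syntax, for example a second line `//	permission http <endpoint>`, as Caddyfile unmarshalers in this repository typically do. Returning nil from `if !d.Next()` silently accepts an empty token stream; that matches the usual consume-the-module-name pattern, but a comment `// consume module name` would make the intent explicit.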