This worked for me to get subdomains and TLS certificates working on a similar setup: https://blog.mni.li/posts/internal-tls-with-caddy/