You’ve got two parts here, name resolution and certs. Make sure name resolution works first.
I don’t know if Porkbun is different, but in namecheap, I created a wildcard record. Let’s say I have the domain example.com, and my server is server.example.com, and it hosts a bunch of docker containers like jellyfin and radarr, at jellyfin.example.com and radarr.example.com. So I created a wildcard A record with name * and value 192.168.1.20. This means when I try any domain under example.com that doesn’t have a more specific record, I get that IP back.
You can test name resolution from your own PC with dig (Linux) or nslookup (Windows). Be mindful of which server you’re using for lookups when you do this. To check the perspective of a client outside my network, I like digwebinterface.com. And always remember that it takes time for DNS changes to propagate.
After that I just used acme plugins for Proxmox and traefik to get let’s encrypt certs individually and automatically, but you could also get a wildcard cert for *.example.com by any method, from any provider, and install it yourself.