First of all, add a space between com and the opening brace; otherwise Caddy cannot know where the site name ends and the block begins.
Secondly, you’re adding on_demand, which tells Caddy to keep issuing single SAN certificates and rely on the ask URL to accept or reject the domain name.
Lastly, for wildcard certificates, you need to first remove on_demand and use the DNS challenge, which requires a custom-built Caddy (built with the xcaddy command or our download page). You can follow the instructions here: