On-demand Subdomains with HTTPS Failing

This is how you’re serving your PHP app:

So it follows that your `https://` site should also do the same thing, if you also want to serve your PHP app from any domain allowed by `ask`.

If all you want is subdomains for jatra.app, then you probably don’t need On-Demand TLS, and you can instead just get a wildcard certificate for `*.jatra.app`. But for that you’ll need a build of Caddy with the ACME DNS plugin for your DNS provider. See *How to use DNS provider modules in Caddy 2*.

A wildcard cert is ideal because it would mean you only have two certificates (i.e. one for your apex domain, and one wildcard for every subdomain), whereas with On-Demand TLS you’d need a certificate for each subdomain you want to support, which could be infinite depending on what the subdomain is (username?).

On-Demand TLS is best used for domains you do not control, i.e. the domain of a customer of yours that they want to point to your server, to provide a “custom domains” feature for your product.

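The `ask` endpoint mentioned above is where the security of On-Demand TLS lives: Caddy calls that URL with a GET request carrying a `domain` query parameter and only obtains a certificate if the response is 2xx, so the endpoint must refuse every name you have not explicitly approved, otherwise anyone who points a DNS record at your server can make it request certificates on their behalf. The following is an added example of such an endpoint, not code from the original post or from the Caddy project. It assumes a Caddyfile with `on_demand_tls { ask http://127.0.0.1:5555/check }` in the global options and `tls { on_demand }` in the `https://` site block; the apex `jatra.app`, the customer domains, the reserved labels and the one-level "username" subdomain rule are constructed for illustration.

```python
"""Allowlist service for Caddy's On-Demand TLS `ask` endpoint (added example).

Caddy sends GET <ask-url>?domain=<name> before issuing a certificate and
treats any non-2xx response as a denial. Names are matched exactly against
a registry of verified domains; there is deliberately no suffix matching.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed data: the apex you own and customer domains that were verified
# out of band (for example a CNAME check made when the customer added them).
OWN_APEX = "jatra.app"
VERIFIED_CUSTOMER_DOMAINS = {"shop.example.com", "blog.example.org"}

# Constructed rule: allow one "username" label directly below the apex.
# (If that is the only thing you need, a wildcard cert is the better option.)
RESERVED_LABELS = {"www", "api", "admin", "mail"}
HOSTNAME_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(domain: str) -> Optional[str]:
    """Lower-case, strip a trailing dot and reject anything that is not a
    syntactically valid hostname (wildcards included). None means unusable."""
    d = domain.strip().lower().rstrip(".")
    if not d or len(d) > 253 or "*" in d:
        return None
    if any(not HOSTNAME_LABEL.fullmatch(label) for label in d.split(".")):
        return None
    return d


def is_domain_allowed(domain: str) -> bool:
    """Decide whether Caddy may obtain a certificate for `domain`.

    Exact matches only: 'jatra.app.attacker.net' must not pass because it
    merely contains the apex, and 'a.b.jatra.app' is refused because the
    username rule covers exactly one label below the apex.
    """
    d = normalize(domain)
    if d is None:
        return False
    if d == OWN_APEX or d in VERIFIED_CUSTOMER_DOMAINS:
        return True
    suffix = "." + OWN_APEX
    if d.endswith(suffix):
        label = d[: -len(suffix)]
        return "." not in label and label not in RESERVED_LABELS
    return False


class AskHandler(BaseHTTPRequestHandler):
    """Answers 200 for approved names and 403 for everything else."""

    def do_GET(self) -> None:
        query = parse_qs(urlparse(self.path).query)
        domain = query.get("domain", [""])[0]
        status = 200 if is_domain_allowed(domain) else 403
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok" if status == 200 else b"denied")

    def log_message(self, fmt, *args) -> None:
        # Keep the server quiet; Caddy logs the issuance decision on its side.
        pass


def serve(port: int = 5555) -> None:
    """Bind to loopback only: the ask URL should never be reachable from outside."""
    HTTPServer(("127.0.0.1", port), AskHandler).serve_forever()


if __name__ == "__main__":
    serve()
```

The decisive design choice is exact matching against a registry you control rather than any "ends with my domain" test; the registry entry should be created only after the customer has proven they control the name (for example by a CNAME or TXT check), since Caddy will otherwise happily spend your ACME rate limit on certificates for domains that merely resolve to your server.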