I have tried two different ssl issuers first because i didn't want to install certbot. I could not figure out how to bundle all the chains, or what order to stack crt files in to convert to pem.
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not installing that until I get some clarity
The two certificate files for HTTPS (web-privkey.pem and web-fullchain.pem) are outputs of the ACME Client such as Certbot. Most ACME Clients have "hooks" that you use to copy these files to the location your particular application needs them. Or, refer your application directly to the client's location.
The certificate(s) and configuration of your VNC is up to you
Getting help configuring and using that docker-firefox system is probably better addressed to that community. Getting the cert from Let's Encrypt is just one small part of getting that setup.
If you explain exactly what you tried we could help better.
Did you use acme.sh to get certificates? I just realized you got certificates today from ZeroSSL and Let's Encrypt. If not acme.sh, what ACME Client did you use to get those?