Everything is quite simple.
Here is a description of how Nginx handles requests. Now it should be immediately clear what you broke: if a subdomain has no address configured on port 80, you can simply configure a default virtual host and, for example, redirect it to the primary domain or deny access, yes, something like that. But if it is port 443 for SSL, the connection requires the appropriate certificate, which you do not have for every subdomain. There are several ways out.
1. In this configuration, add a configuration with a self-signed certificate; the drawback is that if a person visits, they will see that the site is not secure, and God knows what they might think about the main domain), if they are not educated enough to understand why this message is shown, and they will take you for a swindler.
listen 443 default_server;
Question: why send the logs to /dev/null??? Isn't it easier to turn them off? What kind of wildness is that)
2. Buy a certificate that protects both the domain itself and all its subdomains at once and attach it there; in that case everything will be as smooth as with port 80, unless of course someone decides to go poking at third-level domains)))
3. In DNS, point to the server only the domains and subdomains that really exist; in that case all the rest will look like this.
Read more documentation)
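The catch-all default virtual hosts described in option 1 above, written out as an added example (this is not the poster's own config); the certificate paths, the `/var/www/example.com` root and `example.com` itself are assumed placeholders:

```nginx
# Added example: catch-all server blocks for hostnames that have no
# dedicated configuration. A request whose Host header (port 80) or
# SNI name (port 443) matches no other server_name lands in the
# default_server block for that port.

# Port 80: no certificate is involved, so unknown hosts can simply be
# refused or redirected.
server {
    listen 80 default_server;
    server_name _;
    # 444 closes the connection without sending a response.
    # To send visitors to the primary domain instead, use:
    #   return 301 https://example.com$request_uri;
    return 444;
}

# Port 443: the TLS handshake completes before Nginx can inspect the
# hostname, so the catch-all must present some certificate. A
# self-signed one works, with the browser warning described in option 1.
server {
    listen 443 ssl default_server;
    server_name _;
    # Assumed paths to a self-signed pair generated only for this block.
    ssl_certificate     /etc/nginx/ssl/catchall.crt;
    ssl_certificate_key /etc/nginx/ssl/catchall.key;
    return 444;
}

# Real sites keep their own blocks with their own valid certificates;
# only hostnames that match here are served normally.
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    # Assumed paths to the real certificate for example.com.
    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    root /var/www/example.com;
}
```

On Nginx 1.19.4 or newer the catch-all on 443 can use `ssl_reject_handshake on;` instead of a self-signed certificate, which aborts the handshake for unknown names and shows the visitor a connection error rather than a certificate warning.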