And yet a paradoxical result came out of this story. The site rested with all its fibers or whatever. We managed to get a normal result only with the help of iconv and forced conversion to UTF-8. Only after that did all the functions work. Here you are, grandmother, and St. George's Day!

first open through one browser, and then close and open through another

Spared the site.

Where do you store? How do you get it? Precisely everything is in utf? Connection, charset in puff and Apache, tables in the database?

The encoding is iso-8859, but the conversion to utf-8 gives krakozyabry.

Perhaps by the fact that you are trying to recode? Since it is already in utf (since the subset is the same), nothing needs to be recoded.

It's all pretty banal.
https://nginx.ru/ru/docs/http/request_processing.html
Here is how Nginx processes requests. Now it’s immediately clear what you are stuck on, because if an unconfigured subdomain accesses port 80, it’s quite simple here, you can configure a default virtual host and, for example, redirect it to the main one or deny access, but in general, whatever. But if the call goes to 443 via ssl, then in order for the connection to take place, you need a certificate, which you do not have for each non-existing subdomain. There are several ways out.
1. Add a setting with a self-signed certificate to this configuration, the downside is that if a person goes over, he will see that the site is not safe and God knows what he might think about the main domain) Suddenly he is not educated enough to understand why this message is shown to him and will accept you for a scammer.

server {
listen 443 default_server;
server_name _;
access_log /dev/null;
error_log /dev/null;
return 403;
}

The question is, why send logs to zero ??? It's not easier to turn them off, what a wildness)
2. Buy a certificate that immediately protects both the domain itself and all its subdomains and fasten it there, in this case everything will be as smooth as in the case of port 80, unless of course someone decides to break into third-level domains)))
3. In the DNS, send to the server only those domains and subdomains that really exist, in this case, this will be shown to everyone else.
Read more documentation)

If the https request has already arrived at the server, then the server must have a valid certificate, otherwise a warning about an invalid certificate will be displayed in the browser.
Option 1: forget about the invalidity of the certificate, still give 403.
Option 2: get a *.site2.ru wildcard certificate
Option 3: explicitly register all subdomains in the NS records of the domain. The browser will not even send a request to a non-existent subdomain.