Почему нет редиректа с поддомена на домен?

сабж. накосячил где-то в конфиге...

listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;

server_name site.ru *.site.ru;
set $base /home/site;
root $base/html;

домен : site.ru A 1.2.3.4.
*.site.ru cname site.ru

сертификат получен на домен без ввв толко site.ru
nginx Должен переводить все с поддомена на основной домен
при попытке зайти sadasdsad.site.ru допустим, выскакивает ошибка сертификата (оно и логично т.к. он не получался для такого поддомена) и нет редиректа на основной домен site.ru
не пойму где накосячил.. есть другой сайт с аналогичными настройками все работает.... но тут Nginx решил 1.17 поставить

конфиг хоста
	# subdomains redirect
server {
		listen 443 ssl;
		listen [::]:443 ssl;
	
		server_name *.testsite.ru;
	
		# SSL
		ssl_certificate /etc/letsencrypt/live/testsite.ru/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/testsite.ru/privkey.pem;
		ssl_trusted_certificate /etc/letsencrypt/live/testsite.ru/chain.pem;

		return 301 https://testsite.ru$request_uri;
}


# HTTP redirect
server {
		listen 80;
		listen [::]:80;
		server_name *.testsite.ru;
		
		return 301 https://testsite.ru$request_uri;
}

server {
		listen 443 ssl http2;
		listen [::]:443 ssl http2;
		server_name testsite.ru *.testsite.ru;
		
		set $base /home/testsite;
		root $base/html;
		
		# SSL
		ssl_certificate /etc/letsencrypt/live/testsite.ru/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/testsite.ru/privkey.pem;
		ssl_trusted_certificate /etc/letsencrypt/live/testsite.ru/chain.pem;
	
		# security headers
		add_header X-Frame-Options "SAMEORIGIN" always;
		add_header X-XSS-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Referrer-Policy "no-referrer-when-downgrade" always;
		add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
		
		# . files
		location ~ /\.(?!well-known) {
			deny all;
		}
	
		# index.php
		index index.php index.html;
	
		# index.php fallback
		location / {
			try_files $uri $uri/ /index.php?$query_string;
		}
	
		# handle .php
		location ~ \.php$ {
			include extra/php_fastcgi.conf;
		}
	
		# favicon.ico
		location = /favicon.ico {
			log_not_found off;
			access_log off;
		}
		
		# robots.txt
		location = /robots.txt {
			log_not_found off;
			access_log off;
		}
		
		# assets, media
		location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
			expires 7d;
			access_log off;
		}
		
		# svg, fonts
		location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff2?)$ {
			add_header Access-Control-Allow-Origin "*";
			expires 7d;
			access_log off;
		}
		
		# gzip
		gzip on;
		gzip_vary on;
		gzip_proxied any;
		gzip_comp_level 6;
		gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
	
		# WordPress: allow TinyMCE
		location = /wp-includes/js/tinymce/wp-tinymce.php {
			include extra/php_fastcgi.conf;
		}
		
		# WordPress: deny wp-content, wp-includes php files
		location ~* ^/(?:wp-content|wp-includes)/.*\.php$ {
			deny all;
		}
		
		# WordPress: deny wp-content/uploads nasty stuff
		location ~* ^/wp-content/uploads/.*\.(?:s?html?|php|js|swf)$ {
			deny all;
		}
		
		# WordPress: deny wp-content/plugins (except earlier rules)
		location ~ ^/wp-content/plugins {
			deny all;
		}
		
		# WordPress: deny scripts and styles concat
		location ~* \/wp-admin\/load-(?:scripts|styles)\.php {
			deny all;
		}
		
		# WordPress: deny general stuff
		location ~* ^/(?:xmlrpc\.php|wp-links-opml\.php|wp-config\.php|wp-config-sample\.php|wp-comments-post\.php|readme\.html|license\.txt)$ {
			deny all;
		}
		
		#certbot
		location /.well-known {
		root /home/testsite/html;
		}
}

конфиг nginx

user nginx;
pid /var/run/nginx.pid;
worker_processes auto;
worker_rlimit_nofile 65535;

events {
	multi_accept on;
	worker_connections 65535;
}

http {
	charset utf-8;
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	types_hash_max_size 2048;
	client_max_body_size 16M;

	# MIME
	include mime.types;
	default_type application/octet-stream;

	# logging
	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;
	
	# SSL
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites
	ssl_dhparam /etc/nginx/dhparam.pem;

	# Mozilla Intermediate configuration
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
	resolver_timeout 2s;
	
	# load configs
	include /etc/nginx/conf.d/*.conf;
	
}