Enable Cloudflare on multiple subdomains when using a VPS with nginx?

There is a VPS machine with nginx configured, on which 10 sites are running.
Structure:
tester.example.com
api-one.tester.example.com
api-two.tester.example.com
api-3.tester.example.com
api-4.tester.example.com
api-5.tester.example.com
api-6.tester.example.com

The central site runs on separate hosting.

In nginx, I configured the default site tester.example.com to use SSL from the Cloudflare service:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name tester.example.com www.tester.example.com;
    return 302 https://$server_name$request_uri;
}
server {

# SSL configuration

  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  ssl        on;
  ssl_certificate         /etc/ssl/certs/cert.pem;
  ssl_certificate_key     /etc/ssl/private/private.pem;
  ssl_client_certificate /etc/ssl/certs/cloudflare.crt;
  ssl_verify_client on;

  server_name tester.example.com www.tester.example.com;

  root /var/server/site/;
  index index.html index.htm index.nginx-debian.html;


  location / {
       # try_files $uri $uri/ =404;
        proxy_pass         http://localhost:8880;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   Host $host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
   }
} 

Without HTTPS, using the regular ip:port, all the services open.

How can I make the configs for api-one.tester.example.com, etc. so that they also open via SSL?

I tried to change the port in the subdomain config (8443, which Cloudflare supports), but it does not give the desired result:

  .....
  listen 8443 ssl http2;
  listen [::]:8443 ssl http2;
  ssl        on;
  .....

Cloudflare’s free Universal SSL certs don’t go down to second level subdomains. They only cover example.com and *.example.com. In order to go to *.sub.example.com, you’ll need the $10/month dedicated certificate with custom hostnames.
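
The coverage rule in the answer above, as an added example that is not part of the original question or answer. It applies the wildcard matching TLS clients use (a "*" stands for exactly one left-most label) to the hostnames from the question. The SAN lists are constructed from the names the answer gives, and "*.tester.example.com" is an assumed entry standing in for a certificate that goes one level deeper.

```python
# Added example: certificate name matching as TLS clients apply it
# (RFC 6125 section 6.4.3, restricted to a whole-label left-most wildcard).

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (possibly a wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands for exactly one label, so the label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # The wildcard must match a non-empty label; the rest must be identical.
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    # No wildcard (or one in an unsupported position): compare literally.
    return p_labels == h_labels


def covered_by(san_list, hostname):
    """Return the first SAN entry that covers hostname, or None."""
    for san in san_list:
        if name_matches(san, hostname):
            return san
    return None


# Constructed SAN lists: the first holds the names the answer says the free
# certificate covers; the second adds an assumed deeper wildcard entry.
UNIVERSAL_SSL_SANS = ["example.com", "*.example.com"]
DEEPER_SANS = UNIVERSAL_SSL_SANS + ["*.tester.example.com"]

# Hostnames taken from the question's structure and server_name lines.
HOSTS = [
    "tester.example.com",
    "www.tester.example.com",
    "api-one.tester.example.com",
    "api-two.tester.example.com",
]


def report(san_list, hosts=HOSTS):
    """Map each hostname to the SAN entry covering it (None if uncovered)."""
    return {host: covered_by(san_list, host) for host in hosts}


if __name__ == "__main__":
    for label, sans in (("free cert", UNIVERSAL_SSL_SANS), ("deeper cert", DEEPER_SANS)):
        for host, san in report(sans).items():
            print(f"{label:12} {host:30} {san or 'NOT covered'}")
```

Note that www.tester.example.com from the server_name line is also one label too deep for *.example.com, so it fails the same check as the api-* hosts.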