If you want to use an SSL server block you need to specify a cert and a private key. You could create a self-signed certificate and use it as your default server, so no-SNI connections will reach this fake cert… or you can use the approach you are already using right now (with your real domain names oxxxxxx.club and kxxxxx.club), which is to use different IPs for each domain.
I use haproxy as an “SNI-Router”, to decide which connection goes to which service. Simply define no default; then a non-SNI connection will be dropped without presenting a certificate.
If you want more people to help you… You would need to share your real domain name with us, since we can’t help if we know nothing about this server-specific error.
If you have multiple IPs, then one IP per site would work best.
Otherwise…
If your directories were structured with all customer sites being subfolders to a common branch…
Like:
/provider/
/provider/company1.site
/provider/company2.site
(or you could do some aliasing within the vhost configs - but that would overcomplicate this example)
You could set up your vhost configs:
---
servername IP
serveralias _default_ #use appropriate default equivalent string
documentroot /provider/
sslcertificatefile /etc/letsencrypt/live/SAN/cert.pem #SAN would include all the names
---
servername provider
documentroot /provider/
sslcertificatefile /etc/letsencrypt/live/provider/cert.pem
---
servername company1.site
documentroot /provider/company1.site/
sslcertificatefile /etc/letsencrypt/live/company1.site/cert.pem
---
servername company2.site
documentroot /provider/company2.site/
sslcertificatefile /etc/letsencrypt/live/company2.site/cert.pem
---