We're familiar with the situation where there is some issue with a site, and Apache Host Matching selects the first enabled vhost. A visitor requests example.com, and host matching gets the first vhost, which may be 000-default or one that we created like 100-a-default. The cert for that selected vhost doesn't match the requested domain. So the user gets an invalid cert error. I'd like to handle this better.

If I Enable 000-default-ssl.conf and request a disabled domain, the client browser gets back a cert for server_hostname, which doesn't match the desired example.com. If I Disable 000-default-ssl.conf, the first vhost selected for port 443 is a placeholder that I created, "100-a-default.company.tld". The client browser gets back a cert for subdomain "a-default", which of course doesn't match example.com either.

We can't 403-redirect (or similar) on a cert error: By definition the browser doesn't trust the server yet, so it won't redirect based on instructions from the server. The HTTP processing hasn't started yet. The SSL/TLS handshake ends and the browser disconnects without making the request for content.

A common note in these forums is "you need to ensure all sites are HTTPS". Absolutely! But the issue that brought me here today is with a site with valid SSL, that was temporarily Disabled through ISPConfig. I think that uses `a2dissite`. So a request for example.com is valid according to DNS and gets through to this server, but Apache can't find it, it goes for that default vhost, and this results in a cert error that includes 'company.tld' to someone looking for example.com.

I'd like to eliminate the redundant "a-default" vhost subdomain, and (maybe with the default vhost) move a visitor in this scenario to a page that will tell them something useful. For example, is there any feature yet for configuring a landing page for disabled sites? I know ... "They're DISABLED!" IMO the result of that shouldn't be a misleading security warning on the client side.

I'm thinking of Domain Parking, where a "disabled" site is optionally "parked" with a domain alias. Rather than just removing a site from sites-enabled, replace them with an alias. Responses would need to return a site-specific cert, but the DocumentRoot would be common for all sites in this state. Is that a valid suggestion? Is there a better way to deal with this now?

It would be helpful to know when Apache gets a request for a site that resolves back to the default vhost. Is anyone aware of a log where this event is recorded?

Related to checking that all sites are SSL-enabled: Does anyone have a script that will show sites that are not SSL-enabled? That would be a useful field in the domain list, like the Disabled flag, with a check and/or CSS coloring. I understand many sites are intentionally not HTTPS - this wouldn't be a warning, just an indication of state. Right now I think the only way to do this would be with a SQL query, maybe a REST request?

Thanks!
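
One way to answer the "which sites are not SSL-enabled" question from the Apache side, as an added example that is not part of the original post and not ISPConfig code: it parses vhost files, reports names with no `SSLEngine on` vhost, and lists names present in sites-available but missing from sites-enabled. The function names, the `*.vhost` file layout and the sample configs are assumptions made for illustration.

```python
import re
from pathlib import Path

VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^[ \t]*Server(?:Name|Alias)[ \t]+(.+)$", re.I | re.M)
SSL_RE = re.compile(r"^[ \t]*SSLEngine[ \t]+on\b", re.I | re.M)

def tls_state(conf_texts):
    """Map each ServerName/ServerAlias to True if any vhost serves it with SSLEngine on."""
    state = {}
    for text in conf_texts:
        # Drop comment lines so a commented-out SSLEngine does not count.
        text = re.sub(r"^[ \t]*#.*$", "", text, flags=re.M)
        for body in VHOST_RE.findall(text):
            tls = SSL_RE.search(body) is not None
            for line in NAME_RE.findall(body):
                for name in line.lower().split():
                    state[name] = state.get(name, False) or tls
    return state

def sites_without_tls(conf_texts):
    """Names that no vhost serves over TLS (a state indicator, not a warning)."""
    return sorted(n for n, tls in tls_state(conf_texts).items() if not tls)

def disabled_names(available_texts, enabled_texts):
    """Names configured but not enabled; Apache answers these from its first vhost."""
    return sorted(set(tls_state(available_texts)) - set(tls_state(enabled_texts)))

def read_dir(path, pattern="*.vhost"):
    # Assumed layout: one file per site, e.g. /etc/apache2/sites-available/*.vhost
    return [p.read_text(errors="replace") for p in sorted(Path(path).glob(pattern))]

# Constructed sample input (not taken from a real server).
SAMPLE_AVAILABLE = [
    "<VirtualHost *:80>\n  ServerName example.com\n  ServerAlias www.example.com\n"
    "</VirtualHost>\n<VirtualHost *:443>\n  ServerName example.com\n"
    "  ServerAlias www.example.com\n  SSLEngine on\n</VirtualHost>\n",
    "<VirtualHost *:80>\n  ServerName plain.example.net\n  # SSLEngine on\n</VirtualHost>\n",
]
SAMPLE_ENABLED = [SAMPLE_AVAILABLE[1]]  # example.com has been disabled

if __name__ == "__main__":
    print("no TLS vhost:", sites_without_tls(SAMPLE_AVAILABLE))
    print("disabled:", disabled_names(SAMPLE_AVAILABLE, SAMPLE_ENABLED))
```

On a live server, pass `read_dir()` output for the sites-available and sites-enabled directories in place of the sample lists.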