Since Apache is really popular, there are LOADS of articles about how to set up SSL and what can go wrong etc. and since I didn't really know what had happened, I tried/checked various things.
- Was apache running on port 443?
- Could I access the site with open ssl to check the cert? No, the suggested command line errored!
- Was the config OK? I thought it was because i ran config test and it succeeded.
- Did port 80/http work? When I copied in the config from default-ssl.conf into 000-default.conf, firstly I got some config errors (needed to have all +/- and not just some) and port 80/http worked fine.
- Were all my conf files named *.conf? (it used to take everything from mods and conf-enabled but now only those with *.conf). Mine were already called *.conf
- Did the ssl conf file match the version that dpkg kindly dumped in the directory during the upgrade? Yep, pretty much except for changes I had made for my server.
- Could I use wget locally to see anything useful? I got a 404 when using http and port 443 and an ssl error when using https and 443 so no clue there.
- Was there some weird protocol issue going on? Well apparently larger TLS 1.2 headers can cause problems on some proxies and possibly my site was now insisting on something too new/too old. I modified default-ssl.conf to set SSLProtocol to All -SSLv2 -SSLv3 and tried again - no dice but at least the site was stronger!
I was pulling what little is left of my hair out until I found another post with another simpler answer:
sudo a2ensite default-ssl
It worked! Simple as that. Why wasn't this already set from before the upgrade? No idea but it is also why its config was incorrect but not showing up as an error when starting apache. I should have looked into sites-enabled but I didn't think to since the original files are in sites-available.
Aaarrgghhh but on the other hand - phew!