How to prevent https:// being accessible from domains without a certificate?

Solution 1:

Non-SSL domains should not use this IP. Even for multiple SSL-capable domains, you rely on clients to implement SNI without issue, which may or may not be a safe assumption.

The problem is that before Apache can redirect the browser to HTTP, an SSL handshake has to succeed, so if you cannot provide a valid certificate for the domain, the clients will always claim SSL errors.

Edit: Multiple SSL domains will work without issue if you use just one certificate with appropriate SANs (multidomain certificate). The issue with non-SSL domains remains, though.

Solution 2:

As Koen van der Rijt already wrote, you should check SF for similar questions and read the answers carefully.

  apache2ctl -S 

gives you the order of vhost "execution".

So if your example1.com is the first domain defined on port :443, then this one will be used.

Instead, you could either make, for example, a self-signed cert and inform the user that this domain does not have an https connection right now, or do a rewrite_rule which redirects the traffic from https://domain3.com to http://domain3.com. Note that this would need an "invalid" cert and will inform the user.

If you don't use SNI, you additionally need at least 1 IP per cert.
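The check described in Solution 2, as an added example that is not part of either answer: it parses `apache2ctl -S` output and lists the names served on port 80 that no :443 vhost claims, which are the names whose HTTPS requests land on the default :443 vhost and its certificate. The sample output is constructed (placeholder file paths), `parse` and `fallthrough` are hypothetical helper names, and one listen address per port is assumed.

```python
import re
from fnmatch import fnmatch

# Constructed sample of `apache2ctl -S` output (file paths are placeholders).
SAMPLE = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server example1.com (/etc/apache2/sites-enabled/example1-ssl.conf:1)
         port 443 namevhost example1.com (/etc/apache2/sites-enabled/example1-ssl.conf:1)
         port 443 namevhost example2.com (/etc/apache2/sites-enabled/example2-ssl.conf:1)
*:80                   is a NameVirtualHost
         default server example1.com (/etc/apache2/sites-enabled/example1.conf:1)
         port 80 namevhost example1.com (/etc/apache2/sites-enabled/example1.conf:1)
         port 80 namevhost example2.com (/etc/apache2/sites-enabled/example2.conf:1)
         port 80 namevhost domain3.com (/etc/apache2/sites-enabled/domain3.conf:1)
                 alias www.domain3.com
"""

LISTEN = re.compile(r"^\S+:(\d+)\s+is a NameVirtualHost")
DEFAULT = re.compile(r"^\s+default server (\S+)")
VHOST = re.compile(r"^\s+port (\d+) namevhost (\S+)")
ALIAS = re.compile(r"^\s+(?:wild )?alias (\S+)")


def parse(text):
    """Map each port to its default vhost and every name/alias served on it."""
    ports, cur = {}, None
    for line in text.splitlines():
        if m := LISTEN.match(line) or VHOST.match(line):
            cur = ports.setdefault(int(m.group(1)), {"default": None, "names": set()})
            if m.re is VHOST:
                cur["names"].add(m.group(2))
        elif cur and (m := DEFAULT.match(line)):
            cur["default"] = cur["default"] or m.group(1)  # first one listed wins
        elif cur and (m := ALIAS.match(line)):
            cur["names"].add(m.group(1))  # alias of the vhost listed just above
    return ports


def fallthrough(text, tls_port=443, http_port=80):
    """Return (default TLS vhost, HTTP names that no TLS vhost claims)."""
    ports = parse(text)
    tls = ports.get(tls_port, {"default": None, "names": set()})
    http = ports.get(http_port, {"names": set()})["names"]
    orphans = sorted(n for n in http if not any(fnmatch(n, p) for p in tls["names"]))
    return tls["default"], orphans


if __name__ == "__main__":
    print(fallthrough(SAMPLE))
```

On a real host, pass the captured output of `apache2ctl -S` to `fallthrough` instead of `SAMPLE`.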