Problem with HSTS

  • Since updating to 1.3.3


    Have had a few issues with https-only sites.
    Setting on the domain is set to force https (I think).
    Wheezy Debian (7)
    fastcgi I think - not 100% sure
    showing FPM - verified via phpinfo
    (fpm manages memory better? thought 1.3.x forced it over? - I might have to get re-introduced to verify that)
    using panel redirect - plugin and phpswitcher
    USING CloudFlare - so very possible that is causing the issue as well,
    but it seems to be passing traffic fine.


    /var/log/apache2/<domain>
    [error] [client 173.245.48.240] client denied by server configuration: /var/www/
    The IP is Cloudflare.


    http://oceanodunes.org
    getting a 403 / 301 permanently moved.


    http://dwtsolutionsllc.com/
    http://amps-corp.com
    Manually change to https - they work fine.
    Then it no longer shows the error page; it forces over to https and works every time (browser cache?).
    However, I don't know if visitors are redirected on initial load.


    Even changed them to not force https, and they load normal http.
    Re-enable https / HSTS (HTTP Strict Transport Security)
    and some start working - amps-corp.com goes back to the 403/301 error.


    Don't believe it was happening previously, but honestly I couldn't say for sure.


  • There's a bug in 1.3.3 which doesn't remove the HSTS flag from the domain_ssl.tpl files, so for every domain with SSL enabled the HSTS flag is set. This bug is fixed in the current master branch; the fix will be shipped with 1.3.4. ATM you can wait, remove the HSTS flag manually from the apache vhosts, or implement the following patch yourself and rerun the Installer:
    https://github.com/i-MSCP/imsc…d6970f04a57d4646582aaf74f


    PS: Don't forget to clear your browser cache (remove the cached HSTS flag). It is possible that a simple cache deletion is not enough for some browsers, e.g. Firefox. Just google about that :)

  • Updated to 1.3.5 - smoothly, no issues.


    In my case, still remove apc from packages as I have php5.5 for the base.


    Also followed the errata and did the stop-services and umount/remount procedures noted in the errata,
    because I was upgrading from a version higher than 1.3.2 - at least that was how I read it... (could be wrong and wasn't needed)


    Still,
    http://dwtsolutionsllc.com
    and others are still giving the same error.
    Going into the manual fix.


    If it was a browser HSTS issue the browser error would be different,
    like: ssl_error_bad_cert_domain / cannot connect to the real <domain>


    Rebooted the server - and planning to check the manual settings shortly per the above recommendation.

  • Checked:


    /etc/apache2/sites-available/dwtsolutionsllc.com.conf
    see the 301 redirect in place, seems correct..


    <LocationMatch "^/(?!.well-known/)">
    Redirect 301 / https://dwtsolutionsllc.com/
    </LocationMatch>


    Checked:
    /etc/apache2/sites-available/dwtsolutionsllc.com_ssl.conf


    Header always set Strict-Transport-Security "max-age=31536000"


    Is that the flag to clear manually?


    Also verified Chrome clearing cache and HSTS (manual deletion of the domain) - no change.
    https://really-simple-ssl.com/…-base/clear-hsts-browser/



    Is there somewhere else I should be looking?


    Attempted to remove the line
    Header always set Strict-Transport-Security "max-age=31536000"


    and set HSTS strict to NO in the panel.
    Still not loading.


    Checking for the redirect in:
    /etc/apache2/sites-available/dwtsolutionsllc.com.conf
    This line no longer exists after the change in the panel:


    <LocationMatch "^/(?!.well-known/)">
    Redirect 301 / https://dwtsolutionsllc.com/
    </LocationMatch>


    service apache2 restart
    or
    /etc/init.d/apache2 force-reload


    Now working again, but only for domains that I manually set to NO Strict HSTS.
    ---
    Re-enabling HSTS and service apache2 restart
    - goes directly back to the error page.


    Seems the redirect isn't working properly??? - hopefully Cloudflare isn't the root of it!
    /etc/apache2/sites-available/dwtsolutionsllc.com.conf


    <LocationMatch "^/(?!.well-known/)">
    Redirect 301 / https://dwtsolutionsllc.com/
    </LocationMatch>

  • Here it's OK, because you enabled HSTS for that domain.
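    As an added example (not i-MSCP's code and not posted in this thread), the following Python reproduces the two vhost snippets quoted above, the `<LocationMatch "^/(?!.well-known/)">` 301 rule from the plain-HTTP vhost and the `Strict-Transport-Security "max-age=31536000"` header from the `_ssl.conf`, and audits a set of constructed responses for consistency between them. The host name is the one from the posted config; the responses, the `ESCAPED_PATTERN` variant and the `audit` findings are constructed/assumed, and the check covers only the redirect and HSTS logic, not the "client denied by server configuration" 403, which is an access-control rule this script does not model.

```python
"""Offline consistency check of an HTTP->HTTPS redirect plus HSTS setup.

Added example, not i-MSCP code. It mirrors the two vhost fragments quoted
in the thread and audits constructed responses against them.
"""
import re

# Pattern copied from the posted non-SSL vhost:
#   <LocationMatch "^/(?!.well-known/)">  Redirect 301 / https://host/
# LocationMatch takes a PCRE matched against the request path. The "." in
# the posted pattern is unescaped, so "/xwell-known/" is also exempted from
# the redirect; ESCAPED_PATTERN is the literal form (assumed intent).
POSTED_PATTERN = r"^/(?!.well-known/)"
ESCAPED_PATTERN = r"^/(?!\.well-known/)"

HOST = "dwtsolutionsllc.com"          # host from the posted config
HSTS_VALUE = "max-age=31536000"       # value from the posted *_ssl.conf


def plain_http_vhost(path, host=HOST, pattern=POSTED_PATTERN):
    """Simulate the non-SSL vhost: 'Redirect 301 / https://host/' keeps the
    request path, and the LocationMatch exempts the ACME well-known path.
    Returns (status, location_or_None)."""
    if re.search(pattern, path):
        return 301, f"https://{host}{path}"
    return 200, None


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into a dict of directives.
    Returns None when the value is malformed (missing/non-numeric max-age,
    or a directive repeated, which RFC 6797 s6.1 forbids)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None
    directives["max-age"] = int(directives["max-age"])
    return directives


def audit(responses):
    """responses: list of (scheme, path, status, headers) tuples.
    Returns a list of finding strings; an empty list means the plain-HTTP
    redirect and the HTTPS HSTS header are consistent with each other."""
    findings = []
    for scheme, path, status, headers in responses:
        h = {k.lower(): v for k, v in headers.items()}
        sts = h.get("strict-transport-security")
        if scheme == "http":
            exempt = path.startswith("/.well-known/")
            loc = h.get("location", "")
            if not exempt and not (status == 301 and loc.startswith("https://")):
                findings.append(f"http {path}: expected 301 to https, got {status} {loc or '-'}")
            if exempt and status in (301, 302, 307, 308):
                findings.append(f"http {path}: ACME path should not be redirected")
            if sts is not None:
                # RFC 6797 s8.1: STS on an insecure response is ignored by UAs
                findings.append(f"http {path}: HSTS on plain HTTP is ignored by browsers")
        else:
            if sts is None:
                findings.append(f"https {path}: missing Strict-Transport-Security")
            elif parse_hsts(sts) is None:
                findings.append(f"https {path}: malformed HSTS value {sts!r}")
    return findings


def sample_responses():
    """Constructed responses generated from the posted rules (good setup)."""
    s1, l1 = plain_http_vhost("/")
    s2, l2 = plain_http_vhost("/.well-known/acme-challenge/tok")
    return [
        ("http", "/", s1, {"Location": l1} if l1 else {}),
        ("http", "/.well-known/acme-challenge/tok", s2, {"Location": l2} if l2 else {}),
        ("https", "/", 200, {"Strict-Transport-Security": HSTS_VALUE}),
    ]


def broken_responses():
    """Constructed responses for a mis-set domain: no redirect, HSTS only on
    plain HTTP (useless) and none on HTTPS."""
    return [
        ("http", "/", 200, {"Strict-Transport-Security": HSTS_VALUE}),
        ("https", "/", 200, {}),
    ]


if __name__ == "__main__":
    for name, resp in (("posted config", sample_responses()), ("broken", broken_responses())):
        print(name, "->", audit(resp) or "consistent")
```

    Running the script prints "consistent" for the posted configuration and three findings for the broken one; `plain_http_vhost("/xwell-known/x")` with the posted pattern versus `ESCAPED_PATTERN` shows the effect of the unescaped dot.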

  • Lost on which flag to clear -
    when HSTS is enabled,
    several sites were still getting the 301 Redirect error.


    I've removed the HSTS and the sites are working again, forcing https via other methods.
    Not sure what changed to cause the issue or what exactly to clear;
    the upgrade to 1.3.5 didn't clear / reset the flags.

  • "several sites were still getting 301 Redirect error"

    Can you be a little bit more clear about the redirect error? Please post the following configs of the domain (when HSTS is enabled for that domain + redirect error):
    /etc/apache2/sites-enabled/domain.tld.conf
    /etc/apache2/sites-enabled/domain.tld_ssl.conf