The PHP base dir is /home/e-smith/files/ibays/davidweb/ by default.
So any PHP script in /home/e-smith/files/ibays/davidweb/html can access any content of /home/e-smith/files/ibays/davidweb/ unless Unix permissions restrict it.
A very frequent hack on websites is to simply upload a malicious PHP script to the html root (/home/e-smith/files/ibays/davidweb/html in your case), allowing the attacker to explore anything in the directories allowed by the PHP base dir, and to download files or upload another malicious script or a fake website hidden in a directory there. The upload usually occurs through a web file-upload form that is not protected to refuse PHP files; I have also seen cases using a piece of software such as phpmailer, which is included in a lot of CMSes.
So unless you had previously changed the PhpBaseDir directive ( https://wiki.contribs.org/Useful_Commands#PHPBaseDir_per_ibay ) to /home/e-smith/files/ibays/davidweb/html/, it was **possible** to steal your certificate and key from the Internet and then use them to impersonate your webserver, defeating the purpose of paying for a certificate and serving pages over https.
However, I do not think changing the PhpBaseDir is the solution, as you might forget this for the next site, or when restoring this site to another server, and might reproduce this issue. I strongly suggest moving your cert either to /home/e-smith/domain.name/ or to /etc/httpd/mycerts/domain.name. With the second solution you will have to back up this location manually, as it is not in the main SME backup list.
I insist on **possible** there as, yes, you do not have any proof it was indeed stolen, but it will be rather difficult to prove it was not, unless your ibay was only open for LAN use and you are the only user on the LAN. So if your security needs are as high as you presented, which leads to you not being able to use letsencrypt, then with the same level of security you should consider your certificate compromised and ask for a new one.
If you feel you can live with this doubt, then the letsencrypt solution will be far more secure than keeping your current certificate.
Anyway, there is indeed a need to add support for SNI on SME if one wants to use a certificate, so my goal here is not to stop you from working in this direction, just to warn about a false sense of higher security.
The related bug to support per virtualhost certificate is
https://bugs.contribs.org/show_bug.cgi?id=8693

Yes, this is per virtualhost, so it might not be defined per ibay, as they can appear in different virtualhosts (at least the Primary one and a dedicated one).
An important point you showed by your test, if I have followed correctly, is that you did not remove the directive for the global certificate as defined for the whole server in httpd.conf, and only defined the per virtualhost certificate in the virtualhost you needed, and it worked? Right?
If yes, then this is an important element for the design.
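
A way to check the exposure discussed above, as an added example that is not part of the original posts: it lists PEM private keys stored under an ibay's PHP base dir and tests whether a given key path falls inside it. The function names and the temporary demo tree are assumptions made for illustration; on a real server the base dir would be the ibay path quoted in the thread.

```shell
#!/bin/sh
# Added example: find private keys that any PHP script of an ibay could read
# because they sit inside the ibay's PHP base dir.

# Print every file under BASEDIR that contains a PEM private-key header.
find_keys_in_basedir() {
    base=$(cd "$1" 2>/dev/null && pwd -P) || return 2
    find "$base" -type f -exec grep -l -e '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null | sort
}

# Return 0 if FILE lives under BASEDIR (directory symlinks resolved), 1 if not.
is_inside_basedir() {
    dir=$(cd "$(dirname "$1")" 2>/dev/null && pwd -P) || return 2
    base=$(cd "$2" 2>/dev/null && pwd -P) || return 2
    case "$dir/" in
        "$base"/*) return 0 ;;   # trailing slash avoids matching ibay2 for ibay
        *) return 1 ;;
    esac
}

# Constructed demo tree standing in for an ibay and a key directory outside it.
demo_setup() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/ibay/html" "$root/ibay/certs" "$root/outside"
    printf '<?php echo "hi";\n' > "$root/ibay/html/index.php"
    # Constructed placeholder content, not a real key.
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' \
        '-----END PRIVATE KEY-----' > "$root/ibay/certs/site.key"
    cp "$root/ibay/certs/site.key" "$root/outside/site.key"
    echo "$root"
}

root=$(demo_setup)
echo "Keys readable with the ibay-wide base dir:"
find_keys_in_basedir "$root/ibay"
echo "Keys readable with the base dir narrowed to html/:"
find_keys_in_basedir "$root/ibay/html"
is_inside_basedir "$root/outside/site.key" "$root/ibay" ||
    echo "outside/site.key is not under the base dir"
rm -rf "$root"
```
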