Both. Neither are a no go. As soon as I rename the self-signed keys to match the conf file, the site works fine. When I rename the bought cert to match the conf file, it's completely unreachable by internal IP or domain. This certainly is odd. I blew up the container and did a reinstall twice. No dice.