HSTS forced on websites

[Pandur2000]

Since I've installed and used Let's Encrypt, some of my websites always set HSTS on, even though it's not defined in the vhost.conf. I'm out of options as I searched every config file I could think of. THe problem with that is that the certificates installed are not valid for subdomains, also not for webmail.* and lists.*. Since webmail and mailman also forward to https, browsers deny loading the page because of HSTS certificate error. Any suggestions appreciated...

 

[Pandur2000]

Oh my god, I am sorry for this stupid thread.
After I installed Let's Encrypt, the apache directive
Header always set Strict-Transport-Security"max-age=31536000; includeSubDomains"
was inserted to every vhost.conf of a domain which I enriched with a new SSL certificate from Let's Encrypt.
I deleted that lines, restarted apache - this should have done the trick, right?
No.
Chrome stores the HSTS status in it's own cache and obvioiusly doesn't update it from STRICT to n/a if the server setting has been changed.
SO, I was searching for hours and hours, until I tried Firefox - voila. Issue gone. Cleared Chrome cache - issue gone there as well.

The problem with Chrome is (also) that it checks the HSTS status of a domain, stores that in the cache and then redirects http requests to https automatically, no matter what.

Issue solved -.-.