How about not revert to a "default"? Just serve a redirect to the HTTP version if a HTTPS is not available for that vhost.