Ok, thanks for your post MrH, it turns out that it wasn't my OSX server that was hacked but my Uverse 2wire gateway. I had been trying to switch from a personal SSL certificate that I put on the server to a signed certificate, when I noticed that an expired certificate that didn't belong to me would appear each time I went to the site on port 443. The certificate was self-signed by "Mini Webservice Ltd". My suspicion was that my apache2 implementation had been hijacked and this certificate was the product of the hijacking. Having not found anything on the server despite a pretty thorough search, I resolved to reinstall everything, and hence my question.
Each time I googled the certificate issuer, though, I kept getting a site that listed several AT&T IP addresses, and certificate details that were identical to the one I was seeing. Here's an example: http://dazzlepod.com/ip/99.120.101.68/.
Also today for the first time I found some code in a code repository with these same certificate details in it, associated with "mini_httpd", a small web server that runs on Unix appliances. Here is the code site: http://projects.plentyfact.org/repositories/entry/btoy/btoy/trunk/utils/mini-httpd-1.19/mini_httpd.cnf?rev=55.
I began to suspect that someone had inserted this program or one like it on my router. So I turned off port 443 forwarding to my OS X server and went back to the site from an external VPN connection, and sure enough it still came up with the false certificate.
So here's what I think is happening, and why your comments helped.
The Uverse router comes stock with an all-numerical ~10-digit password, and the option to prevent excessive session detection is not enabled by default. So I am guessing that someone cracks the router password through a brute force attack and then installs this web server to do who knows what. I can't figure out how they did that, but I'm going to let AT&T know and cogitate on that one.
So, following your advice I did a hard reset to defaults and reboot, and immediately changed the password and enabled excessive session detection. Voilà, no problem accessing 443 on my server, and my new signed certificate even works. For now.
So word to the Uverse unwise - change your router password to something complicated and enable excessive session detection under Settings - Firewall - Advanced Configuration. Someone is actively putting a bogus web server on Uverse boxes.
Final note - I know, you're thinking "Uverse? 2wire gateway?" It's a server I use for our family and for me to learn on, and guess what - I've just learned a lot.