Question
Why do I get a 421 Misdirected Request?
- Posted on April 27, 2017
- ApacheUbuntu 16.04
Asked by Travis Jones
Hi everyone,
I am trying to setup http2 and keep getting this error
Misdirected Request
The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.
Server version: Apache/2.4.25
I have 2 virtualhost files and one certificate from Let’s Encrypt which includes the subdomain.
Here’s the domain https://app.animalcrossingcentral.com/ I go there in Chrome, click the link and I get the error mentioned.
This is the beginning of each virtualhost file
<VirtualHost *:443>
Protocols h2 http/1.1
And here is what shows after clicking the link in the error.log
[Thu Apr 27 00:57:34.168321 2017] [ssl:error] [pid 28824] AH02032: Hostname app.animalcrossingcentral.com provided via SNI and hostname animalcrossingcentral.com provided via HTTP have no compatible SSL setup
I’m new to hosting my own server and will appreciate any help! :)
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
The only difference between the two configurations, other than the sub .vs. domain, is that in the sub you don’t have a directory configuration.
i.e.
<Directory /var/www/blog/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
So I would add that to the sub-domain as well (modified of course), for example:
<Directory /var/www/testing/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
… then restart Apache.
…
That being said, from doing a little digging, I stumbled across this –
When multiple vhosts share the same certificate, browsers will reuse an open connection for all those requests. mod_h2 currently only allows requests for the same host the connection was opened with. Some browsers throw then away the existing connection and open a new one. This can heavily impact performance.
So if that still holds true, then that’s the issue right there.
To remedy this, you’d need to generate independent SSL certificates, one for the primary domain and one for the sub-domain, instead of grouping them altogether in one certificate.
So if you’re using the older LetsEncrypt or the newer CertBot, you’d create one certificate passing:
-d animalcrossingcentral.com -d www.animalcrossingcentral.com
and then another, after the above is created, passing:
-d app.animalcrossingcentral.com -d www.app.animalcrossingcentral.com
You’d then modify the VirtualHost blocks to match the paths to the certificate and private key, then restart Apache again.
…
I didn’t really think of that as I primary use NGINX and it does not suffer from this odd limitation from what I’ve experienced (as I’ve grouped numerous sub-domains with a domain in the past).
Want to learn more? Join the DigitalOcean Community!
Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.
@FootballFan141
On Chrome 57.0.2987.98 64-bit (MacOS), the main domain doesn’t present an issue, though since the app sub-domain is access-restricted, the only thing I see is a pop-up requesting authentication.
Checking the main domain on Windows 10 with Chrome 57.0.2987.133 64-bit seems to work as well.
…
Edit: Just checked on Chrome 58.0.3029.81 64-bit, Windows 10, and still good on my end.