Why do I get a 421 Misdirected Request?

April 27, 2017 873 views
Apache Ubuntu 16.04

Hi everyone,

I am trying to setup http2 and keep getting this error

Misdirected Request
The client needs a new connection for this request as the requested host name does not match the Server Name Indication (SNI) in use for this connection.

Server version: Apache/2.4.25

I have 2 virtualhost files and one certificate from Let's Encrypt which includes the subdomain.

Here's the domain https://app.animalcrossingcentral.com/
I go there in Chrome, click the link and I get the error mentioned.

This is the beginning of each virtualhost file

<VirtualHost *:443>
        Protocols h2 http/1.1

And here is what shows after clicking the link in the error.log

[Thu Apr 27 00:57:34.168321 2017] [ssl:error] [pid 28824] AH02032: Hostname app.animalcrossingcentral.com provided via SNI and hostname animalcrossingcentral.com provided via HTTP have no compatible SSL setup

I'm new to hosting my own server and will appreciate any help! :)

1 comment
2 Answers
jtittle1 April 28, 2017
Accepted Answer

@FootballFan141

The only difference between the two configurations, other than the sub .vs. domain, is that in the sub you don't have a directory configuration.

i.e.

        <Directory /var/www/blog/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

So I would add that to the sub-domain as well (modified of course), for example:

        <Directory /var/www/testing/>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>

... then restart Apache.

...

That being said, from doing a little digging, I stumbled across this --

When multiple vhosts share the same certificate, browsers will reuse an open connection for all those requests. mod_h2 currently only allows requests for the same host the connection was opened with. Some browsers throw then away the existing connection and open a new one. This can heavily impact performance.

So if that still holds true, then that's the issue right there.

To remedy this, you'd need to generate independent SSL certificates, one for the primary domain and one for the sub-domain, instead of grouping them altogether in one certificate.

So if you're using the older LetsEncrypt or the newer CertBot, you'd create one certificate passing:

-d animalcrossingcentral.com -d www.animalcrossingcentral.com

and then another, after the above is created, passing:

-d app.animalcrossingcentral.com -d www.app.animalcrossingcentral.com

You'd then modify the VirtualHost blocks to match the paths to the certificate and private key, then restart Apache again.

..

I didn't really think of that as I primary use NGINX and it does not suffer from this odd limitation from what I've experienced (as I've grouped numerous sub-domains with a domain in the past).

  • I think I had seen about the problem sharing the same certificate before but I wasn't sure if there was a way to avoid needing to have 2 different certificates. Would you recommend I switch to NGINX instead, I may do that if you think it will be easy to switch from Apache. I have heard a lot of good things about it.

    Thank you for all your help! :)

    • @FootballFan141

      Personally, I prefer NGINX, though it can be a bit more hands on at first, until you get used to the differences in configuration.

      I'd recommend taking a look at:

      https://www.digitalocean.com/community/tutorials/how-to-install-linux-nginx-mysql-php-lemp-stack-in-ubuntu-16-04

      I've also written an auto-installer for NGINX which does a source compile. I would, though, recommend that you run it on a clean droplet -- i.e. one you just deployed and it's the first time you've logged in.

      Source builds need a lot of additional packages, thus on a current production server, it's possible things may break as a result.

      If you'd like to test it, you can do the following:

      cd /opt \
      && git clone https://github.com/serveradminsh/installers.git \
      && cd installers/nginx \
      && chmod +x installer.sh \
      && ./installer.sh
      

      That'll build the latest version of NGINX from source and provide you with an optimized configuration suitable for production.

      Within installers/nginx/examples there are some example configurations you can take a look at for a general idea of how to get things setup.

      I always recommend tinkering on a dummy server first, before you try to get things moving. That way if something messes up, you can just destroy the server and start over.

      Note: My installer generates dhparam.pem for you which uses 4096 bits, and it will take a while to generate. It can take anywhere from 5-10 minutes up to 15-20 depending on CPU.

      The LEMP software stack is a group of software that can be used to serve dynamic web pages and web applications. This is an acronym that describes a Linux operating system, with an Nginx web server. The backend data is stored in the MySQL database and the dynamic processing...
      • Hey @jtittle sorry for the late response, I had been busy moving everything over to a new droplet. I decided to try NGINX! I used your auto-installer, it was simple and easy to get going. Thanks again, DigitalOcean is great! :)

        Just one more thing could you go to the main domain (don't have the app subdomain up yet) and make sure it loads on your end?
        https://animalcrossingcentral.com/

        I'll be sure to come back to the community if I have any more questions!

        • @FootballFan141

          Looking good on my end :-). Glad you were able to get things up and running!

          If you have any questions, feel free to tag me and let me know.

@FootballFan141

On Chrome 57.0.2987.98 64-bit (MacOS), the main domain doesn't present an issue, though since the app sub-domain is access-restricted, the only thing I see is a pop-up requesting authentication.

Checking the main domain on Windows 10 with Chrome 57.0.2987.133 64-bit seems to work as well.

...

Edit: Just checked on Chrome 58.0.3029.81 64-bit, Windows 10, and still good on my end.

Have another answer? Share your knowledge.